Commit message | Author | Age | Files | Lines
* qa: update cmp ATTR_ZONE size mark and zone | Ken-ichirou MATSUZAWA | 2014-06-24 | 1 | -20/+76
  Test all combinations of flags/attribute states for both ZONE and MARK.
  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: remove duplicate code | Ken-ichirou MATSUZAWA | 2014-06-21 | 1 | -2/+0
  nfct_filter_dump_set_attr() will set the bit.
  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: add cmp ATTR_ZONE regression test cases | Florian Westphal | 2014-06-19 | 1 | -0/+46
  As reported by Ken-ichirou MATSUZAWA:
  "conntrack -L --zone 0" doesn't list any output.

  nfct_cmp(mask_obj, ct, NFCT_CMP_MASK) considers ct to not match since the zone attribute in ct is not set for the default (0) zone.

  libnetfilter_conntrack should be more permissive and return that these are equal iff 'mask_obj' has ATTR_ZONE with a 0 value, and ct object has ATTR_ZONE not set.

  These 3 checks currently fail, even though they really should not:
    assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_STRICT) == 1);
    assert(test_cmp_attr32(ATTR_ZONE, false, true, 0, 0, NFCT_CMP_STRICT) == 1);
    assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_MASK) == 1);

  Although in all 3 cases the zone is only set in one conntrack, the value is zero, so it should be equal to a conntrack object without the zone bit set.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: labels: remove dead code | Florian Westphal | 2014-02-18 | 1 | -1/+1
  unsigned, < 0 is always false.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: fix documentation regarding nfct_catch() and nfexp_catch() | Pablo Neira Ayuso | 2014-01-30 | 2 | -4/+16
  Stefan reported that the *_catch() functions documentation was imprecise on some aspects.
  Reported-by: Stefan Nicolae Stancu <Stefan.Stancu@cern.ch>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: mnl: fix parsing payload len | Ken-ichirou MATSUZAWA | 2014-01-29 | 1 | -1/+2
  Subtract the netlink + nfnetlink headers to pass the payload length to nfct_payload_parse().
  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: uclinux is also linux | Gustavo Zacarias | 2013-09-17 | 1 | -1/+1
  Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.4 [libnetfilter_conntrack-1.0.4] | Florian Westphal | 2013-07-15 | 2 | -2/+2
  also bump LIBVERSION, we've added new interfaces and retained backwards compatibility.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: labels: labelmap_new: make sure errno is 0 when no labels are found | Florian Westphal | 2013-07-11 | 1 | -1/+3
  nfct_labelmap_new returns NULL on failure, e.g. when file cannot be opened.

  It will also fail if no labels have been parsed, and in this case, content of errno is random. Avoid it by making sure that errno is re-set when no labels were found.

  While at it, also change ptr test when parsing so reviewers don't need to triple check that this cannot result in out-of-bounds read.
  Reported-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: test_connlabel: don't abort when system-wide config exists | Florian Westphal | 2013-07-11 | 1 | -6/+6
  Only dump the contents of the system-wide connlabel.conf if present instead of expecting same content as the qa config.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: api: add nfct_snprintf_labels | Florian Westphal | 2013-07-04 | 6 | -10/+130
  nfct_snprintf doesn't print connlabels, as they're system specific and can easily generate lots of output.

  This adds a new helper function, nfct_snprintf_labels. It behaves like nfct_snprintf, except that the label names in the labelmap whose bits are contained in connlabel attribute bitset are added to the buffer.

  output looks like this:
    ... mark=0 use=1 labels=eth0-in,eth1-in
  or
    <labels>
    <label>eth0-in</label>
    <label>eth1-in</label>
    </labels>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: callback: fix memory leak when ct has dynamically allocated attr | Florian Westphal | 2013-07-03 | 1 | -26/+8
  Must free ct and exp using the _destroy functions, else we leak attributes with malloc'd data.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: labels: skip labels with non-alnum characters | Florian Westphal | 2013-06-30 | 1 | -1/+27
  Can always lift this restriction later but for now enforce strict label naming.

  This is mainly to make sure that e.g. using conntrack ... -o xml,connlabels will output the expected format, without nasty surprises.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: connlabel: remove useless test | Florian Westphal | 2013-06-18 | 1 | -2/+2
  Can't be zero, it was already tested.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: CONNLABELS are not a nested attribute | Florian Westphal | 2013-06-18 | 1 | -9/+5
  This fixes construction of the conntrack object when CTA_LABEL attribute is present.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* connlabel: fix NULL deref on malloc failure | Florian Westphal | 2013-06-06 | 1 | -1/+1
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: nfct_cmp: verify individual attr comparison | Florian Westphal | 2013-06-05 | 1 | -10/+166
  For each attribute:
  - copy ct2 attrs to ct1 (so they're the same)
  - change value of attr
  - call nfct_cmp to check if cmp now fails

  Unfortunately, most attributes fail this test at this time, thus added a TODO exclusion list to make the test pass for now.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: nfct_cmp: also compare labels | Florian Westphal | 2013-06-05 | 1 | -0/+49
  Signed-off-by: Florian Westphal <fw@strlen.de>
* expect: consider all expect attributes when comparing | Florian Westphal | 2013-06-05 | 1 | -10/+78
  The expect cmp function ignored most of the attributes.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack, expect: fix _cmp api with STRICT checking | Florian Westphal | 2013-06-02 | 2 | -2/+11
  Normal comparison succeeds when the _common_ attribute subset have same values.

  When STRICT matching is specified, the comparison should succeed only when both objects have same attribute subset and attribute values match.

  However, STRICT comparison often fails as an attribute missing in both objects is erroneously considered an error.
  Signed-off-by: Florian Westphal <fw@strlen.de>
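Added example, not code from libnetfilter_conntrack: a small C model of the comparison rules stated in this message and in the ATTR_ZONE regression-test message further up (missing-in-both never mismatches; a zone set to 0 equals an unset zone). All names are hypothetical, and the argument order of `cmp_case` is assumed from the asserts quoted on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model names standing in for attributes and the NFCT_CMP_* modes. */
enum attr { A_ZONE, A_OTHER, A_MAX };
enum mode { M_COMMON, M_STRICT, M_MASK };

struct obj { uint32_t set; uint32_t val[A_MAX]; };  /* set: one bit per attribute */

void obj_set(struct obj *o, enum attr a, uint32_t v) { o->set |= 1u << a; o->val[a] = v; }
static bool has(const struct obj *o, enum attr a) { return (o->set >> a) & 1u; }

/* Attributes whose unset state means "default 0"; only the zone in this model. */
static bool unset_equals_zero(enum attr a) { return a == A_ZONE; }

static bool attr_equal(const struct obj *x, const struct obj *y, enum attr a, enum mode m)
{
    bool sx = has(x, a), sy = has(y, a);
    if (sx && sy) return x->val[a] == y->val[a];
    if (!sx && !sy) return true;            /* missing in both is never a mismatch */
    if (unset_equals_zero(a) && (sx ? x : y)->val[a] == 0)
        return true;                        /* explicit zone 0 vs. unset zone */
    switch (m) {
    case M_STRICT: return false;            /* attribute subsets differ */
    case M_MASK:   return !sx;              /* x is the mask: what it sets, y must carry */
    default:       return true;             /* only the common subset is compared */
    }
}

/* Returns 1 when x and y are considered equal under mode m, else 0. */
int model_cmp(const struct obj *x, const struct obj *y, enum mode m)
{
    for (int a = 0; a < A_MAX; a++)
        if (!attr_equal(x, y, (enum attr)a, m)) return 0;
    return 1;
}

/* Build two objects with attribute a optionally set on each side, then compare. */
int cmp_case(enum attr a, bool set1, bool set2, uint32_t v1, uint32_t v2, enum mode m)
{
    struct obj o1 = { 0 }, o2 = { 0 };
    if (set1) obj_set(&o1, a, v1);
    if (set2) obj_set(&o2, a, v2);
    return model_cmp(&o1, &o2, m);
}

int main(void)
{
    printf("zone 0 vs unset, STRICT: %d\n", cmp_case(A_ZONE, true, false, 0, 0, M_STRICT));
    printf("zone 0 vs unset, MASK:   %d\n", cmp_case(A_ZONE, true, false, 0, 0, M_MASK));
    printf("zone 5 vs unset, MASK:   %d\n", cmp_case(A_ZONE, true, false, 5, 0, M_MASK));
    printf("both unset, STRICT:      %d\n", cmp_case(A_OTHER, false, false, 0, 0, M_STRICT));
    return 0;
}
```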
* qa: add api test for nfct_cmp and nfct_exp functions | Florian Westphal | 2013-06-02 | 1 | -12/+87
  Some of these checks will fail due to errors in nfct_cmp STRICT handling and missing comparison of attributes in the nfexpect_cmp functions.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libnetfilter_conntrack: don't ignore ATTR_CONNLABELS | Afschin Hormozdiary | 2013-05-20 | 2 | -0/+51
  The libnfnetlink based backend 'build.c' currently ignores ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.

  The libmnl based backend 'build_mnl.c' instead handles both attributes correctly.

  Add function to set CTA_LABELS and CTA_LABELS_MASK if required.
  Signed-off-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* api: add CTA_LABEL_MASK attribute handling | Florian Westphal | 2013-05-06 | 11 | -11/+70
  allows to set/clear only a subset of the in-kernel label set, e.g. "set bit 1 and do not change any others".
  Signed-off-by: Florian Westphal <fw@strlen.de>
* examples: add connlabel dump/set/clear demo programs | Florian Westphal | 2013-05-06 | 3 | -0/+295
  Signed-off-by: Florian Westphal <fw@strlen.de>
* api: add connlabel api and attribute | Florian Westphal | 2013-05-06 | 17 | -8/+523
  adds new labelmap api to create a name <-> bit mapping from a text file (default: /etc/xtables/connlabel.conf).

  nfct_labelmap_new(filename) is used to create the map, nfct_labelmap_destroy() releases the resources allocated for the map.

  Two functions are added to make map lookups: nfct_labelmap_get_name(map, bit) returns the name of a bit, nfct_labelmap_get_bit returns the bit associated with a name.

  The connlabel attribute is represented by a nfct_bitmask object, the nfct_bitmask api can be used to test/set/get individual bits ("labels").

  The existing nfct_attr_get/set interfaces can be used to read or replace the existing labels associated with a conntrack with a new set.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* api: add nfct_bitmask object | Florian Westphal | 2013-05-06 | 5 | -0/+196
  In order to use generic getter/setter API with upcoming conntrack label extension, add helper functions to set/test/unset bits in a vector of arbitrary size.

  Conntrack labels will then be encoded via nfct_bitmask object.

  Original idea from Pablo Neira Ayuso.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: bump version to 1.0.3 [libnetfilter_conntrack-1.0.3] | Pablo Neira Ayuso | 2013-03-04 | 1 | -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: add final OK message after checking release of clone objects | Pablo Neira Ayuso | 2013-03-04 | 1 | -0/+2
  For consistency with other tests.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: fix bogus error in test_api | Pablo Neira Ayuso | 2013-03-04 | 1 | -2/+2
  Use buf[32] as struct nfct_attr_grp_ipv6 is 32 bytes long. That fixes:
    == validate set grp API ==
    ERROR: set/get operations don't match for attribute 2 (2 != 1)
    ERROR: set/get operations don't match for attribute 3 (3 != 1)
    ERROR: set/get operations don't match for attribute 8 (8 != 1)
  Shows up with gcc 4.7.1.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next' into libnetfilter_conntrack master branch | Pablo Neira Ayuso | 2013-01-23 | 1 | -0/+2
|\
| * refresh our public copy of nfnetlink_conntrack.h | Pablo Neira Ayuso | 2012-12-04 | 1 | -0/+2
| |   To include: IPCTNL_MSG_CT_GET_DYING and IPCTNL_MSG_CT_GET_UNCONFIRMED
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Fix logic typo in cmp_secctx | Thomas Jarosch | 2012-12-27 | 1 | -1/+1
|/    cppcheck reported:
      [src/conntrack/compare.c:364] -> [src/conntrack/compare.c:364]: (style) Same expression on both sides of '||'.
      Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: fix nfct_clone with certain attribute data types | Florian Westphal | 2012-11-28 | 4 | -8/+16
  some attributes are pointers to malloc'd objects. Simply copying the pointer results in use-after free when the original or the clone is destroyed.

  Fix it by using nfct_copy instead of memcpy and add proper test case for cloned objects:
  - nfct_cmp of orig and clone should return 1 (equal)
  - freeing both the original and the clone should neither leak memory nor result in double-frees.

  the testsuite changes revealed a few more problems:
  - ct1->timeout == ct2->timeout returned 0, ie. same timeout was considered "not equal" by nfct_cmp
  - secctx comparison causes "Invalid address" valgrind warnings when pointer is NULL
  - NFCT_CP_OVERRIDE did not handle helper attribute and erroneously freed ct1 secctx memory.

  While at it, bump qa_test data dummy to 256 (else, valgrind complains about move-depends-on-uninitialized-memory).

  Lastly, fix compilation of test_api by killing bogus ATTR_CONNLABEL.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: fix handling of ATTR_HELPER_INFO attribute | Florian Westphal | 2012-11-22 | 1 | -3/+10
  The attribute is variable-length and must thus be set via set_attr_l().
  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: resolve automake-1.12 warnings | Jan Engelhardt | 2012-10-08 | 1 | -0/+1
    am/ltlibrary.am: warning: 'libnetfilter_conntrack.la': linking libtool libraries using a non-POSIX archiver requires 'AM_PROG_AR' in 'configure.ac'
  (multiple instances)
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* update LIBVERSION [libnetfilter_conntrack-1.0.2] | Pablo Neira Ayuso | 2012-10-08 | 1 | -1/+1
  bump current and age since we have new interfaces but we're backward compatible.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.0.2 | Pablo Neira Ayuso | 2012-10-08 | 1 | -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add example that creates an expectation with NAT | Pablo Neira Ayuso | 2012-09-11 | 2 | -0/+156
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: missing layer 3 protocol number in NAT information | Pablo Neira Ayuso | 2012-09-11 | 1 | -0/+3
  It was missing, add it.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: fix compilation warning in nfexp_nlmsg_build | Pablo Neira Ayuso | 2012-08-21 | 1 | -9/+0
    build_mnl.c: In function 'nfexp_nlmsg_build':
    build_mnl.c:18:11: warning: variable 'l3num' set but not used [-Wunused-but-set-variable]

  This patch relaxes the checking for the L3PROTO. The kernel will report EINVAL in case that something is missing.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix BPF code for IPv6 filtering in case of NFCT_FILTER_LOGIC_POSITIVE | Pablo Neira Ayuso | 2012-08-20 | 1 | -9/+7
    4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering

  aimed to fix a bug in the IPv6 BPF filtering. However, it didn't fix it for NFCT_FILTER_LOGIC_POSITIVE case since jump is still miscalculated.

  This chunk below shows the BPF code to filter IPv6 address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_POSITIVE is used, ie. if that address matches, accept the event.

    (0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
    (0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
    [ this above compares second 4 bytes with 00020004, if comparison fails it jumps to 003e ]
    (0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
    (0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
    [ this above compares second 4 bytes with 00060000, if comparison fails it jumps to 003e ]
    (0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
    (0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
    [ this above compares third 4 bytes with 00000000, if comparison fails it jumps to 003e ]
    (003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
    (003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
    [ this above compares last 4 bytes with 00000000, if comparison succeeded it jumps to 003f, which means, accept event ]
    (003e) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
    ---- final verdict ----
    (003f) code= BPF_RET|BPF_K jt=00 jf=00 k=ffffffff

  Just for the record: This chunk below shows the BPF code to filter IPv6 address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_NEGATIVE is used, ie. if that address matches, drop the event.

    [...]
    (0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
    (0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
    [ this above compares first 4 bytes with 00020004, if comparison fails it jumps to 003e ]
    (0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
    (0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
    [ this above compares second 4 bytes with 00060000, if comparison fails it jumps to 003e ]
    (0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
    (0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
    [ this above compares third 4 bytes with 00000000, if comparison fails it jumps to 003e ]
    (003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
    (003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
    [ this above compares last 4 bytes with 00000000, if comparison succeeded it jumps to 003e ]
    (003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001
    (003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
    [ default action specified by 003e is to drop the event ]

  Tested-by: Eric Leblond <eric@regit.org>
  Reported-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix autogenerated BPF code for IPv6 filtering | Pablo Neira Ayuso | 2012-07-25 | 1 | -9/+13
  BPF code generated for IPv6 filtering was wrong. Assuming you want to allow all traffic except ::1, the filter that libnetfilter_conntrack generates for the IPv6 address part looks like:

    [...]
    (0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
    (0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
    (0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=0a k=00000000
    (0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008 [0]
    (0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [1]
    (0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=07 k=00000000 [2]
    (0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c [3]
    (0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [4]
    (003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=04 k=00000000 [5]
    (003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010 [6]
    (003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [7]
    (003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000001 [8]
    (003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001 [9]
    (003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000 [A]

  Line 32 loads the first 4 bytes for the 32 bytes IPv6 address, then line 33 performs the binary AND with the first 4 bytes of the mask. Line 34 evaluated false for the case 2::1 that Eric reported (since 0x2 is not 0x0). Thus, jumping to line 3f that returns reject. However, 2::1 should be allowed.

  This false-jump case depends on the logic we're using, for the negative logic case, the jump offset is 9 to accept it. In the positive case (ie. accept this event message if matching happens), it has to be 10 (A), to reject it.
  Reported-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: more verbose debugging for BPF filter generation | Pablo Neira Ayuso | 2012-07-25 | 1 | -14/+86
  This patch adds more verbose output for the automatic BPF filter generation to sieve netlink messages that are received via ctnetlink.

  This code is disabled by default, only useful for debugging so far. It shouldn't be hard to provide a function to explicitly print instead.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh linux_nfnetlink_conntrack.h | Pablo Neira Ayuso | 2012-06-27 | 1 | -0/+38
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add nfct_set_attr_l and ATTR_HELPER_INFO | Pablo Neira Ayuso | 2012-06-26 | 10 | -73/+215
  This adds the ATTR_HELPER_INFO that can be used to send binary data that will be attached to the conntrack.

  This is useful for the user-space connection tracking support.

  This patch also adds a new interface:
    nfct_set_attr_l(attr, type, value, length);
  that is used to set the variable length helper information.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: move library flags to CPPFLAGS | Jan Engelhardt | 2012-06-24 | 1 | -2/+2
  Because the obtained flags are essentially that (preprocessor options).
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* examples: add example using libmnl and the new low-level API (expectation) | Pablo Neira Ayuso | 2012-05-26 | 3 | -1/+177
  This patch adds the following examples:
    nfexp-mnl-dump
    nfexp-mnl-event

  Basically, we re-use the existing object oriented handling and we provide full control on the netlink socket at the same time.
  Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* examples: add example using libmnl and the new low-level API (conntrack) | Pablo Neira Ayuso | 2012-05-26 | 9 | -2/+525
  This patch adds the following examples:
    nfct-mnl-create
    nfct-mnl-del
    nfct-mnl-dump
    nfct-mnl-event
    nfct-mnl-flush
    nfct-mnl-get

  Basically, we re-use the existing object oriented handling and we provide full control on the netlink socket at the same time.
  Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* expect: add new API to build/parse ctnetlink messages using libmnl | Pablo Neira Ayuso | 2012-05-26 | 7 | -3/+167
  This patch adds support to build and to parse netlink messages from/to one user-space nf_conntrack object. It uses libmnl, thus libnetfilter_conntrack now depends on this library.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add new API to build/parse ctnetlink messages using libmnl | Pablo Neira Ayuso | 2012-05-26 | 7 | -2/+1418
  This patch adds support to build and to parse netlink messages from/to one user-space nf_conntrack object. It uses libmnl, thus libnetfilter_conntrack now depends on this library.

  This is the first patch in the direction of removing the dependency on the veteran libnfnetlink.

  I have decided to update LIBVERSION in this patch. I know it's recommended to do this before releasing the software. I prefer to do this so snapshot packages get the correct LIBVERSION.
  Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>