Commit message | Author | Age | Files | Lines

Print [OFFLOAD] tag when listing entries via snprintf() interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Replace libnfnetlink's nfnl_fill_hdr() by more modern libmnl code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use the new libmnl version, remove duplicated code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use the new libmnl version, remove duplicated code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add missing code to handle CTA_EXPECT_CLASS, CTA_EXPECT_NAT and
CTA_EXPECT_FN from libmnl parser.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Changes in the netlink attribute layout are considered to be a kernel ABI
breakage, so report this immediately and stop execution, instead of a lazy
error back to the client application, which cannot do anything with
this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When searching for library tests, 'qa' is easily overlooked. Use a more
common name instead.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Not implemented, skip them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Library version was already bumped by b266523a03a2.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When CONNLABEL_CFG isn't available (/etc/xtables/connlabel.conf), the
conntrack tool crashes:
[marcos@Icarus ~]$ conntrack -l something
nfct_labelmap_new: No such file or directory
Segmentation fault (core dumped)
I can see this problem in Fedora 26, because connlabel.conf does not
come along with the conntrack/libnetfilter packages. This problem happens because
conntrack calls nfct_labelmap_new, which resides in
libnetfilter_conntrack. So this lib returns NULL because CONNLABEL_CFG
is not present, and then NULL is assigned to the global var called
labelmap in conntrack. Later, get_label is called, passing NULL to the
library, and __label_get_bit is called and dereferences labelmap without
a check, which leads to a crash.
With this patch the crash does not happen anymore,
and an error message is displayed:
conntrack -l something
nfct_labelmap_new: No such file or directory
conntrack v1.4.4 (conntrack-tools): unknown label 'something'
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This is a maintenance release, so the version is just bumped to 1.0.7.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
getobjopt_is_nat() used to work even if no status bits were set, by
checking if addresses don't match. Restore this behaviour for
compatibility reasons.
Fixes: 73ad642ba462 ("src: add support for IPv6 NAT")
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Otherwise we fall into the IPv6 case.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Get rid of copy & paste definitions that were made a long time ago; this is
causing problems.
Copy and rename nf_conntrack_common.h to linux_nf_conntrack_common.h,
then include it from libnetfilter_conntrack.h.
After that change, we can remove the status flags definition in
libnetfilter_conntrack.h that was copied and pasted from the above file.
This helps us solve compilation errors due to redeclaration:
/usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: redeclaration of ‘enum ip_conntrack_status’
In file included from nf-log.c:12:0: /usr/include/linux/netfilter/nf_conntrack_common.h:37:6: note: originally defined here
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This release includes NAT IPv6 support, the new nfct_labels_get_path()
interface, zones both for original and reply tuples and clang build
fixes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
clang treats "char buffer[size]" inside a union as VLAIS unless |size|
is const:
src/conntrack/api.c:992:8: error: fields must have a constant size: 'variable length array in structure' extension will never be supported
char buffer[size];
^
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Comparators are not implemented.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The conntrackd daemon lacks support for syncing IPv6 NATed connections.
This patch adds support for managing the IPv6 part of struct __nfct_nat,
also updating the corresponding symbols.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The conntrackd daemon lacks support for syncing IPv6 NATed connections.
This patch prepares the ground to give support to such operations:
* replace uint32_t with union __nfct_address in struct __nfct_nat.
* update all users of the former uint32_t to support the new struct
A follow-up patch gives support to actually manage the IPv6 NAT.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Looks like a copy & paste bug.
Reported-by: Sargun Dhillon <sargun@sargun.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
This patch adds the front-end to the recent ctnetlink interface
changes that add the zone attribute into the tuple.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The ct_echo_event and ct_mark_filter tests break `make distcheck'. Get them
out of the way until this is correctly integrated into automake.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Testing the mark filter as root by
# ./qa/ct_mark_filter.sh
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
This patch adds a mark filter for the event listener, using the same struct
nfct_filter_dump_mark as at dump.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
This breaks static builds where the toolchain completely lacks libdl.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Florian Westphal <fw@strlen.de>
nssocket forks and changes to the netns pre-established by ip(8), serving its
socket descriptor to the parent via nssocket(). Since this socket is
isolated, it can be used to create regression tests for conntrack.
This also adds a conntrack event testcase as a first user.
A ct_echo_event.sh script is provided to build and run this test
automatically:
# ./qa/ct_echo_event.sh
make: Entering directory...
...debug output like:
[NEW] tcp 6 2 SYN_SENT src=10.255.255.249 dst=10.255.255.250 sport...
[UPDATE] tcp 6 2 SYN_RECV src=10.255.255.249 dst=10.255.255.250 sport...
...
[DESTROY] icmp 1 src=10.255.255.249 dst=10.255.255.250 type=8 code=0...
# echo $?
0
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
for nfct_bitmask_clear() and nfct_bitmask_equal()
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
This patch adds two functions, useful for the ulogd IPFIX
output module.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Relax checking for MARK and ZONE to treat 'attribute not
set' like 'attribute is set to 0'.
This matches kernel behaviour: conntracks are always in zone 0,
except if specified differently. Same for connmark.
The kernel will also not include the zone/mark attributes in dumps
unless they have non-zero values.
This makes qa/test_api pass again with the updated test cases.
Reported-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Test all combinations of flags/attribute states for both
ZONE and MARK.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
nfct_filter_dump_set_attr() will set the bit.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
As reported by Ken-ichirou MATSUZAWA:
"conntrack -L --zone 0" doesn't list any output.
nfct_cmp(mask_obj, ct, NFCT_CMP_MASK)
considers ct to not match since the zone attribute
in ct is not set for the default (0) zone.
libnetfilter_conntrack should be more permissive and return
that these are equal iff 'mask_obj' has ATTR_ZONE with a 0 value,
and the ct object has ATTR_ZONE not set.
These 3 checks currently fail, even though they really should not:
assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_STRICT) == 1);
assert(test_cmp_attr32(ATTR_ZONE, false, true, 0, 0, NFCT_CMP_STRICT) == 1);
assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_MASK) == 1);
Although in all 3 cases the zone is only set in one conntrack, the value
is zero, so it should be equal to a conntrack object without the zone
bit set.
Signed-off-by: Florian Westphal <fw@strlen.de>
Unsigned, so < 0 is always false.
Signed-off-by: Florian Westphal <fw@strlen.de>
Stefan reported that the *_catch() functions documentation was imprecise
on some aspects.
Reported-by: Stefan Nicolae Stancu <Stefan.Stancu@cern.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Subtract the netlink + nfnetlink headers to pass the payload length
to nfct_payload_parse().
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Also bump LIBVERSION; we've added new interfaces and retained
backwards compatibility.
Signed-off-by: Florian Westphal <fw@strlen.de>
nfct_labelmap_new returns NULL on failure, e.g. when the file cannot be
opened. It will also fail if no labels have been parsed, and in this
case, the content of errno is random.
Avoid it by making sure that errno is re-set when no labels were found.
While at it, also change the ptr test when parsing so reviewers don't
need to triple check that this cannot result in an out-of-bounds read.
Reported-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Only dump the contents of the system-wide connlabel.conf if present
instead of expecting same content as the qa config.
Signed-off-by: Florian Westphal <fw@strlen.de>
nfct_snprintf doesn't print connlabels, as they're system specific
and can easily generate lots of output.
This adds a new helper function, nfct_snprintf_labels. It behaves like
nfct_snprintf, except that the label names in the labelmap whose bits are
contained in the connlabel attribute bitset are added to the buffer.
Output looks like this:
... mark=0 use=1 labels=eth0-in,eth1-in
or
<labels>
<label>eth0-in</label>
<label>eth1-in</label>
</labels>
Signed-off-by: Florian Westphal <fw@strlen.de>
Must free ct and exp using the _destroy functions, else we leak attributes with malloc'd data.
Signed-off-by: Florian Westphal <fw@strlen.de>
Can always lift this restriction later but for now enforce
strict label naming.
This is mainly to make sure that e.g. using
conntrack ... -o xml,connlabels
will output the expected format, without nasty surprises.
Signed-off-by: Florian Westphal <fw@strlen.de>
Can't be zero, it was already tested.
Signed-off-by: Florian Westphal <fw@strlen.de>