summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* conntrack: support for IPS_OFFLOADHEADmasterPablo Neira Ayuso2019-08-092-4/+26
| | | | | | Print [OFFLOAD] tag when listing entries via snprintf() interface. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: api: use libmnl API to build the netlink headersPablo Neira Ayuso2019-05-032-7/+51
| | | | | | Replace libnfnetlink's nfnl_fill_hdr() by more modern libmnl code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace old libnfnetlink builderPablo Neira Ayuso2019-05-022-665/+28
| | | | | | Use the new libmnl version, remove duplicated code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace old libnfnetlink parserPablo Neira Ayuso2019-05-028-780/+45
| | | | | | Use the new libmnl version, remove duplicated code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add missing handling for CTA_EXPECT_* attributesPablo Neira Ayuso2019-05-021-3/+61
| | | | | | | Add missing code to handle CTA_EXPECT_CLASS, CTA_EXPECT_NAT and CTA_EXPECT_FN from libmnl parser. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce abi_breakage()Pablo Neira Ayuso2019-05-024-29/+42
| | | | | | | | | Changes in the netlink attribute layout is considered to be a kernel ABI breakage, so report this immediately and stop execution, instead of lazy error back to the client application, which cannot do anything with this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Rename 'qa' directory to 'tests'Phil Sutter2019-03-1118-4/+4
| | | | | | | | | When searching for library tests, 'qa' is easily overlooked. Use a more common name instead. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: test_api: skip synproxy attributes in comparatorPablo Neira Ayuso2019-02-201-0/+4
| | | | | | Not implemented, skip them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump LIBVERSIONlibnetfilter_conntrack-1.0.7Arturo Borrero Gonzalez2018-05-011-1/+1
| | | | | | library version was already bumped by b266523a03a2. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* conntrack: add synproxy supportPablo Neira Ayuso2018-03-2410-0/+198
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* labels: don't crash on NULL labelmapMarcos Paulo de Souza2017-07-251-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When CONNLABEL_CFG isn't available (/etc/xtables/connlabel.conf), conntrack tool crashes: [marcos@Icarus ~]$ conntrack -l something nfct_labelmap_new: No such file or directory Segmentation fault (core dumped) I can see this problem in Fedora 26, because connlabel.conf does not come along the conntrack/libnetfilter packages. This problem happens because conntrack calls nfct_labelmap_new, which resides on libnetfilter_conntrack. So this lib returns NULL because CONNLABEL_CFG is not present, and then NULL is assigned to the global var called labelmap on conntrack. Later, get_label is called, passing NULL to the library, and __label_get_bit is called and deferences labelmap without check, which leads to a crash. With this patch the crash does not happen anymore, and an error message is displayed: conntrack -l something nfct_labelmap_new: No such file or directory conntrack v1.4.4 (conntrack-tools): unknown label 'something' Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* libnetfilter_conntrack: bump version to 1.0.7Richard Weinberger2017-07-171-1/+1
| | | | | | | This is a maintenance release, so the version is just bumped to 1.0.7. Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: revert getobjopt_is_nat() conditionKen-ichirou MATSUZAWA2017-03-031-8/+4
| | | | | | | | | | getobjopt_is_nat() used to work even if no status bits where set, by checking if addresses don't match. Restore this behaviour for compatibility reasons. Fixes: 73ad642ba462 ("src: add support for IPv6 NAT") Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix missing break in setobjopt_undo_dnat()Ken-ichirou MATSUZAWA2017-02-281-0/+1
| | | | | | | Otherwise we fall into the IPv6 case. Signed-off-by Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: expose a copy of nf_conntrack_common.hPablo Neira Ayuso2016-11-243-71/+149
| | | | | | | | | | | | | | | | | | Get rid of copy&paster definitions that were made long time ago, this is causing problems. Copy and rename nf_conntrack_common.h to linux_nf_conntrack_common.h, then include it from libnetfilter_conntrack.h After that change, we can remove the status flags definition in libnetfilter_conntrack.h that was copied and pasted from the above file. This helps us solve compilation errors due to redeclaration: /usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: redeclaration of ‘enum ip_conntrack_status’ In file included from nf-log.c:12:0: /usr/include/linux/netfilter/nf_conntrack_common.h:37:6: note: originally defined here Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.6libnetfilter_conntrack-1.0.6Pablo Neira Ayuso2016-08-222-2/+2
| | | | | | | | This release includes NAT IPv6 support, the new nfct_labels_get_path() interface, zones both for original and reply tuples and clang build fixes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Make the library compile under clangKevin Cernekee2016-08-172-4/+4
| | | | | | | | | | | | clang treats "char buffer[size]" inside a union as VLAIS unless |size| is const: src/conntrack/api.c:992:8: error: fields must have a constant size: 'variable length array in structure' extension will never be supported char buffer[size]; ^ Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: labels: add function to fetch default config file locationFlorian Westphal2016-08-084-0/+18
| | | | | | Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: update test_api with IPv6 NATArturo Borrero2016-05-251-0/+2
| | | | | | | Comparators are not implemented. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for IPv6 NATArturo Borrero2016-05-207-2/+150
| | | | | | | | | | The conntrackd daemon lacks support for syncing IPv6 NATed connections. This patch adds support for managing the IPv6 part of struct __nfct_nat, also updating the corresponsing symbols. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for IPv6 to struct __nfct_natArturo Borrero2016-05-207-45/+90
| | | | | | | | | | | | The conntrackd daemon lacks support for syncing IPv6 NATed connections. This patch prepares the ground to give support to such operations: * replace uint32_t with union __nfct_address in struct __nfct_nat. * update all users of the former uint32_t to support the new struct A follow-up patch gives support to actually manage the IPv6 NAT. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* setter: don't touch snat.max_ip in set_attr_dnat_ipv4Florian Westphal2016-01-121-1/+1
| | | | | | | looks like copy & paste bug. Reported-by: Sargun Dhillon <sargun@sargun.me> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: add zone attribute to tupleDaniel Borkmann2015-09-2914-20/+205
| | | | | | | | This patch adds the front-end to the recent ctnetlink interface changes that add the zone attribute into the tuple. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: Keep ct_echo_event and ct_mark_filter out from Makefile.amlibnetfilter_conntrack-1.0.5Pablo Neira Ayuso2015-09-081-10/+1
| | | | | | | The ct_echo_event and ct_mark_filter tests break `make distcheck'. Get them out of the way until this is corrently integrated into automake. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.5Pablo Neira Ayuso2015-09-081-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix stop timestamp assignmentKen-ichirou MATSUZAWA2015-07-071-1/+1
| | | | | Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Use stdint types everywhereFelix Janda2015-05-2530-354/+354
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Sync with kernel headersFelix Janda2015-05-251-4/+19
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: add test for mark event filterKen-ichirou MATSUZAWA2015-03-134-2/+191
| | | | | | | | | testing mark filter in root by # ./qa/ct_mark_filter.sh Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: add mark event filterKen-ichirou MATSUZAWA2015-03-134-0/+94
| | | | | | | | This patch adds mark filter for event listener, using same struct nfct_filter_dump_mark at dump. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* src/Makefile.am: drop hardcoded -ldlGustavo Zacarias2015-01-211-1/+1
| | | | | | | This breaks static builds where the toolchain completely lacks libdl. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: build unshared nfct environmentKen-ichirou MATSUZAWA2014-10-149-1/+1028
| | | | | | | | | | | | | | | | | | | | | | | nssocket forks and change netns pre-establishd by ip(8), serves its socket descriptor to parent via nssocket(). Since this socket is isolated, it can be used to create regression tests for conntrack. This also adds a conntrack event testcase as a first user. A ct_echo_event.sh script is provided to build and run this test automatically: # ./qa/ct_echo_event.sh make: Entering directory... ...debug output like: [NEW] tcp 6 2 SYN_SENT src=10.255.255.249 dst=10.255.255.250 sport... [UPDATE] tcp 6 2 SYN_RECV src=10.255.255.249 dst=10.255.255.250 sport... ... [DESTROY] icmp 1 src=10.255.255.249 dst=10.255.255.250 type=8 code=0... # echo $? 0 Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: fix symbol name typo in commentKen-ichirou MATSUZAWA2014-10-081-3/+3
| | | | | Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: add tests for new bitmask functionsKen-ichirou MATSUZAWA2014-09-111-0/+37
| | | | | | | for nfct_bitmask_clear() and nfct_bitmask_equal() Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: api: add two new bitmask functionsKen-ichirou MATSUZAWA2014-09-112-0/+32
| | | | | | | | This patch adds two functions, useful for ulogd IPFIX output module. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: compare: relax MARK/ZONE attribute comparisionFlorian Westphal2014-06-241-42/+45
| | | | | | | | | | | | | | | | Relax checking for MARK and ZONE to treat 'attribute not set' like 'attribute is set to 0'. This matches kernel behaviour, conntracks are always in zone 0, except if specified differently. Same for connmark. The kernel will also not include the zone/mark attributes in dumps unless they have non-zero values. This makes qa/test_api pass again with the updated test cases. Reported-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: update cmp ATTR_ZONE size mark and zoneKen-ichirou MATSUZAWA2014-06-241-20/+76
| | | | | | | | Test all combinations of flags/attribute states for both ZONE and MARK. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: remove duplicate codeKen-ichirou MATSUZAWA2014-06-211-2/+0
| | | | | | | nfct_filter_dump_set_attr() will set the bit. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: add cmp ATTR_ZONE regression test casesFlorian Westphal2014-06-191-0/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | As reported by Ken-ichirou MATSUZAWA: "conntrack -L --zone 0" doesn't list any output. nfct_cmp(mask_obj, ct, NFCT_CMP_MASK) considers ct to not match since the zone attribute in ct is not set for the default (0) zone. libnetfilter_conntrack should be more permissive and return that these are equal iff 'mask_obj' has ATTR_ZONE with a 0 value, and ct object has ATTR_ZONE not set. These 3 checks currently fail, even though they really should not: assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_STRICT) == 1); assert(test_cmp_attr32(ATTR_ZONE, false, true, 0, 0, NFCT_CMP_STRICT) == 1); assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_MASK) == 1); Altough in all 3 cases the zone is only set in one conntrack, the value is zero, so it should be equal to a conntrack object without the zone bit set. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: labels: remove dead codeFlorian Westphal2014-02-181-1/+1
| | | | | | unsigned, < 0 is always false. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: fix documentation regarding nfct_catch() and nfexp_catch()Pablo Neira Ayuso2014-01-302-4/+16
| | | | | | | | Stefan reported that the *_catch() functions documentation was imprecise on some aspects. Reported-by: Stefan Nicolae Stancu <Stefan.Stancu@cern.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: mnl: fix parsing payload lenKen-ichirou MATSUZAWA2014-01-291-1/+2
| | | | | | | | Substract the netlink + nfnetlink headers to pass the payload length to nfct_payload_parse(). Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: uclinux is also linuxGustavo Zacarias2013-09-171-1/+1
| | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.4libnetfilter_conntrack-1.0.4Florian Westphal2013-07-152-2/+2
| | | | | | | also bump LIBVERSION, we've added new interfaces and retained backwards compatibility. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: labels: labelmap_new: make sure errno is 0 when no labels are foundFlorian Westphal2013-07-111-1/+3
| | | | | | | | | | | | | | nfct_labelmap_new returns NULL on failure, e.g. when file cannot be opened. It will also fail if no labels have been parsed, and in this case, content of errno is random. Avoid it by making sure that errno is re-set when no labels were found. While at it, also change ptr test when parsing so reviewers don't need to triple check that this cannot result in out-of-bounds read. Reported-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* qa: test_connlabel: don't abort when system-wide config existsFlorian Westphal2013-07-111-6/+6
| | | | | | | Only dump the contents of the system-wide connlabel.conf if present instead of expecting same content as the qa config. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: api: add nfct_snprintf_labelsFlorian Westphal2013-07-046-10/+130
| | | | | | | | | | | | | | | | | | | | nfct_snprintf doesn't print connlabels, as they're system specific and can easily generate lots of output. This adds a new helper function, nfct_snprintf_labels. It behaves like nfct_snprintf, except that the label names in the labelmap whose bits are contained in connlabel attribute bitset are added to the buffer. output looks like this: output looks like this: ... mark=0 use=1 labels=eth0-in,eth1-in or <labels> <label>eth0-in</label> <label>eth1-in</label> </labels> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: callback: fix memory leak when ct has dynamically allocated attrFlorian Westphal2013-07-031-26/+8
| | | | | | Must free ct and exp using the _destroy functions, else we leak attributes with malloc'd data. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: labels: skip labels with non-alnum charactersFlorian Westphal2013-06-301-1/+27
| | | | | | | | | | | | Can always lift this restriction later but for now enforce strict label naming. This is mainly to make sure that e.g. using conntrack ... -o xml,connlabels will output the expected format, without nasty surprises. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: connlabel: remove useless testFlorian Westphal2013-06-181-2/+2
| | | | | | Can't be zero, it was already tested. Signed-off-by: Florian Westphal <fw@strlen.de>