Commit log. Each entry: subject [refs/tags] (author, date, files changed, -deletions/+insertions), followed by the commit message body.
* expect/conntrack: Avoid spurious covscan overrun warning [HEAD, master] (Phil Sutter, 2022-03-29, 4 files, -6/+6)
  It doesn't like how memset() is called for a struct nfnlhdr pointer with large size value. Pass void pointers instead. This also removes the call from __build_{expect,conntrack}() which is duplicate in __build_query_{exp,ct}() code-path.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* conntrack: fix build with kernel 5.15 and musl (Robert Marko, 2022-02-24, 2 files, -1/+1)
  Currently, with kernel 5.15 headers and musl building is failing with redefinition errors due to a conflict between the kernel and musl headers.
  Musl is able to suppress the conflicting kernel header definitions if they are included after the standard libc ones, however since ICMP definitions were moved into a separate internal header to avoid duplication this has stopped working and is breaking the builds.
  It seems that the issue is that <netinet/in.h> which contains the UAPI suppression defines is included in the internal.h header and not in the proto.h which actually includes the kernel ICMP headers and thus UAPI suppression defines are not present.
  Solve this by moving the <netinet/in.h> include before the ICMP kernel includes in the proto.h
  Fixes: bc1cb4b11403 ("conntrack: Move icmp request>reply type mapping to common file")
  Signed-off-by: Robert Marko <robimarko@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libnetfilter_conntrack: bump version to 1.0.9 [libnetfilter_conntrack-1.0.9] (Florian Westphal, 2022-02-14, 2 files, -5/+21)
  Also increment library version, see 'conntrack: add nfct_nlmsg_build_filter() helper'.
  While at it, add the LIBVERSION instructions just like in libnftnl.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: Add simple tests to TESTS variable (Phil Sutter, 2022-02-08, 2 files, -0/+10)
  This way, 'make check' and 'make distcheck' call them. Omit ct_stress/ct_events_reliable, they require root.
  For test_connlabel to find qa-connlabel.conf during 'make distcheck', use of 'srcdir' env variable is needed. Add this as a third option to not break existing use-cases.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: Fix for missing qa-connlabel.conf in tarball (Phil Sutter, 2022-02-08, 1 file, -0/+2)
  Register the file as extra dist so 'make dist' picks it up.
  Fixes: 6510a98f4139f ("api: add connlabel api and attribute")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: update obsolete autoconf macros (Jeremy Sowden, 2022-02-07, 1 file, -3/+2)
  `AC_CONFIG_HEADER` has been superseded by `AC_CONFIG_HEADERS`.
  `AM_PROG_LIBTOOL` has been superseded by `LT_INIT`.
  `AC_DISABLE_STATIC` can be replaced by an argument to `LT_INIT`.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: don't cancel nest on unknown layer 4 protocols (Pablo Neira Ayuso, 2021-12-10, 1 file, -2/+1)
  It is valid to specify CTA_PROTO_NUM with a protocol that is not natively supported by conntrack. Do not cancel the CTA_TUPLE_PROTO nest in this case.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add nfct_nlmsg_build_filter() helper (Pablo Neira Ayuso, 2021-11-14, 3 files, -16/+25)
  This helper function builds the payload of the netlink dump request including the filtering criteria.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix invmap_icmpv6 entries (Ken-ichirou MATSUZAWA, 2021-10-11, 1 file, -2/+2)
  Incorrect mapping of the expected reply message.
  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add CTA_STATS_CHAIN_TOOLONG from linux 5.15 uapi (Florian Westphal, 2021-09-08, 1 file, -0/+1)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add support for status dump filter (Florian Westphal, 2021-08-05, 3 files, -2/+21)
  This tells kernel to suppress conntrack entries that do not match the status bits/bitmask filter.
  This is useful to e.g. only list entries that are not assured (value 0, mask == ASSURED) or entries that only saw one-way traffic (value 0, mask == SEEN_REPLY).
  Signed-off-by: Florian Westphal <fw@strlen.de>
* include: sync uapi header with nf-next (Florian Westphal, 2021-08-05, 1 file, -5/+19)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: Don't use ICMP attrs in decision to build repl tuple (Luuk Paulussen, 2021-03-19, 1 file, -4/+1)
  conntrack-tools doesn't set the REPL attributes by default for updates, so for ICMP flows, the update won't be sent as building the repl tuple will fail.
  Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: check return value of nfct_nlmsg_build() (Eyal Birger, 2021-01-03, 4 files, -4/+21)
  nfct_nlmsg_build() may fail for different reasons, for example if insufficient parameters exist in the ct object. The resulting nlh would not contain any of the ct attributes.
  Some conntrack operations would still operate in such case, for example an IPCTNL_MSG_CT_DELETE message would just delete all existing conntrack entries.
  While the example as it is does supply correct parameters, it's safer as reference to validate the return value.
  Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: missing internal/proto.h in Makefile.am (Pablo Neira Ayuso, 2020-12-08, 1 file, -1/+1)
  This is breaking `make distcheck'.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update .gitignore (Jan Engelhardt, 2020-12-08, 1 file, -0/+13)
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use the right automake variables (Jan Engelhardt, 2020-12-08, 1 file, -20/+20)
  -l is a library selection and needs to go into _LDADD/_LIBADD.
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add flush filter command (Pablo Neira Ayuso, 2020-10-29, 2 files, -0/+4)
  The NFCT_Q_FLUSH command flushes both IPv4 and IPv6 conntrack tables. Add new command NFCT_Q_FLUSH_FILTER that allows flushing based on the family, to retain backward compatibility on NFCT_Q_FLUSH.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add CTA_STATS_CLASH_RESOLVE (Florian Westphal, 2020-08-26, 1 file, -0/+1)
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: sctp: update states (Florian Westphal, 2020-08-14, 2 files, -0/+4)
  With more recent kernels "conntrack -L" prints NONE instead of HEARTBEAT_SENT/RECEIVED because the state is unknown in userspace.
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: dccp print function should use dccp state (Florian Westphal, 2020-08-14, 1 file, -1/+1)
  Found while reading code, compile tested only.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: Fix buffer overflows in __snprintf_protoinfo* like in *2str fns (Daniel Gröber, 2020-07-01, 1 file, -15/+39)
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix buffer overflow in protocol related snprintf functions (Daniel Gröber, 2020-07-01, 2 files, -10/+24)
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Move icmp request>reply type mapping to common file (Daniel Gröber, 2020-07-01, 6 files, -65/+62)
  Currently the invmap_icmp* arrays are duplicated in setter.c and grp_setter.c. This moves them to a new module 'proto'.
  Instead of having the code access the arrays directly we provide new wrapper functions __icmp{,v6}_reply_type.
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix buffer overflow on invalid icmp type in setters (Daniel Gröber, 2020-07-01, 2 files, -7/+12)
  When type is out of range for the invmap_icmp{,v6} array we leave rtype at zero which will map to type=255 just like other error cases in this function.
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Add ARRAY_SIZE() macro (Daniel Gröber, 2020-07-01, 1 file, -0/+2)
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix incorrect snprintf size calculation (Daniel Gröber, 2020-07-01, 1 file, -1/+1)
  The previous BUFFER_SIZE() call already updated the remaining 'len'. So there is no need to subtract 'size' again.
  While this just makes the buffer appear smaller than it is, which is mostly harmless, the subtraction might underflow as 'size > len' is not checked like BUFFER_SIZE() does.
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Replace strncpy with snprintf to improve null byte handling (Daniel Gröber, 2020-07-01, 5 files, -18/+15)
  We currently use strncpy in a bunch of places which has this weird quirk where it doesn't write a terminating null byte if the input string is >= the max length. To mitigate this we write a null byte to the last character manually. While this works it is easy to forget.
  Instead we should just be using snprintf which has more sensible behaviour as it always writes a null byte even when truncating the string.
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix nfexp_snprintf return value docs (Daniel Gröber, 2020-07-01, 1 file, -2/+3)
  The docs currently say "[...] Otherwise, 0 is returned." which is just completely wrong. Just like nfct_snprintf the expected buffer size is returned.
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Handle negative snprintf return values properly (Daniel Gröber, 2020-07-01, 4 files, -3/+11)
  Currently the BUFFER_SIZE macro doesn't take negative 'ret' values into account. A negative return should just be passed through to the caller, snprintf will already have set 'errno' properly.
  Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add IPS_HW_OFFLOAD flag (Pablo Neira Ayuso, 2020-04-28, 2 files, -3/+19)
  This flag specifies that this conntrack entry is in hardware.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnetfilter_conntrack.pc.in: add LIBMNL_LIBS to Libs.Private (Fabrice Fontaine, 2020-04-14, 1 file, -1/+1)
  Since version 1.0.8 and commit c1c0f16c1fedb46547c2e104beeaaeac5933b214, libnetfilter_conntrack depends on libmnl so add it to Libs.Private. Otherwise, applications such as dnsmasq will fail to link on:
  /home/buildroot/autobuild/instance-0/output-1/host/bin/arm-linux-gcc -Wl,-elf2flt -static -o dnsmasq cache.o rfc1035.o util.o option.o forward.o network.o dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o -L/home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib -lnetfilter_conntrack -L/home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib -lnfnetlink
  /home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: /home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib/libnetfilter_conntrack.a(api.o): in function `nfct_fill_hdr.constprop.4':
  api.c:(.text+0x34): undefined reference to `mnl_nlmsg_put_header'
  Fixes:
  - http://autobuild.buildroot.org/results/3fdc2cba20162eb86eaa5c49a056fb40fb18a392
  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnetfilter_conntrack: bump version to 1.0.8 [libnetfilter_conntrack-1.0.8] (Pablo Neira Ayuso, 2020-04-01, 1 file, -1/+1)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: parse_mnl: fix gcc compile warning (Pablo Neira Ayuso, 2020-04-01, 1 file, -0/+1)
  parse_mnl.c: In function ‘nfexp_nlmsg_parse’:
  parse_mnl.c:142:3: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
    142 |   strncpy(exp->helper_name,
        |   ^~~~~~~~~~~~~~~~~~~~~~~~~
    143 |           mnl_attr_get_str(tb[CTA_EXPECT_HELP_NAME]),
        |           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    144 |           NFCT_HELPER_NAME_MAX);
        |           ~~~~~~~~~~~~~~~~~~~~~
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: support for IPS_OFFLOAD (Pablo Neira Ayuso, 2019-08-09, 2 files, -4/+26)
  Print [OFFLOAD] tag when listing entries via snprintf() interface.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: api: use libmnl API to build the netlink headers (Pablo Neira Ayuso, 2019-05-03, 2 files, -7/+51)
  Replace libnfnetlink's nfnl_fill_hdr() by more modern libmnl code.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace old libnfnetlink builder (Pablo Neira Ayuso, 2019-05-02, 2 files, -665/+28)
  Use the new libmnl version, remove duplicated code.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace old libnfnetlink parser (Pablo Neira Ayuso, 2019-05-02, 8 files, -780/+45)
  Use the new libmnl version, remove duplicated code.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add missing handling for CTA_EXPECT_* attributes (Pablo Neira Ayuso, 2019-05-02, 1 file, -3/+61)
  Add missing code to handle CTA_EXPECT_CLASS, CTA_EXPECT_NAT and CTA_EXPECT_FN from libmnl parser.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce abi_breakage() (Pablo Neira Ayuso, 2019-05-02, 4 files, -29/+42)
  Changes in the netlink attribute layout are considered to be a kernel ABI breakage, so report this immediately and stop execution, instead of lazily erroring back to the client application, which cannot do anything with this.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Rename 'qa' directory to 'tests' (Phil Sutter, 2019-03-11, 18 files, -4/+4)
  When searching for library tests, 'qa' is easily overlooked. Use a more common name instead.
  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: test_api: skip synproxy attributes in comparator (Pablo Neira Ayuso, 2019-02-20, 1 file, -0/+4)
  Not implemented, skip them.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump LIBVERSION [libnetfilter_conntrack-1.0.7] (Arturo Borrero Gonzalez, 2018-05-01, 1 file, -1/+1)
  Library version was already bumped by b266523a03a2.
  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* conntrack: add synproxy support (Pablo Neira Ayuso, 2018-03-24, 10 files, -0/+198)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* labels: don't crash on NULL labelmap (Marcos Paulo de Souza, 2017-07-25, 1 file, -2/+8)
  When CONNLABEL_CFG isn't available (/etc/xtables/connlabel.conf), conntrack tool crashes:
  [marcos@Icarus ~]$ conntrack -l something
  nfct_labelmap_new: No such file or directory
  Segmentation fault (core dumped)
  I can see this problem in Fedora 26, because connlabel.conf does not come along with the conntrack/libnetfilter packages.
  This problem happens because conntrack calls nfct_labelmap_new, which resides on libnetfilter_conntrack. So this lib returns NULL because CONNLABEL_CFG is not present, and then NULL is assigned to the global var called labelmap on conntrack. Later, get_label is called, passing NULL to the library, and __label_get_bit is called and dereferences labelmap without a check, which leads to a crash.
  With this patch the crash does not happen anymore, and an error message is displayed:
  conntrack -l something
  nfct_labelmap_new: No such file or directory
  conntrack v1.4.4 (conntrack-tools): unknown label 'something'
  Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libnetfilter_conntrack: bump version to 1.0.7 (Richard Weinberger, 2017-07-17, 1 file, -1/+1)
  This is a maintenance release, so the version is just bumped to 1.0.7.
  Signed-off-by: Richard Weinberger <richard@nod.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: revert getobjopt_is_nat() condition (Ken-ichirou MATSUZAWA, 2017-03-03, 1 file, -8/+4)
  getobjopt_is_nat() used to work even if no status bits were set, by checking if addresses don't match. Restore this behaviour for compatibility reasons.
  Fixes: 73ad642ba462 ("src: add support for IPv6 NAT")
  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix missing break in setobjopt_undo_dnat() (Ken-ichirou MATSUZAWA, 2017-02-28, 1 file, -0/+1)
  Otherwise we fall into the IPv6 case.
  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: expose a copy of nf_conntrack_common.h (Pablo Neira Ayuso, 2016-11-24, 3 files, -71/+149)
  Get rid of copy&paste definitions that were made a long time ago, this is causing problems.
  Copy and rename nf_conntrack_common.h to linux_nf_conntrack_common.h, then include it from libnetfilter_conntrack.h
  After that change, we can remove the status flags definition in libnetfilter_conntrack.h that was copied and pasted from the above file.
  This helps us solve compilation errors due to redeclaration:
  /usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: redeclaration of ‘enum ip_conntrack_status’
  In file included from nf-log.c:12:0:
  /usr/include/linux/netfilter/nf_conntrack_common.h:37:6: note: originally defined here
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.6 [libnetfilter_conntrack-1.0.6] (Pablo Neira Ayuso, 2016-08-22, 2 files, -2/+2)
  This release includes NAT IPv6 support, the new nfct_labels_get_path() interface, zones both for original and reply tuples and clang build fixes.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>