Commit messages

Adds new labelmap api to create a name <-> bit mapping
from a text file (default: /etc/xtables/connlabel.conf).
nfct_labelmap_new(filename) is used to create the map,
nfct_labelmap_destroy() releases the resources allocated for the map.
Two functions are added to make map lookups:
nfct_labelmap_get_name(map, bit) returns the name of a bit,
nfct_labelmap_get_bit returns the bit associated with a name.
The connlabel attribute is represented by a nfct_bitmask object, the
nfct_bitmask api can be used to test/set/get individual bits
("labels").
The existing nfct_attr_get/set interfaces can be used to read or
replace the existing labels associated with a conntrack with a new set.
Signed-off-by: Florian Westphal <fw@strlen.de>
In order to use generic getter/setter API with upcoming
conntrack label extension, add helper functions to set/test/unset
bits in a vector of arbitrary size.
Conntrack labels will then be encoded via nfct_bitmask object.
Original idea from Pablo Neira Ayuso.
Signed-off-by: Florian Westphal <fw@strlen.de>
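The two pieces described in the labelmap and bitmask commits above, as an added self-contained illustration rather than libnetfilter_conntrack's own code: a range-checked bit vector of arbitrary size with set/test/unset helpers, and a name <-> bit map parsed from text in the "<bit> <name>" format with '#' comments that the example assumes for connlabel.conf. The type and function names (bitmask_*, labelmap_*, labels_to_bitmask, SAMPLE_CONF) are hypothetical and differ from the library's nfct_bitmask_* and nfct_labelmap_* API; the config text is constructed for the example. Note that the parser rejects a duplicate bit or a duplicate name so the mapping stays one-to-one, and the setters refuse out-of-range bits instead of writing past the vector.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit vector of arbitrary size; bits 0..maxbit are valid. Hypothetical type,
 * not the library's struct nfct_bitmask. */
struct bitmask { unsigned int maxbit; uint32_t *words; };

struct bitmask *bitmask_new(unsigned int maxbit)
{
    struct bitmask *b = calloc(1, sizeof(*b));
    if (!b) return NULL;
    b->maxbit = maxbit;
    b->words = calloc(maxbit / 32 + 1, sizeof(uint32_t));
    if (!b->words) { free(b); return NULL; }
    return b;
}

void bitmask_destroy(struct bitmask *b) { if (b) { free(b->words); free(b); } }

/* set/unset refuse (-1) an out-of-range bit rather than write past the
 * vector; test reads an out-of-range bit as 0. */
int bitmask_set_bit(struct bitmask *b, unsigned int bit)
{
    if (bit > b->maxbit) return -1;
    b->words[bit / 32] |= (uint32_t)1 << (bit % 32);
    return 0;
}
int bitmask_unset_bit(struct bitmask *b, unsigned int bit)
{
    if (bit > b->maxbit) return -1;
    b->words[bit / 32] &= ~((uint32_t)1 << (bit % 32));
    return 0;
}
int bitmask_test_bit(const struct bitmask *b, unsigned int bit)
{
    return bit > b->maxbit ? 0 : (int)((b->words[bit / 32] >> (bit % 32)) & 1);
}

/* Name <-> bit map. Assumed input format (modelled on connlabel.conf): one
 * "<bit> <name>" per line, '#' starts a comment, blank lines are ignored. */
#define LABELMAP_BITS 128
struct labelmap { char *names[LABELMAP_BITS]; }; /* NULL = unassigned bit */

int labelmap_get_bit(const struct labelmap *m, const char *name)
{
    for (unsigned int i = 0; i < LABELMAP_BITS; i++)
        if (m->names[i] && strcmp(m->names[i], name) == 0) return (int)i;
    return -1;
}
const char *labelmap_get_name(const struct labelmap *m, unsigned int bit)
{
    return bit < LABELMAP_BITS ? m->names[bit] : NULL;
}

/* A duplicate bit or duplicate name is skipped so the mapping stays
 * one-to-one in both directions. */
struct labelmap *labelmap_from_string(const char *text)
{
    struct labelmap *m = calloc(1, sizeof(*m));
    char *copy = strdup(text), *save = NULL;
    if (!m || !copy) { free(m); free(copy); return NULL; }
    for (char *line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        char name[64], *hash = strchr(line, '#');
        unsigned int bit;
        if (hash) *hash = '\0';
        if (sscanf(line, "%u %63s", &bit, name) != 2) continue; /* blank/comment/malformed */
        if (bit >= LABELMAP_BITS || m->names[bit] || labelmap_get_bit(m, name) >= 0) continue;
        m->names[bit] = strdup(name);
    }
    free(copy);
    return m;
}
void labelmap_destroy(struct labelmap *m)
{
    if (!m) return;
    for (unsigned int i = 0; i < LABELMAP_BITS; i++) free(m->names[i]);
    free(m);
}

/* Constructed sample config (not a real connlabel.conf). */
static const char SAMPLE_CONF[] =
    "# constructed sample\n"
    "0 eth0-in\n"
    "1 eth0-out\n\n"
    "5 vpn\n"
    "1 duplicate-bit   # skipped: bit 1 already taken\n"
    "7 eth0-in         # skipped: name already taken\n";

/* Translates label names into bits of the mask; returns how many were set
 * (names missing from the map are skipped). */
int labels_to_bitmask(const struct labelmap *m, struct bitmask *b,
                      const char *const *names, size_t n)
{
    int set = 0;
    for (size_t i = 0; i < n; i++) {
        int bit = labelmap_get_bit(m, names[i]);
        if (bit >= 0 && bitmask_set_bit(b, (unsigned int)bit) == 0) set++;
    }
    return set;
}
```

labels_to_bitmask is the entry point: parse SAMPLE_CONF with labelmap_from_string, allocate a mask with bitmask_new(LABELMAP_BITS - 1), and pass the label names you want set. With the sample above, "eth0-in" lands on bit 0 and "vpn" on bit 5, while the conflicting "duplicate-bit" and second "eth0-in" lines never enter the map.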
For consistency with other tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use buf[32] as struct nfct_attr_grp_ipv6 is 32 bytes long. That fixes:
== validate set grp API ==
ERROR: set/get operations don't match for attribute 2 (2 != 1)
ERROR: set/get operations don't match for attribute 3 (3 != 1)
ERROR: set/get operations don't match for attribute 8 (8 != 1)
Shows up with gcc 4.7.1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Some attributes are pointers to malloc'd objects. Simply copying the
pointer results in use-after-free when the original or the clone is
destroyed.
Fix it by using nfct_copy instead of memcpy and add proper test case
for cloned objects:
- nfct_cmp of orig and clone should return 1 (equal)
- freeing both the original and the clone should
neither leak memory nor result in double-frees.
The testsuite changes revealed a few more problems:
- ct1->timeout == ct2->timeout returned 0, i.e. same timeout
was considered "not equal" by nfct_cmp
- secctx comparison causes "Invalid address" valgrind warnings
when pointer is NULL
- NFCT_CP_OVERRIDE did not handle helper attribute and
erroneously freed ct1 secctx memory.
While at it, bump qa_test data dummy to 256 (else, valgrind
complains about move-depends-on-uninitialized-memory).
Lastly, fix compilation of test_api by killing bogus ATTR_CONNLABEL.
Signed-off-by: Florian Westphal <fw@strlen.de>
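The clone defect this commit describes, reduced to an added stand-alone illustration that is not libnetfilter_conntrack code: a hypothetical struct obj carries one inline attribute (timeout) and one optional heap-allocated attribute (secctx). obj_clone_shallow shows the memcpy-style copy that leaves both objects owning the same buffer, obj_clone is the attribute-wise deep copy that fixes it, and obj_cmp returns 1 for equal objects while treating two unset secctx pointers as equal and never dereferencing a NULL one. All names and the sample label string are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical object: one inline attribute plus one optional attribute
 * stored in malloc'd memory (stands in for conntrack attributes such as
 * the secctx string). */
struct obj {
    unsigned int timeout;
    char *secctx; /* NULL when the attribute is unset */
};

struct obj *obj_new(unsigned int timeout, const char *secctx)
{
    struct obj *o = calloc(1, sizeof(*o));
    if (!o) return NULL;
    o->timeout = timeout;
    if (secctx) {
        o->secctx = strdup(secctx);
        if (!o->secctx) { free(o); return NULL; }
    }
    return o;
}

void obj_destroy(struct obj *o)
{
    if (o) { free(o->secctx); free(o); }
}

/* The defect: a byte-wise copy duplicates the secctx pointer, so original
 * and clone share one buffer. Destroying either leaves the other dangling
 * (use-after-free), destroying both double-frees. */
struct obj *obj_clone_shallow(const struct obj *o)
{
    struct obj *c = malloc(sizeof(*c));
    if (c) memcpy(c, o, sizeof(*c));
    return c;
}

/* The fix: copy attribute by attribute and allocate fresh storage for the
 * pointer-valued one, so each object frees only what it owns. */
struct obj *obj_clone(const struct obj *o)
{
    return obj_new(o->timeout, o->secctx);
}

/* Returns 1 when equal, 0 otherwise. Two unset secctx values compare equal;
 * a NULL on one side is never dereferenced. */
int obj_cmp(const struct obj *a, const struct obj *b)
{
    if (a->timeout != b->timeout) return 0;
    if (!a->secctx || !b->secctx) return a->secctx == b->secctx;
    return strcmp(a->secctx, b->secctx) == 0;
}

/* 1 if both objects point at the same secctx buffer (the shallow-copy hazard
 * a clone test should check for). */
int obj_shares_storage(const struct obj *a, const struct obj *b)
{
    return a->secctx != NULL && a->secctx == b->secctx;
}
```

A clone test in the spirit of the commit checks both properties at once: obj_cmp(orig, clone) must return 1 and obj_shares_storage(orig, clone) must return 0, after which destroying both objects is safe. Running the same checks on obj_clone_shallow exposes the aliasing, and there only the struct itself may be freed, since the buffer still belongs to the original.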
The attribute is variable-length and must thus be set via set_attr_l().
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
The compiler is probably smart enough to see that the type cannot
change, but make an "else" out of it, just for fun.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
"-ldl" is not needed since the programs themselves never use functions
from libdl. Also, -dynamic is not required at all.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch improves several aspects of the QA tools to stress
the conntrack system via ctnetlink and to check reliable event
delivery.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ct_stress adds plenty of flows in assured state (worst case
for the conntrack table).
ct_events_reliable forces reliable event delivery.
You have to use these tools together:
./ct_events_reliable &
then:
./ct_stress 65535 # your ct table size
If things go well, you will end up hitting ENOMEM.
Both as root, of course.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nfexp_cmp that allows you to compare two expectation
objects.
This includes the extension of test_api for this new function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Wall flags this:
make test_api test_filter
make[1]: Entering directory `/home/jengelh/code/libnetfilter_conntrack/qa'
CC test_api.o
test_api.c:16:8: warning: return type defaults to "int"
test_api.c: In function "eval_sigterm":
test_api.c:23:18: warning: too many arguments for format
test_api.c: In function "main":
test_api.c:55:2: warning: implicit declaration of function "fork"
test_api.c:34:22: warning: unused variable "h"
test_api.c:102:1: warning: control reaches end of non-void function
test_api.c: In function "eval_sigterm":
test_api.c:29:1: warning: control reaches end of non-void function
CCLD test_api
CC test_filter.o
test_filter.c: In function "main":
test_filter.c:58:4: warning: implicit declaration of function "inet_addr"
test_filter.c:74:2: warning: implicit declaration of function "strerror"
test_filter.c:74:2: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
test_filter.c:75:1: warning: control reaches end of non-void function
CCLD test_filter
make[1]: Leaving directory `/home/jengelh/code/libnetfilter_conntrack/qa'
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This patch reworks the BSF automatic generation code. This
feature needs more love and it has several limitations like
that the maximum number of IPs is 127 due to BSF code
restrictions. See this patch as a first step forward.
This patch also adds the stack data type, which is used to
resolve jumps dynamically instead of the previous static
approach.
This patch also includes fixes in the limitations, previous
calculations were wrong.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a rudimentary test file to check for possible unset
indirect function calls. This automated test should be run after
adding a new attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>