* src: replace old libnfnetlink parser
  Pablo Neira Ayuso, 2019-05-02, 1 file changed (-1/+1)
  Use the new libmnl version, remove duplicated code.
  Signed-off-by: Pablo Neira Ayuso <>
* api: add connlabel api and attribute
  Florian Westphal, 2013-05-06, 1 file changed (-0/+1)
  adds new labelmap api to create a name <-> bit mapping from a text file (default: /etc/xtables/connlabel.conf). nfct_labelmap_new(filename) is used to create the map, nfct_labelmap_destroy() releases the resources allocated for the map. Two functions are added to make map lookups: nfct_labelmap_get_name(map, bit) returns the name of a bit, nfct_labelmap_get_bit returns the bit associated with a name. The connlabel attribute is represented by a nfct_bitmask object; the nfct_bitmask api can be used to test/set/get individual bits ("labels"). The existing nfct_attr_get/set interfaces can be used to read or replace the existing labels associated with a conntrack with a new set.
  Signed-off-by: Florian Westphal <>
* conntrack: add new API to build/parse ctnetlink messages using libmnl
  Pablo Neira Ayuso, 2012-05-26, 1 file changed (-0/+1)
  This patch adds support to build and to parse netlink messages from/to one user-space nf_conntrack object. It uses libmnl, thus libnetfilter_conntrack now depends on this library. This is the first patch in the direction of removing the dependency on the veteran libnfnetlink. I have decided to update LIBVERSION in this patch. I know it's recommended to do this before releasing the software. I prefer to do this so snapshot packages get the correct LIBVERSION.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrack: add support for CTA_MARK_MASK and filtered dumping
  Pablo Neira Ayuso, 2012-02-09, 1 file changed (-1/+1)
  This patch adds the infrastructure to allow filtered dumping. See utils/conntrack_dump_filter.c for instance.
  Signed-off-by: Pablo Neira Ayuso <>
* build: use -Wall across the entire source
  Jan Engelhardt, 2010-12-30, 1 file changed (-2/+0)
  Signed-off-by: Jan Engelhardt <>
* src: allow to use nfct handler for conntrack and expectations at the same time
  Pablo Neira Ayuso, 2010-11-08, 1 file changed (-1/+1)
  This patch re-works the callback handling to allow the use of the same socket to send/receive commands and listen to events of both conntrack and expectation subsystems. Now you can register one callback for conntrack and one for expectation with the same handler with no problems (before this patch, this was not possible; you required two different handlers).
  Signed-off-by: Pablo Neira Ayuso <>
* build: no need for error message in PKG_CHECK_MODULES
  Jan Engelhardt, 2010-10-30, 1 file changed (-2/+1)
  PKG_CHECK_MODULES already produces its own (and more verbose) message when a module cannot be found. Mucking around with CFLAGS and LIBS is also not needed since pkgconfig takes care of providing variables, so let's use them in
  Signed-off-by: Jan Engelhardt <>
* build: remove -fPIC flag
  Jan Engelhardt, 2010-10-30, 1 file changed (-1/+1)
  libtool automatically adds PIC flags as needed.
  Signed-off-by: Jan Engelhardt <>
* bsf: major rework of the BSF generation code
  Pablo Neira Ayuso, 2008-11-25, 1 file changed (-1/+2)
  This patch reworks the BSF automatic generation code. This feature needs more love and it has several limitations, for example that the maximum number of IPs is 127 due to BSF code restrictions. See this patch as a first step forward. This patch also adds the stack data type, which is used to resolve jumps dynamically instead of the previous static approach. This patch also includes fixes in the limitations; previous calculations were wrong.
  Signed-off-by: Pablo Neira Ayuso <>
* groups: add attribute group API
  Pablo Neira Ayuso, 2008-10-30, 1 file changed (-1/+2)
  This new API allows you to set and get some logical set of attributes. This is not intended to replace the existing per-attribute get/set API but to provide a more efficient way to get/set certain attributes. This change includes an example file (conntrack_grp_create.c) of the use of the attribute group API. See ATTR_GRP_* for more information on the existing groups.
  Signed-off-by: Pablo Neira Ayuso <>
* add berkeley socket filtering high-level API
  Pablo Neira Ayuso, 2008-07-17, 1 file changed (-1/+2)
  This patch adds an abstraction level to berkeley sockets filter (BSF) for Netlink sockets available since Linux kernel 2.6.26. This provides an easy way to attach filters without knowing about BSF at all.
  Signed-off-by: Pablo Neira Ayuso <>
* - add nfct_cmp (replacement for nfct_compare, a bit more flexible)
  Pablo Neira Ayuso <pablo@netfilter.org>, 2008-04-13, 1 file changed (-1/+2)
  - add nfct_copy
  - conditional build of original and reply tuples
  - fix secmark parsing
* several cleanups for
  Neira Ayuso <pablo@netfilter.org>, 2008-01-13, 1 file changed (-12/+8)
* - fix compilation warning in snprintf.c
  Pablo Neira Ayuso <pablo@netfilter.org>, 2007-04-24, 1 file changed (-1/+2)
  - introduce the new compare infrastructure: much simpler than the previous one
  - introduce nfct_maxsize for nf_conntrack objects allocated on the stack
  - stricter checks in nfct_set_attr: third parameter is const
* Introduce the new libnetfilter_conntrack API, features:
  pablo <pablo@netfilter.org> (Netfilter Project, Development, Berlin), 2006-12-19, 1 file changed (-0/+17)
  - object oriented infrastructure
  - extensible and configurable output (XML)
  - low level functions to interact with netlink details
  - fairly documented
  Still backward compatible.