Commit messages

Replace libnfnetlink's nfnl_fill_hdr() by more modern libmnl code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use the new libmnl version, remove duplicated code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
clang treats "char buffer[size]" inside a union as VLAIS unless |size|
is const:
src/conntrack/api.c:992:8: error: fields must have a constant size: 'variable length array in structure' extension will never be supported
char buffer[size];
^
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
This patch adds two functions, useful for the ulogd IPFIX
output module.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Stefan reported that the *_catch() functions documentation was imprecise
on some aspects.
Reported-by: Stefan Nicolae Stancu <Stefan.Stancu@cern.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nfct_snprintf doesn't print connlabels, as they're system specific
and can easily generate lots of output.
This adds a new helper function, nfct_snprintf_labels. It behaves like
nfct_snprintf, except that the label names in the labelmap whose bits are
contained in the connlabel attribute bitset are added to the buffer.
Output looks like this:
... mark=0 use=1 labels=eth0-in,eth1-in
or
<labels>
<label>eth0-in</label>
<label>eth1-in</label>
</labels>
Signed-off-by: Florian Westphal <fw@strlen.de>
Allows setting/clearing only a subset of the in-kernel label set, e.g.
"set bit 1 and do not change any others".
Signed-off-by: Florian Westphal <fw@strlen.de>
Adds a new labelmap API to create a name <-> bit mapping
from a text file (default: /etc/xtables/connlabel.conf).
nfct_labelmap_new(filename) is used to create the map,
nfct_labelmap_destroy() releases the resources allocated for the map.
Two functions are added to make map lookups:
nfct_labelmap_get_name(map, bit) returns the name of a bit,
nfct_labelmap_get_bit returns the bit associated with a name.
The connlabel attribute is represented by a nfct_bitmask object; the
nfct_bitmask API can be used to test/set/get individual bits
("labels").
The existing nfct_attr_get/set interfaces can be used to read or
replace the existing labels associated with a conntrack with a new set.
Signed-off-by: Florian Westphal <fw@strlen.de>
In order to use generic getter/setter API with upcoming
conntrack label extension, add helper functions to set/test/unset
bits in a vector of arbitrary size.
Conntrack labels will then be encoded via nfct_bitmask object.
Original idea from Pablo Neira Ayuso.
Signed-off-by: Florian Westphal <fw@strlen.de>
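A self-contained sketch of the bit-vector and labelmap ideas described in this commit and in the labelmap and nfct_snprintf_labels commits above. This is added example code, not libnetfilter_conntrack's implementation: the function names are hypothetical, the "<bit> <name>" line format and the 128-label limit are assumptions, and the map text is constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define MAX_LABELS 128   /* constructed size for this example, not the library's */

/* Bit vector of arbitrary size: the idea behind the nfct_bitmask object. */
struct bitmask { uint32_t w[MAX_LABELS / 32]; };
static void bitmask_set(struct bitmask *b, unsigned bit)   { b->w[bit / 32] |=  1u << (bit % 32); }
static void bitmask_unset(struct bitmask *b, unsigned bit) { b->w[bit / 32] &= ~(1u << (bit % 32)); }
static int  bitmask_test(const struct bitmask *b, unsigned bit) { return (b->w[bit / 32] >> (bit % 32)) & 1u; }

/* Name <-> bit map built from "<bit> <name>" lines (assumed connlabel.conf format). */
struct labelmap { char names[MAX_LABELS][64]; };
/* Returns the number of labels loaded, or -1 on a malformed or out-of-range line. */
static int labelmap_parse(struct labelmap *m, const char *text)
{
    int count = 0;
    memset(m, 0, sizeof *m);
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[96];
        if (len >= sizeof line) return -1;            /* reject over-long lines instead of truncating */
        memcpy(line, text, len); line[len] = '\0';
        text += eol ? len + 1 : len;
        if (line[0] == '#' || line[0] == '\0') continue;   /* comments and blank lines */
        unsigned bit; char name[64];
        if (sscanf(line, "%u %63s", &bit, name) != 2 || bit >= MAX_LABELS) return -1;
        snprintf(m->names[bit], sizeof m->names[bit], "%s", name);
        count++;
    }
    return count;
}
static int labelmap_get_bit(const struct labelmap *m, const char *name)
{
    for (unsigned i = 0; i < MAX_LABELS; i++)
        if (m->names[i][0] && strcmp(m->names[i], name) == 0) return (int)i;
    return -1;   /* unknown label name */
}
/* Render the set bits as "labels=a,b", the nfct_snprintf_labels text form quoted above. */
static int snprintf_labels(char *buf, size_t size, const struct bitmask *b, const struct labelmap *m)
{
    int len = snprintf(buf, size, "labels="), first = 1;
    for (unsigned i = 0; i < MAX_LABELS && (size_t)len < size; i++) {
        if (!bitmask_test(b, i) || !m->names[i][0]) continue;   /* skip unset or unnamed bits */
        len += snprintf(buf + len, size - len, "%s%s", first ? "" : ",", m->names[i]);
        first = 0;
    }
    return len;
}
```

Setting or clearing one bit with bitmask_set/bitmask_unset leaves every other label untouched, which is the "set bit 1 and do not change any others" case from the commit above.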
Some attributes are pointers to malloc'd objects. Simply copying the
pointer results in a use-after-free when the original or the clone is
destroyed.
Fix it by using nfct_copy instead of memcpy and add a proper test case
for cloned objects:
- nfct_cmp of orig and clone should return 1 (equal)
- freeing both the original and the clone should
neither leak memory nor result in double-frees.
The testsuite changes revealed a few more problems:
- ct1->timeout == ct2->timeout returned 0, i.e. the same timeout
was considered "not equal" by nfct_cmp
- secctx comparison causes "Invalid address" valgrind warnings
when the pointer is NULL
- NFCT_CP_OVERRIDE did not handle the helper attribute and
erroneously freed ct1 secctx memory.
While at it, bump qa_test data dummy to 256 (else, valgrind
complains about move-depends-on-uninitialized-memory).
Lastly, fix compilation of test_api by killing the bogus ATTR_CONNLABEL.
Signed-off-by: Florian Westphal <fw@strlen.de>
This adds the ATTR_HELPER_INFO that can be used to send binary data
that will be attached to the conntrack. This is useful for the
user-space connection tracking support.
This patch also adds a new interface:
nfct_set_attr_l(attr, type, value, length);
that is used to set the variable length helper information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The previous patch was incomplete. This fixes several issues with
it, like the IPv4 and IPv6 addresses being mutually exclusive; thus,
the getter operation works. There is no sane way to support the setter
operation correctly, thus it's been documented that it has no
effect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the infrastructure to allow filtered dumping.
See utils/conntrack_dump_filter.c for instance.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Now, struct nf_expect takes only 192 bytes, instead of 1KB.
struct nf_conntrack takes 296 bytes instead of 328 bytes.
The size of the nf_expect structure has been reduced by rearranging
the layout of the nf_conntrack structure. For the nf_conntrack case,
this removes the allocation of room for attributes that the master
tuple does not use (more specifically, the NATseq bytes).
This patch modifies the binary layout of struct nf_conntrack.
This should not be a problem since the definition of this
object is opaque (it can be only accessed via get/set API).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch is *not* changing the licensing terms of this library (which
was initially released under GPLv2 and later on extended to GPLv2+ after
contacting all the contributors who kindly agreed to extend it to any
later GPL version).
Jan says: "In libnetfilter_conntrack, there are many .c files declaring
GNU GPL incorporated herein by reference without telling which version(s)
exactly apply. Given src/main.c for example is actually GPL-2.0+,
the reference made is ambiguous."
This patch should definitely clarify this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This closes netfilter bugzilla #754:
http://bugzilla.netfilter.org/show_bug.cgi?id=754
Reported-by: <abirvalg@lavabit.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch deprecates the low level API. This API is not currently
used by any known clients (at least, at a quick glance at Google).
These functions are a problem if we plan to port libnetfilter_conntrack
upon libmnl since they contain specific libnfnetlink bits.
I have also added __build_query_[ct|exp] to avoid compilation warnings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
These functions are evil since they allow the use of memcpy() instead
of nfct_copy(). This is a problem because it violates the design
principle that the library follows, that is to provide opaque objects
in which the client code does not care about the binary layout.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Thus, we have a fast version of nfct_copy() which allows copying
the destination to the origin. After this call, the
destination is a clone of the origin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the connection tracking extension that allows
conntrack timestamping.
This requires a Linux kernel >= 2.6.38.
We now have 65 attributes; we need 96 bits to store what attributes
are set in the objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes an embarrassing use-after-free in nfct_destroy()
that was introduced by myself in:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=fdda1474cc8654430f245b7f01c30e8ff171fa60
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the new attribute CTA_SECCTX that
supersedes CTA_SECMARK.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This patch re-works the callback handling to allow the use of the same socket
to send/receive commands and listen to events of both conntrack and
expectation subsystems. Now you can register one callback for conntrack
and one for expectation with the same handler with no problems (before
this patch, this was not possible, you required two different handlers).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Still missing several enumerations that should be documented.
You still have to look at libnetfilter_conntrack.h to check
conntrack object attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the support for the DCCP sequence number tracking
that is included in the upcoming Linux kernel 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nfct_callback_register2() and nfct_callback_unregister2()
that allow registering a callback function with a new callback interface
that includes the Netlink message. This fixes an early design error.
This is not nice but it is the only way to resolve this problem without
breaking backward compatibility (I don't like function versioning, it is messy).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes some minor issues that confuse kernel-doc in the
generation of the API reference documentation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes unnecessary flags included in NFCT_Q_DUMP,
NFCT_Q_DUMP_RESET and NFCT_Q_DESTROY requests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reworks the BSF automatic generation code. This
feature needs more love and it has several limitations, like
that the maximum number of IPs is 127 due to BSF code
restrictions. See this patch as a first step forward.
This patch also adds the stack data type, which is used to
resolve jumps dynamically instead of the previous static
approach.
This patch also includes fixes in the limitations; previous
calculations were wrong.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a NULL dereference to a function pointer in
nfct_copy() that is triggered when you try to copy the helper
name. This patch also adds an assertion to easily report similar
problems in the future.
Thanks to <pageexec@freemail.hu> for his detailed debugging report.
Reported-by: Wolfram Schlich <lists@wolfram.schlich.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This new function checks for the presence of a given set of
attributes that are passed as an array.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This new API allows you to set and get some logical set of
attributes. This is not intended to replace the existing
per-attribute get/set API but to provide a more efficient way
to get/set certain attributes. This change includes an example
file (conntrack_grp_create.c) of the use of the attribute group API.
See ATTR_GRP_* for more information on the existing groups.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces likely() and unlikely() that use
__builtin_expect to assist the compiler in the branch decisions.
I am assuming that we have no clients of libnetfilter_conntrack
that use gcc < 2.96.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds NFCT_CMP_MASK and NFCT_CMP_STRICT, which determine the
level of strictness that is applied to the comparison of two conntrack
objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In nfct_build_query() the *data argument is converted into a u_int8_t*.
This works for little-endian but not for big-endian.
Signed-off-by: Albert Veli <albert.veli@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch cleans up the internal headers by splitting them into several
logical pieces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces nfct_filter_set_logic() to set the filtering
logic which results in a more flexible solution.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds an abstraction level to the Berkeley sockets filter (BSF) for
Netlink sockets available since Linux kernel 2.6.26. This provides an
easy way to attach filters without knowing about BSF at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
alignment.
Signed-off-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
- recover the ID support
- add support for timeout comparison
- ignore set operation for counters and use attributes
- fix broken status comparison
- statify several __snprintf functions
- add nfct_copy
- conditional build of original and reply tuples
- fix secmark parsing