| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
unsigned, < 0 is always false.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nfct_labelmap_new returns NULL on failure, e.g. when file cannot be
opened. It will also fail if no labels have been parsed, and in this
case, content of errno is random.
Avoid it by making sure that errno is re-set when no labels were found.
While at it, also change ptr test when parsing so reviewers don't
need to triple check that this cannot result in out-of-bounds read.
Reported-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Can always lift this restriction later but for now enforce
strict label naming.
This is mainly to make sure that e.g. using
conntrack ... -o xml,connlabels
will output the expected format, without nasty surprises.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
adds new labelmap api to create a name <-> bit mapping
from a text file (default: /etc/xtables/connlabel.conf).
nfct_labelmap_new(filename) is used to create the map,
nfct_labelmap_destroy() releases the resources allocated for the map.
Two functions are added to make map lookups:
nfct_labelmap_get_name(map, bit) returns the name of a bit,
nfct_labelmap_get_bit returns the bit associated with a name.
The connlabel attribute is represented by a nfct_bitmask object, the
nfct_bitmask api can be used to test/set/get individual bits
("labels").
The exisiting nfct_attr_get/set interfaces can be used to read or
replace the existing labels associated with a conntrack with a new set.
Signed-off-by: Florian Westphal <fw@strlen.de>
|