| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
some attributes are pointers to malloc'd objects. Simply copying the
pointer results in use-after free when the original or the clone is
destroyed.
Fix it by using nfct_copy instead of memcpy and add proper test case
for cloned objects:
- nfct_cmp of orig and clone should return 1 (equal)
- freeing both the original and the clone should
neither leak memory nor result in double-frees.
the testsuite changes revealed a few more problems:
- ct1->timeout == ct2->timeout returned 0, ie. same timeout
was considered "not equal" by nfct_cmp
- secctx comparision causes "Invalid address" valgrind warnings
when pointer is NULL
- NFCT_CP_OVERRIDE did not handle helper attribute and
erronously freed ct1 secctx memory.
While at it, bump qa_test data dummy to 256 (else, valgrind
complains about move-depends-on-uninitialized-memory).
Lastly, fix compilation of test_api by killing bogus ATTR_CONNLABEL.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
It was missing, add it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
build_mnl.c: In function 'nfexp_nlmsg_build':
build_mnl.c:18:11: warning: variable 'l3num' set but not used [-Wunused-but-set-variable]
This patch relaxes the checking for the L3PROTO. The kernel will report
EINVAL in case that something is missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering aimed
to fix a bug the IPv6 BPF filtering. However, it didn't fix it for
NFCT_FILTER_LOGIC_POSITIVE case since jump is still miscalculated.
This chunk below shows the BPF code to filter IPv6 address 2:4:6::
{0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_POSITIVE
is used, ie. if that address matches, accept the event.
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares second 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeded
it jumps to 003f, which means, accept event ]
(003e) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
---- final verdict ----
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=ffffffff
Just for the record: This chunk below shows the BPF code to filter IPv6
address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that
NFCT_FILTER_LOGIC_NEGATIVE is used, ie. if that address matches, drop
the event.
[...]
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares first 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeded
it jumps to 003e ]
(003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
[ default action specified by 003e is to drop the event ]
Tested-by: Eric Leblond <eric@regit.org>
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BPF code generated for IPv6 filtering was wrong.
Assuming you want to allow all traffic except ::1, the filter that
libnetfilter_conntrack generates for the IPv6 address part looks like:
[...]
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=0a k=00000000
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008 [0]
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [1]
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=07 k=00000000 [2]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c [3]
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [4]
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=04 k=00000000 [5]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010 [6]
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [7]
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000001 [8]
(003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001 [9]
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000 [A]
Line 32 loads the first 4 bytes for the 32 bytes IPv6 address, then
line 33 performs the binary AND with the first 4 bytes of the mask.
Line 34 evaluated false for the case 2::1 that Eric reported (since 0x2
is not 0x0). Thus, jumping to line 3f that returns reject. However,
2::1 should be allowed.
This false-jump case depends on the logic we're using, for the negative
logic case, the jump offset is 9 to accept it. In the positive case
(ie. accept this event message if matching happens), it has to be 10 (A),
to reject it.
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds more verbose output for the automatic BPF filter
generation to sieve netlink messages that are receive via
ctnetlink.
This code is disabled by default, only useful for debugging so
far. It shouldn't be hard to provide a function to explicitly
print instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the ATTR_HELPER_INFO that can be used to send binary data
that will be attached to the conntrack. This is useful for the
user-space connection tracking support.
This patch also adds a new interface:
nfct_set_attr_l(attr, type, value, length);
that is used to set the variable length helper information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntrack object. It uses libmnl, thus
libnetfilter_conntrack now depends on this library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntrack object. It uses libmnl, thus
libnetfilter_conntrack now depends on this library.
This is the first patch in the direction of removing the dependency
on the veteran libnfnetlink.
I have decided to update LIBVERSION in this patch. I know it's
recommended to do this before releasing the software. I prefer to
do this so snapshot packages get the correct LIBVERSION.
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
This will work as it does in conntrack; it won't pass NLM_F_ACK into
ctnetlink_new_expect in the kernel, and will thus invoke
ctnetlink_change_expect if the expectation already exists.
Signed-off-by: Kelvie Wong <kelvie@ieee.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The previous patch was incomplete. This fixes several issues with
it like the IPV4 and IPV6 address are mutually exclusive, thus,
the getter operation works. No sane way to support the setter
operation correctly, thus, it's been documented that it has no
effect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows you to set and to get the address for both IPv4 and IPV6
using the same interface. This can simplify much redundant code that
needs to support both protocols.
This relies on some fixed layout union:
union nfct_attr_grp_addr {
u_int32_t ip;
u_int32_t ip6[4];
u_int32_t addr[4];
};
But I don't see this library will support anything different from
IPv4 and IPv6 as layer 3 protocol. If that happens and some point,
we can add some new attribute group and deprecate this one.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
For ICMP flows:
conntrack -U -s 192.168.1.114 -m 1
returned -EINVAL. It seems we were including the reply tuple
imcompletely.
Reported-by: <abirvalg@lavabit.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds the infrastructure to allow filtered dumping.
See utils/conntrack_dump_filter.c for instance.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
proto=17 src=192.168.11.4 dst=192.168.10.4 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.4 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENTclass=0 helper=sip [active since 8s]
After:
proto=17 src=192.168.11.4 dst=192.168.10.4 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.4 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 8s]
Note the space after PERMANENT.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Make sure this attribute is a NULL-terminated string, otherwise
we hit EINVAL if we set this attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch allows you to set expectfn.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds ATTR_EXP_NAT_TUPLE and ATTR_EXP_NAT_DIR attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch allows you to specify the expectation class.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example of the XML output:
<flow type="new">
<layer3 protonum="2" protoname="IPv4">
<expected>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</expected>
<mask>
<src>255.255.255.255</src>
<dst>255.255.255.255</dst>
</mask>
<master>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</master>
</layer3>
<layer4 protonum="6" protoname="tcp">
<expected>
<sport>0</sport>
<dport>41739</dport>
</expected>
<mask>
<sport>0</sport>
<dport>65535</dport>
</mask>
<master>
<sport>36390</sport>
<dport>21</dport>
</master>
</layer4>
<meta>
<helper-name>ftp</helper-name>
<timeout>300</timeout>
<zone>0</zone>
</meta>
</flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch adds nfexp_cmp that allows you to compare two expectation
objects.
This includes the extension of test_api for this new function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
They seem to be accidentally swapped. Fix this.
Spotted by qa/test_api.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now, struct nf_expect takes only 192 bytes, instead of 1KB.
struct nf_conntrack takes 296 bytes instead of 328 bytes.
The size of the nf_expect structure has been reduced by rearranging
the layout of the nf_conntrack structure. For the nf_conntrack case,
this removes the allocation of room for attributes that the master
tuple does not use (more specifically, the NATseq bytes).
This patch modifies the binary layout of struct nf_conntrack.
This should not be a problem since the definition of this
object is opaque (it can be only accessed via get/set API).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have to use sizeof(struct nf_ct_tcp_flags) instead of
sizeof(u_int16_t) to avoid problems in Intel IXP4xx network
processor (ARM big endian).
For more information, please see:
http://markmail.org/message/afhn66qzyebyf7cs#query:+page:1+mid:7bw756ncuyosv23c+state:results
Reported-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is *not* changing the licensing terms of this library (which
was initially released under GPLv2 and later on extended to GPLv2+ after
contacting all the contributors who kindly agreed to extend it to any
later GPL version).
Jan says: "In libnetfilter_conntrack, there are many .c files declaring
GNU GPL incorporated herein by reference without telling which version(s)
exactly apply. Given src/main.c for example is actually GPL-2.0+,
the reference made is ambiguous."
This patch should definitely clarify this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
NFCT_HELPER_NAME_MAX is 16, which is the maximum helper name
allowed since 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Now, the output of nfexp_snprintf looks like this:
299 proto=6 src=192.168.1.130 dst=130.89.148.12 sport=0 dport=45420 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.130 master-dst=130.89.148.12 sport=46368 dport=21 helper=ftp
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds support for CTA_EXPECT_HELP_NAME.
We now have the ATTR_EXP_HELPER_NAME attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
It is like nfct_send() but for expectations, for API symmetry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds mask and master tuple information regarding one
expectation. This information has been not shown so far. I consider
that it is interesting because you can use this information to
troubleshoot expectation issues. Moreover, you can know which is
the master conntrack that this expectation is attached to.
This extends the text-based output for `conntrack -L exp'. This
can be considered a backward compatibily issue since existing
tools that are parsing this interface may break. But this is not
our fault, we provide an API to the conntrack table via
libnetfilter_conntrack. People should use those.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Otherwise, we don't print it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The master tuple was not parsed. This patch also fixes an incorrect
use of the exp->set field for the expectation and mask tuples.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This closes netfilter bugzilla #754:
http://bugzilla.netfilter.org/show_bug.cgi?id=754
Reported-by: <abirvalg@lavabit.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
static analysis (analysis based only on compiling of sources, not based
on running of binary) of the code revealed the following problem:
conntrack/objopt.c:63: self_assign: Assignment operation
"ct->snat.l4max.all = ct->snat.l4max.all"
has no effect.
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
> CC parse.lo
> parse.c: In function ‘__parse_conntrack’:
> parse.c:434:15: warning: array subscript is above array bounds
>
> struct nfattr *tb[CTA_SECCTX_MAX]
> 434: ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1]))
>
> CTA_SECCTX has value 19, and CTA_SECCTX_MAX is just 1.
Reported-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch deprecates the low level API. This API is not currently
used by any known clients (at least, at a quick glance at google).
These functions are a problem if we plan to port libnetfilter_conntrack
upon libmnl since they contain specific libnfnetlink bits.
I have also added __build_query_[ct|exp] to avoid compilation warnings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
These functions are evil since they allow the use of memcpy() instead
of nfct_copy(). This is a problem because it violates the design
principle that the library follows, that is to provide opaque objects
in which the client code does not care on the binary layout.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Thus, we have a fast version of nfct_copy() which allows to
copy the destination to the origin. After this call, the
destination is a clone of the origin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This problem was caught by qa/test_api.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the connection tracking extension that allows
conntrack timestamping.
This requires a Linux kernel >= 2.6.38.
We have now 65 attributes, we need 96 bits to store what attributes
are set in the objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes an embarasing a use-after-free in nfct_destroy()
that was introduced by myself in:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=fdda1474cc8654430f245b7f01c30e8ff171fa60
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for the new attribute CTA_SECCTX that
supersedes CTA_SECMARK.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
This fixes a minor problem introduced in b245e4092c5a7f09729e64868a42e13f48a
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|/
|
|
|
|
|
|
|
|
|
| |
This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the
name that is used in the Linux kernel header. Thus, both the headers
and the internal copy for the library are in sync.
This problem was probably introduced at the time that we added support
for the DCCP handshake sequence number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|