| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This helper function builds the payload of the netlink dump request
including the filtering criteria.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Incorrect mapping of the expected reply message.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This tells the kernel to suppress conntrack entries that do not match
the status bits/bitmask filter.
This is useful to e.g. only list entries that are not assured
(value 0, mask == ASSURED) or entries that only saw one-way traffic
(value 0, mask == SEEN_REPLY).
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
conntrack-tools doesn't set the REPL attributes by default for updates,
so for ICMP flows, the update won't be sent as building the repl tuple
will fail.
Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The NFCT_Q_FLUSH command flushes both IPv4 and IPv6 conntrack tables.
Add a new command NFCT_Q_FLUSH_FILTER that allows flushing based on the
family, to retain backward compatibility of NFCT_Q_FLUSH.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
With more recent kernels "conntrack -L" prints NONE instead of
HEARTBEAT_SENT/RECEIVED because the state is unknown in userspace.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Found while reading code, compile tested only.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Currently the invmap_icmp* arrays are duplicated in setter.c and
grp_setter.c. This moves them to a new module 'proto'.
Instead of having the code access the arrays directly we provide new
wrapper functions __icmp{,v6}_reply_type.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
When type is out of range for the invmap_icmp{,v6} array we leave rtype at
zero which will map to type=255 just like other error cases in this
function.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The previous BUFFER_SIZE() call already updated the remaining 'len'. So
there is no need to subtract 'size' again. While this just makes the buffer
appear smaller than it is, which is mostly harmless, the subtraction might
underflow as 'size > len' is not checked like BUFFER_SIZE() does.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
We currently use strncpy in a bunch of places which has this weird quirk
where it doesn't write a terminating null byte if the input string is >=
the max length. To mitigate this we write a null byte to the last character
manually.
While this works it is easy to forget. Instead we should just be using
snprintf which has more sensible behaviour as it always writes a null byte
even when truncating the string.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The docs currently say "[...] Otherwise, 0 is returned." which is just
completely wrong. Just like nfct_snprintf the expected buffer size is
returned.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Currently the BUFFER_SIZE macro doesn't take negative 'ret' values into
account. A negative return should just be passed through to the caller,
snprintf will already have set 'errno' properly.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This flag specifies that this conntrack entry is in hardware.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
parse_mnl.c: In function ‘nfexp_nlmsg_parse’:
parse_mnl.c:142:3: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
142 | strncpy(exp->helper_name,
| ^~~~~~~~~~~~~~~~~~~~~~~~~
143 | mnl_attr_get_str(tb[CTA_EXPECT_HELP_NAME]),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
144 | NFCT_HELPER_NAME_MAX);
| ~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Print [OFFLOAD] tag when listing entries via snprintf() interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Replace libnfnetlink's nfnl_fill_hdr() by more modern libmnl code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Use the new libmnl version, remove duplicated code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Use the new libmnl version, remove duplicated code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add missing code to handle CTA_EXPECT_CLASS, CTA_EXPECT_NAT and
CTA_EXPECT_FN from libmnl parser.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Changes in the netlink attribute layout are considered to be a kernel ABI
breakage, so report this immediately and stop execution, instead of lazily
returning an error to the client application, which cannot do anything with
this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
When CONNLABEL_CFG isn't available (/etc/xtables/connlabel.conf),
conntrack tool crashes:
[marcos@Icarus ~]$ conntrack -l something
nfct_labelmap_new: No such file or directory
Segmentation fault (core dumped)
I can see this problem in Fedora 26, because connlabel.conf does not
come along with the conntrack/libnetfilter packages. This problem happens because
conntrack calls nfct_labelmap_new, which resides in
libnetfilter_conntrack. This lib returns NULL because CONNLABEL_CFG
is not present, and then NULL is assigned to the global var called
labelmap in conntrack. Later, get_label is called, passing NULL to the
library, and __label_get_bit is called and dereferences labelmap without
a check, which leads to a crash.
With this patch the crash does not happen anymore,
and an error message is displayed:
conntrack -l something
nfct_labelmap_new: No such file or directory
conntrack v1.4.4 (conntrack-tools): unknown label 'something'
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
getobjopt_is_nat() used to work even if no status bits were set, by
checking if addresses don't match. Restore this behaviour for
compatibility reasons.
Fixes: 73ad642ba462 ("src: add support for IPv6 NAT")
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Otherwise we fall into the IPv6 case.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
clang treats "char buffer[size]" inside a union as VLAIS unless |size|
is const:
src/conntrack/api.c:992:8: error: fields must have a constant size: 'variable length array in structure' extension will never be supported
char buffer[size];
^
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The conntrackd daemon lacks support for syncing IPv6 NATed connections.
This patch adds support for managing the IPv6 part of struct __nfct_nat,
also updating the corresponding symbols.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The conntrackd daemon lacks support for syncing IPv6 NATed connections.
This patch prepares the ground to give support to such operations:
* replace uint32_t with union __nfct_address in struct __nfct_nat.
* update all users of the former uint32_t to support the new struct
A follow-up patch gives support to actually manage the IPv6 NAT.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
| |
Looks like a copy & paste bug.
Reported-by: Sargun Dhillon <sargun@sargun.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
This patch adds the front-end to the recent ctnetlink interface
changes that add the zone attribute into the tuple.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds a mark filter for the event listener, using the same struct
nfct_filter_dump_mark as the dump.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
This breaks static builds where the toolchain completely lacks libdl.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
This patch adds two functions, useful for ulogd IPFIX
output module.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Relax checking for MARK and ZONE to treat 'attribute not
set' like 'attribute is set to 0'.
This matches kernel behaviour, conntracks are always in zone 0,
except if specified differently. Same for connmark.
The kernel will also not include the zone/mark attributes in dumps
unless they have non-zero values.
This makes qa/test_api pass again with the updated test cases.
Reported-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
nfct_filter_dump_set_attr() will set the bit.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
unsigned, < 0 is always false.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Stefan reported that the *_catch() functions documentation was imprecise
on some aspects.
Reported-by: Stefan Nicolae Stancu <Stefan.Stancu@cern.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Subtract the netlink + nfnetlink headers to pass the payload length
to nfct_payload_parse().
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
nfct_labelmap_new returns NULL on failure, e.g. when the file cannot be
opened. It will also fail if no labels have been parsed, and in this
case, the content of errno is random.
Avoid it by making sure that errno is re-set when no labels were found.
While at it, also change the ptr test when parsing so reviewers don't
need to triple check that this cannot result in an out-of-bounds read.
Reported-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
nfct_snprintf doesn't print connlabels, as they're system specific
and can easily generate lots of output.
This adds a new helper function, nfct_snprintf_labels. It behaves like
nfct_snprintf, except that the label names in the labelmap whose bits are
contained in connlabel attribute bitset are added to the buffer.
Output looks like this:
... mark=0 use=1 labels=eth0-in,eth1-in
or
<labels>
<label>eth0-in</label>
<label>eth1-in</label>
</labels>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Must free ct and exp using the _destroy functions, else we leak attributes with malloc'd data.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Can always lift this restriction later but for now enforce
strict label naming.
This is mainly to make sure that e.g. using
conntrack ... -o xml,connlabels
will output the expected format, without nasty surprises.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Can't be zero, it was already tested.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
This fixes construction of the conntrack object when CTA_LABEL
attribute is present.
Signed-off-by: Florian Westphal <fw@strlen.de>