| Commit message | Author | Age | Files | Lines |
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
"-ldl" is not needed since the programs themselves never use functions
from libdl. Also, -dynamic is not required at all.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
This patch adds the infrastructure to allow filtered dumping.
See utils/conntrack_dump_filter.c for instance.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Example of the XML output:
<flow type="new">
  <layer3 protonum="2" protoname="IPv4">
    <expected>
      <src>192.168.0.2</src>
      <dst>192.168.1.2</dst>
    </expected>
    <mask>
      <src>255.255.255.255</src>
      <dst>255.255.255.255</dst>
    </mask>
    <master>
      <src>192.168.0.2</src>
      <dst>192.168.1.2</dst>
    </master>
  </layer3>
  <layer4 protonum="6" protoname="tcp">
    <expected>
      <sport>0</sport>
      <dport>41739</dport>
    </expected>
    <mask>
      <sport>0</sport>
      <dport>65535</dport>
    </mask>
    <master>
      <sport>36390</sport>
      <dport>21</dport>
    </master>
  </layer4>
  <meta>
    <helper-name>ftp</helper-name>
    <timeout>300</timeout>
    <zone>0</zone>
  </meta>
</flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
expect_get now allows you to get the expectation that has been
created with expect_create.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds nfct_destroy() to all the examples in the utils folder.
Although this may be obvious to some, when I wrote my first code using
libnetfilter_conntrack, I used the examples but subsequently missed out
all the calls to nfct_destroy().
Signed-off-by: Andrew Beverley <andy@andybev.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds the connection tracking extension that allows
conntrack timestamping.
This requires a Linux kernel >= 2.6.38.
We have now 65 attributes, we need 96 bits to store what attributes
are set in the objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
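The sizing remark in the message above (65 attributes, hence 96 bits of "is this attribute set" flags), worked through as an added example in plain C. This is not the library's own code: ATTR_MAX is an illustrative constant taken from the count quoted above, the attribute numbering is not the real ATTR_* enum, and the struct and function names are chosen for this illustration. The point it shows is that the 65th attribute (index 64) needs a third 32-bit word, and that every operation bounds-checks the index so an out-of-range attribute number can never write past the array.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative attribute count taken from the commit message above: 65
 * attributes, so indices 0..64 must be representable. The real ATTR_*
 * numbering is not reproduced here. */
#define ATTR_MAX 65

/* Round up to whole 32-bit words: (65 + 31) / 32 = 3 words = 96 bits. */
#define ATTR_WORDS ((ATTR_MAX + 31) / 32)

struct attr_set {
	uint32_t word[ATTR_WORDS];
};

static void attr_set_init(struct attr_set *s)
{
	memset(s->word, 0, sizeof(s->word));
}

/* Bits reserved by this layout; 96 for ATTR_MAX == 65. */
static unsigned int attr_set_bits(void)
{
	return ATTR_WORDS * 32;
}

/* Each operation rejects out-of-range indices instead of indexing past
 * the array (the classic bitmap overflow). */
static bool attr_set_add(struct attr_set *s, unsigned int attr)
{
	if (attr >= ATTR_MAX)
		return false;
	s->word[attr / 32] |= UINT32_C(1) << (attr % 32);
	return true;
}

static bool attr_set_del(struct attr_set *s, unsigned int attr)
{
	if (attr >= ATTR_MAX)
		return false;
	s->word[attr / 32] &= ~(UINT32_C(1) << (attr % 32));
	return true;
}

static bool attr_set_test(const struct attr_set *s, unsigned int attr)
{
	if (attr >= ATTR_MAX)
		return false;
	return (s->word[attr / 32] >> (attr % 32)) & UINT32_C(1);
}

/* Number of attributes currently marked as set. */
static unsigned int attr_set_count(const struct attr_set *s)
{
	unsigned int n = 0, i;

	for (i = 0; i < ATTR_MAX; i++)
		n += attr_set_test(s, i);
	return n;
}

/* Walk through the 65th attribute (index 64): it lands in bit 0 of word 2,
 * which a single 64-bit mask would not have. Returns 1 if every check passes. */
static int attr_set_selftest(void)
{
	struct attr_set s;

	attr_set_init(&s);
	if (!attr_set_add(&s, 0) || !attr_set_add(&s, 64))
		return 0;
	if (attr_set_add(&s, 65))          /* out of range must be rejected */
		return 0;
	if (s.word[2] != UINT32_C(1) || !attr_set_test(&s, 64))
		return 0;
	if (attr_set_count(&s) != 2)
		return 0;
	attr_set_del(&s, 64);
	return !attr_set_test(&s, 64) && attr_set_count(&s) == 1;
}

int main(void)
{
	printf("bits reserved: %u, selftest: %s\n",
	       attr_set_bits(), attr_set_selftest() ? "ok" : "FAILED");
	return attr_set_selftest() ? 0 : 1;
}
```

Deriving the word count from the attribute count at compile time is what keeps this from silently breaking when an attribute is added later: a hard-coded two-word array would have made index 64 an out-of-bounds write.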
| |
The addition of -Wall flagged some legitimate warnings:
make expect_dump expect_create expect_get expect_delete expect_flush expect_events expect_create_userspace conntrack_create conntrack_dump conntrack_update conntrack_delete conntrack_flush conntrack_create_nat conntrack_get conntrack_events conntrack_master conntrack_filter conntrack_grp_create ctexp_events
make[1]: Entering directory `/home/jengelh/code/libnetfilter_conntrack/utils'
CC expect_dump.o
expect_dump.c: In function "main":
expect_dump.c:36:3: warning: implicit declaration of function "strerror"
expect_dump.c:36:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD expect_dump
CC expect_create.o
expect_create.c: In function "main":
expect_create.c:31:2: warning: implicit declaration of function "inet_addr"
expect_create.c:54:3: warning: implicit declaration of function "strerror"
expect_create.c:54:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
expect_create.c:117:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD expect_create
CC expect_get.o
expect_get.c: In function "main":
expect_get.c:33:2: warning: implicit declaration of function "inet_addr"
expect_get.c:59:3: warning: implicit declaration of function "strerror"
expect_get.c:59:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD expect_get
CC expect_delete.o
expect_delete.c: In function "main":
expect_delete.c:21:2: warning: implicit declaration of function "inet_addr"
expect_delete.c:46:3: warning: implicit declaration of function "strerror"
expect_delete.c:46:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD expect_delete
CC expect_flush.o
expect_flush.c: In function "main":
expect_flush.c:23:3: warning: implicit declaration of function "strerror"
expect_flush.c:23:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD expect_flush
CC expect_events.o
expect_events.c: In function "main":
expect_events.c:44:3: warning: implicit declaration of function "strerror"
expect_events.c:44:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD expect_events
CC expect_create_userspace.o
expect_create_userspace.c: In function "main":
expect_create_userspace.c:31:2: warning: implicit declaration of function "inet_addr"
expect_create_userspace.c:58:3: warning: implicit declaration of function "strerror"
expect_create_userspace.c:58:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
expect_create_userspace.c:121:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD expect_create_userspace
CC conntrack_create.o
conntrack_create.c: In function "main":
conntrack_create.c:21:2: warning: implicit declaration of function "inet_addr"
conntrack_create.c:43:3: warning: implicit declaration of function "strerror"
conntrack_create.c:43:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD conntrack_create
CC conntrack_dump.o
conntrack_dump.c: In function "main":
conntrack_dump.c:37:3: warning: implicit declaration of function "strerror"
conntrack_dump.c:37:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
conntrack_dump.c:24:7: warning: unused variable "buf"
CCLD conntrack_dump
CC conntrack_update.o
conntrack_update.c: In function "main":
conntrack_update.c:21:2: warning: implicit declaration of function "inet_addr"
conntrack_update.c:43:3: warning: implicit declaration of function "strerror"
conntrack_update.c:43:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD conntrack_update
CC conntrack_delete.o
conntrack_delete.c: In function "main":
conntrack_delete.c:21:2: warning: implicit declaration of function "inet_addr"
conntrack_delete.c:38:3: warning: implicit declaration of function "strerror"
conntrack_delete.c:38:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD conntrack_delete
CC conntrack_flush.o
conntrack_flush.c: In function "main":
conntrack_flush.c:24:3: warning: implicit declaration of function "strerror"
conntrack_flush.c:24:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
conntrack_flush.c:12:7: warning: unused variable "buf"
CCLD conntrack_flush
CC conntrack_create_nat.o
conntrack_create_nat.c: In function "main":
conntrack_create_nat.c:21:2: warning: implicit declaration of function "inet_addr"
conntrack_create_nat.c:45:3: warning: implicit declaration of function "strerror"
conntrack_create_nat.c:45:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD conntrack_create_nat
CC conntrack_get.o
conntrack_get.c: In function "main":
conntrack_get.c:33:2: warning: implicit declaration of function "inet_addr"
conntrack_get.c:52:3: warning: implicit declaration of function "strerror"
conntrack_get.c:52:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD conntrack_get
CC conntrack_events.o
conntrack_events.c: In function "main":
conntrack_events.c:45:3: warning: implicit declaration of function "strerror"
conntrack_events.c:45:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
conntrack_events.c:29:7: warning: unused variable "buf"
conntrack_events.c:28:23: warning: unused variable "ct"
conntrack_events.c:26:11: warning: unused variable "family"
CCLD conntrack_events
CC conntrack_master.o
conntrack_master.c: In function "main":
conntrack_master.c:22:2: warning: implicit declaration of function "inet_addr"
conntrack_master.c:44:3: warning: implicit declaration of function "strerror"
conntrack_master.c:44:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
conntrack_master.c:86:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD conntrack_master
CC conntrack_filter.o
conntrack_filter.c: In function "main":
conntrack_filter.c:58:3: warning: implicit declaration of function "inet_addr"
conntrack_filter.c:98:3: warning: implicit declaration of function "strerror"
conntrack_filter.c:98:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
conntrack_filter.c:31:7: warning: unused variable "buf"
conntrack_filter.c:30:23: warning: unused variable "ct"
conntrack_filter.c:27:11: warning: unused variable "family"
CCLD conntrack_filter
CC conntrack_grp_create.o
conntrack_grp_create.c: In function "main":
conntrack_grp_create.c:21:3: warning: implicit declaration of function "inet_addr"
conntrack_grp_create.c:49:3: warning: implicit declaration of function "strerror"
conntrack_grp_create.c:49:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD conntrack_grp_create
CC ctexp_events.o
ctexp_events.c: In function "main":
ctexp_events.c:63:3: warning: implicit declaration of function "strerror"
ctexp_events.c:63:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
CCLD ctexp_events
make[1]: Leaving directory `/home/jengelh/code/libnetfilter_conntrack/utils'
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
With this patch, the expect_events example also listens to other
sorts of expectation events that were added in Linux kernel 2.6.37-rc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch re-works the callback handling to allow the use of the same socket
to send/receive commands and listen to events of both conntrack and
expectation subsystems. Now you can register one callback for conntrack
and one for expectation with the same handler with no problems (before
this patch, this was not possible, you required two different handlers).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds an example on how to set up a user-space expectation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch changes the existing example to make it more realistic.
It also removes the timeout setup since this field is ignored by
ctnetlink if we specify a kernel-space conntrack helper to be used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds support to auto-generate BSF code for IPv6. It
requires a Linux kernel >= 2.6.29. The maximum number of addresses
is limited to 20 (12 BSF lines per IPv6 address comparison). I am
not sure that removing this limit is useful given that oprofile
does not show very good numbers for very large (in terms of lines)
filters. This completes one feature that is available in IPv4 but
that was missing in IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds support for the new SYN_SENT2 state that Jozsef
has introduced to support TCP simultaneous open in 2.6.31. We can
safely include support for this feature now since the LISTEN state
was not ever really used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch removes the use of strerror(errno) when the returned
value is != -1. This fixes random segfaults on my x86_64
machines. According to the documentation, errno should not be
used unless the returned value is -1.
This patch also includes some missing nfct_close() calls in
the examples.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
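The errno rule stated in the message above, as an added example in plain C; this is not the library's or the utils directory's code. `fake_query` is a hypothetical stand-in for a call that follows the usual contract (-1 with errno set on failure, a non-negative value otherwise); `describe_unconditional` mirrors the pattern the commit removes and `describe` the corrected one. One caveat a practitioner should keep in mind alongside it: the -Wall commit further down this log reports `implicit declaration of function "strerror"` in these same utilities, and without the `<string.h>` prototype a 64-bit build truncates strerror's returned pointer to an int, which is its own route to a segfault, so the example includes the header explicitly.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>   /* strerror() prototype: without it an LP64 build truncates the returned pointer */

/* Hypothetical stand-in for a library call following the POSIX contract:
 * -1 with errno set on failure, a non-negative value on success. On success
 * errno is deliberately left alone, as real calls do. */
static int fake_query(int should_fail, int result)
{
	if (should_fail) {
		errno = EPERM;
		return -1;
	}
	return result;
}

/* The pattern the commit removes: errno consulted regardless of ret.
 * After a successful call this describes whatever errno last held. */
static const char *describe_unconditional(int ret)
{
	(void)ret;
	return strerror(errno);
}

/* Correct: errno is only meaningful when ret == -1, and is copied before
 * any other call (printf, a second query) can overwrite it. */
static const char *describe(int ret)
{
	int saved;

	if (ret != -1)
		return "ok";
	saved = errno;
	return strerror(saved);
}

/* Reproduce the stale-errno situation: a failure sets errno, the next call
 * succeeds without touching it. Returns 1 if the conditional version reports
 * success while the unconditional one still reports the old error. */
static int stale_errno_demo(void)
{
	const char *unconditional;
	int ret;

	ret = fake_query(1, 0);                      /* fails: errno = EPERM */
	if (ret != -1 || strcmp(describe(ret), strerror(EPERM)) != 0)
		return 0;
	ret = fake_query(0, 128);                    /* succeeds: errno untouched */
	unconditional = describe_unconditional(ret);
	return strcmp(describe(ret), "ok") == 0 && errno == EPERM &&
	       strcmp(unconditional, "ok") != 0;
}

int main(void)
{
	int ret = fake_query(0, 42);

	printf("ret=%d conditional=\"%s\" unconditional=\"%s\"\n",
	       ret, describe(ret), describe_unconditional(ret));
	printf("stale errno demo: %s\n",
	       stale_errno_demo() ? "reproduced" : "not reproduced");
	return 0;
}
```

Saving errno into a local before formatting the message is the habit worth copying: a printf or a cleanup call placed between the failing call and the strerror(errno) can itself fail and replace the value you meant to report.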
| |
This new API allows you to set and get some logical set of
attributes. This is not intended to replace the existing
per-attribute get/set API but to provide more efficient way
to get/set certain attributes. This change includes an example
file (conntrack_grp_create.c) of the use of the attribute group API.
See ATTR_GRP_* for more information on the existing groups.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds support for explicit helper assignation. This support
will not be of any help without the appropriate kernel support that will
go into the Linux kernel 2.6.29 -sic-.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
In nfct_build_query() the *data argument is converted into a u_int8_t*.
This works for little-endian but not for big-endian.
Signed-off-by: Albert Veli <albert.veli@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
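Albert Veli's observation above, reproduced as an added example in plain C (not the library's code): reading a 32-bit argument through a u_int8_t pointer returns its low byte only on little-endian hosts, because that is the byte that happens to sit first in memory. `read_as_u8` is the faulty pattern, `read_u32` the width-correct one, and `host_is_little_endian` and `big_endian_first_byte` exist so the difference can be stated without assuming which architecture runs it; all four names are chosen for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Detect byte order at runtime by inspecting the first byte of a known value. */
static int host_is_little_endian(void)
{
	uint32_t probe = 1;
	uint8_t first;

	memcpy(&first, &probe, 1);
	return first == 1;
}

/* Faulty pattern: the caller passed a pointer to a uint32_t, but the callee
 * dereferences it as a single byte. On little-endian the low byte is first,
 * so small values look right; on big-endian this reads the most significant
 * byte, i.e. 0 for any value below 2^24. */
static uint8_t read_as_u8(const void *data)
{
	return *(const uint8_t *)data;
}

/* Width-correct: read the full 32-bit value. memcpy sidesteps both the
 * strict-aliasing question and unaligned access. */
static uint32_t read_u32(const void *data)
{
	uint32_t v;

	memcpy(&v, data, sizeof(v));
	return v;
}

/* What the faulty read returns on a big-endian host, computed explicitly
 * so the behaviour can be shown on any machine. */
static uint8_t big_endian_first_byte(uint32_t v)
{
	return (uint8_t)(v >> 24);
}

/* Convenience wrappers: pass a value by pointer the way a caller would. */
static uint8_t faulty_read_of(uint32_t v)
{
	return read_as_u8(&v);
}

static uint32_t correct_read_of(uint32_t v)
{
	return read_u32(&v);
}

int main(void)
{
	uint32_t family = 2;   /* e.g. an address family passed as a 32-bit integer */

	printf("host little-endian=%d  u8 read=%u  u32 read=%u  u8 read on BE would be=%u\n",
	       host_is_little_endian(), faulty_read_of(family), correct_read_of(family),
	       big_endian_first_byte(family));
	return 0;
}
```

The fix is not a byte swap: the value was never in network order. The callee simply has to read through a pointer of the same width the caller wrote through, which is why the example reads the whole uint32_t instead of byte zero.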
| |
Fix wrong use of htonl in the example filter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch introduces nfct_filter_set_logic() to set the filtering
logic which results in a more flexible solution.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds an abstraction level to berkeley sockets filter (BSF) for
Netlink sockets available since Linux kernel 2.6.26. This provides an
easy way to attach filters without knowing about BSF at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The test file requires nf_conntrack_ftp to work properly, otherwise
it returns EINVAL. This patch adds a small comment to remind users
to load the module before going ahead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Use `make check' to compile the examples in utils/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
- bump version to 0.0.75
| |
- fix wrong port display in the XML output (Morten Isaksen)
- use ntohs instead of htons in snprintf_default.c
| |
how the new API works
| |
- split expect_api_test.c into small example files expect_*.c
- introduce alias tags for original tuple attributes
- introduce nfexp_sizeof and nfexp_maxsize
- build expectation attributes iff they are set
- fix l3num setting in expect/build.c
| |
- introduce NFCT_O_PLAIN flag: NFCT_O_DEFAULT points to NFCT_O_PLAIN
- remove commented line in nfct_new()
| |
- object oriented infrastructure
- extensible and configurable output (XML)
- low level functions to interact with netlink details
- fairly documented
Still backward compatible.
| |
o Added the comparison infrastructure for layer-4 protocols
o Added libnetfilter_conntrack_[tcp|udp|icmp|sctp].h that contains the protocol flags used by the comparison infrastructure
o Added nfct_conntrack_compare to compare two conntracks based on flags
o Killed nfct_event_netlink_handler
o nfct_event_[conntrack|expect] requires ROOT privileges (reason: netlink multicast)
o Bumped version to 0.29
| |
- have only one place where we specify the includes (Make_global.am)
| |
Munich, Germany for providing the "fast" hardware to reproduce spurious bugs ;)
List of changes:
o Replace misleading flag NFCT_ANY_GROUP by NFCT_ALL_GROUPS
o Update test file to use NFCT_ALL_GROUPS
o Add missing check of CTA_PROTOINFO_TCP that resulted in a segfault in
conjunction with events.
o Fix ICMP conntracks output
o Add missing prototype definition of nfct_default_expect_display_id in
libnetfilter_conntrack.h
| |
o Added some very brief comments to libnetfilter_conntrack.h
o Implemented the conntrack printers API nfct_sprintf_*
o Now nfct_default_conntrack_display displays the classical /proc output,
and nfct_default_conntrack_display the classical + conntrack ids
o Use nfnl_talk if there's no data expected from kernel space to be processed,
that is the case of nfct_[get|delete]_conntrack
o Added some missing memset's zeroing
o Code simplification: killed some char *buf where struct nfnlhdr is enough
o Killed protocol handler destructors (fini) and nfct_unregister_proto: The
library is unloaded if something goes wrong (different library versions), the
modules never get inserted in the proto_list. Fixes a segfault.
o Bumped version to 0.2.0
| |
o NFCT_COUNTERS split into NFCT_COUNTERS_[ORIG|RPLY]
o all global vars are now static
o kill nfct_set_handler, it was too much
o fixed very stupid bug in counters printing
o fixed conntrack getting: invalid netlink flags NLM_F_[ROOT|MATCH]
o nfnl_send returns the proper error to the client, instead of returning -1
o some cleanups: killed the ret, it was useless
o test for the conntrack API completed, still missing the expectation test