| Commit message | Author | Age | Files | Lines |
| |
Updated:
src/extra/pktbuff.c: If pktb was created in family AF_BRIDGE, then pktb->len
will include the bytes in the network header.
So set the IPv4 length to "tail - network_header"
rather than len
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
At least on the local interface, the MAC header of an IPv6 packet specifies
IPv6 protocol (rather than IP). This surprised me, since the first octet of
the IP datagram is the IP version, but I guess it's an efficiency thing.
Without this patch, pktb_alloc() returns NULL when an IPv6 packet is
encountered.
Updated:
src/extra/pktbuff.c: - Treat ETH_P_IPV6 the same as ETH_P_IP.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Without this patch, AF_INET6 pktb_alloc() creates a pktb with NULL
network_header. But in src/extra/ipv6.c, nfq_ip6_get_hdr() assumes that
pktb->network_header is valid.
Updated:
src/extra/pktbuff.c: Treat AF_INET6 the same as AF_INET.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
skb->tail is used in many places, so it's important to keep it up to date.
Updated:
src/extra/pktbuff.c: Fix pktb_trim()
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Updated:
 src/extra/ipv4.c: - Rename pkt formal arg of nfq_ip_mangle to pktb
                     (to match all other struct pkt_buff args)
                   - Make it clear that packet buffer is the user-space one
                   - Sentence-case all parameter descriptions
                   - Fix \param 3 of nfq_pkt_snprintf_ip to match prototype
                   - Revised description of nfq_pkt_snprintf_ip for English
                     usage, but left the "strange behaviour" bit at the end.
                     (I know kernel developers hate snprintf: the purpose of the
                     return code was not a blanket buffer overrun check but
                     rather an amount to subtract from the size argument to the
                     next snprintf call.
                     It was therefore a bit of a screw-up to have snprintf take
                     an unsigned size_t argument so the -ve size looks like a
                     huge +ve one and snprintf keeps writing :(
                     The programmer needs to use a signed type for size and
                     explicitly test it for still being +ve before every
                     snprintf call; with ssize_t, snprintf could have done
                     nothing and returned zero with a -ve size so the
                     programmer only needs to check right at the end.
                     Ah well...)
 src/extra/ipv6.c: - Use \returns for all return values
                   - Fix \param 3 of nfq_ip6_snprintf to match prototype
                   - Sentence-case all parameter descriptions
                   - Change IPv4 to IPv6 in a comment
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
On big endian arches UDP/TCP checksum is incorrectly computed when
payload length is odd.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The documentation generally uses OSI layer numbering, where TCP (i.e. Transport)
is layer 4 so that IP is layer 3.
Bring pktb_mangle documentation into line with this.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Clang (but not gcc) warned about this. Gcc (but not clang) used to warn that
nfq_set_verdict_mark is deprecated, but this has stopped since re-defining
EXPORT_SYMBOL.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Modify the definition and use of EXPORT_SYMBOL as was done for libmnl in
commit 444d6dc9.
Additionally, avoid generating long (>80ch) lines when inserting
EXPORT_SYMBOL.
Finally, re-align multi-line parameter blocks with opening parenthesis.
[ I have mangled the original patch to not split the function definition and
its return value. --pablo ]
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
(These updates only cover functions used in a recent project)
 src/extra/ipv4.c: - nfq_ip_set_transport_header(): Add explanatory notes
                   - nfq_ip_mangle()
                     - Advise that there is a return code
                     - Note that IPv4 length is updated as well as checksum
 src/extra/pktbuff.c: - pktb_alloc(): Minor rewording (English usage)
                      - pktb_mangle(): Document
 src/extra/udp.c: - nfq_udp_get_hdr(): Fix params
                  - nfq_udp_get_payload(): Fix params
                  - nfq_udp_get_payload_len(): Fix params
                  - nfq_udp_mangle_ipv4(): Rewrite documentation
 src/nlmsg.c: - nfq_nlmsg_verdict_put(): Document
              - nfq_nlmsg_cfg_put_cmd():
                - Change name (was: nfq_nlmsg_cfg_build_request)
                - Fix params
                - Delete function return documentation (void fn)
              - nfq_nlmsg_cfg_put_params(): Document (params only)
              - nfq_nlmsg_cfg_put_qmaxlen(): Document (params only)
              - nfq_nlmsg_parse:
                - Change name (was: nfq_pkt_parse)
                - Fix params
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
One would expect nfq_udp_mangle_ipv4() to take care of the length field
in the UDP header but it did not. With this patch, it does. This patch
is very unlikely to adversely affect any existing userspace software
(that did its own length adjustment), because UDP checksumming was
broken.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The level 4 protocol is part of the UDP and TCP calculations.
nfq_checksum_tcpudp_ipv4() was using IPPROTO_TCP in this calculation,
which gave the wrong answer for UDP.
Based on patch from Alin Nastac, and patch description from Duncan Roe.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This reverts commit 58cb0668dc15c78cd3af9eeaedf29386e86ecac1.
Prepare a new patch to keep this update consistent with libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
clang ignores the visibility attribute if it's not defined before the
definition. As a result these symbols become hidden and consumers of
this library fail to link due to these missing symbols.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The source uses linux names for members of tcphdr. For example
"source" instead of "th_sport", ... musl libc's headers need
_GNU_SOURCE defined in order to expose these.
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Similar to 7335cbe ("extra: fix wrong implementation in
nfq_udp_get_payload").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The result of inet_ntoa() will be overwritten by the next call to
inet_ntoa(), so using it twice in the same snprintf() call causes
a wrong result.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
These functions are internal and they belong to the libnetfilter_queue scope,
so let's add the corresponding nfq_ prefix.
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
As of f40eabb01 (add pkt_buff and protocol helper functions)
libnetfilter_queue accidentally exports the internal function named
'checksum'. This is a bit too generic and may cause crashes with
applications that worked fine before.
This patch makes the functions checksum, checksum_tcpudp_ipv4 and
checksum_tcpudp_ipv6 local by building with fvis-hidden and adding
EXPORTs for the legacy api calls and the ones that seem to have missing
EXPORT tags (mainly pktbuff api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch updates the doxygen documentation for the new API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Fix wrong arithmetic and missing pktb->len update
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
pktb_expand_tail returns 0 if there is no room for the mangling.
Note that we don't support dynamic reallocation, instead the
caller is responsible for allocating the extra room via pktb_alloc
according to the maximum amount of bytes it needs for the mangling.
Since pkt_buff layout is not exposed, we can change this in the
future if we prefer dynamic reallocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>