| Commit message (Collapse) | Author | Age | Files | Lines |
Remember to subtract the TCP header length.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- Ensure all functions that return something have a \returns
- Demote more checksum functions to their own groups
(reduces number of functions on main pages)
- Clarify wording where appropriate
- Add \sa (see also) where appropriate
- Fix documented function name for nfq_tcp_get_hdr
(no other mismatches noticed, but there may be some)
- Add warnings regarding changing length of tcp packet
- Make group names unique within libnetfilter_queue
(else man pages would be overwritten)
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
All remaining instances of pkt refer to something other than a pkt_buff.
In the prototype for nfq_nlmsg_parse, pkt is changed to attr.
Inconsistent whitespace in headers has been left for another day.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
- Change items of the form #<word> to "\b <word>".
(#<word> is rather obscurely documented to be a reference to a documented
entity)
- Re-work text wrapping in above change to keep lines within 80cc
- Add 2 missing \param directives
12 warnings fixed
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- Update prototype
- Update doxygen documentation
- Update declaration
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- Fix calculation of header length
- Upgrade calculation of payload length: Allow for extra headers before
the UDP header.
- Delete "sum += ... s6_addr16[i] >> 16" lines, since uint16_t >> 16 == 0
- Use upgraded payload length in pseudo-header
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- Make it clear that packet buffer is the user-space one
- Use \returns for all return values
- Make function names in doc agree with prototypes
- Make number and names of params in doc agree with prototypes
- Divide functions into a hierarchy:
top-level: Functions all programs that modify data will use
(nfq_udp_snprintf is optional)
2nd-level: Rarely-used (except internally) functions
- Add see-also snprintf
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remember to subtract the UDP header length.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Updated:
src/nlmsg.c - Document NF_DROP, NF_ACCEPT, NF_STOP, NF_REPEAT and
NF_QUEUE_NR(new_queue).
- Make line number of examples/nf-queue.c into a hyperlink.
- Add hint that "cb" in function names is short for "callback".
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Updated:
src/nlmsg.c: Update nfq_nlmsg_verdict_put_pkt() sample code to use pktb_len()
as recommended in src/extra/pktbuff.c, pktb_len() doco
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Divide functions into a hierarchy:
top-level: Functions all programs that modify data will use
2nd-level: Rarely-used functions
3rd-level: Functions not to use (should have been declared static)
Only the top-level functions appear on the "User-space network packet buffer"
page, which looks a lot less daunting than it used to.
Parameter descriptions all match prototypes
All non-void functions have a "Returns" paragraph
Code change:
pktb_alloc: set errno to EPROTONOSUPPORT before doing error return because
protocol is not supported
Detailed other updates (top-level)
pktb_alloc: - Add "Errors" para
- Add "See also" para
pktb_data, pktb_len: Add "appropriate use" line
pktb_mangle: Add warning to use a different function unless mangling MAC header
pktb_mangled: Add usage hint line
Detailed other updates (2nd-level)
pktb_mac_header: Point out only for AF_BRIDGE
pktb_tailroom: Point out no dynamic expansion
pktb_transport_header: Add note that programmer must code to set this
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Updated:
src/extra/ipv6.c: Only test the first 4 bits of the putative IPv6 header to be
6, since all the other bits are up for grabs.
(I have seen nonzero Flow Control on the local interface and
RFC2474 & RFC3168 document Traffic Class use).
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
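Added example, written for this page and not taken from libnetfilter_queue's src/extra/ipv6.c: a walk from the fixed IPv6 header to the transport header that applies the version test described in this commit (only the top nibble has to be 6; Traffic Class and Flow Label may be anything) and allows for extension headers before the UDP header, which the ipv6.c checksum fix earlier in this log also had to account for. The length it returns counts from the start of the L4 header, so for UDP the payload length is that value minus the 8-byte UDP header. The packet bytes are constructed test data, and IPV6_HDRLEN, ipv6_find_transport() and the example_* helpers are names invented here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, ... */

#define IPV6_HDRLEN 40

/* Walk from the fixed IPv6 header through any extension headers to the
 * transport header. Returns 0 and sets *proto (L4 protocol), *l4off (offset
 * of the L4 header) and *l4len (bytes from the L4 header to the end of the
 * IPv6 payload, i.e. the length for the checksum pseudo-header), or -1 for
 * malformed input. */
int ipv6_find_transport(const uint8_t *pkt, size_t len,
                        uint8_t *proto, size_t *l4off, size_t *l4len)
{
    size_t off, end;
    uint8_t nh;

    if (len < IPV6_HDRLEN)
        return -1;
    /* Only the 4-bit version is fixed. Traffic Class and Flow Label are
     * legitimately non-zero on real traffic, so comparing the whole first
     * word against 0x60000000 rejects valid packets. */
    if ((pkt[0] >> 4) != 6)
        return -1;
    end = IPV6_HDRLEN + ((size_t)pkt[4] << 8 | pkt[5]);   /* Payload Length */
    if (end > len)
        return -1;                                         /* truncated */
    nh = pkt[6];
    off = IPV6_HDRLEN;
    for (;;) {
        size_t hlen;
        switch (nh) {
        case IPPROTO_HOPOPTS:
        case IPPROTO_ROUTING:
        case IPPROTO_DSTOPTS:
            if (off + 2 > end)
                return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* Hdr Ext Len: 8-octet units, first 8 excluded */
            break;
        case IPPROTO_FRAGMENT:
            hlen = 8;
            break;
        case IPPROTO_AH:
            if (off + 2 > end)
                return -1;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;   /* AH Payload Len: 4-octet units minus 2 */
            break;
        default:                                     /* TCP, UDP, ICMPv6, ESP, ... */
            *proto = nh;
            *l4off = off;
            *l4len = end - off;
            return 0;
        }
        if (off + hlen > end)
            return -1;
        nh = pkt[off];   /* Next Header is the first octet of every extension header */
        off += hlen;
    }
}

/* Constructed packet (not captured traffic): non-zero traffic class and flow
 * label, one hop-by-hop options header, then a 13-byte UDP datagram. */
static const uint8_t ex_pkt[] = {
    0x6a, 0x12, 0x34, 0x56,                 /* version 6, TC 0xa1, flow label 0x23456 */
    0x00, 0x15, 0x00, 0x40,                 /* payload len 21, next hdr 0 (hop-by-hop), hop limit 64 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,   /* src fe80::1 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02,   /* dst fe80::2 */
    0x11, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00,            /* hop-by-hop: next=UDP, 8 bytes, PadN */
    0x04, 0xd2, 0x00, 0x35, 0x00, 0x0d, 0x00, 0x00,            /* UDP 1234 -> 53, length 13, csum 0 */
    'h', 'e', 'l', 'l', 'o'
};

/* 1 if the walk over ex_pkt yields the expected protocol, offset and length. */
int example_check(uint8_t want_proto, size_t want_off, size_t want_len)
{
    uint8_t proto;
    size_t off, len;
    if (ipv6_find_transport(ex_pkt, sizeof ex_pkt, &proto, &off, &len) != 0)
        return 0;
    return proto == want_proto && off == want_off && len == want_len;
}

/* 1 if a header whose version nibble is 4 is rejected. */
int example_rejects_ipv4(void)
{
    uint8_t v4[IPV6_HDRLEN] = { 0x45 };
    uint8_t proto;
    size_t off, len;
    return ipv6_find_transport(v4, sizeof v4, &proto, &off, &len) == -1;
}

/* 1 if a buffer shorter than its Payload Length claims is rejected. */
int example_rejects_truncated(void)
{
    uint8_t proto;
    size_t off, len;
    return ipv6_find_transport(ex_pkt, sizeof ex_pkt - 1, &proto, &off, &len) == -1;
}

int main(void)
{
    printf("UDP at 48, 13 bytes: %d; rejects v4: %d; rejects short: %d\n",
           example_check(IPPROTO_UDP, 48, 13), example_rejects_ipv4(),
           example_rejects_truncated());
    return 0;
}
```

The walk stops at ESP (it cannot be traversed without the SA) and at anything it does not recognise, so the caller still has to check that *proto is the transport it expects before touching the header.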
Updated:
src/extra/pktbuff.c: If pktb was created in family AF_BRIDGE, then pktb->len
will include the bytes in the network header.
So set the IPv4 length to "tail - network_header"
rather than len
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
At least on the local interface, the MAC header of an IPv6 packet specifies
IPv6 protocol (rather than IP). This surprised me, since the first octet of
the IP datagram is the IP version, but I guess it's an efficiency thing.
Without this patch, pktb_alloc() returns NULL when an IPv6 packet is
encountered.
Updated:
src/extra/pktbuff.c: - Treat ETH_P_IPV6 the same as ETH_P_IP.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Without this patch, AF_INET6 pktb_alloc() creates a pktb with NULL
network_header. But in src/extra/ipv6.c, nfq_ip6_get_hdr() assumes that
pktb->network_header is valid.
Updated:
src/extra/pktbuff.c: Treat AF_INET6 the same as AF_INET.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
skb->tail is used in many places, so it's important to keep it up to date.
Updated:
src/extra/pktbuff.c: Fix pktb_trim()
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Updated:
src/extra/ipv4.c: - Rename pkt formal arg of nfq_ip_mangle to pktb
(to match all other struct pkt_buff args)
- Make it clear that packet buffer is the user-space one
- Sentence-case all parameter descriptions
- Fix \param 3 of nfq_pkt_snprintf_ip to match prototype
- Revised description of nfq_pkt_snprintf_ip for English
usage, but left the "strange behaviour" bit at the end.
(I know kernel developers hate snprintf: the purpose of the
return code was not a blanket buffer overrun check but
rather an amount to subtract from the size argument to the
next snprintf call.
It was therefore a bit of a screw-up to have snprintf take
an unsigned size_t argument so the -ve size looks like a
huge +ve one and snprintf keeps writing :(
The programmer needs to use a signed type for size and
explicitly test it for still being +ve before every
snprintf call; with ssize_t, snprintf could have done
nothing and returned zero with a -ve size so the
programmer only needs to check right at the end.
Ah well...)
src/extra/ipv6.c: - Use \returns for all return values
- Fix \param 3 of nfq_ip6_snprintf to match prototype
- Sentence-case all parameter descriptions
- Change IPv4 to IPv6 in a comment
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
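Added example for the snprintf() size-chaining problem discussed in the parenthesis above (this is not libnetfilter_queue code and not the nfq_pkt_snprintf_ip() implementation; it was written for this page). It shows the unsigned wrap-around that turns a truncating call into a buffer overrun, and a small accumulator that clamps the remaining size to zero so the caller can check for truncation once at the end. buf_appendf(), describe_flow(), buggy_remaining() and the flow text are names and data invented here.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The pattern the commit message warns about: after a truncating call,
 * snprintf() returns the length it *wanted* to write, so "remaining -= ret"
 * on an unsigned size wraps to a huge value and the next snprintf() is
 * permitted to run off the end of the buffer. Shown as arithmetic only. */
size_t buggy_remaining(size_t remaining, int ret)
{
    return remaining - (size_t)ret;   /* 8 - 10 == SIZE_MAX - 1, not "negative" */
}

/* Safe accumulator: *off is the logical length and keeps growing past size
 * (so the caller learns how much room was needed), but the size handed to
 * vsnprintf() is clamped to 0 once the buffer is full, so nothing is ever
 * written beyond buf[size). Returns 0 if the text fit, -1 if truncated.
 * With size >= 1 the buffer is always NUL-terminated. */
int buf_appendf(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    size_t room = *off < size ? size - *off : 0;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(room ? buf + *off : NULL, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    *off += (size_t)n;
    return *off < size ? 0 : -1;
}

/* Describe a constructed flow in three appends and check for truncation once
 * at the end. Returns the logical length (34 for this text). */
size_t describe_flow(char *buf, size_t size, int *truncated)
{
    size_t off = 0;
    int rc = 0;

    rc |= buf_appendf(buf, size, &off, "src=%s", "10.0.0.1");
    rc |= buf_appendf(buf, size, &off, " dst=%s", "10.0.0.2");
    rc |= buf_appendf(buf, size, &off, " proto=%u", 17u);
    *truncated = rc != 0;
    return off;
}

/* 1 if a bufsize-byte buffer ends up holding `want` with the expected
 * truncation flag and the logical length is still the full 34 characters. */
int example_check(size_t bufsize, const char *want, int want_trunc)
{
    char buf[64];
    int trunc;
    size_t need;

    if (bufsize == 0 || bufsize > sizeof buf)
        return 0;
    need = describe_flow(buf, bufsize, &trunc);
    return need == 34 && trunc == want_trunc && strcmp(buf, want) == 0;
}

int main(void)
{
    char buf[16];
    int trunc;
    size_t need = describe_flow(buf, sizeof buf, &trunc);

    printf("\"%s\" (needed %zu bytes, truncated=%d)\n", buf, need + 1, trunc);
    printf("buggy remaining after 8 - 10: %zu\n", buggy_remaining(8, 10));
    return 0;
}
```

The clamp is the whole point: once `*off` passes `size`, every later call gets `room == 0` and a NULL destination, which vsnprintf() accepts, so the chain can continue without overwriting anything.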
Updated:
src/libnetfilter_queue.c: - ip_queue withdrawn in kernel 3.5
- Update some URLs
- libmnl is a dependency
- Multiword section headers need a tag
- Re-work cinematic to refer to nft
- Some native English speaker updates
(e.g. enqueue *is* a word)
- Prefer nf-queue.c over deprecated doxygen doco
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The extra spaces had no effect on how the file looked (except cat -A).
This patch reduces the file size by a few bytes, but the main motivation was
that my editor makes this change automatically.
Updated:
src/libnetfilter_queue.c: Leading whitespace is canonically tabbed
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This completes the "Verdict helpers" module.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
On big endian arches UDP/TCP checksum is incorrectly computed when
payload length is odd.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The documentation generally uses OSI layer numbering, where TCP (i.e. Transport)
is layer 4 so that IP is layer 3.
Bring pktb_mangle documentation into line with this.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Clang (but not gcc) warned about this. Gcc (but not clang) used to warn that
nfq_set_verdict_mark is deprecated, but this has stopped since re-defining
EXPORT_SYMBOL.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Modify the definition and use of EXPORT_SYMBOL as was done for libmnl in
commit 444d6dc9.
Additionally, avoid generating long (>80ch) lines when inserting
EXPORT_SYMBOL.
Finally, re-align multi-line parameter blocks with opening parenthesis.
[ I have mangled the original patch to not split the function definition and
its return value. --pablo ]
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(These updates only cover functions used in a recent project)
src/extra/ipv4.c: - nfq_ip_set_transport_header(): Add explanatory notes
- nfq_ip_mangle()
- Advise that there is a return code
- Note that IPv4 length is updated as well as checksum
src/extra/pktbuff.c: - pktb_alloc(): Minor rewording (English usage)
- pktb_mangle(): Document
src/extra/udp.c: - nfq_udp_get_hdr(): Fix params
- nfq_udp_get_payload(): Fix params
- nfq_udp_get_payload_len(): Fix params
- nfq_udp_mangle_ipv4(): Rewrite documentation
src/nlmsg.c: - nfq_nlmsg_verdict_put(): Document
- nfq_nlmsg_cfg_put_cmd():
- Change name (was: nfq_nlmsg_cfg_build_request)
- Fix params
- Delete function return documentation (void fn)
- nfq_nlmsg_cfg_put_params(); Document (params only)
- nfq_nlmsg_cfg_put_qmaxlen(): Document (params only)
- nfq_nlmsg_parse:
- Change name (was: nfq_pkt_parse)
- Fix params
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
One would expect nfq_udp_mangle_ipv4() to take care of the length field
in the UDP header but it did not. With this patch, it does. This patch
is very unlikely to adversely affect any existing userspace software
(that did its own length adjustment), because UDP checksumming was
broken.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The level 4 protocol is part of the UDP and TCP calculations.
nfq_checksum_tcpudp_ipv4() was using IPPROTO_TCP in this calculation,
which gave the wrong answer for UDP.
Based on patch from Alin Nastac, and patch description from Duncan Roe.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
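Added example serving this commit and the "odd payload length on big-endian" fix earlier in this log. It is an independent implementation written for this page, not the library's nfq_checksum_tcpudp_ipv4(): a byte-wise one's-complement sum that pads an odd trailing byte the same way on every host, and an IPv4 pseudo-header that takes the real L4 protocol number, so the same routine serves TCP and UDP. The 13-byte UDP datagram and the 10.0.0.x addresses are constructed test data; the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP */

/* One's-complement sum of buf[0..len), reading each 16-bit word byte-wise
 * in network order so the arithmetic is identical on big- and little-endian
 * hosts. An odd trailing byte is padded with zero on the right (RFC 1071);
 * loading it as a host-order uint16_t is what goes wrong on big-endian. */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)buf[i] << 8 | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP/UDP checksum over the IPv4 pseudo-header plus the L4 segment. The
 * result is in network bit order: store it high byte first (UDP: l4[6..7],
 * TCP: l4[16..17]). The pseudo-header carries the protocol number, so
 * passing IPPROTO_TCP for a UDP datagram yields a checksum peers reject. */
uint16_t tcpudp_csum_ipv4(const uint8_t saddr[4], const uint8_t daddr[4],
                          uint8_t proto, const uint8_t *l4, size_t l4len)
{
    uint8_t pseudo[12];
    uint32_t sum;

    memcpy(pseudo, saddr, 4);
    memcpy(pseudo + 4, daddr, 4);
    pseudo[8] = 0;
    pseudo[9] = proto;
    pseudo[10] = (uint8_t)(l4len >> 8);
    pseudo[11] = (uint8_t)l4len;
    sum = csum_partial(pseudo, sizeof pseudo, 0);
    sum = csum_partial(l4, l4len, sum);
    return csum_fold(sum);
}

/* Constructed vector (not captured traffic): 10.0.0.1:1234 -> 10.0.0.2:53,
 * payload "hello", so the datagram is 13 bytes, an odd length. */
static const uint8_t ex_src[4] = { 10, 0, 0, 1 };
static const uint8_t ex_dst[4] = { 10, 0, 0, 2 };
static const uint8_t ex_udp[13] = {
    0x04, 0xd2, 0x00, 0x35, 0x00, 0x0d, 0x00, 0x00,   /* sport, dport, length, csum=0 */
    'h', 'e', 'l', 'l', 'o'
};

/* Checksum of the vector with the given protocol in the pseudo-header. */
uint16_t example_udp_csum(uint8_t proto)
{
    return tcpudp_csum_ipv4(ex_src, ex_dst, proto, ex_udp, sizeof ex_udp);
}

/* Store the checksum in a copy of the datagram and verify it: a segment
 * carrying its correct checksum sums to all ones, so the fold gives 0. */
int example_udp_csum_roundtrip(void)
{
    uint8_t dg[sizeof ex_udp];
    uint16_t c;

    memcpy(dg, ex_udp, sizeof dg);
    c = tcpudp_csum_ipv4(ex_src, ex_dst, IPPROTO_UDP, dg, sizeof dg);
    if (c == 0)
        c = 0xffff;               /* RFC 768: a computed zero is sent as all ones */
    dg[6] = (uint8_t)(c >> 8);
    dg[7] = (uint8_t)c;
    return tcpudp_csum_ipv4(ex_src, ex_dst, IPPROTO_UDP, dg, sizeof dg) == 0;
}

int main(void)
{
    printf("UDP csum 0x%04x, with IPPROTO_TCP by mistake 0x%04x, verify=%d\n",
           example_udp_csum(IPPROTO_UDP), example_udp_csum(IPPROTO_TCP),
           example_udp_csum_roundtrip());
    return 0;
}
```

Hand-summing the vector (pseudo-header 0x1421, UDP header 0x0514, "hello" with the odd 'o' padded as 0x6f00 giving 0x143d1) folds to 0x5d07, so the stored checksum is 0xa2f8; swapping the protocol number for 6 shifts the sum by 11 and gives 0xa303.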
Add information about retrieving UID/GID/SECCTX fields
Signed-off-by: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Old APIs still remain, so just increase current and age.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
This reverts commit 58cb0668dc15c78cd3af9eeaedf29386e86ecac1.
Prepare a new patch to keep this update consistent with libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
clang ignores the visibility attribute if it's not defined before the
definition. As a result these symbols become hidden and consumers of
this library fail to link due to these missing symbols.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Victor Julien <victor@inliniac.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
nfq_open_nfnl uses an intermediate static object, so when it is invoked
by distinct threads at the same time there is a small chance that some
threads end up with another thread's nfq_handle pointer stored in ->data.
The result is that the affected queue will be stuck because the thread
that was supposed to service it is handling another/wrong queue instead.
Tested-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds validation of four (actually two) attributes by
comparing against the current kernel header.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit adds security context information structures
and functions.
This will allow userspace to find the security context of each
packet (if it exists) and make decisions based on that.
It should work for SELinux and SMACK.
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The source uses Linux names for members of tcphdr. For example
"source" instead of "th_sport", ... musl libc's headers need
_GNU_SOURCE defined in order to expose these.
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Similar to 7335cbe ("extra: fix wrong implementation in
nfq_udp_get_payload").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The result of inet_ntoa() will be overwritten by the next call to
inet_ntoa(), so using it twice in the same snprintf() call causes a
wrong result.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
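Added example of the static-buffer problem this commit fixes, written for this page rather than taken from libnetfilter_queue: the broken formatter beside one that uses inet_ntop() with caller-owned storage. Both calls to inet_ntoa() complete before snprintf() reads either string, so the buggy version prints whichever address was converted last on both sides. fmt_flow_buggy(), fmt_flow() and the 10.0.0.x addresses are names and data invented here.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Buggy: inet_ntoa() returns a pointer to one static buffer, so both
 * arguments point at the same bytes by the time snprintf() formats them.
 * Kept here to show the symptom; do not copy it. */
int fmt_flow_buggy(char *out, size_t n, struct in_addr src, struct in_addr dst)
{
    return snprintf(out, n, "%s -> %s", inet_ntoa(src), inet_ntoa(dst));
}

/* Fixed: inet_ntop() writes into storage the caller owns, so the two
 * conversions cannot clobber each other, and it is thread-safe. */
int fmt_flow(char *out, size_t n, struct in_addr src, struct in_addr dst)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];

    if (!inet_ntop(AF_INET, &src, s, sizeof s) ||
        !inet_ntop(AF_INET, &dst, d, sizeof d))
        return -1;
    return snprintf(out, n, "%s -> %s", s, d);
}

/* Constructed addresses for the demonstration. */
static void ex_addrs(struct in_addr *src, struct in_addr *dst)
{
    inet_pton(AF_INET, "10.0.0.1", src);
    inet_pton(AF_INET, "10.0.0.2", dst);
}

/* 1 if the fixed formatter produces "10.0.0.1 -> 10.0.0.2". */
int example_fixed_ok(void)
{
    struct in_addr s, d;
    char out[64];

    ex_addrs(&s, &d);
    return fmt_flow(out, sizeof out, s, d) > 0 &&
           strcmp(out, "10.0.0.1 -> 10.0.0.2") == 0;
}

/* 1 if the buggy formatter printed the same address on both sides of the
 * arrow, which is the symptom the commit describes. */
int example_buggy_repeats_address(void)
{
    struct in_addr s, d;
    char out[64], *arrow;
    size_t left;

    ex_addrs(&s, &d);
    if (fmt_flow_buggy(out, sizeof out, s, d) <= 0)
        return 0;
    arrow = strstr(out, " -> ");
    if (!arrow)
        return 0;
    left = (size_t)(arrow - out);
    return strlen(arrow + 4) == left && strncmp(out, arrow + 4, left) == 0;
}

int main(void)
{
    struct in_addr s, d;
    char out[64];

    ex_addrs(&s, &d);
    fmt_flow_buggy(out, sizeof out, s, d);
    printf("buggy: %s\n", out);
    fmt_flow(out, sizeof out, s, d);
    printf("fixed: %s\n", out);
    return 0;
}
```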
There is confusion on what this command actually does and why
examples commonly PF_UNBIND at startup.
Since these are obsolete, document that it's not needed starting
with Linux 3.8.
Signed-off-by: Florian Westphal <fw@strlen.de>
With this patch libnetfilter_queue is able to parse UID/GID
socket information.
Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>