This commit implements the --load-file option which allows processing
conntrack commands stored in a file. Most often this would be used as
a counterpart for the -o save option, which outputs conntrack entries
in the format of the conntrack tool options. This could be useful when
one needs to add/update/delete a large set of ct entries with a single
conntrack tool invocation. This patch introduces a ct_cmd_list, which
represents a list of ct_cmd elements.
Expected syntax is "conntrack --load-file file". If "-" is given as a
file name, stdin is used. No other commands or options are allowed to
be specified in conjunction with the --load-file command. It is however
possible to specify multiple --load-file file pairs.
Example:
Copy all entries from ct zone 11 to ct zone 12:
conntrack -L -w 11 -o save | sed "s/-w 11/-w 12/g" | \
conntrack --load-file -
Joint work with Pablo.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fix memleak in parser:
==8445== 3,808 bytes in 2 blocks are definitely lost in loss record 6 of 6
==8445== at 0x483577F: malloc (vg_replace_malloc.c:299)
==8445== by 0x112636: merge_options (conntrack.c:1056)
==8445== by 0x112636: do_parse (conntrack.c:2903)
==8445== by 0x11343E: ct_file_parse_line (conntrack.c:3672)
==8445== by 0x11343E: ct_parse_file (conntrack.c:3693)
==8445== by 0x10D819: main (conntrack.c:3750)
Fixes: 8f76d6360dbf ("conntrack: add struct ct_cmd")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Wrap code to display command stats in a function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Prepare for the batch support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass the command object to the nat, mark and IP address userspace
filters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass the command object to the userspace filter routine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass command object to initialize the userspace filter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass the command object to prepare for batch support.
Move the ct_cmd structure definition right to the top of the file,
otherwise compilation breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We are not interested in sysctl echoing the value it just set.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
This test case covers missing hashtable buckets and max entries configuration options. There should
be a value for them, otherwise the daemon segfaults.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Fall back to 65536 buckets and 262144 entries.
It would probably be good to add code to autoadjust by reading
/proc/sys/net/netfilter/nf_conntrack_buckets and
/proc/sys/net/nf_conntrack_max.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows for running the script away from the test infrastructure,
which is convenient when developing new tests. This also allows for
reusing the same netns setup from new tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
This patch introduces a new scenario with a virtual network layout that was previously designed by
Pablo (see commit 7f1fb5dad90f04caa94f4fcefd1340aeb2c2f0e3).
The scenario is called 'basic_2_peer_network_tcp_notrack' and can be used to test conntrack entry
replication in TCP/NOTRACK mode with both caches disabled. In this mode entry synchronization should
happen basically in the same instant the event is produced.
The testcase is very simple, but works really well:
* send 1 ping to a network peer across the router
* verify the conntrack entry has been replicated to the stand-by router
=== 8< ===
$ cd tests ; sudo ./conntrackd-tests.py --single tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: --- running test: tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: --- passed test: tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: ---
[conntrackd-tests.py] INFO: --- finished
[conntrackd-tests.py] INFO: --- passed tests: 1
[conntrackd-tests.py] INFO: --- failed tests: 0
[conntrackd-tests.py] INFO: --- scenario failure: 0
[conntrackd-tests.py] INFO: --- total tests: 1
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
framework
Introduce some initial basic testcases for configuration parsing and standard daemon startup and
shutdown routines.
This should give an example of how the framework works.
Here is an example of running this:
=== 8< ===
$ cd tests/conntrackd ; sudo ./conntrackd-tests.py
[conntrackd-tests.py] INFO: --- running test: stats_general
[conntrackd-tests.py] INFO: --- passed test: stats_general
[conntrackd-tests.py] INFO: --- running test: stats_network
[conntrackd-tests.py] INFO: --- passed test: stats_network
[conntrackd-tests.py] INFO: --- running test: stats_runtime
[conntrackd-tests.py] INFO: --- passed test: stats_runtime
[conntrackd-tests.py] INFO: --- running test: stats_process
[conntrackd-tests.py] INFO: --- passed test: stats_process
[conntrackd-tests.py] INFO: --- running test: stats_queue
[conntrackd-tests.py] INFO: --- passed test: stats_queue
[conntrackd-tests.py] INFO: --- running test: stats_ct
[conntrackd-tests.py] INFO: --- passed test: stats_ct
[conntrackd-tests.py] INFO: --- running test: stats_expect
[conntrackd-tests.py] INFO: --- passed test: stats_expect
[conntrackd-tests.py] INFO: ---
[conntrackd-tests.py] INFO: --- finished
[conntrackd-tests.py] INFO: --- passed tests: 7
[conntrackd-tests.py] INFO: --- failed tests: 0
[conntrackd-tests.py] INFO: --- scenario failure: 0
[conntrackd-tests.py] INFO: --- total tests: 7
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
This test suite should help us develop better tests for conntrack-tools in general and conntrackd
in particular.
The framework is composed of a runner script, written in python3, and 3 yaml files for
configuration and testcase definition:
- scenarios.yaml: contains information on network scenarios for tests to use
- tests.yaml: contains testcase definition
- env.yaml: contains default values for environment variables
The test cases can be anything, from a simple command to an external script call to perform more
complex operations. See follow-up patches to know more on how this works.
The plan is to replace or call from this framework the other testsuites in this tree.
The runner script is rather simple, and it should be more or less straightforward to use it.
On Debian machines, it requires the *python3-yaml* package to be installed as a dependency.
For reference, here are the script options:
=== 8< ===
$ tests/conntrackd/conntrackd-tests.py --help
usage: conntrackd-tests.py [-h] [--tests-file TESTS_FILE]
[--scenarios-file SCENARIOS_FILE]
[--env-file ENV_FILE]
[--single SINGLE]
[--start-scenario START_SCENARIO]
[--stop-scenario STOP_SCENARIO]
[--debug]
Utility to run tests for conntrack-tools
optional arguments:
-h, --help show this help message and exit
--tests-file TESTS_FILE
File with testcase definitions. Defaults to 'tests.yaml'
--scenarios-file SCENARIOS_FILE
File with configuration scenarios for tests. Defaults to 'scenarios.yaml'
--env-file ENV_FILE File with environment variables for scenarios/tests. Defaults to 'env.yaml'
--single SINGLE Execute a single testcase and exit. Use this for developing testcases
--start-scenario START_SCENARIO
Execute scenario start commands and exit. Use this for developing testcases
--stop-scenario STOP_SCENARIO
Execute scenario stop commands and exit. Use this for cleanup
--debug debug mode
=== 8< ===
To run it, simply use:
=== 8< ===
$ cd tests/conntrackd/ ; sudo ./conntrackd-tests.py
[..]
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
They are equivalent to 'on' and 'off' and make the config easier to understand.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Wrap the code to run the command around the do_command_ct() function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove the global template object, add it to struct ct_cmd. This patch
prepares for the batch support.
The global cur_tmpl pointer is used to access the template from the
callbacks and the exit_error() path.
Note that it should be possible to remove this global cur_tmpl pointer
by passing the new command object as parameter to the callbacks and
exit_error().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This new object stores the result of the command parser; this prepares
for batch support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a script that creates a ip netns testbed. The network
topology looks like this:
              veth0---veth0
         host nsr1         ns2
     veth0----veth0
   ns1          veth2
                  |
                veth0
                nsr2
* ns1 and ns2 are clients to generate traffic
* nsr1 and nsr2 run conntrackd to synchronize states
* nsr1 is the primary gateway
- veth2 is used to synchronize states
* nsr2 is the backup gateway
- veth0 is used to synchronize states
To set up the testbed:
% sudo ./conntrackd-netns-test.sh start
To test your testbed works, from ns2:
% sudo ip netns exec ns2 nc -l -p 8080
From ns1:
% sudo ip netns exec ns1 nc -vvv 10.0.1.2 8080
From nsr1:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr1.conf
cache internal:
current active connections: 1
[...]
cache external:
current active connections: 0
From nsr2:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr2.conf
cache internal:
current active connections: 0
[...]
cache external:
current active connections: 1
To stop it:
% sudo ./conntrackd-netns-test.sh stop
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
DESTROY events already include the portid. Add some /proc glue
to look up the portid.
Problem is that there is no direct mapping to a name.
Lookup steps are:
1. Obtain the portid inode from /proc/net/netlink.
If we can't even find that, no luck.
2. assume portid == pid and search
/proc/portid/fd/ for a socket with matching inode.
This is modeled on iproute2 ss tool.
If /proc/portid/fd/ comes up empty, entire process space
(/proc/*/fd) is searched for a matching inode.
As this is quite some work, cache the last portid result (including
'not found'), so that 'conntrack -F' generating 10000k events will do
this lookup only once.
The lookup won't work in case the deleting/flushing program has already
exited; in that case [USERSPACE] tag and portid are still included.
Example:
$ conntrack -E -o userspace
[DESTROY] tcp 6 src=192... dst=192... sport=4404 dport=22 ... [USERSPACE] portid=5146 progname=conntrack
Signed-off-by: Florian Westphal <fw@strlen.de>
In busy firewalls that run conntrackd in NOTRACK with both internal and
external caches disabled, external_inject can get lots of traffic. In
case of issues injecting or updating conntrack entries a log entry will
be generated, the infamous inject-addX, inject-updX messages.
But there is nothing end users can do about this error message, which is
purely internal. This patch is basically cosmetic, relaxing the message
from ERROR to WARNING. The information reported is also extended a bit.
The idea is to leave ERROR messages to issues that would *stop* or
*prevent* conntrackd from working at all.
Another nice thing to do in the future is to rate-limit this message,
which is generated in the data path and can easily fill log files. But
ideally, the actual root cause would be fixed, and there would be no
WARNING message reported at all, meaning that all conntrack entries are
smoothly synced between the firewalls in the cluster. We can work on
that later.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ignore the nano swap file.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit allows dumping conntrack entries in the format
used by the conntrack parameters, aka "save" output format.
This is useful for saving ct entry data to allow applying
it later on.
To enable the "save" output the "-o save" parameter needs
to be passed to the conntrack tool invocation.
[ pablo@netfilter.org: several updates to the original patch ]
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows users to flush IPv4 entries only through:
conntrack -F -f ipv4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows you to filter events through -f, e.g.
conntrack -E -f ipv4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2bcbae4c14b2 ("conntrack: -f family filter does not work") restored the
fallback to IPv4 if -f is not specified, which was the original
behaviour.
This patch modifies the default to use the unspec family if -f is not
specified for the following ct commands:
- list
- update
- delete
- get
(these two commands below do not support -f though, but in case this is
extended in the future to support it):
- flush
- event
The existing code that parses IPv4 and IPv6 addresses already infers the
family, which simplifies the introduction of this update.
The expect commands are not updated, they still require many mandatory
options for filtering.
This patch includes a few test updates too.
Based on patch from Mikhail Sennikovsky.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In some use cases, zone is used to differentiate different
conntrack state tables, so the zone should also be synchronized
if it is set.
Signed-off-by: Yi Yang <yangyi01@inspur.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Creating an icmp ct entry with a command like
conntrack -I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 \
-q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226
results in the nfct_query(NFCT_Q_CREATE) request failing
because the reply L4 proto is not set while reply data is specified.
Set the reply L4 proto when reply data is given for the icmp ct entry.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add test to cover icmp entry creation/deletion with conntrack
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
While at it, also allow to display up to 4 counters that are sent
by the kernel but that we do not know.
This is useful to list counters that a new kernel supports with
an older release of conntrack-tools.
Signed-off-by: Florian Westphal <fw@strlen.de>
A quick revamp on the conntrack-tools manual which is aging a bit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ip_conntrack sysctl entries are very old and available for backward
compatibility reasons.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (1) The mark in the command line is '10', not '1'.
> (2) The dport in the example is '993', not '3486' and not '34846'.
... text says "has been deleted"; but conntrack prints "have been deleted"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Extend testsuite with a few more tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the IPS_HW_OFFLOAD flag which specifies that
this conntrack entry has been offloaded into the hardware.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fix for the following warning:
In file included from rpc.c:29:
/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
| ^~~~~~~
Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(),
therefore rename the local version.
Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Referencing variables using @...@ means they will be replaced by
configure. This is not needed and may cause problems later.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
As reported in https://bugzilla.netfilter.org/show_bug.cgi?id=1378,
conntrackd refuses to start with a valid IPv6_Destination_Address,
reporting "inet_pton(): IPv6 unsupported" due to a forgotten handling of
err > 0 (i.e. success). This patch fixes the issue.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1378
Signed-off-by: Jan-Martin Raemer <raemer@zit-rlp.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In recent kernel versions, /proc/net/core/rmem_default is now
/proc/sys/net/core/rmem_default instead.
Refresh docs that mention this file.
Reported-by: Raphaël Bazaud <rbazaud@gmail.com>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Set an all zero mask when cidr /0 is specified.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This fixes a bug in the Address Accept filter case where if you only
specify either addresses or masks it would never match, e.g.
Filter From Userspace {
    Address Accept {
        IPv4_address 127.0.0.1
    }
}
or
Filter From Userspace {
    Address Accept {
        IPv4_address 0.0.0.0/0
    }
}
If lpm filter fails, fall back to hashtable lookup for exact matching.
If lpm filter succeeds, then depending on the policy, skip hashtable
lookup (in case policy is accept) or return mismatch (in case policy is
ignore).
Signed-off-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Kernel defines NFCTH_TUPLE_L4PROTONUM as of type NLA_U8. When adding a
helper, NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
nfct_helper_attr_set_u8(), though when deleting
nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
causes trouble only on Big Endian.
Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Code assumed host architecture to be Little Endian. Instead produce a
proper mask by pushing the set bits into most significant position and
apply htonl() on the result.
Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Wstringop-truncation warning was introduced in GCC-8 as truncation
checker for strncpy and strncat.
Systems using gcc version >= 8 would receive the following warnings:
read_config_yy.c: In function ‘yyparse’:
read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation]
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
main.c: In function ‘main’:
main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
168 | strncpy(config_file, argv[i], PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix the issue by checking the string length first and using
snprintf instead.
In addition, correct an off-by-one when warning about maximum config
file path length.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# conntrack -L -u OFFLOAD
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Service Location Protocol (SLP) uses multicast requests for DA (Directory
agent) and SA (Service agent) discovery. Replies to these requests are
unicast and their source address does not match destination address of the
request so that we need a conntrack helper. A kernel helper was submitted
back in 2013 but was rejected as userspace helper infrastructure is
preferred. This adds an SLP helper to conntrackd.
As the function of SLP helper is the same as what existing mDNS helper
does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c,
except for the default timeout and example usage. As with mDNS helper,
there is no NAT support for the time being as that would probably require
kernel side changes and certainly further study (and could possibly work
only for source NAT).
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When copying value of "Path" option for unix socket, target buffer size is
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
that the path is null terminated and bail out if user provided path is too
long rather than silently truncate it.
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>