Commit log (each entry: commit title, then author, date, files changed and lines removed/added in parentheses, followed by the commit message)
* conntrack: use same modifier socket for bulk ops (Mikhail Sennikovsky, 2022-06-20, 1 file, -6/+21)
  For bulk ct entry loads (with -R option) reusing the same mnl modifier socket for all entries results in reduction of entries creation time, which becomes especially significant when loading tens of thousands of entries.
  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: build: always add ports to sync message (Pablo Neira Ayuso, 2022-06-20, 1 file, -6/+9)
  Ports are used to uniquely identify the flow, so this information must be included unconditionally in the sync message.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: unbreak event mode (Florian Westphal, 2022-05-16, 1 file, -1/+1)
  read() occurs from the wrong socket so 'conntrack -E' hangs without reporting any events.
  Fixes: 5ec684be0854 ("conntrack: consolidate socket open call")
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: remove -o userspace (Florian Westphal, 2022-05-16, 2 files, -5/+4)
  This flag makes life a lot harder because lack of the flag hides very useful information. Remove it and always tag events triggered by userspace flush. The option is still parsed for backwards compatibility's sake.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: consolidate socket open call (Pablo Neira Ayuso, 2022-05-02, 1 file, -48/+17)
  Create netlink socket once and reuse it, rather than open + close it over and over again.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix for memleak when parsing -j arg (Phil Sutter, 2022-03-28, 1 file, -0/+2)
  Have to free the strings allocated by split_address_and_port().
  Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop pointless assignments (Phil Sutter, 2022-03-28, 2 files, -2/+1)
  These variables are not referred to after assigning within their scope (or until they're overwritten).
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Don't call exit() from signal handler (Phil Sutter, 2022-03-28, 1 file, -1/+1)
  Coverity tool complains that exit() is not signal-safe and therefore should not be called from within a signal handler. Call _exit() instead.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* read_config_yy: Drop extra argument from dlog() call (Phil Sutter, 2022-03-28, 1 file, -1/+1)
  False priority value was never printed.
  Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* helpers: ftp: Avoid ugly casts (Phil Sutter, 2022-03-28, 1 file, -11/+9)
  Coverity tool complains about accessing a local variable at non-zero offset. Avoid this by using a helper union. This should silence the checker, although the code is still probably not Big Endian-safe.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Fix potential buffer overrun in snprintf() calls (Phil Sutter, 2022-03-28, 2 files, -3/+3)
  When consecutively printing into the same buffer at increasing offset, reduce buffer size passed to snprintf() to not defeat its size checking.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* cache: Fix features array allocation (Phil Sutter, 2022-03-28, 1 file, -2/+2)
  struct cache::features is of type struct cache_feature **, allocate and populate accordingly.
  Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* hash: Flush tables when destroying (Phil Sutter, 2022-03-28, 1 file, -0/+1)
  This is cosmetics only, but stops valgrind from complaining about definitely lost memory.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nfct: remove lazy binding (Pablo Neira Ayuso, 2022-03-09, 16 files, -47/+246)
  Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when daemon starts"), userspace conntrack helpers do not depend on a previous invocation of nfct to set up the userspace helpers.
  Move helper definitions to nfct-extensions/helper.c since existing deployments might still invoke nfct, even if not required anymore.
  This patch was motivated by the removal of the lazy binding. Phil Sutter says:
  "For security purposes, distributions might want to pass -Wl,-z,now linker flags to all builds, thereby disabling lazy binding globally. In the past, nfct relied upon lazy binding: It uses the helper objects' parsing functions but doesn't provide all symbols the objects use."
  Acked-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for flushing conntrack table (Mikhail Sennikovsky, 2022-03-08, 1 file, -5/+8)
  Use libmnl and libnetfilter_conntrack mnl helpers to flush the conntrack table entries.
  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for ct entries deletion (Mikhail Sennikovsky, 2022-03-08, 1 file, -19/+28)
  Use libmnl and libnetfilter_conntrack mnl helpers to delete the conntrack table entries.
  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for updating conntrack table (Mikhail Sennikovsky, 2022-03-08, 1 file, -43/+61)
  Use libmnl and libnetfilter_conntrack mnl helpers to update the conntrack table entries.
  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add nfct_mnl_request() (Pablo Neira Ayuso, 2022-03-08, 1 file, -28/+17)
  Provide a helper function to build and send the netlink request; this allows nfct_mnl_get() and nfct_mnl_create() to be consolidated.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: rename nfct_mnl_recv() to __nfct_mnl_dump() (Pablo Neira Ayuso, 2022-03-08, 1 file, -3/+3)
  nfct_mnl_recv() is misleading: this helper function allows you to perform a netlink dump, so rename it.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix compiler warnings (Florian Westphal, 2022-01-17, 2 files, -6/+6)
  .... those do not indicate bugs, but they are distracting.

  'exp_filter_add' at filter.c:513:2: __builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]

  This warning is because the size argument passed to strncpy() is identical to buffer size, i.e. if hit the resulting string is not 0-terminated.

  read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
  1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
  read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
  1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
  read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
  707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
  read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
  179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
  read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
  124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);

  ... it's because the _MAXLEN constants are one less than the output buffer size, i.e. could use either .._MAXLEN + 1 or sizeof; this uses sizeof().
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrackd: cthelper: ssdp: Fix parsing of IPv6 M-SEARCH requests. (Aaron Thompson, 2022-01-09, 1 file, -6/+2)
  Use the already correctly determined transport header offset instead of assuming that the packet is IPv4.
  Signed-off-by: Aaron Thompson <dev@aaront.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: pass sock to nfct_mnl_*() functions (Mikhail Sennikovsky, 2021-12-24, 1 file, -53/+62)
  In preparation for using multiple instances of mnl sockets required for conntrack entries update and delete support.
  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl to create entry (Pablo Neira Ayuso, 2021-12-24, 1 file, -6/+26)
  Use libmnl to create entries through the new nfct_mnl_create() helper function.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add netlink flags to nfct_mnl_nlmsghdr_put() (Pablo Neira Ayuso, 2021-12-24, 1 file, -4/+4)
  Moreover, remove NLM_F_DUMP for IPCTNL_MSG_CT_GET_STATS since ctnetlink ignores this flag; this is a simple netlink get command, not a dump.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add nfct_mnl_talk() and nfct_mnl_recv() helper functions (Pablo Neira Ayuso, 2021-12-24, 1 file, -20/+34)
  Add helper function to consolidate nfct_mnl_dump() and nfct_mnl_get().
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: replace `AM_PROG_LEX` with `AC_PROG_LEX` (Jeremy Sowden, 2021-12-17, 1 file, -1/+1)
  `AM_PROG_LEX` calls `AC_PROG_LEX` with no arguments, but this usage is deprecated. The only difference between `AM_PROG_LEX` and `AC_PROG_LEX` is that the former defines `$LEX` as "./build-aux/missing lex" if no lex is found to ensure a useful error is reported when make is run. However, the configure script checks that we have a working lex and exits with an error if none is available, so `$LEX` will never be called and we can replace `AM_PROG_LEX` with `AC_PROG_LEX`.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove MAINTAINERCLEANFILES (Jeremy Sowden, 2021-12-17, 1 file, -1/+0)
  automake generates rules to remove the files generated by bison and flex by default, so there is no need to add them explicitly to MAINTAINERCLEANFILES.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: only require bison and flex if the generated files do not exist (Jeremy Sowden, 2021-12-17, 1 file, -2/+2)
  automake recommends including the files generated by bison and flex in distribution tar-balls and runs bison and flex during `make dist` to generate them. Thus, in the normal case where the software is being compiled by an end-user, the generated files already exist and bison and flex are not required. Therefore, amend the configure script only to require them if the generated files do not exist.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for listing conntrack table (Pablo Neira Ayuso, 2021-11-14, 1 file, -20/+16)
  Use libmnl and libnetfilter_conntrack mnl helpers to dump the conntrack table entries.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: enhance mnl_nfct_dump_cb() (Pablo Neira Ayuso, 2021-11-14, 1 file, -12/+39)
  Add missing features in dump_cb() to mnl_nfct_dump_cb().
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: pass filter_dump object to nfct_mnl_dump() (Pablo Neira Ayuso, 2021-11-14, 1 file, -5/+10)
  In preparation for kernel filtering support for nfct_mnl_dump().
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: do not include conntrack ID in hashtable cmp (Pablo Neira Ayuso, 2021-11-08, 1 file, -10/+1)
  Depending on your conntrackd configuration, events might get lost, leaving stuck entries in the cache forever. Skip checking the conntrack ID to allow for lazy cleanup when a new entry that is represented by the same tuple is added.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack.8: minor copy edit (Štěpán Němec, 2021-09-28, 1 file, -12/+11)
  Signed-off-by: Štěpán Němec <snemec@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix dependency-tracking of yacc-generated header (Jeremy Sowden, 2021-09-27, 1 file, -0/+1)
  List it as a built source in order to force make to create it before compilation. Otherwise, a parallel make can end up attempting to compile the output of lex before yacc has finished generating its own output:

  $ make -j17
  [...]
    YACC     read_config_yy.c
    LEX      read_config_lex.c
    CC       stack.o
    CC       resync.o
    CC       cthelper.o
    CC       helpers.o
    CC       utils.o
    CC       expect.o
    CC       systemd.o
    CC       nfct.o
    CC       nfct-extensions/helper.o
    CC       nfct-extensions/timeout.o
    CC       read_config_lex.o
  read_config_lex.l:25:10: fatal error: read_config_yy.h: No such file or directory
     25 | #include "read_config_yy.h"
        |          ^~~~~~~~~~~~~~~~~~
  compilation terminated.
  make[2]: *** [Makefile:701: read_config_lex.o] Error 1
  make[2]: *** Waiting for unfinished jobs....
  updating read_config_yy.h
  make[2]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
  make[1]: *** [Makefile:743: all-recursive] Error 1
  make[1]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
  make: *** [Makefile:541: all-recursive] Error 1

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: clean yacc- and lex-generated files with maintainer-clean (Jeremy Sowden, 2021-09-27, 1 file, -1/+1)
  Automake expects to distribute yacc- and lex-generated sources, so that the user doesn't need to regenerate them. Therefore, the appropriate target to clean them is `maintainer-clean`.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove yacc-generated header from EXTRA_DIST (Jeremy Sowden, 2021-09-27, 1 file, -2/+0)
  Automake generates yacc and lex output files and includes them in distributions as a matter of course.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT` (Jeremy Sowden, 2021-09-27, 1 file, -2/+1)
  `AM_PROG_LIBTOOL` is superseded by `LT_INIT`, which also accepts options to control the defaults for creating shared or static libraries.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: quote AC_INIT arguments (Jeremy Sowden, 2021-09-27, 1 file, -1/+1)
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove commented-out macros from configure.ac (Jeremy Sowden, 2021-09-27, 1 file, -25/+0)
  This code has been commented out since at least 2007.
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add cluster match script (Pablo Neira Ayuso, 2021-09-21, 2 files, -0/+441)
  This patch adds a script (from 2010!) to set up an active-active setup with the cluster match.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: conntrackd: add #include <linux/netfilter/nfnetlink_queue.h> (Pablo Neira Ayuso, 2021-09-20, 9 files, -0/+9)
  This fixes this warning:
  #warning "libnetfilter_queue/linux_nfnetlink_queue.h is deprecated, add #include <linux/netfilter/nfnetlink_queue.h> to your source code before #include <libnetfilter_queue/libnetfilter_queue.h>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cache: fix zone entry uniqueness in external cache (Adam Casella, 2021-09-20, 1 file, -4/+6)
  In some use-cases, zone is used to differentiate conntrack state. This preserves that uniqueness by adding zone into the cache in addition to 5-tuple data. This preserves external-cache uniqueness per zone when synced.
  Fixes: a08af5d26297 ("conntrack: fix zone sync issue")
  Signed-off-by: Adam Casella <adam.casella1984@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for chaintoolong stat counter (Florian Westphal, 2021-09-08, 1 file, -3/+4)
  While at it, also fix up commit 5ec55c2a0a264 ("conntrack: add support for CLASH_RESOLVED counter"). The intention was to also print unknown statistic counters provided the attributes are of type u32, but mnl_attr_type_valid() needs the correct max-attr number for this to work.
  With this fix in place, conntrack -S shows:
  cpu=3 found=0 inv[..] clash_resolve=0 unknown1=8200
  on a modified kernel.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/conntrack: script for stress-testing ct load (Mikhail Sennikovsky, 2021-09-06, 1 file, -0/+163)
  The tests/conntrack/bulk-load-stress.sh is intended to be used for stress-testing the bulk load of ct entries from a file (-R option). Script usage details are given by ./bulk-load-stress.sh -h
  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add shorthand mnemonic for UNREPLIED (Florian Westphal, 2021-08-05, 1 file, -0/+12)
  conntrack tool prints [UNREPLIED] if a conntrack entry lacks the SEEN_REPLY bit. Accept this as '-u' argument too. If requested, mask is set to SEEN_REPLY and value remains 0 (bit not set).
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: enable kernel-based status filtering with -L -u STATUS (Florian Westphal, 2021-08-05, 1 file, -4/+55)
  This change is backwards compatible: Old kernels do not recognize CTA_STATUS_MASK attribute and will ignore it (no filtering in kernel).
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrackd: cthelper: fix overlapping queue numbers in example file (Pablo Neira Ayuso, 2021-05-28, 1 file, -4/+4)
  Userspace helpers cannot have overlapping queue numbers; update the example file to fix the existing overlap.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: manual: Document userspace helper configuration at daemon startup (Pablo Neira Ayuso, 2021-05-28, 1 file, -21/+21)
  Describe how to configure conntrackd using the new simple setup approach.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: Set up userspace helpers when daemon starts (Pablo Neira Ayuso, 2021-05-28, 5 files, -3/+30)
  Add a new setting to allow conntrackd to autoconfigure the userspace helpers at startup.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix endianness bug in IPv4 and IPv6 address (Pablo Neira Ayuso, 2021-05-03, 2 files, -13/+28)
  Add ct_parse_be32() and ct_parse_be128() and use them to deal with an IP address which is already in network byte order.
  Reported-by: Tao Gong <gongtao0607@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>