| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Enables specifying a path to a connlabel.conf to load instead of the
default one at /etc/xtables/connlabel.conf.
nfct_labelmap_new() already allows supplying a custom path to load
labels from, so it just needs to be passed in there.
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of parsing them directly inline during argument parsing, put
them into a list and do it afterwards.
Preparation for introduction a new `--labelmap` option to specify the
path to the label mapping file.
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If kernel provided the event timestamp, then use it, else fall back
to gettimeofday.
This needs a recent kernel with
netfilter: conntrack: add conntrack event timestamp
and net.netfilter.nf_conntrack_timestamp sysctl set to 1.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
calloc() expects the number of elements in the first parameter, not the
second. Swap them and while at it drop one pointless cast (the function
returns a void pointer anyway).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Align behaviour with that of mnl_nfct_update_cb(): Just free the
nf_conntrack object and return. Do not increment counter variable, and
certainly do not try to print an uninitialized buffer.
Fixes: a7abf3f5dc7c4 ("conntrack: skip ENOENT when -U/-D finds a stale conntrack entry")
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Enhance helper function to parse mark and mask (if available), bail out
if input is not correct.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
strtoul() is called with no error checking at all, add a helper
function to validate input is correct for values less than
UINT32_MAX.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Recent updates make the conntrack parser slightly more robust. A few
test lines include:
... -w 11-s 2001:DB8::1.1.1.1 ...
where space is missing. These are typos rather than valid input.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The manual says
COMMANDS
These options specify the particular operation to perform.
Only one of them can be specified at any given time.
-L --dump
List connection tracking or expectation table
So, naturally, "conntrack -Lo extended" should work,
but it doesn't, it's equivalent to "conntrack -L",
and you need "conntrack -L -o extended".
This violates user expectations (borne of the Utility Syntax Guidelines)
and contradicts the manual.
optarg is unused, anyway. Unclear why any of these were :: at all?
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
As seen in the parsing code above, L4PROTO should be set to IPPROTO_TCP, not the port number itself.
Fixes: 40efc1ebb15b ("conntrack: cleanup command line tool protocol extensions")
Co-Developed-by: Reinhard Nißl <reinhard.nissl@fee.de>
Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After an RPC call to portmap using the portmap program number (100000),
subsequent RPC calls are not handled correctly by connection tracking.
This results in client connections to ports specified in RPC replies
failing to operate.
This issue arises because after an RPC call to portmap using the
program number 100000, conntrackd adds an expectation table entry
for the portmap port (typically 111). Due to this expectation table
entry, subsequent RPC call connections are treated as sibling
connections. Due to kernel restrictions, the connection helper for
sibling connections cannot be changed. This is enforced in the kernel's
handling in "net/netfilter/nf_conntrack_netlink.c", within the
"ctnetlink_change_helper" function, after the comment:
/* don't change helper of sibling connections */.
Due to this kernel restriction, the private RPC data (struct rpc_info)
sent from conntrackd to kernel-space is discarded by the kernel.
To resolve this, the proposed change is to eliminate the creation of
an expectation table entry for the portmap port. The portmap port has
to be opened via an iptables/nftables rule anyway, so adding an
expectation table entry for the portmap port is unnecessary.
Why do our existing clients make RPC calls using the portmap program
number? They use these calls for cyclic keepalive messages to verify
that the link between the client and server is operational.
Signed-Off-By: Daniel Pfeil <pda@keba.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Install signal handlers after everything is initialized as there is a
race condition that can happen when the process gets terminated after
the signal handler is installed but before all fields in the global
state are set up correctly, leading to a SIGSEGV as the cleanup code
dereferences uninitialized pointers.
Signed-off-by: Markus Breitenberger <bre@keba.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
If no configuration file or an invalid parameter is provided, the daemon
should exit with a failure status.
Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Vector data will be lost if reallocation fails, leading to undefined
behaviour.
Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
In case XML output is requested, refrain from appending "[USERSPACE]"
and details to the output.
Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
in iptables or the 'ct label' statement in nftables to attach labels to
conntrack entries. Update documentation to describe this behaviour.
This patch addresses a corner case scenario: conntrack already contains
entries but ruleset that specifies connlabel did not get loaded yet.
In such case, skip ENOSPC errors for conntracks that have no ct label
extension.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add a helper function and use it to check for the maximum number of
channels, bail out if it is exceeded.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
`inet_aton` expects a `struct in_addr *`. In a number of calls, we pass
pointers to structs or unions which contain a `struct in_addr` member. Pass
pointers to the members instead. In another call, we pass a pointer to a
uint32_t. Cast it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Change it to take a `const char *`. It doesn't modify the string and yacc
passes string literals, so cause compiler warnings.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Contrary to the comment that yacc and lex generate dirty code, none of
the warnings being suppressed are in the generated code. Stop suppressing
them in order to fix the code.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
One per line.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Four misspellings and a missing pronoun.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add a shell script that creates many conntrack entries and it updates
the mark to cover for recent bugs in the 1.4.7 release when moving to
libmnl. This test can be extended to cover for more commands.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GET requests report either error via NLMSG_ERROR or the corresponding
entry, therefore, there is always a reply from the kernel.
The NLM_F_ACK flag results in two netlink messages as reply in case of
success for GET requests, one containing the entry and another with the
explicit acknowledgment.
nfct_mnl_request() leaves the explicit acknowledment in the buffer,
filling it up with unhandled netlink messages, leading to the following
error:
conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available
Fixes: b7a396b70015 ("conntrack: use libmnl for updating conntrack table")
Reported-by: Tony He <huangya90@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
-U and -D commands iterate over the netlink dump and it might try to
update/delete an entry which is not in the kernel anymore. Skip ENOENT
errors.
The -U command uses printf and it continues on error, instead bail out
with exit_error().
This problem is present in 1.4.6, this is related to the recent
updates to use libmnl in 1.4.7.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Set the family from the conntrack object, otherwise, if -f is not specified
and the kernel bails out with:
# conntrack -U -p tcp -m 1
Operation failed: Not supported
conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported
Fixes: b7a396b70015 ("conntrack: use libmnl for updating conntrack table")
Reported-by: Tony He <huangya90@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When creating new rules with (e.g. with `conntrack -I -m 123 -u UNSET ...`),
the mark from `-m` was overriden by value from `-u`.
This behavior was introduced in 1a5828f491c6a1593f30cb5f1551fe9f9cf76a8d
("conntrack: enable kernel-based status filtering with -L -u STATUS") for
filtering the output of `-L` option but caused a regression in other cases.
[ fw@strlen.de: likely copy&waste bug, status and mark are
completely different things ]
Fixes: 1a5828f491c6 ("conntrack: enable kernel-based status filtering with -L -u STATUS")
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of silencing EEXIST error with -A/--add, unset NLM_F_EXCL
netlink flag.
Do not ignore error from kernel for command invocation.
This patch revisits e42ea65e9c93 ("conntrack: introduce new -A
command").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The function unconditionally dereferenced its parameter, yet it is
possible for the passed 'cur_tmpl' pointer when called from exit_error()
to be still NULL: It is assigned to by alloc_tmpl_objects() at start of
do_parse(), though callers of that function might call exit_error() in
beforehand.
Fixes: 258b4540f4512 ("conntrack: add struct ct_tmpl")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Setting 'ret' without calling BUFFER_SIZE() is pointless.
Fixes: 1c596b9ec8f26 ("conntrack: implement save output format")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
The variable is overwritten immediately in the next iteration and the
loop can't exit before doing that.
Instead of dropping the assignment, one could add a return code check -
but since event_cb() never fails, that check is pointless as well.
Fixes: e0dac21ed02e3 ("conntrack: use libmnl for conntrack events")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
return 'sizeof(tmp)'. Using this value as index is illegal.
Fixes: b031cd2102d9b ("conntrack: pretty-print the portid")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Use a more modern alternative to bzip2.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
read_config_yy.c: In function ‘yyparse’:
read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration]
1765 | yychar = yylex ();
| ^~~~~
read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs]
read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration]
120 | dlog(LOG_ERR, "LogFile path is longer than %u characters",
| ^~~~
read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs]
read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration]
240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
| ^~~~~~~~~
| in6_pton
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
These will become fatal with Clang 16 and GCC 14 anyway, but let's
address the real problem (followup commit).
We do have to keep one wrt yyerror() & const char * though, but
the issue is contained to the code Bison generates.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Compilation breaks with 1.0.8 and lower versions, bump dependencies.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
according to unix(7), it should hold a null-terminated string. So adjust
config reader to reject paths of length UNIX_PATH_MAX and above and
adjust the internal arrays to aid the compiler.
Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Use strtoul() instead and remove check for negative value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
IPPROTO_MPTCP defeats the purpose of IPPROTO_MAX to check for the
maximum layer 4 protocol supported in the IP header.
Use IPPROTO_RAW (255) instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Extend manpage to document the new -A/--add command.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The -A command works exactly the same way as -I except that it
does not fail if the ct entry already exists.
This command is useful for the batched ct loads to not abort if
some entries being applied exist.
The ct entry dump in the "save" format is now switched to use the
-A command as well for the generated output.
Also tests added to cover the -A command.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The old way of the commands_v_options initialization made it more
difficult and error-prone to add a map for a new command, because one
would have to calculate a proper "index" for the initializer and fill
the gap with zeros.
As a preparation step for adding the new "-A" command support,
switch to C99 initializer syntax for commands_v_options.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the -U command has a special case handling
in the do_parse because it does not have EXP_ counterpart.
Generalizing it would simplify adding support for new commands
w/o EXP_ counterpart.
As a preparation step for adding the new "-A" command support,
make the -U command be handled the same way as the rest.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure the protocol (-p) option is included in the -o save
ct entry dumps for L4 protocols unknown to the conntrack tool.
Do not use getprotobynumber for unknown protocols to ensure
"-o save" data incompatibility between hosts having different
/etc/protocols contents.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Before this commit it was possible to successfully create a ct entry
passing -p 256 and -p some_nonsense.
In both cases an entry with the protocol=0 would be created.
Do not allow invalid protocol values to -p option.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Withouth reply l4 protocol being set consistently the mnl_cb_run
(in fact the kernel) would return EINVAL.
Make sure the reply l4 protocol is set properly for unknown
protocols.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Use nfct_mnl_request() to build and send the netlink command. Remove
dump_cb() since this is a copy of the new libmnl's mnl_nfct_dump_cb()
callback function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
