Commit log (columns: commit message, author, date, files changed, lines removed/added)
* local: Avoid sockaddr_un::sun_path buffer overflow  [HEAD, master]
  Phil Sutter, 2022-08-31, 2 files, -5/+5

  The array's size in struct sockaddr_un is only UNIX_PATH_MAX and according to unix(7), it should hold a null-terminated string. So adjust config reader to reject paths of length UNIX_PATH_MAX and above and adjust the internal arrays to aid the compiler.

  Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
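The check this commit describes, written out as an added example (this is not conntrack-tools code): the configured path is rejected unless it fits in sun_path together with its terminating NUL, and the copy uses sizeof(sun_path) rather than a separate constant, so it cannot drift from the real array size. The function names and the fixed-size sample paths are this example's own; glibc's <sys/un.h> does not define UNIX_PATH_MAX (it lives in <linux/un.h>), which is one more reason to size the check from the struct itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Copy a configured socket path into sockaddr_un::sun_path, rejecting
 * anything that would not fit as a NUL-terminated string.
 * Returns 0 on success, -1 if the path is empty or too long.
 */
int unix_path_set(struct sockaddr_un *sun, const char *path)
{
    size_t len = strlen(path);

    /* sizeof(sun->sun_path) is the real capacity (108 on Linux).  One
     * byte is needed for the terminator, so len must be strictly less. */
    if (len == 0 || len >= sizeof(sun->sun_path))
        return -1;

    memset(sun, 0, sizeof(*sun));
    sun->sun_family = AF_UNIX;
    /* snprintf() bounded by the true array size can never overrun and
     * always terminates; the length check above rules out truncation. */
    snprintf(sun->sun_path, sizeof(sun->sun_path), "%s", path);
    return 0;
}

/* Capacity of sun_path on this platform, for callers and tests. */
size_t unix_path_capacity(void)
{
    struct sockaddr_un sun;
    return sizeof(sun.sun_path);
}

/* Self-test helper (constructed input): a path of `len` 'a' characters.
 * Returns unix_path_set()'s result, or -2 if len exceeds the scratch buffer. */
int unix_path_try_len(size_t len)
{
    char buf[256];
    struct sockaddr_un sun;

    if (len >= sizeof(buf))
        return -2;
    memset(buf, 'a', len);
    buf[len] = '\0';
    return unix_path_set(&sun, buf);
}

int main(void)
{
    size_t cap = unix_path_capacity();

    printf("sun_path capacity: %zu\n", cap);
    printf("len %zu -> %d (accepted)\n", cap - 1, unix_path_try_len(cap - 1));
    printf("len %zu -> %d (rejected)\n", cap, unix_path_try_len(cap));
    return 0;
}
```

The boundary case is the one the commit names: a path of exactly UNIX_PATH_MAX characters fills the array with no room for the NUL, so it is rejected along with anything longer.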
* conntrack: slightly simplify parse_proto_num() by using strtoul()
  Pablo Neira Ayuso, 2022-07-11, 1 file, -3/+2

  Use strtoul() instead and remove check for negative value.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use IPPROTO_RAW
  Pablo Neira Ayuso, 2022-07-11, 1 file, -1/+1

  IPPROTO_MPTCP defeats the purpose of IPPROTO_MAX to check for the maximum layer 4 protocol supported in the IP header. Use IPPROTO_RAW (255) instead.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: update manpage with new -A command
  Pablo Neira Ayuso, 2022-07-11, 1 file, -3/+8

  Extend manpage to document the new -A/--add command.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: introduce new -A command
  Mikhail Sennikovsky, 2022-07-08, 12 files, -10/+117

  The -A command works exactly the same way as -I except that it does not fail if the ct entry already exists. This command is useful for the batched ct loads to not abort if some entries being applied exist.

  The ct entry dump in the "save" format is now switched to use the -A command as well for the generated output.

  Also tests added to cover the -A command.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use C99 initializer syntax for option map
  Mikhail Sennikovsky, 2022-07-08, 10 files, -211/+212

  The old way of the commands_v_options initialization made it more difficult and error-prone to add a map for a new command, because one would have to calculate a proper "index" for the initializer and fill the gap with zeros.

  As a preparation step for adding the new "-A" command support, switch to C99 initializer syntax for commands_v_options.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: generalize command parsing
  Mikhail Sennikovsky, 2022-07-08, 1 file, -13/+10

  Currently the -U command has a special case handling in the do_parse because it does not have EXP_ counterpart. Generalizing it would simplify adding support for new commands w/o EXP_ counterpart.

  As a preparation step for adding the new "-A" command support, make the -U command be handled the same way as the rest.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix -o save dump for unknown protocols
  Mikhail Sennikovsky, 2022-06-27, 2 files, -0/+35

  Make sure the protocol (-p) option is included in the -o save ct entry dumps for L4 protocols unknown to the conntrack tool.

  Do not use getprotobynumber for unknown protocols to ensure "-o save" data incompatibility between hosts having different /etc/protocols contents.

  Include testcases covering the issue.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix protocol number parsing
  Mikhail Sennikovsky, 2022-06-27, 2 files, -2/+27

  Before this commit it was possible to successfully create a ct entry passing -p 256 and -p some_nonsense. In both cases an entry with the protocol=0 would be created.

  Do not allow invalid protocol values to -p option.

  Include testcases covering the issue.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
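An added example of strict protocol-number parsing that covers the cases in this commit ("256", "some_nonsense") together with the strtoul() simplification and the IPPROTO_RAW bound from the two later commits above. It is not the tool's parse_proto_num(); the name and the PROTO_INVALID sentinel are this example's own, and the tool's name lookup via /etc/protocols is deliberately left out. One caveat worth knowing: strtoul() accepts a leading '-' and wraps the value, so "-1" parses as ULONG_MAX; the range check alone would reject it, but the example refuses any non-digit first character so the outcome does not depend on that.

```c
#include <ctype.h>
#include <errno.h>
#include <netinet/in.h>   /* IPPROTO_RAW (255) */
#include <stdio.h>
#include <stdlib.h>

#define PROTO_INVALID (-1)   /* example's own sentinel */

/*
 * Parse an L4 protocol number from a command-line string.  Accepts a
 * plain decimal number in the range 0..IPPROTO_RAW and nothing else:
 * no sign, no leading whitespace, no trailing garbage, no empty string.
 */
int parse_proto_num(const char *s)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)*s))
        return PROTO_INVALID;   /* covers "", "-1", " 6", "tcp" */

    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return PROTO_INVALID;   /* overflow, or "6abc" */
    if (v > IPPROTO_RAW)
        return PROTO_INVALID;   /* "256" and above: not an IP protocol */
    return (int)v;
}

int main(void)
{
    const char *samples[] = { "6", "255", "256", "some_nonsense", "-1", "6abc", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("\"%s\" -> %d\n", samples[i], parse_proto_num(samples[i]));
    return 0;
}
```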
* conntrack: set reply l4 proto for unknown protocol
  Mikhail Sennikovsky, 2022-06-27, 2 files, -0/+38

  Without reply l4 protocol being set consistently the mnl_cb_run (in fact the kernel) would return EINVAL.

  Make sure the reply l4 protocol is set properly for unknown protocols.

  Include testcases covering the issue.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: update CT_GET to use libmnl
  Pablo Neira Ayuso, 2022-06-20, 1 file, -48/+3

  Use nfct_mnl_request() to build and send the netlink command.

  Remove dump_cb() since this is a copy of the new libmnl's mnl_nfct_dump_cb() callback function.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: pass command object to nfct_mnl_request()
  Pablo Neira Ayuso, 2022-06-20, 1 file, -11/+14

  This patch comes in preparation for updating the CT_GET command to use libmnl.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use same modifier socket for bulk ops
  Mikhail Sennikovsky, 2022-06-20, 1 file, -6/+21

  For bulk ct entry loads (with -R option) reusing the same mnl modifier socket for all entries results in reduction of entries creation time, which becomes especially significant when loading tens of thousands of entries.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: build: always add ports to sync message
  Pablo Neira Ayuso, 2022-06-20, 1 file, -6/+9

  Ports are used to uniquely identify the flow, this information must be included unconditionally to sync message.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: unbreak event mode
  Florian Westphal, 2022-05-16, 1 file, -1/+1

  read() occurs from the wrong socket so 'conntrack -E' hangs without reporting any events.

  Fixes: 5ec684be0854 ("conntrack: consolidate socket open call")
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: remove -o userspace
  Florian Westphal, 2022-05-16, 2 files, -5/+4

  This flag makes life a lot harder because lack of the flag hides very useful information.

  Remove it and always tag events triggered by userspace flush.

  Option is still parsed for backwards compatibility sake.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: consolidate socket open call
  Pablo Neira Ayuso, 2022-05-02, 1 file, -48/+17

  Create netlink socket once and reuse it, rather than open + close it over and over again.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix for memleak when parsing -j arg
  Phil Sutter, 2022-03-28, 1 file, -0/+2

  Have to free the strings allocated by split_address_and_port().

  Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop pointless assignments
  Phil Sutter, 2022-03-28, 2 files, -2/+1

  These variables are not referred to after assigning within their scope (or until they're overwritten).

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Don't call exit() from signal handler
  Phil Sutter, 2022-03-28, 1 file, -1/+1

  Coverity tool complains that exit() is not signal-safe and therefore should not be called from within a signal handler. Call _exit() instead.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* read_config_yy: Drop extra argument from dlog() call
  Phil Sutter, 2022-03-28, 1 file, -1/+1

  False priority value was never printed.

  Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* helpers: ftp: Avoid ugly casts
  Phil Sutter, 2022-03-28, 1 file, -11/+9

  Coverity tool complains about accessing a local variable at non-zero offset. Avoid this by using a helper union. This should silence the checker, although the code is still probably not Big Endian-safe.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Fix potential buffer overrun in snprintf() calls
  Phil Sutter, 2022-03-28, 2 files, -3/+3

  When consecutively printing into the same buffer at increasing offset, reduce buffer size passed to snprintf() to not defeat its size checking.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
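The bug class in this commit, shown as an added example rather than the project's code: snprintf(buf + off, sizeof(buf), ...) only bounds the write relative to buf + off, so once off is non-zero the call may run sizeof(buf) bytes past the start and overrun the array. The unsafe demonstration below writes into a 16-byte window at the start of a larger backing array so the overrun can be measured without undefined behaviour; buf_appendf() is the hardened form, with the size shrunk by the current offset and truncation reported. The helper names and the two sample strings are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Append formatted text at *off inside buf (size bytes).  The bound passed
 * to vsnprintf() shrinks with the offset, so nothing is ever written past
 * buf[size - 1].  Returns 0 on success, -1 on truncation; after truncation
 * *off is pinned to size - 1 so further appends are no-ops.
 */
int buf_appendf(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*off >= size)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, size - *off, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size - *off) {
        *off = size - 1;      /* buffer full; string is still terminated */
        return -1;
    }
    *off += (size_t)n;
    return 0;
}

/*
 * The pattern being fixed: the full buffer size is passed at a non-zero
 * offset.  The "buffer" is a 16-byte window inside a 64-byte backing
 * array, so the bytes that land beyond the window are the overrun.
 * Returns how many characters were written past the window.
 */
size_t demo_unsafe_overrun(void)
{
    char backing[64];
    const size_t size = 16;          /* pretend sizeof(buf) == 16 */
    size_t off = 0;

    memset(backing, 0, sizeof(backing));
    off += (size_t)snprintf(backing + off, size, "%s", "src=10.0.0.1 ");  /* 13 chars */
    /* BUG: should be size - off; 12 more chars fit within 16 from off=13 */
    off += (size_t)snprintf(backing + off, size, "%s", "dst=10.0.0.2");   /* 12 chars */
    return strlen(backing) > size ? strlen(backing) - size : 0;
}

/* Same two appends through buf_appendf() into a real 16-byte buffer.
 * Returns the resulting string length (truncated, in bounds, terminated). */
size_t demo_safe_len(void)
{
    char buf[16];
    size_t off = 0;

    buf_appendf(buf, sizeof(buf), &off, "%s", "src=10.0.0.1 ");
    buf_appendf(buf, sizeof(buf), &off, "%s", "dst=10.0.0.2");
    return strlen(buf);
}

/* Return code of the second append above: -1 signals the truncation. */
int demo_safe_rc(void)
{
    char buf[16];
    size_t off = 0;

    buf_appendf(buf, sizeof(buf), &off, "%s", "src=10.0.0.1 ");
    return buf_appendf(buf, sizeof(buf), &off, "%s", "dst=10.0.0.2");
}

int main(void)
{
    printf("unsafe pattern wrote %zu chars past the 16-byte window\n",
           demo_unsafe_overrun());
    printf("safe pattern: %zu chars, rc %d\n", demo_safe_len(), demo_safe_rc());
    return 0;
}
```

The hardened version also makes the truncation visible through its return value; silently truncated output is the other half of this bug class, and callers that build a line piecewise usually want to know the line is incomplete.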
* cache: Fix features array allocation
  Phil Sutter, 2022-03-28, 1 file, -2/+2

  struct cache::features is of type struct cache_feature **, allocate and populate accordingly.

  Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* hash: Flush tables when destroying
  Phil Sutter, 2022-03-28, 1 file, -0/+1

  This is cosmetics only, but stops valgrind from complaining about definitely lost memory.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nfct: remove lazy binding
  Pablo Neira Ayuso, 2022-03-09, 16 files, -47/+246

  Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when daemon starts"), userspace conntrack helpers do not depend on a previous invocation of nfct to set up the userspace helpers.

  Move helper definitions to nfct-extensions/helper.c since existing deployments might still invoke nfct, even if not required anymore.

  This patch was motivated by the removal of the lazy binding. Phil Sutter says:

  "For security purposes, distributions might want to pass -Wl,-z,now linker flags to all builds, thereby disabling lazy binding globally. In the past, nfct relied upon lazy binding: It uses the helper objects' parsing functions but doesn't provide all symbols the objects use."

  Acked-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for flushing conntrack table
  Mikhail Sennikovsky, 2022-03-08, 1 file, -5/+8

  Use libmnl and libnetfilter_conntrack mnl helpers to flush the conntrack table entries.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for ct entries deletion
  Mikhail Sennikovsky, 2022-03-08, 1 file, -19/+28

  Use libmnl and libnetfilter_conntrack mnl helpers to delete the conntrack table entries.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for updating conntrack table
  Mikhail Sennikovsky, 2022-03-08, 1 file, -43/+61

  Use libmnl and libnetfilter_conntrack mnl helpers to update the conntrack table entries.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add nfct_mnl_request()
  Pablo Neira Ayuso, 2022-03-08, 1 file, -28/+17

  Provide a helper function to build and send the netlink request, this allows to consolidate nfct_mnl_get() and nfct_mnl_create().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: rename nfct_mnl_recv() to __nfct_mnl_dump()
  Pablo Neira Ayuso, 2022-03-08, 1 file, -3/+3

  nfct_mnl_recv() is misleading, this helper function allows you to perform a netlink dump, rename it.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix compiler warnings
  Florian Westphal, 2022-01-17, 2 files, -6/+6

  .... those do not indicate bugs, but they are distracting.

    'exp_filter_add' at filter.c:513:2: __builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]

  This warning is because the size argument passed to strncpy() is identical to buffer size, i.e. if hit the resulting string is not 0-terminated.

    read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
     1625 |   snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
    read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
     1399 |   snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
    read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
      707 |   snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
    read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
      179 |   snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
    read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
      124 |   snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);

  ... it's because the _MAXLEN constants are one less than the output buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses sizeof().

  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrackd: cthelper: ssdp: Fix parsing of IPv6 M-SEARCH requests.
  Aaron Thompson, 2022-01-09, 1 file, -6/+2

  Use the already correctly determined transport header offset instead of assuming that the packet is IPv4.

  Signed-off-by: Aaron Thompson <dev@aaront.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: pass sock to nfct_mnl_*() functions
  Mikhail Sennikovsky, 2021-12-24, 1 file, -53/+62

  In preparation for using multiple instances of mnl sockets required for conntrack entries update and delete support.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl to create entry
  Pablo Neira Ayuso, 2021-12-24, 1 file, -6/+26

  Use libmnl to create entries through the new nfct_mnl_create() helper function.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add netlink flags to nfct_mnl_nlmsghdr_put()
  Pablo Neira Ayuso, 2021-12-24, 1 file, -4/+4

  Moreover, remove NLM_F_DUMP for IPCTNL_MSG_CT_GET_STATS since ctnetlink ignores this flag, this is simple netlink get command, not a dump.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add nfct_mnl_talk() and nfct_mnl_recv() helper functions
  Pablo Neira Ayuso, 2021-12-24, 1 file, -20/+34

  Add helper function to consolidate nfct_mnl_dump() and nfct_mnl_get().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: replace `AM_PROG_LEX` with `AC_PROG_LEX`
  Jeremy Sowden, 2021-12-17, 1 file, -1/+1

  `AM_PROG_LEX` calls `AC_PROG_LEX` with no arguments, but this usage is deprecated. The only difference between `AM_PROG_LEX` and `AC_PROG_LEX` is that the former defines `$LEX` as "./build-aux/missing lex" if no lex is found to ensure a useful error is reported when make is run. However, the configure script checks that we have a working lex and exits with an error if none is available, so `$LEX` will never be called and we can replace `AM_PROG_LEX` with `AC_PROG_LEX`.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove MAINTAINERCLEANFILES
  Jeremy Sowden, 2021-12-17, 1 file, -1/+0

  automake generates rules to remove the files generated by bison and flex by default, so there is no need to add them explicitly to MAINTAINERCLEANFILES.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: only require bison and flex if the generated files do not exist
  Jeremy Sowden, 2021-12-17, 1 file, -2/+2

  automake recommends including the files generated by bison and flex in distribution tar-balls and runs bison and flex during `make dist` to generate them. Thus, in the normal case where the software is being compiled by an end-user, the generated files already exist and bison and flex are not required. Therefore, amend the configure script only to require them if the generated files do not exist.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use libmnl for listing conntrack table
  Pablo Neira Ayuso, 2021-11-14, 1 file, -20/+16

  Use libmnl and libnetfilter_conntrack mnl helpers to dump the conntrack table entries.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: enhance mnl_nfct_dump_cb()
  Pablo Neira Ayuso, 2021-11-14, 1 file, -12/+39

  Add missing features in dump_cb() to mnl_nfct_dump_cb().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: pass filter_dump object to nfct_mnl_dump()
  Pablo Neira Ayuso, 2021-11-14, 1 file, -5/+10

  In preparation for kernel filtering support for nfct_mnl_dump().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: do not include conntrack ID in hashtable cmp
  Pablo Neira Ayuso, 2021-11-08, 1 file, -10/+1

  Depending on your conntrackd configuration, events might get lost, leaving stuck entries in the cache forever. Skip checking the conntrack ID to allow for lazy cleanup when a new entry that is represented by the same tuple is added.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack.8: minor copy edit
  Štěpán Němec, 2021-09-28, 1 file, -12/+11

  Signed-off-by: Štěpán Němec <snemec@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix dependency-tracking of yacc-generated header
  Jeremy Sowden, 2021-09-27, 1 file, -0/+1

  List it as a built source in order to force make to create it before compilation. Otherwise, a parallel make can end up attempting to compile the output of lex before yacc has finished generating its own output:

    $ make -j17
    [...]
      YACC     read_config_yy.c
      LEX      read_config_lex.c
      CC       stack.o
      CC       resync.o
      CC       cthelper.o
      CC       helpers.o
      CC       utils.o
      CC       expect.o
      CC       systemd.o
      CC       nfct.o
      CC       nfct-extensions/helper.o
      CC       nfct-extensions/timeout.o
      CC       read_config_lex.o
    read_config_lex.l:25:10: fatal error: read_config_yy.h: No such file or directory
       25 | #include "read_config_yy.h"
          |          ^~~~~~~~~~~~~~~~~~
    compilation terminated.
    make[2]: *** [Makefile:701: read_config_lex.o] Error 1
    make[2]: *** Waiting for unfinished jobs....
    updating read_config_yy.h
    make[2]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
    make[1]: *** [Makefile:743: all-recursive] Error 1
    make[1]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
    make: *** [Makefile:541: all-recursive] Error 1

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: clean yacc- and lex-generated files with maintainer-clean
  Jeremy Sowden, 2021-09-27, 1 file, -1/+1

  Automake expects to distribute yacc- and lex-generated sources, so that the user doesn't need to regenerate them. Therefore, the appropriate target to clean them is `maintainer-clean`.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove yacc-generated header from EXTRA_DIST
  Jeremy Sowden, 2021-09-27, 1 file, -2/+0

  Automake generates yacc and lex output files and includes them in distributions as a matter of course.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
  Jeremy Sowden, 2021-09-27, 1 file, -2/+1

  `AM_PROG_LIBTOOL` is superseded by `LT_INIT`, which also accepts options to control the defaults for creating shared or static libraries.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: quote AC_INIT arguments
  Jeremy Sowden, 2021-09-27, 1 file, -1/+1

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>