Commit log (commit message, author, age, files changed, lines -/+)
* conntrack: introduce --labelmap option to specify connlabel.conf path
  (HEAD, master) Christoph Heiss, 8 days ago; 3 files, -25/+46

  Enables specifying a path to a connlabel.conf to load instead of the default one at /etc/xtables/connlabel.conf. nfct_labelmap_new() already allows supplying a custom path to load labels from, so it just needs to be passed in there.

  Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: move label parsing to after argument parsing
  Christoph Heiss, 8 days ago; 1 file, -18/+44

  Instead of parsing them directly inline during argument parsing, put them into a list and do it afterwards.

  Preparation for introducing a new `--labelmap` option to specify the path to the label mapping file.

  Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: prefer kernel-provided event timestamp if it is available
  Florian Westphal, 2025-02-07; 1 file, -3/+20

  If the kernel provided the event timestamp, then use it, else fall back to gettimeofday.

  This needs a recent kernel with "netfilter: conntrack: add conntrack event timestamp" and the net.netfilter.nf_conntrack_timestamp sysctl set to 1.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Eliminate warnings with -Wcalloc-transposed-args
  Phil Sutter, 2024-11-05; 13 files, -17/+17

  calloc() expects the number of elements in the first parameter, not the second. Swap them and while at it drop one pointless cast (the function returns a void pointer anyway).

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Florian Westphal <fw@strlen.de>
* conntrack: Fix for ENOENT in mnl_nfct_delete_cb()
  Phil Sutter, 2024-11-05; 1 file, -1/+1

  Align behaviour with that of mnl_nfct_update_cb(): Just free the nf_conntrack object and return. Do not increment counter variable, and certainly do not try to print an uninitialized buffer.

  Fixes: a7abf3f5dc7c4 ("conntrack: skip ENOENT when -U/-D finds a stale conntrack entry")
  Reviewed-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* conntrack: improve --mark parser
  Pablo Neira Ayuso, 2024-10-22; 1 file, -7/+27

  Enhance helper function to parse mark and mask (if available), bail out if input is not correct.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: improve --secmark,--id,--zone parser
  Pablo Neira Ayuso, 2024-10-22; 1 file, -6/+29

  strtoul() is called with no error checking at all, add a helper function to validate input is correct for values less than UINT32_MAX.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: conntrack: missing space before option
  Pablo Neira Ayuso, 2024-10-22; 1 file, -6/+6

  Recent updates make the conntrack parser slightly more robust. A few test lines include:

      ... -w 11-s 2001:DB8::1.1.1.1 ...

  where space is missing. These are typos rather than valid input.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: -L doesn't take a value, so don't discard one (same for -IUDGEFA)
  Ahelenia Ziemiańska, 2024-09-16; 1 file, -1/+1

  The manual says

      COMMANDS
          These options specify the particular operation to perform. Only one of them can be specified at any given time.

          -L --dump
              List connection tracking or expectation table

  So, naturally, "conntrack -Lo extended" should work, but it doesn't, it's equivalent to "conntrack -L", and you need "conntrack -L -o extended". This violates user expectations (borne of the Utility Syntax Guidelines) and contradicts the manual.

  optarg is unused, anyway. Unclear why any of these were :: at all?

  Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
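To see why `L::` swallows the `o` in `-Lo extended`, here is an added example (not conntrack's own option table) that parses that argv with getopt() under both optstrings. The `parse_args` helper and the two-letter optstring are the example's own assumptions about the tool's option set; only the `L` versus `L::` difference is the point.

```c
#include <getopt.h>
#include <stddef.h>
#include <string.h>

/* What a parse produced: was -L seen, what -o received, was anything rejected. */
struct parsed {
	int list;
	const char *output;
	int bad;
};

/*
 * Parse argv against optstring and report the result. 'L' is declared
 * either with no argument ("L") or with an optional one ("L::");
 * 'o' always takes a value.
 */
static struct parsed parse_args(const char *optstring, int argc, char *const argv[])
{
	struct parsed p = { 0, NULL, 0 };
	int c;

	opterr = 0;  /* keep getopt quiet on unknown options */
	optind = 0;  /* glibc/musl: reinitialise getopt's internal state for a fresh argv */
	while ((c = getopt(argc, argv, optstring)) != -1) {
		switch (c) {
		case 'L':
			p.list = 1;
			/* with "L::", optarg is whatever followed -L inside the same argv word */
			break;
		case 'o':
			p.output = optarg;
			break;
		default:
			p.bad = 1;
			break;
		}
	}
	return p;
}

/* "conntrack -Lo extended" as in the commit message (constructed argv). */
static char *sample_argv[] = { "conntrack", "-Lo", "extended", NULL };
static const int sample_argc = 3;

/* With 'L' taking no value, -Lo is -L -o and "extended" is -o's argument. */
static const char *output_with_plain_L(void)
{
	return parse_args("Lo:", sample_argc, sample_argv).output;
}

/* With 'L::', the "o" becomes -L's optional argument, -o is never seen and output stays NULL. */
static const char *output_with_optional_L(void)
{
	return parse_args("L::o:", sample_argc, sample_argv).output;
}
```

The optional-argument form only ever binds text glued to the option letter, which is exactly why it silently eats a following option letter rather than a separate word.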
* conntrack: tcp: fix parsing of tuple-port-src and tuple-port-dst
  Stephan Brunner, 2024-07-16; 1 file, -2/+2

  As seen in the parsing code above, L4PROTO should be set to IPPROTO_TCP, not the port number itself.

  Fixes: 40efc1ebb15b ("conntrack: cleanup command line tool protocol extensions")
  Co-Developed-by: Reinhard Nißl <reinhard.nissl@fee.de>
  Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
* conntrackd: helpers/rpc: Don't add expectation table entry for portmap port
  Pfeil Daniel, 2024-06-19; 1 file, -0/+5

  After an RPC call to portmap using the portmap program number (100000), subsequent RPC calls are not handled correctly by connection tracking. This results in client connections to ports specified in RPC replies failing to operate.

  This issue arises because after an RPC call to portmap using the program number 100000, conntrackd adds an expectation table entry for the portmap port (typically 111). Due to this expectation table entry, subsequent RPC call connections are treated as sibling connections.

  Due to kernel restrictions, the connection helper for sibling connections cannot be changed. This is enforced in the kernel's handling in "net/netfilter/nf_conntrack_netlink.c", within the "ctnetlink_change_helper" function, after the comment: /* don't change helper of sibling connections */.

  Due to this kernel restriction, the private RPC data (struct rpc_info) sent from conntrackd to kernel-space is discarded by the kernel.

  To resolve this, the proposed change is to eliminate the creation of an expectation table entry for the portmap port. The portmap port has to be opened via an iptables/nftables rule anyway, so adding an expectation table entry for the portmap port is unnecessary.

  Why do our existing clients make RPC calls using the portmap program number? They use these calls for cyclic keepalive messages to verify that the link between the client and server is operational.

  Signed-Off-By: Daniel Pfeil <pda@keba.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: Fix signal handler race-condition
  Markus Breitenberger, 2024-05-02; 1 file, -11/+12

  Install signal handlers after everything is initialized as there is a race condition that can happen when the process gets terminated after the signal handler is installed but before all fields in the global state are set up correctly, leading to a SIGSEGV as the cleanup code dereferences uninitialized pointers.

  Signed-off-by: Markus Breitenberger <bre@keba.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
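The race described in this commit, reproduced deterministically in an added example that is not conntrackd's code: `raise()` stands in for an external SIGTERM, `daemon_state` is an assumed stand-in for the daemon's global state, and the second function adds the usual belt-and-braces step of keeping the signal blocked until the handler is installed after initialisation.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for the daemon's global state (example only). */
struct daemon_state {
	int *counters;
};

static struct daemon_state *state;                /* NULL until init_state() runs */
static volatile sig_atomic_t handler_saw_state;   /* 1: state was ready, -1: it was not */

/* Only inspects a pointer and sets a flag, so it is async-signal-safe. */
static void on_term(int sig)
{
	(void)sig;
	handler_saw_state = (state != NULL && state->counters != NULL) ? 1 : -1;
}

static void init_state(void)
{
	static int counters[4];
	static struct daemon_state s;

	s.counters = counters;
	state = &s;
}

static void install_term_handler(void)
{
	struct sigaction sa;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_term;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGTERM, &sa, NULL);
}

static void reset(void)
{
	state = NULL;
	handler_saw_state = 0;
	signal(SIGTERM, SIG_DFL);
}

/*
 * The racy order: handler first, then init. A SIGTERM arriving in between
 * runs the handler against uninitialised state. Returns 1 only if the
 * handler saw initialised state (it will not).
 */
static int handlers_before_init(void)
{
	int ok;

	reset();
	install_term_handler();
	raise(SIGTERM);       /* delivered immediately: state is still NULL */
	init_state();
	ok = handler_saw_state == 1;
	reset();
	return ok;
}

/*
 * The fixed order: keep SIGTERM blocked while initialising, install the
 * handler once the state is complete, then unblock. A SIGTERM that arrived
 * during init stays pending and is delivered only when the state it needs
 * exists. Returns 1 if the handler saw initialised state.
 */
static int init_before_handlers(void)
{
	sigset_t block, saved;
	int ok;

	reset();
	sigemptyset(&block);
	sigaddset(&block, SIGTERM);
	sigprocmask(SIG_BLOCK, &block, &saved);

	raise(SIGTERM);       /* arrives "during init": stays pending */
	init_state();
	install_term_handler();

	sigprocmask(SIG_SETMASK, &saved, NULL);  /* pending SIGTERM delivered here */
	ok = handler_saw_state == 1;
	reset();
	return ok;
}
```

Blocking the signal during initialisation matters when the process is started by a supervisor that may send SIGTERM at any moment; reordering the install alone leaves a default-action window in which the signal simply kills the process, which is at least not a crash in cleanup code.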
* conntrackd: exit with failure status
  Donald Yandt, 2024-03-04; 1 file, -3/+2

  If no configuration file or an invalid parameter is provided, the daemon should exit with a failure status.

  Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: prevent memory loss if reallocation fails
  Donald Yandt, 2024-03-04; 1 file, -2/+5

  Vector data will be lost if reallocation fails, leading to undefined behaviour.

  Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
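The realloc() pitfall behind this commit and the safe form, as an added example that is not conntrackd's vector code. The `limited_realloc` cap is an example-only hook so a failed growth can be forced on demand; the vector type and item strings are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Example-only hook: make reallocation fail once the request exceeds a
 * limit, so the failure path can be exercised. A real program would call
 * realloc() directly.
 */
static size_t alloc_limit_bytes = (size_t)-1;

static void *limited_realloc(void *ptr, size_t size)
{
	if (size > alloc_limit_bytes)
		return NULL;  /* simulated allocation failure */
	return realloc(ptr, size);
}

struct vec {
	char **data;
	size_t len, cap;
};

/*
 * Append item. On allocation failure return -1 and leave the vector exactly
 * as it was: the old buffer is still owned by v->data and its contents are
 * intact.
 *
 * The bug being avoided is the idiom
 *     v->data = realloc(v->data, ncap * sizeof(*v->data));
 * which, when realloc() returns NULL, overwrites the only pointer to the old
 * block: the elements are unreachable and the memory leaks.
 */
static int vec_push(struct vec *v, char *item)
{
	if (v->len == v->cap) {
		size_t ncap = v->cap ? v->cap * 2 : 4;
		char **tmp;

		if (ncap > (size_t)-1 / sizeof(*tmp))
			return -1;  /* size computation would overflow */
		tmp = limited_realloc(v->data, ncap * sizeof(*tmp));
		if (!tmp)
			return -1;  /* v->data unchanged and still valid */
		v->data = tmp;
		v->cap = ncap;
	}
	v->data[v->len++] = item;
	return 0;
}

static void vec_free(struct vec *v)
{
	free(v->data);
	v->data = NULL;
	v->len = v->cap = 0;
}

/*
 * Push five constructed entries while allowing at most four pointers' worth
 * of storage, so the growth from 4 to 8 slots fails on the fifth push.
 * Returns how many elements are still readable afterwards if the first one
 * survived the failed reallocation, or -1 if it did not.
 */
static int elements_kept_after_failed_growth(void)
{
	static char *items[] = { "a", "b", "c", "d", "e" };
	struct vec v = { NULL, 0, 0 };
	size_t n;
	int kept;

	alloc_limit_bytes = 4 * sizeof(char *);
	for (n = 0; n < 5; n++) {
		if (vec_push(&v, items[n]) < 0)
			break;
	}
	alloc_limit_bytes = (size_t)-1;

	kept = (v.len > 0 && strcmp(v.data[0], "a") == 0) ? (int)v.len : -1;
	vec_free(&v);
	return kept;
}
```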
* conntrack: don't print [USERSPACE] information in case of XML output
  Ignacy Gawędzki, 2024-02-07; 1 file, -1/+1

  In case XML output is requested, refrain from appending "[USERSPACE]" and details to the output.

  Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: ct label update requires proper ruleset
  Pablo Neira Ayuso, 2023-10-13; 2 files, -0/+9

  As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match in iptables or the 'ct label' statement in nftables to attach labels to conntrack entries. Update documentation to describe this behaviour.

  This patch addresses a corner case scenario: conntrack already contains entries but ruleset that specifies connlabel did not get loaded yet. In such case, skip ENOSPC errors for conntracks that have no ct label extension.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack-tools 1.4.8 release
  (tag: conntrack-tools-1.4.8) Pablo Neira Ayuso, 2023-09-29; 1 file, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: consolidate check for maximum number of channels
  Pablo Neira Ayuso, 2023-09-25; 1 file, -126/+133

  Add a helper function and use it to check for the maximum number of channels, bail out if it is exceeded.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* read_config_yy: correct arguments passed to `inet_aton`
  Jeremy Sowden, 2023-08-28; 1 file, -7/+19

  `inet_aton` expects a `struct in_addr *`. In a number of calls, we pass pointers to structs or unions which contain a `struct in_addr` member. Pass pointers to the members instead. In another call, we pass a pointer to a uint32_t. Cast it.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* read_config_yy: correct `yyerror` prototype
  Jeremy Sowden, 2023-08-28; 1 file, -2/+2

  Change it to take a `const char *`. It doesn't modify the string and yacc passes string literals, so it causes compiler warnings.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: stop suppressing warnings for generated sources
  Jeremy Sowden, 2023-08-28; 1 file, -3/+0

  Contrary to the comment that yacc and lex generate dirty code, none of the warnings being suppressed are in the generated code. Stop suppressing them in order to fix the code.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: reformat and sort `conntrack_LDADD` and `conntrackd_SOURCES`
  Jeremy Sowden, 2023-08-28; 1 file, -17/+60

  One per line.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack, nfct: fix some typos
  Jeremy Sowden, 2023-08-24; 4 files, -5/+5

  Four misspellings and a missing pronoun.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/conntrack: add initial stress test for conntrack
  Pablo Neira Ayuso, 2023-08-22; 1 file, -0/+62

  Add a shell script that creates many conntrack entries and updates the mark to cover recent bugs in the 1.4.7 release when moving to libmnl. This test can be extended to cover more commands.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: do not set on NLM_F_ACK in IPCTNL_MSG_CT_GET requests
  Pablo Neira Ayuso, 2023-08-22; 1 file, -2/+2

  GET requests report either error via NLMSG_ERROR or the corresponding entry, therefore, there is always a reply from the kernel.

  The NLM_F_ACK flag results in two netlink messages as reply in case of success for GET requests, one containing the entry and another with the explicit acknowledgment.

  nfct_mnl_request() leaves the explicit acknowledgment in the buffer, filling it up with unhandled netlink messages, leading to the following error:

      conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available

  Fixes: b7a396b70015 ("conntrack: use libmnl for updating conntrack table")
  Reported-by: Tony He <huangya90@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: skip ENOENT when -U/-D finds a stale conntrack entry
  Pablo Neira Ayuso, 2023-08-22; 1 file, -3/+11

  -U and -D commands iterate over the netlink dump and it might try to update/delete an entry which is not in the kernel anymore. Skip ENOENT errors.

  The -U command uses printf and it continues on error, instead bail out with exit_error().

  This problem is present in 1.4.6; this is related to the recent updates to use libmnl in 1.4.7.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
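Both this commit and the NLM_F_ACK one above come down to how a receive buffer of netlink replies is consumed: every message must be walked, an explicit ack is a zero-error NLMSG_ERROR, and a -ENOENT error for an entry that vanished between the dump and the update is not fatal. The following added example (not conntrack's nfct_mnl_request() or its callbacks) builds such a reply stream by hand from the uapi header definitions and drains it; the message type constant is the real `NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW` value, the payload bytes are constructed and irrelevant to the walk.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>

/* NFNL_SUBSYS_CTNETLINK (1) << 8 | IPCTNL_MSG_CT_NEW (0): a conntrack entry message. */
#define CT_NEW_MSGTYPE 0x0100

/* Outcome of draining one receive buffer of netlink replies. */
struct reply_stats {
	int entries;  /* conntrack entry messages */
	int acks;     /* NLMSG_ERROR with error == 0: explicit acks, as NLM_F_ACK produces */
	int stale;    /* NLMSG_ERROR carrying -ENOENT: entry gone since the dump, skipped */
	int fatal;    /* first other errno, 0 if none */
};

/*
 * Walk every message in buf with NLMSG_OK/NLMSG_NEXT. Reading only the first
 * message is what left the explicit ack behind in the buffer; consuming the
 * whole buffer means nothing is left over to be misread as the next reply.
 */
static struct reply_stats drain_replies(const void *buf, size_t len)
{
	struct reply_stats st = { 0, 0, 0, 0 };
	const struct nlmsghdr *nlh = buf;
	int remaining = (int)len;

	while (NLMSG_OK(nlh, remaining)) {
		if (nlh->nlmsg_type == NLMSG_ERROR) {
			const struct nlmsgerr *err = NLMSG_DATA(nlh);

			if (err->error == 0)
				st.acks++;
			else if (-err->error == ENOENT)
				st.stale++;          /* stale entry: keep going */
			else if (st.fatal == 0)
				st.fatal = -err->error;
		} else if (nlh->nlmsg_type == NLMSG_DONE) {
			break;
		} else {
			st.entries++;
		}
		nlh = NLMSG_NEXT(nlh, remaining);
	}
	return st;
}

/* Append one message (header + payload, padded to NLMSG_ALIGNTO) at offset off; returns the new offset. */
static size_t put_msg(void *base, size_t off, uint16_t type, const void *payload, size_t plen)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)((unsigned char *)base + off);
	size_t total = NLMSG_LENGTH(plen);

	memset(nlh, 0, NLMSG_ALIGN(total));
	nlh->nlmsg_len = (uint32_t)total;
	nlh->nlmsg_type = type;
	nlh->nlmsg_seq = 1;
	if (plen)
		memcpy(NLMSG_DATA(nlh), payload, plen);
	return off + NLMSG_ALIGN(total);
}

/*
 * A constructed reply stream: the entry answering a GET, the explicit ack
 * that NLM_F_ACK adds behind it, and a -ENOENT error for an entry a -U/-D
 * loop tried to touch after it expired.
 */
static struct reply_stats sample_reply_stream(void)
{
	uint32_t buf[64];  /* uint32_t storage keeps the headers aligned */
	struct nlmsgerr ack, gone;
	const char entry[] = "constructed conntrack entry payload";
	size_t off = 0;

	memset(&ack, 0, sizeof(ack));
	memset(&gone, 0, sizeof(gone));
	gone.error = -ENOENT;

	off = put_msg(buf, off, CT_NEW_MSGTYPE, entry, sizeof(entry));
	off = put_msg(buf, off, NLMSG_ERROR, &ack, sizeof(ack));
	off = put_msg(buf, off, NLMSG_ERROR, &gone, sizeof(gone));
	return drain_replies(buf, off);
}
```

Whether to count a stale entry or bail out is the policy decision the commit makes; the walk itself is the same either way, and it is the walk that keeps the socket buffer from filling up with unread acks.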
* conntrack: unbreak -U command, use correct family
  Pablo Neira Ayuso, 2023-08-22; 1 file, -2/+4

  Set the family from the conntrack object, otherwise, if -f is not specified, the kernel bails out with:

      # conntrack -U -p tcp -m 1
      Operation failed: Not supported
      conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported

  Fixes: b7a396b70015 ("conntrack: use libmnl for updating conntrack table")
  Reported-by: Tony He <huangya90@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: don't override mark when filtering by status
  Jacek Tomasiak, 2023-06-15; 1 file, -2/+1

  When creating new rules (e.g. with `conntrack -I -m 123 -u UNSET ...`), the mark from `-m` was overridden by value from `-u`.

  This behavior was introduced in 1a5828f491c6a1593f30cb5f1551fe9f9cf76a8d ("conntrack: enable kernel-based status filtering with -L -u STATUS") for filtering the output of `-L` option but caused a regression in other cases.

  [ fw@strlen.de: likely copy&waste bug, status and mark are completely different things ]

  Fixes: 1a5828f491c6 ("conntrack: enable kernel-based status filtering with -L -u STATUS")
  Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
  Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: do not silence EEXIST error, use NLM_F_EXCL
  Pablo Neira Ayuso, 2023-05-18; 1 file, -6/+8

  Instead of silencing EEXIST error with -A/--add, unset NLM_F_EXCL netlink flag. Do not ignore error from kernel for command invocation.

  This patch revisits e42ea65e9c93 ("conntrack: introduce new -A command").

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Sanitize free_tmpl_objects()
  Phil Sutter, 2022-12-21; 1 file, -0/+2

  The function unconditionally dereferenced its parameter, yet it is possible for the passed 'cur_tmpl' pointer when called from exit_error() to be still NULL: It is assigned to by alloc_tmpl_objects() at start of do_parse(), though callers of that function might call exit_error() in beforehand.

  Fixes: 258b4540f4512 ("conntrack: add struct ct_tmpl")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* conntrack: Fix for unused assignment in ct_save_snprintf()
  Phil Sutter, 2022-12-21; 1 file, -1/+0

  Setting 'ret' without calling BUFFER_SIZE() is pointless.

  Fixes: 1c596b9ec8f26 ("conntrack: implement save output format")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* conntrack: Fix for unused assignment in do_command_ct()
  Phil Sutter, 2022-12-21; 1 file, -1/+1

  The variable is overwritten immediately in the next iteration and the loop can't exit before doing that. Instead of dropping the assignment, one could add a return code check - but since event_cb() never fails, that check is pointless as well.

  Fixes: e0dac21ed02e3 ("conntrack: use libmnl for conntrack events")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* conntrack: Fix potential array out of bounds access
  Phil Sutter, 2022-12-21; 1 file, -1/+1

  If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will return 'sizeof(tmp)'. Using this value as index is illegal.

  Fixes: b031cd2102d9b ("conntrack: pretty-print the portid")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
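The off-by-one this commit fixes comes from readlink() neither NUL-terminating nor signalling truncation. An added example (not the portid pretty-printer itself) of a wrapper that leaves room for the terminator and refuses a full buffer, exercised against a symlink it creates under a temporary directory; the target name and the `/tmp` fixture are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Read a symlink target into buf. readlink() does not NUL-terminate and
 * returns up to bufsize bytes, so the pattern
 *     n = readlink(path, tmp, sizeof(tmp)); tmp[n] = '\0';
 * writes one past the end when n == sizeof(tmp). Here readlink() is handed
 * one byte less than the buffer, and a result that fills that space is
 * treated as possible truncation. Returns 0 on success, -1 on error or
 * truncation (buf is then an empty string).
 */
static int safe_readlink(const char *path, char *buf, size_t bufsize)
{
	ssize_t n;

	if (bufsize == 0)
		return -1;
	n = readlink(path, buf, bufsize - 1);
	if (n < 0) {
		buf[0] = '\0';
		return -1;
	}
	if ((size_t)n == bufsize - 1) {
		/* target may be longer than we can hold: refuse rather than guess */
		buf[0] = '\0';
		return -1;
	}
	buf[n] = '\0';
	return 0;
}

/*
 * Create a symlink in a fresh temporary directory pointing at a constructed
 * target, then read it back through safe_readlink() with a buffer of the
 * given size. Returns 1 if the full target came back, 0 if truncation was
 * reported, -1 if the fixture could not be set up.
 */
static int readlink_fits(size_t bufsize)
{
	static const char target[] = "a-constructed-symlink-target";  /* 28 bytes */
	char dir[] = "/tmp/readlink-exampleXXXXXX";
	char link[64];
	char buf[128];
	int rc;

	if (!mkdtemp(dir))
		return -1;
	snprintf(link, sizeof(link), "%s/l", dir);
	if (symlink(target, link) < 0) {
		rmdir(dir);
		return -1;
	}
	if (bufsize > sizeof(buf))
		bufsize = sizeof(buf);
	rc = safe_readlink(link, buf, bufsize) == 0 && strcmp(buf, target) == 0;
	unlink(link);
	rmdir(dir);
	return rc;
}
```

Treating "filled the buffer" as truncation rejects a target that fits exactly, which is the conservative side to err on when the value is about to be used as a path or printed to a log.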
* Makefile: Create LZMA-compressed dist-files
  Phil Sutter, 2022-12-09; 1 file, -1/+1

  Use a more modern alternative to bzip2.

  Suggested-by: Jan Engelhardt <jengelh@inai.de>
  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* config: Fix -Wimplicit-function-declaration
  Sam James, 2022-11-28; 2 files, -1/+13

      read_config_yy.c: In function ‘yyparse’:
      read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration]
       1765 |       yychar = yylex ();
            |                ^~~~~
      read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs]
      read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration]
        120 |                 dlog(LOG_ERR, "LogFile path is longer than %u characters",
            |                 ^~~~
      read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs]
      read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration]
        240 |         if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
            |              ^~~~~~~~~
            |              in6_pton

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
  Signed-off-by: Sam James <sam@gentoo.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: Fix -Wstrict-prototypes
  Sam James, 2022-11-24; 1 file, -1/+1

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
  Signed-off-by: Sam James <sam@gentoo.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: don't suppress various warnings
  Sam James, 2022-11-24; 1 file, -1/+1

  These will become fatal with Clang 16 and GCC 14 anyway, but let's address the real problem (followup commit).

  We do have to keep one wrt yyerror() & const char * though, but the issue is contained to the code Bison generates.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
  Signed-off-by: Sam James <sam@gentoo.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: conntrack-tools requires libnetfilter_conntrack >= 1.0.9
  Pablo Neira Ayuso, 2022-10-06; 1 file, -1/+1

  Compilation breaks with 1.0.8 and lower versions, bump dependencies.

  Reported-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack-tools 1.4.7 release
  (tag: conntrack-tools-1.4.7) Pablo Neira Ayuso, 2022-10-06; 1 file, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* local: Avoid sockaddr_un::sun_path buffer overflow
  Phil Sutter, 2022-08-31; 2 files, -5/+5

  The array's size in struct sockaddr_un is only UNIX_PATH_MAX and according to unix(7), it should hold a null-terminated string. So adjust config reader to reject paths of length UNIX_PATH_MAX and above and adjust the internal arrays to aid the compiler.

  Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
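What the rejection described here looks like at the point where a configured path is copied into `sun_path`, as an added example that is not conntrackd's config reader. The bound is taken from `sizeof(addr->sun_path)` rather than a hard-coded UNIX_PATH_MAX so the same check holds on platforms with a smaller array; the probe paths are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Fill a sockaddr_un from a configured path. sun_path is a small fixed array
 * (108 bytes on Linux) and unix(7) wants it NUL-terminated, so a path of
 * sizeof(sun_path) bytes or more cannot be represented: reject it instead of
 * letting strncpy() drop the terminator or a longer copy run past the array.
 * Returns 0 on success, -1 if the path is empty or too long.
 */
static int unix_addr_from_path(struct sockaddr_un *addr, const char *path)
{
	size_t len = strlen(path);

	if (len == 0 || len >= sizeof(addr->sun_path))
		return -1;
	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	memcpy(addr->sun_path, path, len + 1);  /* includes the NUL; bounded by the check above */
	return 0;
}

/* The longest path the structure can hold: one less than the array, for the terminator. */
static size_t max_unix_path_len(void)
{
	return sizeof(((struct sockaddr_un *)0)->sun_path) - 1;
}

/*
 * Feed a constructed path of the requested length ("/" followed by 'a's) to
 * the helper above. Returns 1 if accepted, 0 if rejected, -1 if the probe
 * itself cannot be built.
 */
static int accepts_path_of_length(size_t len)
{
	char path[512];
	struct sockaddr_un addr;

	if (len == 0 || len >= sizeof(path))
		return -1;
	path[0] = '/';
	memset(path + 1, 'a', len - 1);
	path[len] = '\0';
	return unix_addr_from_path(&addr, path) == 0;
}
```

Rejecting at parse time, with a clear error naming the limit, is preferable to silently truncating: a truncated socket path still binds or connects, just somewhere the administrator did not configure.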
* conntrack: slightly simplify parse_proto_num() by using strtoul()
  Pablo Neira Ayuso, 2022-07-11; 1 file, -3/+2

  Use strtoul() instead and remove check for negative value.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use IPPROTO_RAW
  Pablo Neira Ayuso, 2022-07-11; 1 file, -1/+1

  IPPROTO_MPTCP defeats the purpose of IPPROTO_MAX to check for the maximum layer 4 protocol supported in the IP header. Use IPPROTO_RAW (255) instead.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: update manpage with new -A command
  Pablo Neira Ayuso, 2022-07-11; 1 file, -3/+8

  Extend manpage to document the new -A/--add command.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: introduce new -A command
  Mikhail Sennikovsky, 2022-07-08; 12 files, -10/+117

  The -A command works exactly the same way as -I except that it does not fail if the ct entry already exists. This command is useful for the batched ct loads to not abort if some entries being applied exist.

  The ct entry dump in the "save" format is now switched to use the -A command as well for the generated output.

  Also tests added to cover the -A command.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use C99 initializer syntax for option map
  Mikhail Sennikovsky, 2022-07-08; 10 files, -211/+212

  The old way of the commands_v_options initialization made it more difficult and error-prone to add a map for a new command, because one would have to calculate a proper "index" for the initializer and fill the gap with zeros.

  As a preparation step for adding the new "-A" command support, switch to C99 initializer syntax for commands_v_options.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: generalize command parsing
  Mikhail Sennikovsky, 2022-07-08; 1 file, -13/+10

  Currently the -U command has a special case handling in the do_parse because it does not have EXP_ counterpart. Generalizing it would simplify adding support for new commands w/o EXP_ counterpart.

  As a preparation step for adding the new "-A" command support, make the -U command be handled the same way as the rest.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix -o save dump for unknown protocols
  Mikhail Sennikovsky, 2022-06-27; 2 files, -0/+35

  Make sure the protocol (-p) option is included in the -o save ct entry dumps for L4 protocols unknown to the conntrack tool.

  Do not use getprotobynumber for unknown protocols to ensure "-o save" data incompatibility between hosts having different /etc/protocols contents.

  Include testcases covering the issue.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix protocol number parsing
  Mikhail Sennikovsky, 2022-06-27; 2 files, -2/+27

  Before this commit it was possible to successfully create a ct entry passing -p 256 and -p some_nonsense. In both cases an entry with the protocol=0 would be created.

  Do not allow invalid protocol values to -p option.

  Include testcases covering the issue.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
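This commit, the later "use IPPROTO_RAW" and "slightly simplify parse_proto_num()" ones, and the "improve --secmark,--id,--zone parser" commit further up all want the same thing: a strtoul() wrapper that rejects empty input, signs, trailing garbage and out-of-range values rather than returning 0. The following is an added example of such a wrapper, not conntrack's own parser; the function names are the example's, and IPPROTO_RAW (255) is used as the ceiling for `-p` exactly as the IPPROTO_RAW commit chose.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <netinet/in.h>

/*
 * Parse an unsigned decimal, octal (leading 0) or hex (leading 0x) number
 * into a uint32_t no greater than max. Returns 0 on success, -1 otherwise.
 * A bare strtoul() would accept "12abc" (stopping at the 'a'), " 7", "-1"
 * (wrapped to a huge value) and "256" for an 8-bit field, and yields 0 for
 * "some_nonsense": every one of those is refused here.
 */
static int parse_u32(const char *s, uint32_t max, uint32_t *out)
{
	char *end;
	unsigned long v;

	/* strtoul() skips leading blanks and accepts a sign; we do not */
	if (s == NULL || *s == '\0' || isspace((unsigned char)*s) || *s == '-' || *s == '+')
		return -1;
	errno = 0;
	v = strtoul(s, &end, 0);
	if (errno != 0 || *end != '\0' || v > max)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

/* Convenience form for values such as --mark, --id or --zone: the value, or -1 if rejected. */
static int64_t parse_u32_or_neg(const char *s)
{
	uint32_t v;

	return parse_u32(s, UINT32_MAX, &v) == 0 ? (int64_t)v : -1;
}

/*
 * Layer-4 protocol number for -p: the IP header's protocol field is 8 bits,
 * so IPPROTO_RAW (255) is the ceiling. Returns the number or -1.
 */
static int parse_proto_num(const char *s)
{
	uint32_t v;

	if (parse_u32(s, IPPROTO_RAW, &v) < 0)
		return -1;
	return (int)v;
}
```

Passing base 0 keeps the usual `0x` hex spelling working for marks and masks; if a parser must accept only decimal, use base 10 and keep the rest of the checks unchanged.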
* conntrack: set reply l4 proto for unknown protocol
  Mikhail Sennikovsky, 2022-06-27; 2 files, -0/+38

  Without reply l4 protocol being set consistently the mnl_cb_run (in fact the kernel) would return EINVAL.

  Make sure the reply l4 protocol is set properly for unknown protocols.

  Include testcases covering the issue.

  Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: update CT_GET to use libmnl
  Pablo Neira Ayuso, 2022-06-20; 1 file, -48/+3

  Use nfct_mnl_request() to build and send the netlink command.

  Remove dump_cb() since this is a copy of the new libmnl's mnl_nfct_dump_cb() callback function.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>