| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
`inet_aton` expects a `struct in_addr *`. In a number of calls, we pass
pointers to structs or unions which contain a `struct in_addr` member. Pass
pointers to the members instead. In another call, we pass a pointer to a
uint32_t. Cast it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Change it to take a `const char *`. It doesn't modify the string and yacc
passes string literals, so cause compiler warnings.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Contrary to the comment that yacc and lex generate dirty code, none of
the warnings being suppressed are in the generated code. Stop suppressing
them in order to fix the code.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
One per line.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Four misspellings and a missing pronoun.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add a shell script that creates many conntrack entries and it updates
the mark to cover for recent bugs in the 1.4.7 release when moving to
libmnl. This test can be extended to cover for more commands.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GET requests report either error via NLMSG_ERROR or the corresponding
entry, therefore, there is always a reply from the kernel.
The NLM_F_ACK flag results in two netlink messages as reply in case of
success for GET requests, one containing the entry and another with the
explicit acknowledgment.
nfct_mnl_request() leaves the explicit acknowledment in the buffer,
filling it up with unhandled netlink messages, leading to the following
error:
conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available
Fixes: b7a396b70015 ("conntrack: use libmnl for updating conntrack table")
Reported-by: Tony He <huangya90@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-U and -D commands iterate over the netlink dump and it might try to
update/delete an entry which is not in the kernel anymore. Skip ENOENT
errors.
The -U command uses printf and it continues on error, instead bail out
with exit_error().
This problem is present in 1.4.6, this is related to the recent
updates to use libmnl in 1.4.7.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set the family from the conntrack object, otherwise, if -f is not specified
and the kernel bails out with:
# conntrack -U -p tcp -m 1
Operation failed: Not supported
conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported
Fixes: b7a396b70015 ("conntrack: use libmnl for updating conntrack table")
Reported-by: Tony He <huangya90@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When creating new rules with (e.g. with `conntrack -I -m 123 -u UNSET ...`),
the mark from `-m` was overriden by value from `-u`.
This behavior was introduced in 1a5828f491c6a1593f30cb5f1551fe9f9cf76a8d
("conntrack: enable kernel-based status filtering with -L -u STATUS") for
filtering the output of `-L` option but caused a regression in other cases.
[ fw@strlen.de: likely copy&waste bug, status and mark are
completely different things ]
Fixes: 1a5828f491c6 ("conntrack: enable kernel-based status filtering with -L -u STATUS")
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of silencing EEXIST error with -A/--add, unset NLM_F_EXCL
netlink flag.
Do not ignore error from kernel for command invocation.
This patch revisits e42ea65e9c93 ("conntrack: introduce new -A
command").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
The function unconditionally dereferenced its parameter, yet it is
possible for the passed 'cur_tmpl' pointer when called from exit_error()
to be still NULL: It is assigned to by alloc_tmpl_objects() at start of
do_parse(), though callers of that function might call exit_error() in
beforehand.
Fixes: 258b4540f4512 ("conntrack: add struct ct_tmpl")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Setting 'ret' without calling BUFFER_SIZE() is pointless.
Fixes: 1c596b9ec8f26 ("conntrack: implement save output format")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
The variable is overwritten immediately in the next iteration and the
loop can't exit before doing that.
Instead of dropping the assignment, one could add a return code check -
but since event_cb() never fails, that check is pointless as well.
Fixes: e0dac21ed02e3 ("conntrack: use libmnl for conntrack events")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
return 'sizeof(tmp)'. Using this value as index is illegal.
Fixes: b031cd2102d9b ("conntrack: pretty-print the portid")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Use a more modern alternative to bzip2.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
read_config_yy.c: In function ‘yyparse’:
read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration]
1765 | yychar = yylex ();
| ^~~~~
read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs]
read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration]
120 | dlog(LOG_ERR, "LogFile path is longer than %u characters",
| ^~~~
read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs]
read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration]
240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
| ^~~~~~~~~
| in6_pton
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
These will become fatal with Clang 16 and GCC 14 anyway, but let's
address the real problem (followup commit).
We do have to keep one wrt yyerror() & const char * though, but
the issue is contained to the code Bison generates.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Compilation breaks with 1.0.8 and lower versions, bump dependencies.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
according to unix(7), it should hold a null-terminated string. So adjust
config reader to reject paths of length UNIX_PATH_MAX and above and
adjust the internal arrays to aid the compiler.
Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Use strtoul() instead and remove check for negative value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
IPPROTO_MPTCP defeats the purpose of IPPROTO_MAX to check for the
maximum layer 4 protocol supported in the IP header.
Use IPPROTO_RAW (255) instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Extend manpage to document the new -A/--add command.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The -A command works exactly the same way as -I except that it
does not fail if the ct entry already exists.
This command is useful for the batched ct loads to not abort if
some entries being applied exist.
The ct entry dump in the "save" format is now switched to use the
-A command as well for the generated output.
Also tests added to cover the -A command.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The old way of the commands_v_options initialization made it more
difficult and error-prone to add a map for a new command, because one
would have to calculate a proper "index" for the initializer and fill
the gap with zeros.
As a preparation step for adding the new "-A" command support,
switch to C99 initializer syntax for commands_v_options.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the -U command has a special case handling
in the do_parse because it does not have EXP_ counterpart.
Generalizing it would simplify adding support for new commands
w/o EXP_ counterpart.
As a preparation step for adding the new "-A" command support,
make the -U command be handled the same way as the rest.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure the protocol (-p) option is included in the -o save
ct entry dumps for L4 protocols unknown to the conntrack tool.
Do not use getprotobynumber for unknown protocols to ensure
"-o save" data incompatibility between hosts having different
/etc/protocols contents.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this commit it was possible to successfully create a ct entry
passing -p 256 and -p some_nonsense.
In both cases an entry with the protocol=0 would be created.
Do not allow invalid protocol values to -p option.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Withouth reply l4 protocol being set consistently the mnl_cb_run
(in fact the kernel) would return EINVAL.
Make sure the reply l4 protocol is set properly for unknown
protocols.
Include testcases covering the issue.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use nfct_mnl_request() to build and send the netlink command. Remove
dump_cb() since this is a copy of the new libmnl's mnl_nfct_dump_cb()
callback function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch comes in preparation for updating the CT_GET command to use
libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
For bulk ct entry loads (with -R option) reusing the same mnl
modifier socket for all entries results in reduction of entries
creation time, which becomes especially signifficant when loading
tens of thouthand of entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Ports are used to uniquely identify the flow, this information must be
included inconditionally to sync message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
read() occurs from the wrong socket so 'conntrack -E' hangs without
reporting any events.
Fixes: 5ec684be0854 ("conntrack: consolidate socket open call")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
This flag makes life a lot harder because lack of the flag hides
very useful information. Remove it and always tag events triggered
by userspace flush.
Option is still parsed for backwards compatibility sake.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Create netlink socket once and reuse it, rather than open + close it
over and over again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Have to free the strings allocated by split_address_and_port().
Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
These variables are not referred to after assigning within their scope
(or until they're overwritten).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Coverity tool complains that exit() is not signal-safe and therefore
should not be called from within a signal handler. Call _exit() instead.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
False priority value was never printed.
Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Coverity tool complains about accessing a local variable at non-zero
offset. Avoid this by using a helper union. This should silence the
checker, although the code is still probably not Big Endian-safe.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
When consecutively printing into the same buffer at increasing offset,
reduce buffer size passed to snprintf() to not defeat its size checking.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
struct cache::features is of type struct cache_feature **, allocate and
populate accordingly.
Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
This is cosmetics only, but stops valgrind from complaining about
definitely lost memory.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions without but doesn't provide all symbols the objects
use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use libmnl and libnetfilter_conntrack mnl helpers to flush the conntrack
table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use libmnl and libnetfilter_conntrack mnl helpers to delete
the conntrack table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use libmnl and libnetfilter_conntrack mnl helpers to update the conntrack
table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|