| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This option requires Linux kernel >= 2.6.38, you have to enable conntrack
timestamping with:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
# conntrack -L -o ktimestamp
udp 17 59 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=121 [start=Thu Feb 17 17:41:18 2011] use=1
# conntrack -L
conntrack v0.9.15 (conntrack-tools): 20 flow entries have been shown.
udp 17 31 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=149 use=1
# conntrack -E -o ktimestamp
...
[DESTROY] udp 17 src=192.168.1.128 dst=192.168.1.1 sport=40162 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=40162 [ASSURED] delta-time=3 [start=Thu Feb 17 17:44:57 2011] [stop=Thu Feb 17 17:45:00 2011]
# conntrack -E
[DESTROY] udp 17 src=192.168.1.128 dst=77.226.252.14 sport=123 dport=123 src=77.226.252.14 dst=192.168.1.128 sport=123 dport=123 delta-time=8
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So far, conntrack only allows to listen to events of new expectations.
With this patch, we can listen to events of destroyed expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick's McHardy iptables
CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch cleans up nat_parse() and it also displays nicer
error message for malformed arguments.
% conntrack -L --src-nat :80
conntrack v0.9.14 (conntrack-tools): No IP specified
Try `conntrack -h' or 'conntrack --help' for more information.
% conntrack -L --src-nat 1.1.1.1:
conntrack v0.9.14 (conntrack-tools): No port specified after `:'
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes the filtering if the IP matches an entry but the PORT
does not matches. Without this patch, the entry is shown when it
should be not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch restricts the behaviour that we previously introduced
in 142606c60808b3ab0496155ac3d086765e6baef3.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the missing bits to allow to filter with --any-nat
based on the IP address.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes another scenario in which the flow has some
PAT mangling and we passed the src-nat address that we want
to use to perform the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
With this patch, conntrack does not show bogus entries that have no NAT
applied due to a relaxed checking.
conntrack -L --src-nat :80
tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the
inconsistent behaviour that I described in
85f94171a71880c744f265268f33ad58819caa74. Great.
This patch fixes this again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the --any-nat option that allows to display src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch allows the following command to filter port-based NAT:
$ conntrack -L --dst-nat :9999
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch is a cleanup, it puts all the commands and options code
together. This makes easier and less error-prone the task to add
new commands and options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch is a cleanup, it expands an array that contains the
correspondence between the option-flags and the option-names.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e
was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted
OR destination-natted flows. This patch changes the behaviour to
show source-natted AND destination-natted flows.
This is the consistent behaviour that we expect from conntrack
(this is how it works for other options indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch fixes the filtering with --src-nat and --dst-nat options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since
it breaks conntrack listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Read an integer right away with fscanf() instead of read()-ing to a
buffer, which was actually to small for the terminating '\0', and
atoi()-ing. Furthermore read() might not read enough, though unlikely
here.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid this error:
conntrack v0.9.13 (conntrack-tools): Operation failed: No such file or
directory
when using 'conntrack -E -e ALL ...'.
This is caused by the fact that netfilter expectations also get
delivered, but things are not setup for this, nfnl_catch returns -1
and errno = ENOENT.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
When 'conntrack' is called with no arguments then garbage is printed
after the usage message. This patch fixes this.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds GRE support for the command line tool conntrack.
With this patch, we support all protocols available in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
|
| |
|
|
|
|
| |
This patch fixes an English typo in an output message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds DCCP support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds SCTP support to the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds UDPlite support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the generic_opt_check() function to add
extra information on the possible option combinations. Under
some specific situations, like the creation and getting of
a conntrack, you may specify the original or the reply tuple
but at least one MUST be present. This handling has been
always tricky, it still remains but we're more user friendly
at least.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch removes the broken command checking. This is better
handled by the option checkings which comes just after this one.
This patch also fixes some inconsistencies in the command
parameter checking when long names are used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds `-S' command to display kernel statistics. Using
raw `cat' on /proc and the hexadecimal output is not very handy.
This option parses the /proc entry and display the information
is a more human friendly way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes some missing bits for the `-C' conntrack command
like the manpage information, the usage help, the `--counters'
synonymous and the commands vs. options checking.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The option --status can be used with -I. Currently, this behaviour
is broken.
conntrack v0.9.9 (conntrack-tools): Illegal option `--status' with this command
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectation, it loops on the table to count the number of entries
(as there is not proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
With this patch, you can filter expected connections:
# conntrack -L --status EXPECTED
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch move the options release to free_options(). It also
move the free_options call after the error checking because
exit_error already free the option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch, you can specify the following command to dump the
expectation table, instead of writing 'expect'.
# conntrack -L e
also, it is valid the following command:
# conntrack -L ex
# conntrack -L exp
and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch replaces a couple of hardcoded buffer sizes by sizeof()
calls. This sort of code is error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch fixes a wrong warning display to stdout instead of stderr.
Make the warning message homogeneous to others.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch relaxes the parameter checking as now we don't need to
pass --status when we create a conntrack via command line interface.
In this case, the conntrack entry is created only with the
IPS_CONFIRMED flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch cleanups the NAT filtering. The former code had three
branches, one if src and dst NAT are set, else one if src NAT is
set, else one if dst NAT is set.
Now, we check if src NAT is set or if dst NAT is set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch fixes the dump counter displayed with -L expect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch fixes filtering for unsupported protocol. Thus, you can
use -L -p 47 or -L -p gre to filter `gre' traffic.
Based on an initial patch from Bryan Duff <bduff@astrocorp.com>.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The mark-based filtering for events does not work if the mark is not
present in the event message. This happens because nfct_cmp() skips
the comparison of the compared objects since it they do not have the
same attributes set. This patch make use of the new NFCT_CMP_MASK
flag that returns false if the first object passed as parameter is
set and the second is not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch removes the use of snprintf and directly print the XML header
to the standard output. This simplifies the handling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch cleans up the update path for the conntrack utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Insert string `conntrack-tools' in error messages to explicitly print
that this version is inside the conntrack-tools package.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
From: Pablo Neira Ayuso <pablo@netfilter.org>
If getopt_long returns '?', show an error telling that some
arguments are missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Remove extra \n in error message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Remove duplicated optarg checkings for options that require mandatory
paramaters. This checking is already done by getopt_long().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use %zu instead of %u for size_t to remove compilation warning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
