| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the global template object, add it to struct ct_cmd. This patch
prepares for the batch support.
The global cur_tmpl pointer is used to access the template from the
callbacks and the exit_error() path.
Note that it should be possible to remove this global cur_tmpl pointer
by passing the new command object as parameter to the callbacks and
exit_error().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This new object stores the result of the command parser, this prepares
for batch support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DESTROY events already include the portid. Add some /proc glue
to lookup the portid.
Problem is that there is no direct mapping to a name.
Lookup steps are:
1. Obtain the portid inode from /proc/net/netlink.
If we can't even find that, no luck.
2. assume portid == pid and search
/proc/portid/fd/ for a socket with matching inode.
This is modeled on iproute2 ss tool.
If /proc/portid/fd/ comes up empty, entire process space
(/proc/*/fd) is searched for a matching inode.
As this is quite some work, cache the last portid result (including
'not found', so that 'conntrack -F' generating 10000k events will do
this lookup only once.
The lookup won't work in case the deleting/flushing program has already
exited; in that case [USERSPACE] tag and portid are still included.
Example:
$ conntrack -E -o userspace
[DESTROY] tcp 6 src=192... dst=192... sport=4404 dport=22 ... [USERSPACE] portid=5146 progname=conntrack
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit allows dumping conntrack entries in the format
used by the conntrack parameters, aka "save" output format.
This is useful for saving ct entry data to allow applying
it later on.
To enable the "save" output the "-o save" parameter needs
to be passed to the conntrack tool invocation.
[ pablo@netfilter.org: several updates to the original patch ]
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This allows users to flush IPv4 entries only through:
conntrack -F -f ipv4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch allows you to filter event through -f, e.g.
conntrack -E -f ipv4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
2bcbae4c14b2 ("conntrack: -f family filter does not work") restored the
fallback to IPv4 if -f is not specified, which was the original
behaviour.
This patch modifies the default to use the unspec family if -f is not
specified for the following ct commands:
- list
- update
- delete
- get
(these two commands below do not support for -f though, but in case this is
extended in the future to support it):
- flush
- event
The existing code that parses IPv4 and IPv6 addresses already infers the
family, which simplifies the introduction of this update.
The expect commands are not updated, they still require many mandatory
options for filtering.
This patch includes a few test updates too.
Based on patch from Mikhail Sennikovsky.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
While at it, also allow to display up to 4 counters that are sent
by kernel but that we do not know.
This is useful to list counters that a new kernel supports with
and older release of conntrack-tools.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
This patch adds support for the IPS_HW_OFFLOAD flag which specifies that
this conntrack entry has been offloaded into the hardware.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Code assumed host architecture to be Little Endian. Instead produce a
proper mask by pushing the set bits into most significant position and
apply htonl() on the result.
Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
# conntrack -L -u OFFLOAD
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
/etc/protocols defines protocol zero as 'ip' for IPv4, and
'hopopt' for IPv6, which can be used with conntrack as '-p ip'
or '-p hopopt'. However it's equivalent, '-p 0' is considered
unsupported. Change the range check in findproto() to allow
zero as well.
Signed-off-by: Brian Haley <bhaley@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following command:
# conntrack -E -o userspace &
# conntrack -F
[DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE]
prints the [USERSPACE] tag at the end of the event, this tells users if
this event has been triggered by process, eg. via conntrack command
invocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Use libmnl instead libnfnetlink infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add parameter to nfct_mnl_socket_open() to subscribe to events.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
"conntrack -L -f ipv4" and "conntrack -L -f ipv6" each prints both
protocols. This is because the family filtering is now enabled only if
filter_mark_kernel_set is true.
Fixes: 8b8377163697 ("conntrack: send mark filter to kernel iff set")
Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
When read cpu conntrack stats from /proc/net/stat/nf_conntrack,
it only shows stats from cpu0.
This patch list all cpus' conntrack stats like what `nfexp_stats_cb` did.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The goal of this patch is to fix the ipv6 support when conntrackd is
cross-compiled. The AC_RUN_IFELSE macro must be avoided as much as possible.
See section 6.6 of the gnu autoconf:
"If you really need to test for a runtime behavior while configuring, you can
write a test program to determine the result, and compile and run it using
AC_RUN_IFELSE. Avoid running test programs if possible, because this prevents
people from configuring your package for cross-compiling."
Let's remove this check and test the returned error to handle the case where
ipv6 is not supported (inet_pton() returns -1 when the family is not supported).
Reported-by: Zhenlin Zhang <zhenlin.zhang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Refactor and improve nat support to allow conntrack to manage IPv6
NAT entries.
Refactor and improve conntrack nat tests to include IPv6 NAT.
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Do not set a mark filter to ctnetlink if the user doesn't explicitly
specify this.
Fixes: aa925010951e ("conntrack: allow to filter by mark from kernel-space")
Reported-by: Joseph Conley <joseph.j.conley@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for using CIDR notation in --{orig,tuple}-{src,dst} arguments,
instead of free-form formatting netmask in --mask-{src,dst}.
Example:
conntrack -L -s 2001:db8::/56
Instead of:
conntrack -L -s 2001:db8:: --mask-src ffff:ffff:ffff:ff00::
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
|
|
|
|
|
|
|
|
|
| |
Prepare for CIDR support, by splitting nfct_set_addr_from_opt()
into nfct_parse_addr_from_opt() for parsing
and nfct_set_addr_opt() for storing.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch extends --mask-src and --mask-dst to also work
with the conntrack table, with commands -L, -D, -E and -U.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This option was already silently allowed by 991fc4ae,
but didn't have any effect.
This patch adds the check and documents it.
Cc: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Store tuple-src and tuple-dst in exptuple,
as used by the EXP_CREATE case.
Verified with doc/cli/test.sh
Also reorder the cases, so the netmask case is last.
Reported-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
{} is mask-src and mask-dst, [] is tuple-src and tuple-dst
mask-* should be stored in mask, tuple-* should be stored in exptuple.
This reverts commit 3309fdb4413cb32f9b95e05064dc9dbb56550939
since it mixed up {} and [].
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for zone directions.
Since all options have the orig/reply as a prefix, I named it --orig-zone
and --reply-zone to stay consistent with the rest of the cmdline options.
As for the option chars, there was no unallocated reasonable combination,
thus only long options are officially exposed in the help, similarly as in
other cases.
Test suite results, after patch: OK: 79 BAD: 0
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Extensions register protocols by lowercase protocol name, but value of
proto command line option may be uppercase. Extension related options
cannot be used when protocol name comparision fails.
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When updating labels we always have to send the same sized bitmask as
we received, as the bits we do omit will otherwise cleared as "padding".
Mask has to have the same size as the labels, otherwise it will not be
encoded by libnetfilter_conntrack, as different sizes are not accepted
by the kernel either.
Finally, kernel only retains old bit values that we send as zeroes in
BOTH the label and the mask, due to XOR used in bit manipulation.
This patch fixes all these issues and allows updates to set new labels
without accidentally clearing old ones.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
If we fail to update an entry, just try to continue with the next one
instead of exiting.
Can happen f.e. when using "conntrack -U --add-label bla", but the
conntrack entry in the kernel does not have the label extension set.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
new options "--label-add" and "--label-delete" to alter connlabels
assigned to a connection.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Using -l foo -l bar caused the "foo" label to be lost.
Merge multiple -l options so "-l foo,bar" and "-l foo -l bar" have same
effect.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Rename get_table to generic "optional argument handling" helper,
so it can be re-used in upcoming patch.
While at it, avoid copy&paste of "labelmap" handling.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
Use selected the family, instead of inconditionally request for IPv4.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
short options were always reported as "unknown argument".
getopt(3) says:
if [it] finds an option character in argv that was not included in
optstring, or if it detects a missing option argument, it returns '?'
and sets the external variable optopt to the actual option character.
If the first character [...] of optstring is a colon (':'),
then getopt() returns ':' instead of '?' to indicate a missing option
argument.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
commit d343b8c (conntrack: add connlabel format attribute) erronously
removed _UNKNOWN format, i.e. conntrack -L displayed
[UPDATE] tcp 6 114 TIME_WAIT src=..
^^^^^
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fractional portion of timestamps reported by conntrack
is printed as a left-justified integer instead of fixed-width
and zero-padded.
Closes netfilter's bugzilla 817:
https://bugzilla.netfilter.org/show_bug.cgi?id=817
Reported-by: hoffman@stanford.edu
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for:
conntrack -L dying
conntrack -L unconfirmed
To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.
Users like to check this to make sure things are going OK. Still, some
conntrack objects may be still in the dying and the unconfirmed list.
With this patch, we can also dump their content, before it was not
possible.
In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
/proc/sys/net/netfilter/nf_conntrack_count
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since Linux kernel >= 3.6.x, we can dump the conntrack statistics
via ctnetlink instead of using the /proc interface:
conntrack -S
cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
conntrack -S exp
cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141
cpu=1 expect_new=390 expect_create=37496 expect_delete=1531
cpu=2 expect_new=333 expect_create=68117 expect_delete=1895
cpu=3 expect_new=71 expect_create=13366 expect_delete=1255
Note that the output is not backward-compatible, but we fail back to previous
output in case that ctnetlink stats dumping is not available.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
else, piping "conntrack -E expect" output will be buffered/delayed,
which is not what users expect. Normal conntrack events are already
flushed.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|