| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
This patch adds an userspace port of the SANE helper that is currently
implemented in the kernel. This requires Linux kernel 3.12 to work.
|
| |
|
|
|
|
|
| |
Open the socket from the main function, then pass it as parameter
to the corresponding interpreter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add helper function nfct_mnl_talk and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch is a cleanup to split this function in smaller chunks.
It is required to prepare default protocol timeout tuning via
netlink.
|
| |
|
|
|
|
|
| |
The kernel bails out for unsupported protocols. Moreover, we
don't need to upgrade to support new protocols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch allows you to disable userspace helper support and
conntrack timeout tuning at build stage.
By default, both features are enabled, to avoid breaking backward
compatibility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Modularize timeout and helper extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for the DHCPv6 helper.
1) nfct helper add dhcpv6 inet6 udp
2) ip6tables -I OUTPUT -t raw -p udp --sport 546 -j CT --helper dhcpv6
3) run conntrackd
You should see:
% conntrack -L exp -f ipv6
279 proto=17 src=:: dst=ff02::1:2 sport=0 dport=546 mask-src=:: mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=fe80::221:ccff:fe4a:7f9c master-dst=ff02::1:2 sport=546 dport=547 PERMANENT class=0 helper=dhcpv6
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This requires the Linux kernel 3.12.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
If we fail to update an entry, just try to continue with the next one
instead of exiting.
Can happen f.e. when using "conntrack -U --add-label bla", but the
conntrack entry in the kernel does not have the label extension set.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
new options "--label-add" and "--label-delete" to alter connlabels
assigned to a connection.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Using -l foo -l bar caused the "foo" label to be lost.
Merge multiple -l options so "-l foo,bar" and "-l foo -l bar" have same
effect.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Rename get_table to generic "optional argument handling" helper,
so it can be re-used in upcoming patch.
While at it, avoid copy&paste of "labelmap" handling.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Use selected the family, instead of inconditionally request for IPv4.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Set to zero the entire address if needed, not just 4 bytes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
short options were always reported as "unknown argument".
getopt(3) says:
if [it] finds an option character in argv that was not included in
optstring, or if it detects a missing option argument, it returns '?'
and sets the external variable optopt to the actual option character.
If the first character [...] of optstring is a colon (':'),
then getopt() returns ':' instead of '?' to indicate a missing option
argument.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
commit d343b8c (conntrack: add connlabel format attribute) erronously
removed _UNKNOWN format, i.e. conntrack -L displayed
[UPDATE] tcp 6 114 TIME_WAIT src=..
^^^^^
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- check if ct has label attribute, and at least one label
(bit) is set
- serialize bitmap into array-of-u32, in network byte order
- add code to build new nfct_bitmask object from array-of-u32
Current parse functions don't have length information,
this adds optional parse2() which gets struct netattr pointer.
Attributes that want to use parse2 need to set .maxsize to nonzero
value.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch simplifies the expectation filtering by looking up for the
master conntrack. If it does not exists, then we assume that we don't
want this expectation either.
This simplification also fixes the current broken expectation filtering,
since the master conntrack from expectations has neither reply tuple
nor state, however, the filtering code assumes the opposite.
This partially reverts (479a37a conntrackd: fix crash with IPv6 expectation
in the filtering code) since it was incorrectly setting the reply tuple
of the master conntrack.
Thanks to Bill Fink for providing feedback to resolve this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
> a = 2654435769 b = 2654435769 c = 0 len = 4
> #1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> #2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> #3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
The master conntrack of the expectation has no reply tuple. However, the
filtering routine needs it. To avoid this issue, emulate the source
address in the reply tuple.
While at it, fix incorrect sanity checking that should have caught
this issue.
Thanks to Florian Westphal for initial diagnosing of this bug.
Reported-by: Bill Fink <billfink@mindspring.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch deprecates the `Family' tweak in the configuration file.
Several reasons for this:
* If not specified, this was default to IPv4 only in table dumps from
the kernel. However, non-IPv4 events were still received. This is
inconsistent.
* It's an early tweak that was not documented (not included in any
of the example files).
If we want to support any sort of consistent filtering based on the
family, this should happen in the filtering code.
After this patch, conntrackd uses AF_UNSPEC to dump the conntrack and
expectation tables from the kernel.
Reported-by: Bill Fink <billfink@mindspring.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use source and destination address, not only source address for
hashing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
main.c:359:6: warning: ignoring return value of 'nice' [..]
main.c:395:7: warning: ignoring return value of 'chdir' [..]
run.c:43:17: warning: declaration of 'signal' shadows a global declaration
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The fractional portion of timestamps reported by conntrack
is printed as a left-justified integer instead of fixed-width
and zero-padded.
Closes netfilter's bugzilla 817:
https://bugzilla.netfilter.org/show_bug.cgi?id=817
Reported-by: hoffman@stanford.edu
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both representations of this example IPv6 address should be accepted:
fe80::1
fe80:0:0:0:0:0:0:1
This patch fixes the lexical parser for non-abbreviated version, which was not
working.
Signed-off-by: James Guthrie <jag@open.ch>
Signed-off-by: Roman Hoog Antink <rha@open.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for:
conntrack -L dying
conntrack -L unconfirmed
To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.
Users like to check this to make sure things are going OK. Still, some
conntrack objects may be still in the dying and the unconfirmed list.
With this patch, we can also dump their content, before it was not
possible.
In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The existing code may nest several signal blocking and unblocking
calls in different paths of the code. This may result in deadlocks
while receiving signals.
This patch simplifies the signal blocking approach. Now signals
are blocked in three paths:
1) Internal timers handling, while running timer callback
for expired timers.
2) File descriptor handling, while running file descriptor
callbacks.
3) While handling signals, to avoid that SIGINT and SIGTERM
in a row results in a deadlock.
Thanks a lot to Ulrich Weber <ulrich.weber@sophos.com> for
discussing a fix for this problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
ExpectationSync requires Linux kernel >= 3.5 to work sanely, document this.
Still, we don't want to crash if someone enables expectation sync with
old Linux kernels (like 2.6.32).
Reported-by: James Gutholm <gutholmj@evergreen.edu>
Tested-by: James Gutholm <gutholmj@evergreen.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Several includes are missing when netfilter libs are not in the
standard path.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds the QueueLen option, that allows you to increase
the maximum number of packets waiting in the nfnetlink_queue to
receive a verdict from userspace.
Rising the default value (1024) is useful to avoid hitting the following
error message: "nf_queue: full at X entries, dropping packets(s)".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was set to NFCT_HELPER_NAME_MAX (16 bytes), but we have function
names that are larger, eg. nf-nat-follow-master which is 18 bytes
long.
This leads to hitting malformed message while synchronizing
expectations.
I'll add some new constant to libnetfilter_conntrack instead of
hardcoding this, later.
Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
%pI4 also exists in the Linux kernel.
It would be good to have some generic functions to convert binary data
to address string. Later.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
conntrackd was segfaulting with `ExpectationSync` set to `Off`
and PollSecs (polling mode) in use.
Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Instead of hardcoded path to /usr/lib/conntrack-tools/ which might
not be true if options like --prefix with different location is
passed to conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
How to use this helper in a few steps:
1) You can enable this helper via:
nfct helper add rpc inet tcp
nfct helper add rpc inet udp
2) Configure /etc/conntrackd/conntrackd.conf and launch it.
3) You can test this helper locally with the following rule-set:
iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P OUTPUT DROP
4) Configure NFS and export some local directory. Then, mount it with version 3.
mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/
You should see permanent expectations created for this.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch moves the specific ctnetlink code to ctnl.c to prepare
the introduction of the cthelper infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch generalizes the select-based file descriptor infrastructure
by allowing you to register file descriptors and its callbacks. Instead
of hardcoding the descriptors that needs to be checked.
Now, struct fds_item contains a callback and pointer to data that is
passed to it:
struct fds_item {
struct list_head head;
int fd;
+ void (*cb)(void *data);
+ void *data;
};
Then, we check which ones are active in the select_main_step() function:
list_for_each_entry(cur, &STATE(fds)->list, head) {
if (FD_ISSET(cur->fd, &readfds))
cur->cb(cur->data);
}
And it invoked the corresponding callback.
I had to slightly modify the channel infrastructure to fit it into
the changes.
This modularity is required for the upcoming cthelper support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
/proc/sys/net/netfilter/nf_conntrack_count
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since Linux kernel >= 3.6.x, we can dump the conntrack statistics
via ctnetlink instead of using the /proc interface:
conntrack -S
cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
conntrack -S exp
cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141
cpu=1 expect_new=390 expect_create=37496 expect_delete=1531
cpu=2 expect_new=333 expect_create=68117 expect_delete=1895
cpu=3 expect_new=71 expect_create=13366 expect_delete=1255
Note that the output is not backward-compatible, but we fail back to previous
output in case that ctnetlink stats dumping is not available.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the current behaviour of `-t' and `-F' commands,
that results in flushing the kernel conntrack table. With this patch,
the entries that match the Filter clauses in conntrackd.conf are
ignored.
This fixes the situation in which some local ssh connection to the
firewall is lost during the failover (since `-t' is invoked from the
primary-backup.sh script).
Note that the Filter clause tells what entries have to be ignored,
ie. the entries that do not need to be replicated. It makes sense
not to flush entries that are not replicated (usually traffic to
the local firewall).
Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
While adding the expectation support for conntrackd, I accidentally
broke synchrony in 'conntrackd -c' command.
Basically, conntrackd -c should not return control to the shell
until the cache has been committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Flushing the external cache, ie. conntrackd -f, while commit is in progress
is not allowed anymore, ie. conntrackd -c.
Note that conntrackd -c is synchronous. Thus, it returns control to the
caller once the commit has finished.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Making all in src
make[1]: Entering directory `/home/oden/RPM/BUILD/conntrack-tools-1.2.0/src'
CC parse.o
parse.c: In function 'msg2ct':
parse.c:258:34: error: 'NULL' undeclared (first use in this function)
parse.c:258:34: note: each undeclared identifier is reported only once for
each function it appears in
parse.c: In function 'msg2exp':
parse.c:438:16: error: 'NULL' undeclared (first use in this function)
Reported-by: Oden Eriksson <oeriksson@mandriva.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Before this patch, we called accept() to likely return EAGAIN.
This is not required as select() will tell us that we're ready
to accept. Therefore, that early accept() invocation complicates
the whole handling just to get the connection accepted a bit
before.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
