| Commit message | Author | Age | Files | Lines |
For bulk ct entry loads (with -R option) reusing the same mnl
modifier socket for all entries results in a reduction of entry
creation time, which becomes especially significant when loading
tens of thousands of entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ports are used to uniquely identify the flow, so this information must be
included unconditionally in the sync message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
read() occurs from the wrong socket so 'conntrack -E' hangs without
reporting any events.
Fixes: 5ec684be0854 ("conntrack: consolidate socket open call")
Signed-off-by: Florian Westphal <fw@strlen.de>
This flag makes life a lot harder because lack of the flag hides
very useful information. Remove it and always tag events triggered
by userspace flush.
The option is still parsed for backwards compatibility's sake.
Signed-off-by: Florian Westphal <fw@strlen.de>
Create netlink socket once and reuse it, rather than open + close it
over and over again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Have to free the strings allocated by split_address_and_port().
Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
Signed-off-by: Phil Sutter <phil@nwl.cc>
These variables are not referred to after assigning within their scope
(or until they're overwritten).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Coverity tool complains that exit() is not signal-safe and therefore
should not be called from within a signal handler. Call _exit() instead.
Signed-off-by: Phil Sutter <phil@nwl.cc>
False priority value was never printed.
Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Coverity tool complains about accessing a local variable at non-zero
offset. Avoid this by using a helper union. This should silence the
checker, although the code is still probably not Big Endian-safe.
Signed-off-by: Phil Sutter <phil@nwl.cc>
When consecutively printing into the same buffer at increasing offset,
reduce buffer size passed to snprintf() to not defeat its size checking.
Signed-off-by: Phil Sutter <phil@nwl.cc>
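The pattern described in this commit, as an added example that is not conntrack-tools code: each snprintf() call into a shared buffer is given only the space that remains after the current offset, and the caller is told when output was cut. The buf_append()/format_tuple() helpers and the sample tuple are hypothetical; only the sizing rule comes from the commit message.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text into buf[size] at *off. The bound handed to
 * vsnprintf() shrinks by the current offset, so it always describes the
 * space actually left instead of the whole buffer. Returns 1 if the text
 * fit, 0 if it was truncated (buf stays NUL-terminated, *off is clamped). */
static int buf_append(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0 || *off >= size)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, size - *off, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    if ((size_t)n >= size - *off) {
        *off = size - 1;   /* buffer full; vsnprintf already wrote the NUL */
        return 0;
    }
    *off += (size_t)n;
    return 1;
}

/* Render a tuple in the style of conntrack's output, one field at a time.
 * Returns 1 if everything fit, 0 if any field was truncated. */
int format_tuple(char *buf, size_t size, const char *proto,
                 const char *src, unsigned sport,
                 const char *dst, unsigned dport)
{
    size_t off = 0;
    int ok = 1;

    ok &= buf_append(buf, size, &off, "%s ", proto);
    ok &= buf_append(buf, size, &off, "src=%s sport=%u ", src, sport);
    ok &= buf_append(buf, size, &off, "dst=%s dport=%u", dst, dport);
    return ok;
}

/* Self-check: a 64-byte buffer holds the whole constructed line. */
int demo_fits(void)
{
    char buf[64];
    int ok = format_tuple(buf, sizeof buf, "tcp", "10.0.0.1", 12345,
                          "10.0.0.2", 443);
    return ok == 1 &&
           strcmp(buf, "tcp src=10.0.0.1 sport=12345 dst=10.0.0.2 dport=443") == 0;
}

/* Self-check: a 16-byte buffer reports truncation and is still a valid
 * string with its NUL in the last byte, nothing written past the end. */
int demo_truncated(void)
{
    char buf[16];
    int ok = format_tuple(buf, sizeof buf, "tcp", "10.0.0.1", 12345,
                          "10.0.0.2", 443);
    return ok == 0 && buf[sizeof buf - 1] == '\0' &&
           strlen(buf) == sizeof buf - 1;
}

int main(void)
{
    printf("fits=%d truncated=%d\n", demo_fits(), demo_truncated());
    return 0;
}
```

The defeated check the commit refers to is the opposite shape, `snprintf(buf + off, sizeof(buf), ...)`: once off is non-zero the bound overstates the room left and the call can write past the end of buf.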
struct cache::features is of type struct cache_feature **, allocate and
populate accordingly.
Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
Signed-off-by: Phil Sutter <phil@nwl.cc>
This is cosmetics only, but stops valgrind from complaining about
definitely lost memory.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions but doesn't provide all symbols the objects
use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use libmnl and libnetfilter_conntrack mnl helpers to flush the conntrack
table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use libmnl and libnetfilter_conntrack mnl helpers to delete
the conntrack table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use libmnl and libnetfilter_conntrack mnl helpers to update the conntrack
table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Provide a helper function to build and send the netlink request, this allows
to consolidate nfct_mnl_get() and nfct_mnl_create().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nfct_mnl_recv() is misleading, this helper function allows you to
perform a netlink dump, rename it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
.... those do not indicate bugs, but they are distracting.
'exp_filter_add' at filter.c:513:2:
__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]
This warning is because the size argument passed to strncpy() is
identical to the buffer size, i.e. if hit, the resulting string is not
0-terminated.
read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
... it's because the _MAXLEN constants are one less than the output
buffer size, i.e. could use either .._MAXLEN + 1 or sizeof; this uses
sizeof().
Signed-off-by: Florian Westphal <fw@strlen.de>
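The strncpy() case above, as an added example that is not conntrack-tools code: it shows that a bound equal to the destination size leaves the buffer unterminated exactly when the source fills it, and puts a terminating, truncation-reporting copy beside it. NAME_LEN, copy_full_bound(), copy_bounded() and the 16-character sample name are hypothetical stand-ins for the fixed-size fields the warnings mention.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* stands in for a fixed-size name field */

/* 1 if buf[0..len) contains a NUL, i.e. it can be used as a C string. */
static int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The pattern the warning points at: the bound equals the destination
 * size. strncpy() pads short sources with NULs but adds none when the
 * source is NAME_LEN bytes or longer. Returns whether dst is terminated. */
int copy_full_bound(char *dst, const char *src)
{
    memset(dst, 'X', NAME_LEN);   /* poison so a missing NUL is visible */
    strncpy(dst, src, NAME_LEN);
    return is_terminated(dst, NAME_LEN);
}

/* Bounded copy that always terminates and reports truncation instead of
 * hiding it: returns 0 if src fit, 1 if it was cut to NAME_LEN - 1 bytes. */
int copy_bounded(char *dst, const char *src)
{
    size_t n = strlen(src);

    if (n >= NAME_LEN) {
        memcpy(dst, src, NAME_LEN - 1);
        dst[NAME_LEN - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);      /* includes the NUL */
    return 0;
}

/* Self-checks. A short name is fine either way. */
int demo_short_name(void)
{
    char d[NAME_LEN];
    return copy_full_bound(d, "ftp") == 1 && strcmp(d, "ftp") == 0;
}

/* The 16-character name is exactly the edge case: it fills the buffer and
 * strncpy() leaves no room for, and writes no, terminator. */
int demo_long_name_strncpy(void)
{
    char d[NAME_LEN];
    return copy_full_bound(d, "0123456789abcdef") == 0;
}

/* The bounded copy keeps 15 characters, terminates, and says so. */
int demo_long_name_bounded(void)
{
    char d[NAME_LEN];
    return copy_bounded(d, "0123456789abcdef") == 1 &&
           strcmp(d, "0123456789abcde") == 0;
}

int main(void)
{
    printf("short=%d strncpy_long=%d bounded_long=%d\n",
           demo_short_name(), demo_long_name_strncpy(),
           demo_long_name_bounded());
    return 0;
}
```

When the destination is a real array rather than a pointer, `snprintf(dst, sizeof dst, "%s", src)` gives the same always-terminated result in one call, which is the form the commit switches the `_MAXLEN` call sites to.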
Use the already correctly determined transport header offset instead of
assuming that the packet is IPv4.
Signed-off-by: Aaron Thompson <dev@aaront.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In preparation for using multiple instances of mnl sockets
required for conntrack entries update and delete support.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use libmnl to create entries through the new nfct_mnl_create() helper
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Moreover, remove NLM_F_DUMP for IPCTNL_MSG_CT_GET_STATS since ctnetlink
ignores this flag, this is simple netlink get command, not a dump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add helper function to consolidate nfct_mnl_dump() and nfct_mnl_get().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
automake generates rules to remove the files generated by bison
and flex by default, so there is no need to add them explicitly to
MAINTAINERCLEANFILES.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use libmnl and libnetfilter_conntrack mnl helpers to dump the conntrack
table entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add missing features in dump_cb() to mnl_nfct_dump_cb().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In preparation for kernel filtering support for nfct_mnl_dump().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Depending on your conntrackd configuration, events might get lost,
leaving stuck entries in the cache forever. Skip checking the conntrack
ID to allow for lazy cleanup when a new entry that is represented by
the same tuple is added.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
List it as a built source in order to force make to create it before
compilation. Otherwise, a parallel make can end up attempting to
compile the output of lex before yacc has finished generating its own
output:
$ make -j17
[...]
YACC read_config_yy.c
LEX read_config_lex.c
CC stack.o
CC resync.o
CC cthelper.o
CC helpers.o
CC utils.o
CC expect.o
CC systemd.o
CC nfct.o
CC nfct-extensions/helper.o
CC nfct-extensions/timeout.o
CC read_config_lex.o
read_config_lex.l:25:10: fatal error: read_config_yy.h: No such file or directory
25 | #include "read_config_yy.h"
| ^~~~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:701: read_config_lex.o] Error 1
make[2]: *** Waiting for unfinished jobs....
updating read_config_yy.h
make[2]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
make[1]: *** [Makefile:743: all-recursive] Error 1
make[1]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
make: *** [Makefile:541: all-recursive] Error 1
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Automake expects to distribute yacc- and lex-generated sources, so that
the user doesn't need to regenerate them. Therefore, the appropriate
target to clean them is `maintainer-clean`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Automake generates yacc and lex output files and includes them in
distributions as a matter of course.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This fixes this warning:
#warning "libnetfilter_queue/linux_nfnetlink_queue.h is deprecated, add #include <linux/netfilter/nfnetlink_queue.h> to your source code before #include <libnetfilter_queue/libnetfilter_queue.h>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In some use-cases, zone is used to differentiate conntrack state. This preserves that uniqueness by adding zone into the cache in addition to 5-tuple data.
This preserves external-cache uniqueness per zone when synced.
Fixes: a08af5d26297 ("conntrack: fix zone sync issue")
Signed-off-by: Adam Casella <adam.casella1984@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
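The uniqueness problem this commit fixes, as an added example that is not conntrackd's cache code: a small hash table keyed on the 5-tuple, with a switch that either ignores or includes the zone. Syncing the same 5-tuple from two zones then either overwrites one entry (zone ignored) or keeps both (zone in the key). struct ct_key, cache_upsert(), the FNV-1a hash and the sample tuple are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 64

struct ct_key {
    uint32_t src, dst;       /* IPv4 addresses, host order in this example */
    uint16_t sport, dport;
    uint8_t  proto;
    uint16_t zone;
};

struct ct_entry { struct ct_key key; int used; uint32_t mark; };

struct cache {
    struct ct_entry slots[TABLE_SIZE];
    int use_zone;            /* 0: pre-fix behaviour, 1: zone is part of the key */
    int count;
};

static uint32_t fnv1a(uint32_t h, const void *p, size_t n)
{
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 16777619u;
    }
    return h;
}

/* Hash only the fields that define identity; the zone joins in on demand. */
static uint32_t key_hash(const struct ct_key *k, int use_zone)
{
    uint32_t h = 2166136261u;
    h = fnv1a(h, &k->src, sizeof k->src);
    h = fnv1a(h, &k->dst, sizeof k->dst);
    h = fnv1a(h, &k->sport, sizeof k->sport);
    h = fnv1a(h, &k->dport, sizeof k->dport);
    h = fnv1a(h, &k->proto, sizeof k->proto);
    if (use_zone)
        h = fnv1a(h, &k->zone, sizeof k->zone);
    return h;
}

static int key_equal(const struct ct_key *a, const struct ct_key *b, int use_zone)
{
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport &&
           a->proto == b->proto && (!use_zone || a->zone == b->zone);
}

/* Insert or update with linear probing. *replaced is set to 1 when an
 * existing entry with an equal key was overwritten. NULL if the table is full. */
static struct ct_entry *cache_upsert(struct cache *c, const struct ct_key *k,
                                     uint32_t mark, int *replaced)
{
    uint32_t i = key_hash(k, c->use_zone) % TABLE_SIZE;

    for (int n = 0; n < TABLE_SIZE; n++, i = (i + 1) % TABLE_SIZE) {
        struct ct_entry *e = &c->slots[i];
        if (!e->used) {
            e->used = 1; e->key = *k; e->mark = mark;
            c->count++; *replaced = 0;
            return e;
        }
        if (key_equal(&e->key, k, c->use_zone)) {
            e->mark = mark; *replaced = 1;
            return e;
        }
    }
    return NULL;
}

/* Sync one constructed 5-tuple from zone 11 and again from zone 12 and
 * report how many entries survive: 1 when the zone is ignored (the second
 * sync clobbers the first), 2 when the zone is part of the key. */
int entries_after_sync(int use_zone)
{
    struct cache c;
    struct ct_key k = { .src = 0x0a000001, .dst = 0x0a000002,
                        .sport = 40000, .dport = 443, .proto = 6, .zone = 11 };
    int replaced;

    memset(&c, 0, sizeof c);
    c.use_zone = use_zone;
    cache_upsert(&c, &k, 0x11, &replaced);
    k.zone = 12;
    cache_upsert(&c, &k, 0x12, &replaced);
    return c.count;
}

int main(void)
{
    printf("zone ignored: %d entries, zone in key: %d entries\n",
           entries_after_sync(0), entries_after_sync(1));
    return 0;
}
```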
While at it, also fix up commit
5ec55c2a0a264 ("conntrack: add support for CLASH_RESOLVED counter").
The intention was to also print unknown statistic counters provided
the attributes are of type u32, but mnl_attr_type_valid() needs the
correct max-attr number for this to work.
With this fix in place, conntrack -S shows:
cpu=3 found=0 inv[..] clash_resolve=0 unknown1=8200
on a modified kernel.
Signed-off-by: Florian Westphal <fw@strlen.de>
conntrack tool prints [UNREPLIED] if a conntrack entry lacks the
SEEN_REPLY bit. Accept this as '-u' argument too.
If requested, mask is set to SEEN_REPLY and value remains 0 (bit not set).
Signed-off-by: Florian Westphal <fw@strlen.de>
This change is backwards compatible:
Old kernels do not recognize CTA_STATUS_MASK attribute and will
ignore it (no filtering in kernel).
Signed-off-by: Florian Westphal <fw@strlen.de>
Add a new setting to allow conntrackd to autoconfigure the userspace
helpers at startup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add ct_parse_be32() and ct_parse_be128() and use them to deal with
an IP address which is already in network byte order.
Reported-by: Tao Gong <gongtao0607@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit implements the --load-file option which allows processing
conntrack commands stored in file. Most often this would be used as
a counter-part for the -o save option, which outputs conntrack entries
in the format of the conntrack tool options. This could be useful when
one needs to add/update/delete a large set of ct entries with a single
conntrack tool invocation. This patch introduces a ct_cmd_list, which
represents a list of ct_cmd elements.
Expected syntax is "conntrack --load-file file". If "-" is given as a
file name, stdin is used. No other commands or options are allowed to
be specified in conjunction with the --load-file command. It is however
possible to specify multiple --load-file file pairs.
Example:
Copy all entries from ct zone 11 to ct zone 12:
conntrack -L -w 11 -o save | sed "s/-w 11/-w 12/g" | \
conntrack --load-file -
Joint work with Pablo.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fix memleak in parser:
==8445== 3,808 bytes in 2 blocks are definitely lost in loss record 6 of 6
==8445== at 0x483577F: malloc (vg_replace_malloc.c:299)
==8445== by 0x112636: merge_options (conntrack.c:1056)
==8445== by 0x112636: do_parse (conntrack.c:2903)
==8445== by 0x11343E: ct_file_parse_line (conntrack.c:3672)
==8445== by 0x11343E: ct_parse_file (conntrack.c:3693)
==8445== by 0x10D819: main (conntrack.c:3750)
Fixes: 8f76d6360dbf ("conntrack: add struct ct_cmd")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Wrap code to display command stats in a function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Prepare for the batch support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass the command object to the nat, mark and IP address userspace
filters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass the command object to the userspace filter routine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass command object to initialize the userspace filter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass the command object to prepare for batch support.
Move ct_cmd structure definition right at the top of file otherwise
compilation breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fall back to 65536 buckets and 262144 entries.
It would be probably good to add code to autoadjust by reading
/proc/sys/net/netfilter/nf_conntrack_buckets and
/proc/sys/net/nf_conntrack_max.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
They are equivalent to 'on' and 'off' and make the config easier to understand.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>