path: root/extensions/libxt_connlabel.c
Commit message | Author | Date | Files changed | Lines (+added/-removed)
* extensions: libxt_connlabel: Add translation to nft
  Liping Zhang | 2016-07-16 | 1 file | +22/-0

  Add translation for connlabel to nftables. For example:

    # iptables-translate -A INPUT -m connlabel --label bit40
    nft add rule ip filter INPUT ct label bit40 counter

    # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
    nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40 counter

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Acked-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlabel: fix crash when connlabel.conf is empty
  Liping Zhang | 2016-07-16 | 1 file | +10/-3

  When connlabel.conf is empty, nfct_labelmap_new will return NULL and set
  errno to 0. So we will fail to check this situation, and cause a NULL
  dereference in nfct_labelmap_get_bit.

  Entering the following commands will reproduce this crash:

    # echo > /etc/xtables/connlabel.conf
    # iptables -A INPUT -m connlabel --label abc
    Segmentation fault (core dumped)

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_connlabel: do not open config file from _init hook
  Florian Westphal | 2014-09-05 | 1 file | +20/-7

  Otherwise, static builds will print this for every iptables invocation,
  even 'iptables -L'.

  Delay open until we need to translate a mapping.

  Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libxt_connlabel: use libnetfilter_conntrack
  Florian Westphal | 2013-07-16 | 1 file | +28/-114

  Pablo suggested to make it depend on lnf-conntrack, and get rid of the
  example config file as well.

  The problem is that the file must be in a fixed path,
  /etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
  when translating names to their bit values (and vice versa).

  Originally "make install" did put an example file into /etc/xtables/, but
  distributors complained about iptables ignoring the sysconfdir.

  So rather remove the example file, the man-page explains the format, and
  connlabels are inherently system-specific anyway.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add connlabel match
  Florian Westphal | 2013-05-06 | 1 file | +210/-0

  Allows "tagging" connections with up to 128 label names.

  Labels are defined in /etc/xtables/connlabel.conf, example:

    0 from eth0
    1 via eth0

  Labels can then be attached to flows, e.g.

    -A PREROUTING -i eth0 -m connlabel --label "from eth0" --set

  Signed-off-by: Florian Westphal <fw@strlen.de>
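The config format described in the "add connlabel match" commit and the empty-file crash fixed in the "fix crash when connlabel.conf is empty" commit, as an added example that is not iptables or libnetfilter_conntrack code: a minimal parser for "<bit> <name>" lines (names may contain spaces, as in "from eth0") whose lookup treats an empty file as "no labels" and returns -1 instead of dereferencing a missing map. The function names, the 64-byte name limit and the global map are assumptions made for this example.

```c
/* Added example, not iptables or libnetfilter_conntrack code: a minimal parser
 * for the connlabel.conf format ("<bit> <name>" per line, names may contain
 * spaces) whose lookup treats an empty file as "no labels" instead of crashing. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define CONNLABEL_BITS 128                 /* connlabel supports up to 128 labels */
#define NAME_LEN 64                        /* assumed name limit for this example */
struct labelmap { char name[CONNLABEL_BITS][NAME_LEN]; };   /* "" means unset */
struct labelmap g_map;                     /* map used by the checks below */

/* Parse config text into map. Returns number of labels read, -1 on a malformed
 * line. Empty text (as after "echo > connlabel.conf") yields 0 and a valid map. */
int labelmap_parse(struct labelmap *map, const char *text)
{
    char line[256];
    int count = 0;
    memset(map, 0, sizeof(*map));
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        if (len >= sizeof(line)) return -1;            /* overlong line */
        memcpy(line, text, len); line[len] = '\0';
        text += eol ? len + 1 : len;
        char *p = line, *end;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '#') continue;         /* blank or comment line */
        long bit = strtol(p, &end, 10);
        if (end == p || bit < 0 || bit >= CONNLABEL_BITS || !isspace((unsigned char)*end))
            return -1;                                 /* bad or out-of-range bit */
        while (isspace((unsigned char)*end)) end++;
        size_t n = strlen(end);
        while (n && isspace((unsigned char)end[n - 1])) end[--n] = '\0'; /* trim */
        if (n == 0 || n >= NAME_LEN) return -1;        /* missing or too-long name */
        strcpy(map->name[bit], end);
        count++;
    }
    return count;
}

/* Name -> bit number, or -1 when unknown; safe to call on an empty map. */
int labelmap_get_bit(const struct labelmap *map, const char *name)
{
    for (int i = 0; i < CONNLABEL_BITS; i++)
        if (map->name[i][0] && strcmp(map->name[i], name) == 0)
            return i;
    return -1;
}
```

A caller that checks for -1 here (or for NULL from the real nfct_labelmap_new) reports "unknown label" instead of segfaulting on an empty config.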