| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
If connlabel.conf was not found, fall back to manually parsing arguments
as plain numbers.
If nfct_labelmap_new() has failed, nfct_labelmap_get_name() segfaults.
Therefore make sure it is not called in connlabel_get_name() if that's
the case.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Pablo suggested to print full config file path for connlabel.conf
parsing errors.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This structure is an extensible containers of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for connlabel to nftables.
For examples:
# iptables-translate -A INPUT -m connlabel --label bit40
nft add rule ip filter INPUT ct label bit40 counter
# iptables-translate -A INPUT -m connlabel ! --label bit40 --set
nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When connlabel.conf is empty, nfct_labelmap_new will return NULL and
set errno to 0. So we will miss to check this situation, and cause NULL
deference in nfct_labelmap_get_bit.
Input the following commands will reproduce this crash:
# echo > /etc/xtables/connlabel.conf
# iptables -A INPUT -m connlabel --label abc
Segmentation fault (core dumped)
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
else, static builds will print this for every iptables invocation,
even 'iptables -L'. Delay open until we need to translate a mapping.
Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo suggested to make it depend on lnf-conntrack, and get rid of
the example config file as well.
The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).
Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.
So rather remove the example file, the man-page explains the format,
and connlabels are inherently system-specific anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
allows to "tag" connections with up to 128 label names.
Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0
Labels can then be attached to flows, e.g.
-A PREROUTING -i eth0 -m connlabel --label "from eth0" --set
Signed-off-by: Florian Westphal <fw@strlen.de>
|
