summaryrefslogtreecommitdiffstats
path: root/utils
Commit message (Collapse)AuthorAgeFilesLines
* utils: nfbpf_compile: Replace pcap_compile_nopcap()Phil Sutter2023-04-211-1/+9
| | | | | | | | The function is deprecated. Eliminate the warning by use of pcap_open_dead(), pcap_compile() and pcap_close() just how pcap_compile_nopcap() is implemented internally in libpcap. Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: use pkg-config for libpcapAlyssa Ross2023-04-041-3/+3
| | | | | | | | | | | | | | | | If building statically, with libpcap built with libnl support, linking will fail, as the compiler won't be able to find the libnl symbols since static libraries don't contain dependency information. To fix this, use pkg-config to find the flags for linking libpcap, since the pkg-config files contain the neccesary dependency information. autoconf will add code to the configure script for initializing pkg-config the first time it seems PKG_CHECK_MODULES, so make the libnfnetlink check the first one in the script, so the initialization code is run unconditionally. Signed-off-by: Alyssa Ross <hi@alyssa.is> Signed-off-by: Phil Sutter <phil@nwl.cc>
* gitignore: Ignore utils/nfsynproxyPhil Sutter2022-12-221-0/+1
| | | | | Fixes: 9e6928f037823 ("utils: add nfsynproxy tool") Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Fix for 'make distcheck'Phil Sutter2022-12-141-2/+2
| | | | | | | | | Since extensions/ directory does not use automake, some targets have to be added manually. Apart from that, several Makefiles either missed to specify relevant files or did not specify them correctly for 'make dist' to add them to the tarball. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Add --enable-profiling configure optionPhil Sutter2022-06-111-0/+1
| | | | | | A little convenience to prepare a build for analysis with gcov/gprof. Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: Fix for failing 'make uninstall'Phil Sutter2020-06-091-0/+5
| | | | | | | | | | | | | | | | | | | | | Support for uninstalling is severely broken: - extensions/GNUmakefile.in defines an 'install' target but lacks a respective 'uninstall' one, causing 'make uninstall' abort with an error message. - iptables/Makefile.am defines an 'install-exec-hook' to create the binary symlinks which are left in place after 'make uninstall'. Fix these problems by defining respective targets containing code copied from automake-generated uninstall targets. While being at it, add a few more uninstall-hooks removing custom directories created by 'make install' if they are empty afterwards. Reported-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Tested-by: Richard Guy Briggs <rgb@redhat.com>
* nfnl_osf: Improve error handlingPhil Sutter2020-05-181-5/+10
| | | | | | | | | | | | | | | | | | | | | | For some error cases, no log message was created - hence apart from the return code there was no indication of failing execution. If a line load fails, don't abort but continue with the remaining file contents. The current pf.os file in this repository serves as proof-of-concept: Lines 700 and 701: Duplicates of lines 698 and 699 because 'W*' and 'W0' parse into the same data. Line 704: Duplicate of line 702 because apart from 'W*' and 'W0', only the first three fields on right-hand side are sent to the kernel. When loading, these dups are ignored (they would bounce if NLM_F_EXCL was given). Upon deletion, they cause ENOENT response from kernel. In order to align duplicate-tolerance in both modes, just ignore that ENOENT. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nfnl_osf: Fix broken conversion to nfnl_query()Phil Sutter2020-05-181-2/+4
| | | | | | | | | | | | | Due to missing NLM_F_ACK flag in request, nfnetlink code in kernel didn't create an own ACK message but left it upon subsystem to ACK or not. Since nfnetlink_osf doesn't ACK by itself, nfnl_query() got stuck waiting for a reply. Whoever did the conversion from deprecated nfnl_talk() obviously didn't even test basic functionality of the tool. Fixes: 52aa15098ebd6 ("nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()") Signed-off-by: Phil Sutter <phil@nwl.cc>
* utils: nfnl_osf: fix snprintf -Wformat-truncation warningFernando Fernandez Mancera2019-07-251-6/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fedora 30 uses very recent gcc (version 9.1.1 20190503 (Red Hat 9.1.1-1)), osf produces following warnings: -Wformat-truncation warning have been introduced in the version 7.1 of gcc. Also, remove a unneeded address check of "tmp + 1" in nf_osf_strchr(). nfnl_osf.c: In function ‘nfnl_osf_load_fingerprints’: nfnl_osf.c:346:33: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 128 [-Wformat-truncation=] 346 | snprintf(obuf, sizeof(obuf), "%s,", pbeg); | ^~ nfnl_osf.c:346:3: note: ‘snprintf’ output between 2 and 1025 bytes into a destination of size 128 346 | snprintf(obuf, sizeof(obuf), "%s,", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ nfnl_osf.c:354:40: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=] 354 | snprintf(f.genre, sizeof(f.genre), "%s", pbeg); | ^~ nfnl_osf.c:354:4: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32 354 | snprintf(f.genre, sizeof(f.genre), "%s", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ nfnl_osf.c:363:43: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=] 363 | snprintf(f.version, sizeof(f.version), "%s", pbeg); | ^~ nfnl_osf.c:363:3: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32 363 | snprintf(f.version, sizeof(f.version), "%s", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ nfnl_osf.c:370:47: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=] 370 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); | ^~ nfnl_osf.c:370:7: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32 370 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: Add a manpage for nfbpf_compilePhil Sutter2019-01-183-1/+73
| | | | | | | | Content is rather sparse, but still better than no manpage at all. Cc: Willem de Bruijn <willemb@google.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix a few cases of pointless assignmentsPhil Sutter2018-09-241-8/+5
| | | | | | | | This gets rid of a number of assignments which are either redundant or not used afterwards. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()Phil Sutter2018-09-241-1/+1
| | | | | | | This eliminates the deprecation warning when compiling the sources. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* nfnl_osf: Drop pointless check in xt_osf_strchr()Phil Sutter2018-09-241-1/+1
| | | | | | | | | | Although it remains unclear what the original intention behind the affected code was, but 'tmp + 1' always evaluates true since 'tmp' is a pointer value. Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* utils: Add a man page for nfnl_osfPhil Sutter2017-10-043-0/+72
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nfnl_osf: Fix synopsis in help textPhil Sutter2017-10-041-1/+1
| | | | | | | | | | * -d is optional * -h is not really a flag, just anything not recognized triggers the help output. * That '<del rules>' bit is rather confusing than helpful. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nfsynproxy: fix build with musl libcBaruch Siach2017-03-031-0/+1
| | | | | | | | | | | | | | | | | | | | | | The musl libc exposes some struct tcphdr field only when _GNU_SOURCE is defined. Fix the following build failure: nfsynproxy.c: In function ‘parse_packet’: nfsynproxy.c:34:9: error: ‘const struct tcphdr’ has no member named ‘syn’ if (!th->syn || !th->ack) ^ nfsynproxy.c:34:21: error: ‘const struct tcphdr’ has no member named ‘ack’ if (!th->syn || !th->ack) ^ nfsynproxy.c:42:8: error: ‘const struct tcphdr’ has no member named ‘res2’ if (th->res2 == 0x1) ^ nfsynproxy.c:45:13: error: ‘const struct tcphdr’ has no member named ‘doff’ length = th->doff * 4 - sizeof(*th); ^ Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: update pf.osXose Vazquez Perez2017-02-011-1/+4
| | | | | | | | | | Sync with latest OpenBSD release. Changelog: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: netfilter-devel <netfilter-devel@vger.kernel.org> Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: update pf.osXose Vazquez Perez2016-05-051-9/+28
| | | | | | | | | | | | Sync with latest *BSD release: https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/HEAD:/etc/pf.os Changelog: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru> Cc: Jan Engelhardt <jengelh@medozas.de> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: netfilter-devel <netfilter-devel@vger.kernel.org> Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* update FSF address in license textJiri Popelka2014-03-131-1/+1
| | | | | | | http://www.gnu.org/licenses/gpl-2.0.html http://www.fsf.org/about/contact/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nfsynproxy: fix error while compiling the BPF filterPablo Neira Ayuso2013-11-181-8/+8
| | | | | | | | | | | Fix the following error while running nfsynproxy here: pcap_compile: not-yet-activated pcap_t passed to pcap_compile According to what I have read, we have to compile the filter once the pcap_t handle has been activated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: add nfsynproxy toolPatrick McHardy2013-11-182-0/+233
| | | | | | | | | [ Originally synconf, but Jesper D. Brouer suggested to change the name to avoid a possible filename clash. I also include nfsynproxy in the final configure report --pablo ] Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: updates .gitignore to include nfbpf_compilePablo Neira Ayuso2013-04-191-0/+1
| | | | | Reported-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable'Pablo Neira Ayuso2013-04-051-1/+1
|\ | | | | | | | | Resolve conflict with Nicolas' Dichtel update on utils/Makefile.am for nfnl_osf.
| * utils: nfnl_osf: use the right nfnetlink libNicolas Dichtel2013-04-051-1/+1
| | | | | | | | | | | | | | If the user specify libnfnetlink_LIBS during the configure, we must use it. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | utils: nfbpf_compileWillem de Bruijn2013-04-022-2/+67
|/ | | | | | | | | | | | | | | | | | | | | | | | | | A BPF compiler to convert tcpdump expressions to the decimal format accepted by the libxt_bpf. Generate a file and pass that to iptables: nfbpf_compile RAW 'udp dst port 9000' > test.bpf iptables -A OUTPUT -m bpf --bytecode-file test.bpf -j LOG Or pass the output directly to iptables using backticks: iptables -A INPUT -m bpf --bytecode \ "`./nfbpf_compile RAW 'udp dst port 9000'" -j LOG This utility depends on libpcap. The library is only compiled if the option --enable-bpf-compiler is explicitly passed to ./configure and libpcap is found. Pablo has mangled the original patch to rename the utility to nfbpf_compile. Also modified the output to match exactly what -m bpf --bytecode needs. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfnl_osf: add missing libnfnetlink_CFLAGS to compile processJan Engelhardt2011-12-311-1/+2
|
* build: move remaining preprocessor flags to CPPFLAGSMike Frysinger2011-06-011-2/+2
| | | | | References; http://bugzilla.netfilter.org/show_bug.cgi?id=713 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: move basic preprocessor flags to regular_CPPFLAGSJan Engelhardt2011-06-011-0/+1
| | | | | | | This is where they belong, after all. References: http://bugzilla.netfilter.org/show_bug.cgi?id=713 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* utils: add missing include flags to MakefileJan Engelhardt2010-05-241-0/+2
| | | | | | | | | | | Fixes this compile error: CC nfnl_osf.o nfnl_osf.c:48:36: fatal error: linux/netfilter/xt_osf.h: No such file or directory compilation terminated. References: http://marc.info/?l=netfilter&m=127449929621579&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_osf: import nfnl_osf programJan Engelhardt2010-04-064-0/+1179
xt_osf is pretty useless without the actual fingerprint loader. Import nfnl_osf-2009-06-07 and make it a part of the iptables distribution. Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>