summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* configure: bump version to 0.0.101libnetfilter_conntrack-0.0.101Pablo Neira Ayuso2009-12-231-1/+1
| | | | | | This patch bumps libnetfilter_conntrack version to 0.0.101. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* setobjopt: don't autocomplete the reply tuple for ICMP[v6]Pablo Neira Ayuso2009-12-211-2/+15
| | | | | | | | This patch fixes the autocomplete feature for ICMP[v6] entries that makes the kernel return EINVAL. Basically, we skip the autocomplete since this is already done in the setter. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: remove duplicate initializer entryHannes Eder2009-10-081-1/+0
| | | | | Signed-off-by: Hannes Eder <heder@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: make symbols used only in file scope staticHannes Eder2009-10-084-90/+92
| | | | | Signed-off-by: Hannes Eder <heder@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: use ANSI style functionHannes Eder2009-10-082-4/+4
| | | | | Signed-off-by: Hannes Eder <heder@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump version to 0.0.100libnetfilter_conntrack-0.0.100Pablo Neira Ayuso2009-07-161-1/+1
| | | | | | This patch bumps libnetfilter_conntrack version to 0.0.100. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unset all the callback handler in the nfct_close() path.Pablo Neira Ayuso2009-07-161-0/+3
| | | | | | | This patch unsets all the existing callbacks if we call nfct_close(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add new callback interface while keeping backward compatibilityPablo Neira Ayuso2009-07-164-0/+94
| | | | | | | | | This patch the new expectation callback interface. This change is like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to expectations. The netlink message contains the portID that is useful to identify the origin of the message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dccp: fix endianess in handshake_seqPablo Neira Ayuso2009-07-162-4/+12
| | | | | | | | This patch fixes missing endianess conversion of the new attribute ATTR_HANDSHAKE_SEQ that was included in 19f35b21dbe2bb4386eeced4e0d87f3b2e1d. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ATTR_DCCP_SEQ by ATTR_DCCP_HANDSHAKE_SEQPablo Neira Ayuso2009-07-167-16/+17
| | | | | | | | | | | This patch renames the attribute constant to access the DCCP handshake sequence number that was recently committed in 19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf. No release with the old name has been done, so no problems about backward compatibility although it'd be better if I don't push changes that I have to modify very soon afterwards. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: include u64 get/set prototype in libnetfilter_conntrack.hPablo Neira Ayuso2009-07-161-0/+7
| | | | | | | This patch adds the prototype of the u64 getter/setter to the header file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for DCCP 64-bits sequence number trackingPablo Neira Ayuso2009-07-149-0/+61
| | | | | | | | | From: Pablo Neira Ayuso <pablo@netfilter.org> This patch adds the support for the DCCP sequence number tracking that is included in the upcoming Linux kernel 2.6.31. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: add support for IPv6 address filteringPablo Neira Ayuso2009-07-145-0/+226
| | | | | | | | | | | | This patch adds support to auto-generate BSF code for IPv6. It requires a Linux kernel >= 2.6.29. The maximum number of addresses is limited to 20 (12 BSF lines per IPv6 address comparison). I am not sure that to remove this limit is useful given that oprofile does not show very good numbers for very large (in terms of lines) filters. This completes one feature that is available in IPv4 but that was missing in IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove unrequired checking in the protocol informationPablo Neira Ayuso2009-07-081-24/+10
| | | | | | | | | | This patch removes a checking that is performed before building the protocol private information. This checking silently removed any protocol attribute if the configuration is inconsistent. With this change, the kernel reports the error to tell that some attributes are missing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: this library requires libnfnetlink 1.0.0Pablo Neira Ayuso2009-06-221-1/+1
| | | | | | This patch updates the version dependency checking. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: recover some obsolete enums and constants not to break backwardPablo Neira Ayuso2009-06-214-2/+92
| | | | | | | | This patch partially reverts 76e6042107de23790f0532e3bf3c396cba27e5aa since it recovers some obsolete enums and constants that are required to avoid breaking compilation of old versions of the conntrack-tools. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tcp: add support for SYN_SENT2 statePablo Neira Ayuso2009-06-107-8/+9
| | | | | | | | | This patch adds support for the new SYN_SENT2 state that Jozsef has introduced to support TCP simultaneous open in 2.6.31. We can safely include support for this feature now since the LISTEN state was not ever really used. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: shrink helper name field to 16 bytesPablo Neira Ayuso2009-05-301-1/+4
| | | | | | | | | | xt_helper uses a length size of 30 bytes. However, no helper name in the tree has exceeded 16 bytes length so far. Since 2.6.29, the maximum length accepted limited to 16 bytes, this limit is enforced during module loading. With this patch we save bytes in the conntrack objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: perform strict checking for the protocol state valuePablo Neira Ayuso2009-05-302-6/+21
| | | | | | | | This patch avoids possible out-of-bound array access if protocol states higher than the accepted are used. Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: add new callback interface while keeping backward compatibilityPablo Neira Ayuso2009-05-234-0/+97
| | | | | | | | | | | This patch adds nfct_callback_register2() and nfct_callback_unregister2() that allows to register a callback function with a new callback interface that includes the Netlink message. This fixes an early design error. This is not nice but it is the only way to resolve this problem without breaking backward (I don't like function versioning, it is messy). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add DCCP role attributePablo Neira Ayuso2009-04-249-6/+44
| | | | | | | This patch adds DCCP role attribute support. This needs Linux kernel >= 2.6.30. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* copy: add missing ATTR_DCCP_STATE in nfct_copy()Pablo Neira Ayuso2009-04-241-0/+7
| | | | | | This patch adds the missing ATTR_DCCP_STATE in nfct_copy(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: fix missing port output in DCCPPablo Neira Ayuso2009-04-242-0/+2
| | | | | | | | | | This patch adds missing DCCP ports in the output: # conntrack -D -p dccp dccp 33 18 RESPOND src=1.1.1.1 dst=2.2.2.2 packets=0 bytes=0 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 packets=0 bytes=0 mark=0 secmark=0 use=2 conntrack v0.9.12 (conntrack-tools): 1 flow entries have been deleted. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: fix SCTP vtag parsingPablo Neira Ayuso2009-04-181-2/+2
| | | | | | This patch fixes an unfortunate bug in the SCTP vtag parsing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: fix output of GRE dstkey in XMLPablo Neira Ayuso2009-04-181-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: fix missing protocol state support in XML outputPablo Neira Ayuso2009-04-141-5/+27
| | | | | | | This patch adds the missing bits to display the protocol state in the XML output. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: remove duplicated protocol string definitionsPablo Neira Ayuso2009-04-145-72/+67
| | | | | | | | This patch merges duplicated protocol string definitions in the snprintf infrastructure. I have also fixed the size of the string array. This patch is a cleanup. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add initial DCCP supportPablo Neira Ayuso2009-04-1411-11/+138
| | | | | | This patch adds initial DCCP support for libnetfilter_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* header: refresh nfnetlink_conntrack.h copyPablo Neira Ayuso2009-04-101-6/+6
| | | | | | This patch refreshes the nfnetlink_conntrack.h copy against 2.6.29. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove debian/ directoryPablo Neira Ayuso2009-03-067-60/+0
| | | | | | | This patch removes the debian directory. According to the debian policy, this directory should not be in source tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: deprecate several header files with obsolete enumsPablo Neira Ayuso2009-03-066-163/+20
| | | | | | | This patch deprecates several header files that contain enums that were define in the very old libnetfilter_conntrack API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for UDPlite transport protocolPablo Neira Ayuso2009-03-053-2/+5
| | | | | | This patch adds support for UDPlite transport protocol. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for GRE transport protocolPablo Neira Ayuso2009-03-053-3/+21
| | | | | | | This patch adds support for GRE transport protocol. Tested-by: Byan Buff <bduff@ecessa.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove reminiscent of NFCT_DIR_ORIGINAL and old prototypesPablo Neira Ayuso2009-02-173-289/+4
| | | | | | | | This patch removes a reminiscent constant of the old API whose value is the same of __DIR_ORIG. This patch also removes the prototype definition from libnetfilter_conntrack.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: reset age interface since old API has been removedPablo Neira Ayuso2009-02-171-1/+1
| | | | | | This patch resets the library age since the old API has been removed Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove old deprecated APIPablo Neira Ayuso2009-02-1717-1903/+5
| | | | | | | | | This patch removes the first API version which was scheduled in 2007. That API had several major limitations that the new one solved. I don't know of any known existing client of this old API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: do not inconditionally include TCP state into netlink messagelibnetfilter_conntrack-0.0.99Pablo Neira Ayuso2008-12-111-2/+5
| | | | | | | | This patch remove the inconditional inclusion of the TCP state attribute in netlink messages. We cannot assume this for update messages. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: add CTA_NAT_SEQ_UNSPEC to linux_nfnetlink_conntrack.hPablo Neira Ayuso2008-12-101-0/+1
| | | | | | | This patch fixes an inconsistency in enum cta_natseq. The CTA_NAT_SEQ_UNSPEC was missing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: fix wrong use of errno in example filesPablo Neira Ayuso2008-12-1017-62/+116
| | | | | | | | | | | | This patch removes the use of strerr(errno) when the returned valued is != -1. This fixes random segfaults in my x86_64 machines. According to the documentation, errno should not be used unless the returned value is -1. This patch also includes some missing nfct_close() calls in the examples. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: fix minor issues in the kerneldoc style documentationPablo Neira Ayuso2008-12-091-25/+24
| | | | | | | This patch fixes some minor issues that confuse kernel-doc in the generation of the API reference documentation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* version: bump to 0.0.99Pablo Neira Ayuso2008-11-291-1/+1
| | | | | | Bump libnetfilter_conntrack version to 0.0.99 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* automake: add missing stack.h to include/internal/Makefile.amPablo Neira Ayuso2008-11-291-1/+1
| | | | | | | This patch fixes a missing stack.h file in Makefile.am. Maintaining a Makefile.am for the header files sucks a lot. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: fix bogus netlink flags in nfexp_build_querylibnetfilter_conntrack-0.0.98Pablo Neira Ayuso2008-11-291-2/+2
| | | | | | | This patch removes unnecessary flags included in NFCT_Q_DUMP, and NFCT_Q_DESTROY requests for expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: fix bogus netlink flags in nfct_build_queryPablo Neira Ayuso2008-11-291-3/+3
| | | | | | | This patch removes unnecessary flags included in NFCT_Q_DUMP, NFCT_Q_DUMP_RESET and NFCT_Q_DESTROY requests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: remove unnecessary function inlinePablo Neira Ayuso2008-11-281-9/+9
| | | | | | | | | This patch removes unnecessary function inlining in the BSF code generation. There is not reason to get any significant performance improvement in an operation that should be done in the initialization path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: major rework of the BSF generation codePablo Neira Ayuso2008-11-259-268/+420
| | | | | | | | | | | | | | | | This patch reworks the BSF automatic generation code. This feature needs more love and it has several limitations like that the maximum number of IPs are 127 due to BSF code restrictions. See this patch as a first step forward. This patch also adds the stack data type, which is used to resolve jump dynamically instead of the previous static approach. This patch also includes fixes in the limitations, previous calculations were wrong. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* helper: fix missing copy function for helper namePablo Neira Ayuso2008-11-232-0/+13
| | | | | | | | | | | | This patch fixes a NULL dereference to a function pointer in nfct_copy() that is triggered when you try to copy the helper name. This patch also adds an assertion to easily report similar problems in the future. Thanks to <pageexec@freemail.hu> for his detailed debugging report. Reported-by: Wolfram Schlich <lists@wolfram.schlich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: add test file to check for missing indirect function callsPablo Neira Ayuso2008-11-234-2/+111
| | | | | | | | This patch adds a rudimentary test file to check for possible unset indirect function calls. This automated test should be run after adding a new attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: set specific array size for the APIPablo Neira Ayuso2008-11-237-8/+8
| | | | | | | This patch adds the size of the arrays to set to NULL unset elements. This helps to spot unset functions for new attributes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* version: bump to 0.0.98Pablo Neira Ayuso2008-10-301-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>