Commit log. Each entry lists the commit subject, then author, date, number of files changed and lines removed/added, followed by the commit message body.
* doc: update README file (including re-license to GPLv2+)
  Pablo Neira Ayuso, 2010-11-02, 1 file changed, -9/+15

    This patch updates the README file and it includes the re-licensing
    of this library to make it GPLv2+.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update .gitignore
  Jan Engelhardt, 2010-10-30, 2 files changed, -0/+20
* build: no need for error message in PKG_CHECK_MODULES
  Jan Engelhardt, 2010-10-30, 4 files changed, -20/+5

    PKG_CHECK_MODULES already produces its own (and more verbose) message
    when a module cannot be found.

    Mucking around with CFLAGS and LIBS is also not needed since pkgconfig
    takes care of providing variables, so let's use them in Makefile.am.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove -fPIC flag
  Jan Engelhardt, 2010-10-30, 3 files changed, -3/+3

    libtool automatically adds PIC flags as needed.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove unused $(all_includes)
  Jan Engelhardt, 2010-10-30, 1 file changed, -1/+1

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove statements without effect
  Jan Engelhardt, 2010-10-30, 1 file changed, -4/+0

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: use sh -e, remove autom4te.cache
  Jan Engelhardt, 2010-10-30, 1 file changed, -1/+2

    sh -e (-x) will provide the same functionality as the run function
    previously.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: set Libs.private for pkgconfig file
  Jan Engelhardt, 2010-10-30, 1 file changed, -0/+1

    Similar to the commit in iptables, add Libs.private to tell about
    dependencies for static linking.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* conntrack: fix independent metadata checks in XML output
  Pablo Neira Ayuso, 2010-10-28, 1 file changed, -2/+8

    This patch adds some missing attribute checks in the XML output that
    may result in inconsistent output (thus, displaying some attributes
    out of <meta dir="independent">...</meta>)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add missing tags for expectation events
  Pablo Neira Ayuso, 2010-10-08, 1 file changed, -0/+6

    This patch adds missing tags such as [UPDATE] and [DESTROY] for
    expectation events. The Linux kernel does not support any of these
    expectation events yet, but we include it for future use.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: add user-space expectation example
  Pablo Neira Ayuso, 2010-10-07, 2 files changed, -1/+133

    This patch adds an example on how to set up a user-space expectation.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: more realistic expectation creation for FTP helper
  Pablo Neira Ayuso, 2010-10-07, 3 files changed, -9/+9

    This patch changes the existing example to make it more realistic.
    It also removes the timeout setup since this field is ignored by
    ctnetlink if we specify a kernel-space conntrack helper to be used.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add support for CTA_EXPECT_FLAGS
  Pablo Neira Ayuso, 2010-10-07, 8 files changed, -3/+52

    This patch allows setting the expectation flags from user-space.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add CTA_EXPECT_ZONE support
  Pablo Neira Ayuso, 2010-10-07, 8 files changed, -4/+37

    We also remove the reference to CTA_EXPECT_QUEUENR, which was never
    pushed into Linux kernel mainline.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix warning in compilation
  Pablo Neira Ayuso, 2010-10-03, 3 files changed, -4/+4

    This warning has been there for quite some time, fix it by relaxing
    the const type checking.

    callback.c: In function `__expect_callback':
    callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type
    ../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **'

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add .gitignore to rootdir
  Jan Engelhardt, 2010-09-12, 1 file changed, -0/+20

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: no need for error message in PKG_CHECK_MODULES
  Jan Engelhardt, 2010-09-12, 1 file changed, -4/+1

    PKG_CHECK_MODULES already produces its own (and more verbose) message
    when a module cannot be found.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: run AC_CANONICAL_HOST only
  Jan Engelhardt, 2010-09-12, 1 file changed, -2/+2

    There is no need to call AC_CANONICAL_SYSTEM when only
    AC_CANONICAL_HOST is needed. Also, checking for $target is factually
    incorrect, since we do not produce object code like a compiler.
    Use $host, which specifies the triple/quadruple where the compiled
    program is supposed to run.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use simpler autoreconf in autogen
  Jan Engelhardt, 2010-09-12, 1 file changed, -5/+1

    Note: the use of -i seems required, otherwise autoreconf barfs about
    missing tools (depcomp, etc.). Since they are provided in the tarballs
    as files anyway rather than like previously as symlinks, I do not see
    a problem using -i.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: avoid use of deprecated INCLUDES
  Jan Engelhardt, 2010-09-12, 1 file changed, -1/+1

    Make_global.am:7: "INCLUDES" is the old name for "AM_CPPFLAGS" (or "*_CPPFLAGS")
    qa/Makefile.am:1: "Make_global.am" included from here

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use modern call syntax for AC_INIT, AM_INIT_AUTOMAKE
  Jan Engelhardt, 2010-09-12, 2 files changed, -4/+2

    automake options also need to definitely go into configure.ac,
    otherwise they only apply to a single directory.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use autoconf-suggested naming of files
  Jan Engelhardt, 2010-09-12, 1 file changed, -0/+0

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: minor improvements for doxygen config file
  Pablo Neira Ayuso, 2010-09-08, 1 file changed, -2/+2

    With this patch, we put stack.c and bsf.c out of the documentation
    since they are only for internal use. We also include the relevant
    exported libnetfilter_*.h headers.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 0.9.0 (tag: libnetfilter_conntrack-0.9.0)
  Pablo Neira Ayuso, 2010-09-08, 2 files changed, -2/+2

    This patch bumps version to 0.9.0 and it bumps the API revision number.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix EINVAL if no TCP attributes are set for Linux kernel <= 2.6.25
  Pablo Neira Ayuso, 2010-09-08, 1 file changed, -0/+24

    This patch fixes an EINVAL error that we hit in Linux kernel <= 2.6.25.
    Basically, if we send an empty CTA_PROTOINFO_TCP attribute nest, the
    kernel returns EINVAL. To fix this, we check beforehand if there is
    any TCP attribute set.

    Reported-by: Rui Sousa <rui.sousa@mindspeed.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: convert documentation from kerneldoc to doxygen format
  Pablo Neira Ayuso, 2010-09-06, 5 files changed, -229/+610

    Still missing several enumerations that should be documented. You
    still have to look at libnetfilter_conntrack.h to check conntrack
    object attributes.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add libtool m4 support
  Pablo Neira Ayuso, 2010-09-04, 3 files changed, -1/+5

    libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.in and
    libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree
    libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix regression with helpers for Linux kernel >= 2.6.34
  Pablo Neira Ayuso, 2010-09-03, 1 file changed, -1/+1

    Since Linux kernel 2.6.34, the attribute validation for CTA_HELP_NAME
    requires that the string must be NULL terminated. I think that this
    should be fixed in the kernel instead since it breaks old binaries of
    the library. However, we're already in 2.6.36-rc, so let's fix it in
    user-space and hope that everyone upgrades.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 0.0.102 (tag: libnetfilter_conntrack-0.0.102)
  Pablo Neira Ayuso, 2010-07-15, 2 files changed, -2/+2

    This patch bumps version to 0.0.102 and it bumps the API revision
    number.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix NAT sequence adjustment setter
  Pablo Neira Ayuso, 2010-07-13, 1 file changed, -4/+4

    This patch fixes the NAT sequence adjustment setter (they were
    swapped!).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add missing setters for TCP window scale factor support
  Pablo Neira Ayuso, 2010-07-09, 1 file changed, -0/+12

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: fix filtering for several network address/mask
  Pablo Neira Ayuso, 2010-07-07, 1 file changed, -1/+1

    This patch fixes kernel-space filtering via BSF for several network
    addresses. The problem is that we store the network address of the
    netlink message in the ALU. Then, we perform an AND of the network
    mask and the address, this operation is stored again in the ALU. If
    we compare the address with a second address, we have to reload the
    address to the ALU.

    The following example clarifies the problem, in the following order,
    we want to filter:

    1) 224.0.0.0/4
    2) 127.0.0.1/32

    Now, we receive traffic from 127.0.0.1, it should be filtered.
    However, without this patch, it is not. Let's see why:

    ALU 7f000001 (addr=127.0.0.1)
    AND f0000000 (cidr=4)
    -------------------------------
    ALU 70000000

    this is stored in the ALU. Then, we check for 127.0.0.1:

    ALU 70000000 (addr=127.0.0.1) <-- it should be 7f000001
    AND ffffffff (cidr=32)
    -------------------------------
    ALU 70000000

    This does not match 7f000001. To fix this, we have to reload 7f000001
    to the ALU. Thus, the second comparison works fine.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: print zone before use
  Pablo Neira Ayuso, 2010-06-13, 1 file changed, -5/+5

    make output of nfct_snprintf() similar to /proc/net/nf_conntrack.

    tcp 6 23 TIME_WAIT src=XX.208.XX.243 dst=XX.14.XX.100 sport=35917 dport=80 packets=10 bytes=2555 src=XX.14.XX.100 dst=XX.208.XX.243 sport=80 dport=35917 packets=9 bytes=1163 [ASSURED] mark=0 secmark=0 use=2 zone=1
                                                                                                                                                                                                                   ^^^^^^

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add zone support
  Pablo Neira Ayuso, 2010-05-03, 11 files changed, -0/+63

    Add Patrick's zone support for libnetfilter_conntrack.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: fix access to u64 attributes in netlink messages
  Pablo Neira Ayuso, 2010-03-04, 1 file changed, -11/+19

    This patch fixes parsing of 64 bits attributes (that are unaligned)
    in ctnetlink.

    It would be better to add nfnl_get_uX() functions similar to those in
    include/net/netlink.h to libnfnetlink to avoid this sort of errors.

    Reported-by: Jan Engelhardt <jengelh@medozas.es>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for TCP window scale factor
  Pablo Neira Ayuso, 2010-02-16, 6 files changed, -0/+55

    This patch adds the missing bits to support the modification of the
    TCP window scale factor in a conntrack entry. The kernel support has
    already been there since 2.6.23.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* header: counters are 64-bits long
  Pablo Neira Ayuso, 2010-01-24, 1 file changed, -4/+4

    This patch fixes wrong comments in the libnetfilter_conntrack.h header
    file. The counters of the user-space conntrack object have always
    been 64-bits long (even if during some time they were 32-bits long in
    the kernel). This does not break backward compatibility, but users
    (like ulogd2) have to fix this to avoid truncating the counters.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump version to 0.0.101 (tag: libnetfilter_conntrack-0.0.101)
  Pablo Neira Ayuso, 2009-12-23, 1 file changed, -1/+1

    This patch bumps libnetfilter_conntrack version to 0.0.101.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* setobjopt: don't autocomplete the reply tuple for ICMP[v6]
  Pablo Neira Ayuso, 2009-12-21, 1 file changed, -2/+15

    This patch fixes the autocomplete feature for ICMP[v6] entries that
    makes the kernel return EINVAL. Basically, we skip the autocomplete
    since this is already done in the setter.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: remove duplicate initializer entry
  Hannes Eder, 2009-10-08, 1 file changed, -1/+0

    Signed-off-by: Hannes Eder <heder@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: make symbols used only in file scope static
  Hannes Eder, 2009-10-08, 4 files changed, -90/+92

    Signed-off-by: Hannes Eder <heder@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: use ANSI style function
  Hannes Eder, 2009-10-08, 2 files changed, -4/+4

    Signed-off-by: Hannes Eder <heder@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump version to 0.0.100 (tag: libnetfilter_conntrack-0.0.100)
  Pablo Neira Ayuso, 2009-07-16, 1 file changed, -1/+1

    This patch bumps libnetfilter_conntrack version to 0.0.100.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unset all the callback handlers in the nfct_close() path.
  Pablo Neira Ayuso, 2009-07-16, 1 file changed, -0/+3

    This patch unsets all the existing callbacks if we call nfct_close().

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add new callback interface while keeping backward compatibility
  Pablo Neira Ayuso, 2009-07-16, 4 files changed, -0/+94

    This patch adds the new expectation callback interface. This change
    is like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to
    expectations. The netlink message contains the portID that is useful
    to identify the origin of the message.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dccp: fix endianness in handshake_seq
  Pablo Neira Ayuso, 2009-07-16, 2 files changed, -4/+12

    This patch fixes missing endianness conversion of the new attribute
    ATTR_HANDSHAKE_SEQ that was included in 19f35b21dbe2bb4386eeced4e0d87f3b2e1d.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ATTR_DCCP_SEQ to ATTR_DCCP_HANDSHAKE_SEQ
  Pablo Neira Ayuso, 2009-07-16, 7 files changed, -16/+17

    This patch renames the attribute constant to access the DCCP handshake
    sequence number that was recently committed in
    19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf.

    No release with the old name has been done, so no problems about
    backward compatibility although it'd be better if I don't push
    changes that I have to modify very soon afterwards.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: include u64 get/set prototype in libnetfilter_conntrack.h
  Pablo Neira Ayuso, 2009-07-16, 1 file changed, -0/+7

    This patch adds the prototype of the u64 getter/setter to the header
    file.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for DCCP 64-bits sequence number tracking
  Pablo Neira Ayuso, 2009-07-14, 9 files changed, -0/+61

    From: Pablo Neira Ayuso <pablo@netfilter.org>

    This patch adds the support for the DCCP sequence number tracking that
    is included in the upcoming Linux kernel 2.6.31.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: add support for IPv6 address filtering
  Pablo Neira Ayuso, 2009-07-14, 5 files changed, -0/+226

    This patch adds support to auto-generate BSF code for IPv6. It
    requires a Linux kernel >= 2.6.29.

    The maximum number of addresses is limited to 20 (12 BSF lines per
    IPv6 address comparison). I am not sure that removing this limit is
    useful given that oprofile does not show very good numbers for very
    large (in terms of lines) filters.

    This completes one feature that is available in IPv4 but that was
    missing in IPv6.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>