
The ct_echo_event and ct_mark_filter tests break `make distcheck'. Get them
out of the way until this is correctly integrated into automake.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

testing mark filter in root by
# ./qa/ct_mark_filter.sh
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

This patch adds a mark filter for the event listener, using the same struct
nfct_filter_dump_mark as used for dumps.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

This breaks static builds where the toolchain completely lacks libdl.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Florian Westphal <fw@strlen.de>

nssocket forks and changes to a netns pre-established by ip(8), and serves its
socket descriptor to parent via nssocket(). Since this socket is
isolated, it can be used to create regression tests for conntrack.
This also adds a conntrack event testcase as a first user.
A ct_echo_event.sh script is provided to build and run this test
automatically:
# ./qa/ct_echo_event.sh
make: Entering directory...
...debug output like:
[NEW] tcp 6 2 SYN_SENT src=10.255.255.249 dst=10.255.255.250 sport...
[UPDATE] tcp 6 2 SYN_RECV src=10.255.255.249 dst=10.255.255.250 sport...
...
[DESTROY] icmp 1 src=10.255.255.249 dst=10.255.255.250 type=8 code=0...
# echo $?
0
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

for nfct_bitmask_clear() and nfct_bitmask_equal()
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

This patch adds two functions, useful for ulogd IPFIX
output module.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

Relax checking for MARK and ZONE to treat 'attribute not
set' like 'attribute is set to 0'.
This matches kernel behaviour: conntracks are always in zone 0
unless specified differently. Same for connmark.
The kernel will also not include the zone/mark attributes in dumps
unless they have non-zero values.
This makes qa/test_api pass again with the updated test cases.
Reported-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

Test all combinations of flags/attribute states for both
ZONE and MARK.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

nfct_filter_dump_set_attr() will set the bit.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>

As reported by Ken-ichirou MATSUZAWA:
"conntrack -L --zone 0" doesn't list any output.
nfct_cmp(mask_obj, ct, NFCT_CMP_MASK)
considers ct to not match since the zone attribute
in ct is not set for the default (0) zone.
libnetfilter_conntrack should be more permissive and return
that these are equal iff 'mask_obj' has ATTR_ZONE with a 0 value,
and ct object has ATTR_ZONE not set.
These 3 checks currently fail, even though they really should not:
assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_STRICT) == 1);
assert(test_cmp_attr32(ATTR_ZONE, false, true, 0, 0, NFCT_CMP_STRICT) == 1);
assert(test_cmp_attr32(ATTR_ZONE, true, false, 0, 0, NFCT_CMP_MASK) == 1);
Although in all 3 cases the zone is only set in one conntrack, the value
is zero, so it should be equal to a conntrack object without the zone
bit set.
Signed-off-by: Florian Westphal <fw@strlen.de>
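As an added illustration (not code from libnetfilter_conntrack), a small C model of the rule the two ZONE/MARK commits above describe: ZONE and MARK read as 0 when unset, STRICT demands identical attribute subsets, MASK checks only the attributes present in the first object (as the bug report implies), and an attribute absent from both objects is never a mismatch. The enum values and the `test_cmp_attr32` helper are local stand-ins mirroring the library's names.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added model of the comparison rule described in the commits above; not the
 * library's code. Attribute ids and flag values are local stand-ins. */
enum { ATTR_ZONE, ATTR_MARK, ATTR_TIMEOUT, ATTR_MAX };
enum { NFCT_CMP_ALL = 0, NFCT_CMP_STRICT = 1, NFCT_CMP_MASK = 2 };

struct ct_obj {
	uint32_t set;            /* bit i set: attribute i is present */
	uint32_t val[ATTR_MAX];  /* attribute values */
};

static bool attr_set(const struct ct_obj *o, int attr) { return o->set & (1u << attr); }

/* ZONE and MARK default to 0 in the kernel, which also omits them from dumps when
 * zero, so for these two "not set" is read as "set to 0". */
static bool defaults_to_zero(int attr) { return attr == ATTR_ZONE || attr == ATTR_MARK; }
static uint32_t attr_val(const struct ct_obj *o, int attr) { return attr_set(o, attr) ? o->val[attr] : 0; }

/* Returns 1 when a and b compare equal under flags, 0 otherwise. */
int ct_cmp(const struct ct_obj *a, const struct ct_obj *b, unsigned flags)
{
	for (int attr = 0; attr < ATTR_MAX; attr++) {
		bool in_a = attr_set(a, attr), in_b = attr_set(b, attr);
		if (!in_a && !in_b)
			continue;                  /* missing in both is not a mismatch */
		if (in_a != in_b && !defaults_to_zero(attr)) {
			if (flags & NFCT_CMP_STRICT)
				return 0;          /* STRICT: attribute subsets must match */
			if ((flags & NFCT_CMP_MASK) && in_a)
				return 0;          /* MASK: a asks for an attribute b lacks */
			continue;                  /* plain compare: common subset only */
		}
		if (attr_val(a, attr) != attr_val(b, attr))
			return 0;
	}
	return 1;
}

/* Same shape as the test helper quoted above: build two objects and compare. */
int test_cmp_attr32(int attr, bool set1, bool set2, uint32_t v1, uint32_t v2, unsigned flags)
{
	struct ct_obj a = {0}, b = {0};
	if (set1) { a.set |= 1u << attr; a.val[attr] = v1; }
	if (set2) { b.set |= 1u << attr; b.val[attr] = v2; }
	return ct_cmp(&a, &b, flags);
}
```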

unsigned, < 0 is always false.
Signed-off-by: Florian Westphal <fw@strlen.de>

Stefan reported that the *_catch() functions' documentation was imprecise
on some aspects.
Reported-by: Stefan Nicolae Stancu <Stefan.Stancu@cern.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Subtract the netlink + nfnetlink headers to pass the payload length
to nfct_payload_parse().
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Also bump LIBVERSION; we've added new interfaces and retained
backwards compatibility.
Signed-off-by: Florian Westphal <fw@strlen.de>

nfct_labelmap_new returns NULL on failure, e.g. when the file cannot be
opened. It will also fail if no labels have been parsed, and in this
case, content of errno is random.
Avoid it by making sure that errno is re-set when no labels were found.
While at it, also change ptr test when parsing so reviewers don't
need to triple check that this cannot result in out-of-bounds read.
Reported-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

Only dump the contents of the system-wide connlabel.conf if present
instead of expecting same content as the qa config.
Signed-off-by: Florian Westphal <fw@strlen.de>

nfct_snprintf doesn't print connlabels, as they're system specific
and can easily generate lots of output.
This adds a new helper function, nfct_snprintf_labels. It behaves like
nfct_snprintf, except that the label names in the labelmap whose bits are
contained in connlabel attribute bitset are added to the buffer.
output looks like this:
... mark=0 use=1 labels=eth0-in,eth1-in
or
<labels>
<label>eth0-in</label>
<label>eth1-in</label>
</labels>
Signed-off-by: Florian Westphal <fw@strlen.de>

Must free ct and exp using the _destroy functions, else we leak attributes with malloc'd data.
Signed-off-by: Florian Westphal <fw@strlen.de>

Can always lift this restriction later but for now enforce
strict label naming.
This is mainly to make sure that e.g. using
conntrack ... -o xml,connlabels
will output the expected format, without nasty surprises.
Signed-off-by: Florian Westphal <fw@strlen.de>

Can't be zero, it was already tested.
Signed-off-by: Florian Westphal <fw@strlen.de>

This fixes construction of the conntrack object when CTA_LABEL
attribute is present.
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>

For each attribute:
- copy ct2 attrs to ct1 (so they're the same)
- change value of attr
- call nfct_cmp to check if cmp now fails
Unfortunately, most attributes fail this test at this time, thus
added a TODO exclusion list to make the test pass for now.
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>

The expect cmp function ignored most of the attributes.
Signed-off-by: Florian Westphal <fw@strlen.de>

Normal comparison succeeds when the _common_ attribute subset
has the same values.
When STRICT matching is specified, the comparison should succeed only when
both objects have the same attribute subset and attribute values match.
However, STRICT comparison often fails as an attribute missing in both
objects is erroneously considered an error.
Signed-off-by: Florian Westphal <fw@strlen.de>

Some of these checks will fail due to errors in nfct_cmp STRICT handling
and missing comparison of attributes in the nfexpect_cmp functions.
Signed-off-by: Florian Westphal <fw@strlen.de>

The libnfnetlink based backend 'build.c' currently ignores
ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.
The libmnl based backend 'build_mnl.c' instead handles
both attributes correctly.
Add function to set CTA_LABELS and CTA_LABELS_MASK
if required.
Signed-off-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

Allows setting/clearing only a subset of the in-kernel label set, e.g.
"set bit 1 and do not change any others".
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>

Adds a new labelmap API to create a name <-> bit mapping
from a text file (default: /etc/xtables/connlabel.conf).
nfct_labelmap_new(filename) is used to create the map,
nfct_labelmap_destroy() releases the resources allocated for the map.
Two functions are added to make map lookups:
nfct_labelmap_get_name(map, bit) returns the name of a bit,
nfct_labelmap_get_bit returns the bit associated with a name.
The connlabel attribute is represented by a nfct_bitmask object, the
nfct_bitmask api can be used to test/set/get individual bits
("labels").
The existing nfct_attr_get/set interfaces can be used to read or
replace the existing labels associated with a conntrack with a new set.
Signed-off-by: Florian Westphal <fw@strlen.de>

In order to use generic getter/setter API with upcoming
conntrack label extension, add helper functions to set/test/unset
bits in a vector of arbitrary size.
Conntrack labels will then be encoded via nfct_bitmask object.
Original idea from Pablo Neira Ayuso.
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

For consistency with other tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use buf[32] as struct nfct_attr_grp_ipv6 is 32 bytes long. That fixes:
== validate set grp API ==
ERROR: set/get operations don't match for attribute 2 (2 != 1)
ERROR: set/get operations don't match for attribute 3 (3 != 1)
ERROR: set/get operations don't match for attribute 8 (8 != 1)
Shows up with gcc 4.7.1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

To include: IPCTNL_MSG_CT_GET_DYING and IPCTNL_MSG_CT_GET_UNCONFIRMED
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

cppcheck reported:
[src/conntrack/compare.c:364] -> [src/conntrack/compare.c:364]: (style) Same expression on both sides of '||'.
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

some attributes are pointers to malloc'd objects. Simply copying the
pointer results in use-after-free when the original or the clone is
destroyed.
Fix it by using nfct_copy instead of memcpy and add proper test case
for cloned objects:
- nfct_cmp of orig and clone should return 1 (equal)
- freeing both the original and the clone should
neither leak memory nor result in double-frees.
the testsuite changes revealed a few more problems:
- ct1->timeout == ct2->timeout returned 0, i.e. the same timeout
was considered "not equal" by nfct_cmp
- secctx comparison causes "Invalid address" valgrind warnings
when the pointer is NULL
- NFCT_CP_OVERRIDE did not handle the helper attribute and
erroneously freed ct1 secctx memory.
While at it, bump qa_test data dummy to 256 (else, valgrind
complains about move-depends-on-uninitialized-memory).
Lastly, fix compilation of test_api by killing bogus ATTR_CONNLABEL.
Signed-off-by: Florian Westphal <fw@strlen.de>

The attribute is variable-length and must thus be set via set_attr_l().
Signed-off-by: Florian Westphal <fw@strlen.de>

am/ltlibrary.am: warning: 'libnetfilter_conntrack.la': linking
libtool libraries using a non-POSIX archiver requires 'AM_PROG_AR'
in 'configure.ac'
(multiple instances)
Signed-off-by: Jan Engelhardt <jengelh@inai.de>

bump current and age since we have new interfaces but we're backward
compatible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>