* src: put nf_expect and nf_conntrack into diet (Pablo Neira Ayuso, 2012-01-04; 17 files, -537/+524)
  Now, struct nf_expect takes only 192 bytes, instead of 1KB. struct nf_conntrack takes 296 bytes instead of 328 bytes.
  The size of the nf_expect structure has been reduced by rearranging the layout of the nf_conntrack structure. For the nf_conntrack case, this removes the allocation of room for attributes that the master tuple does not use (more specifically, the NATseq bytes).
  This patch modifies the binary layout of struct nf_conntrack. This should not be a problem since the definition of this object is opaque (it can be only accessed via get/set API).
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: remove reference to licensing terms from headers (Pablo Neira Ayuso, 2012-01-02; 6 files, -42/+0)
  This patch removes the reference to the licensing terms of the library in the header files. This patch does *not* change the license of the library at all, which is still GPLv2+, of course.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix size of CTA_PROTOINFO_TCP_FLAGS_ORIGINAL in ARM (Pablo Neira Ayuso, 2011-12-31; 3 files, -4/+10)
  We have to use sizeof(struct nf_ct_tcp_flags) instead of sizeof(u_int16_t) to avoid problems in Intel IXP4xx network processor (ARM big endian).
  For more information, please see:
  http://markmail.org/message/afhn66qzyebyf7cs#query:+page:1+mid:7bw756ncuyosv23c+state:results
  Reported-by: Lutz Jaenicke <ljaenicke@innominate.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: clarify licensing terms of library (GPLv2+) (Pablo Neira Ayuso, 2011-12-30; 30 files, -96/+136)
  This patch is *not* changing the licensing terms of this library (which was initially released under GPLv2 and later on extended to GPLv2+ after contacting all the contributors who kindly agreed to extend it to any later GPL version).
  Jan says: "In libnetfilter_conntrack, there are many .c files declaring GNU GPL incorporated herein by reference without telling which version(s) exactly apply. Given src/main.c for example is actually GPL-2.0+, the reference made is ambiguous."
  This patch should definitely clarify this.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' of git://dev.medozas.de/libnetfilter_conntrack (Pablo Neira Ayuso, 2011-12-27; 2 files, -8/+7)
* build: disable implicit .tar.gz archive generation and use POSIX mode (Jan Engelhardt, 2011-12-17; 1 file, -1/+2)
* build: use AC_CONFIG_AUX_DIR and stash away tools (Jan Engelhardt, 2011-12-17; 2 files, -4/+2)
* Update .gitignore (Jan Engelhardt, 2011-12-17; 1 file, -3/+3)
  Only ignore these paths if they are a directory.
* utils: fix expect_get to work with expect_create (Pablo Neira Ayuso, 2011-12-24; 1 file, -2/+2)
  expect_get now allows you to get the expectation that has been created with expect_create.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: export NFCT_HELPER_NAME_MAX (Pablo Neira Ayuso, 2011-12-24; 6 files, -14/+17)
  NFCT_HELPER_NAME_MAX is 16, which is the maximum helper name allowed since 2.6.29.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: modify output by moving zone and flags to the end of the line (Pablo Neira Ayuso, 2011-12-24; 1 file, -18/+18)
  Now, the output of nfexp_snprintf looks like this:
  299 proto=6 src=192.168.1.130 dst=130.89.148.12 sport=0 dport=45420 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.130 master-dst=130.89.148.12 sport=46368 dport=21 helper=ftp
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: support CTA_EXPECT_HELP_NAME (Pablo Neira Ayuso, 2011-12-24; 7 files, -0/+34)
  This patch adds support for CTA_EXPECT_HELP_NAME. We now have the ATTR_EXP_HELPER_NAME attribute.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add nfexp_send() (Pablo Neira Ayuso, 2011-12-08; 2 files, -0/+37)
  It is like nfct_send() but for expectations, for API symmetry.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: nfexp_snprintf displays mask and master tuple information (Pablo Neira Ayuso, 2011-12-06; 4 files, -14/+47)
  This patch adds mask and master tuple information regarding one expectation. This information has not been shown so far. I consider that it is interesting because you can use this information to troubleshoot expectation issues. Moreover, you can know which is the master conntrack that this expectation is attached to.
  This extends the text-based output for `conntrack -L exp'. This can be considered a backward compatibility issue since existing tools that are parsing this interface may break. But this is not our fault, we provide an API to the conntrack table via libnetfilter_conntrack. People should use those.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: nfexp_snprintf prints expectation timeout if present (Pablo Neira Ayuso, 2011-10-27; 1 file, -2/+14)
  Otherwise, we don't print it.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: fix missing parsing of master tuple (Pablo Neira Ayuso, 2011-10-27; 1 file, -6/+15)
  The master tuple was not parsed. This patch also fixes an incorrect use of the exp->set field for the expectation and mask tuples.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix missing nfct_copy function not included in doxygen report (Pablo Neira Ayuso, 2011-10-13; 1 file, -4/+0)
  This closes netfilter bugzilla #754:
  http://bugzilla.netfilter.org/show_bug.cgi?id=754
  Reported-by: <abirvalg@lavabit.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: objopt: NO_EFFECT (Jiri Popelka, 2011-06-13; 1 file, -1/+1)
  static analysis (analysis based only on compiling of sources, not based on running of binary) of the code revealed the following problem:
  conntrack/objopt.c:63: self_assign: Assignment operation "ct->snat.l4max.all = ct->snat.l4max.all" has no effect.
  Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: add nfct_destroy() to all examples in utils (Andrew Beverley, 2011-05-14; 11 files, -0/+46)
  This patch adds nfct_destroy() to all the examples in the utils folder. Although this may be obvious to some, when I wrote my first code using libnetfilter_conntrack, I used the examples but subsequently missed out all the calls to nfct_destroy().
  Signed-off-by: Andrew Beverley <andy@andybev.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Linux kernel-style for compilation messages (Pablo Neira Ayuso, 2011-03-15; 1 file, -0/+3)
  I guess that Jan Engelhardt is going to like this? :-)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 0.9.1 [tag: libnetfilter_conntrack-0.9.1] (Pablo Neira Ayuso, 2011-02-24; 2 files, -2/+2)
  This patch bumps version to 0.9.1 and it bumps the API revision number.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix subscript is above array bounds in secctx (Pablo Neira Ayuso, 2011-02-24; 1 file, -1/+1)
  > CC parse.lo
  > parse.c: In function ‘__parse_conntrack’:
  > parse.c:434:15: warning: array subscript is above array bounds
  >
  > struct nfattr *tb[CTA_SECCTX_MAX]
  > 434: ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1]))
  >
  > CTA_SECCTX has value 19, and CTA_SECCTX_MAX is just 1.
  Reported-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: deprecate low level API (Pablo Neira Ayuso, 2011-02-22; 3 files, -79/+101)
  This patch deprecates the low level API. This API is not currently used by any known clients (at least, at a quick glance at google). These functions are a problem if we plan to port libnetfilter_conntrack upon libmnl since they contain specific libnfnetlink bits.
  I have also added __build_query_[ct|exp] to avoid compilation warnings.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: deprecate nfct_sizeof() and nfct_maxsize() functions (Pablo Neira Ayuso, 2011-02-17; 2 files, -2/+6)
  These functions are evil since they allow the use of memcpy() instead of nfct_copy(). This is a problem because it violates the design principle that the library follows, that is to provide opaque objects in which the client code does not care about the binary layout.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add NFCT_CP_OVERRIDE flag for nfct_copy() (Pablo Neira Ayuso, 2011-02-17; 4 files, -0/+17)
  Thus, we have a fast version of nfct_copy() which allows copying the destination to the origin. After this call, the destination is a clone of the origin.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix segfault in nfct_copy() if secctx of origin is not set (Pablo Neira Ayuso, 2011-02-17; 1 file, -2/+5)
  This problem was caught by qa/test_api.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add timestamp support (Pablo Neira Ayuso, 2011-02-17; 13 files, -28/+276)
  This patch adds the connection tracking extension that allows conntrack timestamping. This requires a Linux kernel >= 2.6.38.
  We now have 65 attributes, so we need 96 bits to store what attributes are set in the objects.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: sync IPS_* bits with current in the Linux kernel (Pablo Neira Ayuso, 2011-02-06; 1 file, -1/+9)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: fix use-after-free bug in nfct_destroy() (Pablo Neira Ayuso, 2011-01-21; 1 file, -1/+1)
  This patch fixes an embarrassing use-after-free in nfct_destroy() that was introduced by myself in:
  http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=fdda1474cc8654430f245b7f01c30e8ff171fa60
  Reported-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for CTA_SECCTX (Pablo Neira Ayuso, 2011-01-16; 11 files, -1/+76)
  This patch adds support for the new attribute CTA_SECCTX that supersedes CTA_SECMARK.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* qa: resolve compiler warnings (Jan Engelhardt, 2010-12-30; 2 files, -5/+10)
  -Wall flags this:
  make test_api test_filter
  make[1]: Entering directory `/home/jengelh/code/libnetfilter_conntrack/qa'
  CC test_api.o
  test_api.c:16:8: warning: return type defaults to "int"
  test_api.c: In function "eval_sigterm":
  test_api.c:23:18: warning: too many arguments for format
  test_api.c: In function "main":
  test_api.c:55:2: warning: implicit declaration of function "fork"
  test_api.c:34:22: warning: unused variable "h"
  test_api.c:102:1: warning: control reaches end of non-void function
  test_api.c: In function "eval_sigterm":
  test_api.c:29:1: warning: control reaches end of non-void function
  CCLD test_api
  CC test_filter.o
  test_filter.c: In function "main":
  test_filter.c:58:4: warning: implicit declaration of function "inet_addr"
  test_filter.c:74:2: warning: implicit declaration of function "strerror"
  test_filter.c:74:2: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  test_filter.c:75:1: warning: control reaches end of non-void function
  CCLD test_filter
  make[1]: Leaving directory `/home/jengelh/code/libnetfilter_conntrack/qa'
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* utils: resolve compiler warnings (Jan Engelhardt, 2010-12-30; 19 files, -26/+49)
  The addition of -Wall flagged some legitimate warnings:
  make expect_dump expect_create expect_get expect_delete expect_flush expect_events expect_create_userspace conntrack_create conntrack_dump conntrack_update conntrack_delete conntrack_flush conntrack_create_nat conntrack_get conntrack_events conntrack_master conntrack_filter conntrack_grp_create ctexp_events
  make[1]: Entering directory `/home/jengelh/code/libnetfilter_conntrack/utils'
  CC expect_dump.o
  expect_dump.c: In function "main":
  expect_dump.c:36:3: warning: implicit declaration of function "strerror"
  expect_dump.c:36:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD expect_dump
  CC expect_create.o
  expect_create.c: In function "main":
  expect_create.c:31:2: warning: implicit declaration of function "inet_addr"
  expect_create.c:54:3: warning: implicit declaration of function "strerror"
  expect_create.c:54:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  expect_create.c:117:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD expect_create
  CC expect_get.o
  expect_get.c: In function "main":
  expect_get.c:33:2: warning: implicit declaration of function "inet_addr"
  expect_get.c:59:3: warning: implicit declaration of function "strerror"
  expect_get.c:59:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD expect_get
  CC expect_delete.o
  expect_delete.c: In function "main":
  expect_delete.c:21:2: warning: implicit declaration of function "inet_addr"
  expect_delete.c:46:3: warning: implicit declaration of function "strerror"
  expect_delete.c:46:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD expect_delete
  CC expect_flush.o
  expect_flush.c: In function "main":
  expect_flush.c:23:3: warning: implicit declaration of function "strerror"
  expect_flush.c:23:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD expect_flush
  CC expect_events.o
  expect_events.c: In function "main":
  expect_events.c:44:3: warning: implicit declaration of function "strerror"
  expect_events.c:44:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD expect_events
  CC expect_create_userspace.o
  expect_create_userspace.c: In function "main":
  expect_create_userspace.c:31:2: warning: implicit declaration of function "inet_addr"
  expect_create_userspace.c:58:3: warning: implicit declaration of function "strerror"
  expect_create_userspace.c:58:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  expect_create_userspace.c:121:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD expect_create_userspace
  CC conntrack_create.o
  conntrack_create.c: In function "main":
  conntrack_create.c:21:2: warning: implicit declaration of function "inet_addr"
  conntrack_create.c:43:3: warning: implicit declaration of function "strerror"
  conntrack_create.c:43:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD conntrack_create
  CC conntrack_dump.o
  conntrack_dump.c: In function "main":
  conntrack_dump.c:37:3: warning: implicit declaration of function "strerror"
  conntrack_dump.c:37:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  conntrack_dump.c:24:7: warning: unused variable "buf"
  CCLD conntrack_dump
  CC conntrack_update.o
  conntrack_update.c: In function "main":
  conntrack_update.c:21:2: warning: implicit declaration of function "inet_addr"
  conntrack_update.c:43:3: warning: implicit declaration of function "strerror"
  conntrack_update.c:43:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD conntrack_update
  CC conntrack_delete.o
  conntrack_delete.c: In function "main":
  conntrack_delete.c:21:2: warning: implicit declaration of function "inet_addr"
  conntrack_delete.c:38:3: warning: implicit declaration of function "strerror"
  conntrack_delete.c:38:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD conntrack_delete
  CC conntrack_flush.o
  conntrack_flush.c: In function "main":
  conntrack_flush.c:24:3: warning: implicit declaration of function "strerror"
  conntrack_flush.c:24:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  conntrack_flush.c:12:7: warning: unused variable "buf"
  CCLD conntrack_flush
  CC conntrack_create_nat.o
  conntrack_create_nat.c: In function "main":
  conntrack_create_nat.c:21:2: warning: implicit declaration of function "inet_addr"
  conntrack_create_nat.c:45:3: warning: implicit declaration of function "strerror"
  conntrack_create_nat.c:45:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD conntrack_create_nat
  CC conntrack_get.o
  conntrack_get.c: In function "main":
  conntrack_get.c:33:2: warning: implicit declaration of function "inet_addr"
  conntrack_get.c:52:3: warning: implicit declaration of function "strerror"
  conntrack_get.c:52:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD conntrack_get
  CC conntrack_events.o
  conntrack_events.c: In function "main":
  conntrack_events.c:45:3: warning: implicit declaration of function "strerror"
  conntrack_events.c:45:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  conntrack_events.c:29:7: warning: unused variable "buf"
  conntrack_events.c:28:23: warning: unused variable "ct"
  conntrack_events.c:26:11: warning: unused variable "family"
  CCLD conntrack_events
  CC conntrack_master.o
  conntrack_master.c: In function "main":
  conntrack_master.c:22:2: warning: implicit declaration of function "inet_addr"
  conntrack_master.c:44:3: warning: implicit declaration of function "strerror"
  conntrack_master.c:44:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  conntrack_master.c:86:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD conntrack_master
  CC conntrack_filter.o
  conntrack_filter.c: In function "main":
  conntrack_filter.c:58:3: warning: implicit declaration of function "inet_addr"
  conntrack_filter.c:98:3: warning: implicit declaration of function "strerror"
  conntrack_filter.c:98:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  conntrack_filter.c:31:7: warning: unused variable "buf"
  conntrack_filter.c:30:23: warning: unused variable "ct"
  conntrack_filter.c:27:11: warning: unused variable "family"
  CCLD conntrack_filter
  CC conntrack_grp_create.o
  conntrack_grp_create.c: In function "main":
  conntrack_grp_create.c:21:3: warning: implicit declaration of function "inet_addr"
  conntrack_grp_create.c:49:3: warning: implicit declaration of function "strerror"
  conntrack_grp_create.c:49:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD conntrack_grp_create
  CC ctexp_events.o
  ctexp_events.c: In function "main":
  ctexp_events.c:63:3: warning: implicit declaration of function "strerror"
  ctexp_events.c:63:3: warning: format "%s" expects type ‘char *’, but argument 3 has type ‘int’
  CCLD ctexp_events
  make[1]: Leaving directory `/home/jengelh/code/libnetfilter_conntrack/utils'
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: use -Wall across the entire source (Jan Engelhardt, 2010-12-30; 4 files, -6/+1)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove unused LIBTOOL_DEPS (Jan Engelhardt, 2010-12-30; 1 file, -2/+0)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/libnetfilter_conntrack (Pablo Neira Ayuso, 2010-12-21; 21 files, -41/+41)
* utils: use sizeof(buf) over hardcoded number (Jan Engelhardt, 2010-11-09; 6 files, -6/+6)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: declare non-modified data as const (Jan Engelhardt, 2010-11-09; 14 files, -34/+34)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: remove redundant casts (Jan Engelhardt, 2010-11-09; 1 file, -1/+1)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* callback: remove unused goto tag (Pablo Neira Ayuso, 2010-12-18; 1 file, -1/+0)
  This fixes a minor problem introduced in b245e4092c5a7f09729e64868a42e13f48a
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace CTA_PROTOINFO_DCCP_SEQ by CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ (Pablo Neira Ayuso, 2010-12-18; 3 files, -4/+4)
  This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the name that is used in the Linux kernel header. Thus, both the headers and the internal copy for the library are in sync.
  This problem was probably introduced at the time that we added support for the DCCP handshake sequence number.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: export already implemented low-level functions (Pablo Neira Ayuso, 2010-11-09; 2 files, -14/+32)
  This patch exports several low-level functions that allow building and parsing netlink messages that contain ctnetlink expectation information. They have been in the tree for quite a long time, but they were not exported. To leave the library in a consistent state (ctnetlink conntrack functions provide the similar functionality) I have decided to export them.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: expect_events now listens to all sorts of expectation events (Pablo Neira Ayuso, 2010-11-09; 1 file, -1/+3)
  With this patch, the expect_events example also listens to other sorts of expectation events that were added in Linux kernel 2.6.37-rc.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use nfct handler for conntrack and expectations at the same time (Pablo Neira Ayuso, 2010-11-08; 15 files, -156/+282)
  This patch re-works the callback handling to allow the use of the same socket to send/receive commands and listen to events of both conntrack and expectation subsystems. Now you can register one callback for conntrack and one for expectation with the same handler with no problems (before this patch, this was not possible, you required two different handlers).
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' of git://dev.medozas.de/libnetfilter_conntrack (Pablo Neira Ayuso, 2010-11-07; 1 file, -6/+9)
* build: run autoupdate to replace obsolete constructs (Jan Engelhardt, 2010-10-31; 1 file, -4/+3)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: use AC_OUTPUT (Jan Engelhardt, 2010-10-31; 1 file, -2/+5)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: default to not building static libraries (Jan Engelhardt, 2010-10-31; 1 file, -0/+1)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: update README file (including re-license to GPLv2+) (Pablo Neira Ayuso, 2010-11-02; 1 file, -9/+15)
  This patch updates the README file and it includes the re-licensing of this library to make it GPLv2+.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update .gitignore (Jan Engelhardt, 2010-10-30; 2 files, -0/+20)
* build: no need for error message in PKG_CHECK_MODULES (Jan Engelhardt, 2010-10-30; 4 files, -20/+5)
  PKG_CHECK_MODULES already produces its own (and more verbose) message when a module cannot be found. Mucking around with CFLAGS and LIBS is also not needed since pkgconfig takes care of providing variables, so let's use them in Makefile.am.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>