| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
flushing already supports filtering on the kernel side for value like
mark, l3num or zone. This patch extends the userspace code to also
support this.
To reduce code duplication the `nfct_filter_dump` struct and associated
logic is reused. Note that filtering by tuple is not supported, since
`CTA_FILTER` is not yet supported on the kernel side for flushing.
Trying to use it returns ENOTSUP.
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Remove boolean, directly check for NFCT_FILTER_DUMP_L3NUM and make sure
it is consistent to what has been described in NFCT_FILTER_DUMP_STATUS.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Instead of asserting or simply ignoring the filter, bail out if setting
up filter fails.
Fixes: c2136262802f ("Adding NFCT_FILTER_DUMP_TUPLE in filter_dump_attr, using kernel CTA_FILTER API")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
based on a kernel side extension of the conntrack api, this patch brings
this extension to userspace.
When dumping the conntrack table we can now filter based on the
conntrack zone directly in kernel space. If the kernel does not yet
support this feature this filtering is ignored.
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Swap object size and number of elements, so number of elements is the
first argument, then object size is the second argument.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Each address in the filter is matched one 32-bit word at a time. If any of the
first three words don't match, we jump to the end of the filter. If the last
word does match, we jump to the end of the filter. However, this is not right:
it means that if any of the first three words of an address don't match, all
subsequent addresses will be skipped. Instead, jump to the next address.
Fix formatting of `nfct_bsf_cmp_k_stack`.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1062
Fixes: dd73e5708cc2 ("bsf: add support for IPv6 address filtering")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Simple example to see conntrack kernel side filtering configuration.
Callback is reading the kernel result, and user is notified when kernel
does not support filtering (so filtering must be done in userspace)
Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr>
Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Following kernel side new conntrack filtering API, this patch implements
userspace part. This patch:
* Update headers to get new flag value from kernel
* Use a conntrack struct to configure filtering
* Set netlink flags according to values set in conntrack struct
Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr>
Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Validate that filtering by layer 4 protocol number and protocol state
fits into the existing maps that is used internally.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
With addition of MPTCP `IPPROTO_MAX` is greater than 256, so extend the
array to account for the new upper bound.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As part of this effort:
https://fedoraproject.org/wiki/Toolchain/PortingToModernC
I've found an issue with one of the autoconf checks in the conntrack
package. It uses the exit functions without including stdlib. This is
deprecated in C99 because it no longer allows implicit function
declarations. Find attached a patch that changes the check to use return
instead of exit.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1654
Signed-off-by: Peter Fordham <peter.fordham@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When assigning the length to the `struct sock_fprog` object, we
calculate it by multiplying the number of `struct sock_filter` objects,
`j`, by `sizeof(struct sock_filter)` and then dividing by
`sizeof(bsf[0])`, which, since `bsf[0]` is a `struct sock_filter`, is
equal to `sizeof(struct sock_filter)`.
Remove the `sizeof` expressions and just assign `j`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The BPF for checking the subsystem ID looks for it in the righthand byte of
`nlh->nlmsg_type`. However, it will only be there on little-endian archi-
tectures. The result is that on big-endian architectures the subsystem ID
doesn't match, all packets are immediately accepted, and all filters are
ignored.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896716
Fixes: b245e4092c5a ("src: allow to use nfct handler for conntrack and expectations at the same time")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use a more modern alternative to bzip2.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
It doesn't like how memset() is called for a struct nfnlhdr pointer with
large size value. Pass void pointers instead. This also removes the call
from __build_{expect,conntrack}() which is duplicate in
__build_query_{exp,ct}() code-path.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, with kernel 5.15 headers and musl building is failing with
redefinition errors due to a conflict between the kernel and musl headers.
Musl is able to suppres the conflicting kernel header definitions if they
are included after the standard libc ones, however since ICMP definitions
were moved into a separate internal header to avoid duplication this has
stopped working and is breaking the builds.
It seems that the issue is that <netinet/in.h> which contains the UAPI
suppression defines is included in the internal.h header and not in the
proto.h which actually includes the kernel ICMP headers and thus UAPI
supression defines are not present.
Solve this by moving the <netinet/in.h> include before the ICMP kernel
includes in the proto.h
Fixes: bc1cb4b11403 ("conntrack: Move icmp request>reply type mapping to common file")
Signed-off-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Also increment library version, see
'conntrack: add nfct_nlmsg_build_filter() helper'.
While at it, add the LIBVERSION instructions just like in libnftnl.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
This way, 'make check' and 'make distcheck' call them. Omit
ct_stress/ct_events_reliable, they require root.
For test_connlabel to find qa-connlabel.conf during 'make distcheck',
use of 'srcdir' env variable is needed. Add this as a third option to
not break existing use-cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Register the file as extra dist so 'make dist' picks it up.
Fixes: 6510a98f4139f ("api: add connlabel api and attribute")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
`AC_CONFIG_HEADER` has been superseded by `AC_CONFIG_HEADERS`.
`AM_PROG_LIBTOOL` has been superseded by `LT_INIT`.
`AC_DISABLE_STATIC` can be replaced by an argument to `LT_INIT`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
It is valid to specify CTA_PROTO_NUM with a protocol that is not
natively supported by conntrack. Do not cancel the CTA_TUPLE_PROTO
nest in this case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This helper function builds the payload of the netlink dump request
including the filtering criteria.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Incorrect mapping of the expected reply message.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
This tells kernel to suppress conntrack entries that do not match
the status bits/bitmask filter.
This is useful to e.g. only list entries that are not assured
(value 0, mask == ASSUED) or entries that only saw one-way traffic
(value 0, mask == SEEN_REPLY).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
conntrack-tools doesn't set the REPL attributes by default for updates,
so for ICMP flows, the update won't be sent as building the repl tuple
will fail.
Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nfct_nlmsg_build() may fail for different reasons, for example if
insufficient parameters exist in the ct object. The resulting nlh would
not contain any of the ct attributes.
Some conntrack operations would still operate in such case, for example
an IPCTNL_MSG_CT_DELETE message would just delete all existing conntrack
entries.
While the example as it is does supply correct parameters, it's safer
as reference to validate the return value.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This is breaking `make distcheck'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
-l is a library selection and needs to go into _LDADD/_LIBADD.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The NFCT_Q_FLUSH command flushes both IPv4 and IPv6 conntrack tables.
Add new command NFCT_Q_FLUSH_FILTER that allows to flush based on the
family to retain backward compatibility on NFCT_Q_FLUSH.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
with more recent kernels "conntrack -L" prints NONE instead of
HEARTBEAT_SENT/RECEIVED because the state is unknown in userspace.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Found while reading code, compile tested only.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the invmap_icmp* arrays are duplicated in setter.c and
grp_setter.c. This moves them to a new module 'proto'.
Instead of having the code access the arrays directly we provide new
wrapper functions __icmp{,v6}_reply_type.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
When type is out of range for the invmap_icmp{,v6} array we leave rtype at
zero which will map to type=255 just like other error cases in this
function.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The previous BUFFER_SIZE() call already updated the remaining 'len'. So
there is no need to subtract 'size' again. While this just makes the buffer
appear smaller than it is, which is mostly harmless, the subtraction might
underflow as 'size > len' is not checked like BUFFER_SIZE() does.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently use strncpy in a bunch of places which has this weird quirk
where it doesn't write a terminating null byte if the input string is >=
the max length. To mitigate this we write a null byte to the last character
manually.
While this works it is easy to forget. Instead we should just be using
snprintf which has more sensible behaviour as it always writes a null byte
even when truncating the string.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The docs currently say "[...] Otherwise, 0 is returned." which is just
completely wrong. Just like nfct_snprintf the expected buffer size is
returned.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Currently the BUFFER_SIZE macro doesn't take negative 'ret' values into
account. A negative return should just be passed through to the caller,
snprintf will already have set 'errno' properly.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This flags specifies that this conntrack entry is in hardware.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since version 1.0.8 and commit
c1c0f16c1fedb46547c2e104beeaaeac5933b214, libnetfilter_conntrack depends
on libmnl so add it to Libs.Private.
Otherwise, applications such as dnsmasq will fail to link on:
/home/buildroot/autobuild/instance-0/output-1/host/bin/arm-linux-gcc -Wl,-elf2flt -static -o dnsmasq cache.o rfc1035.o util.o option.o forward.o network.o dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o -L/home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib -lnetfilter_conntrack -L/home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib -lnfnetlink
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: /home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib/libnetfilter_conntrack.a(api.o): in function `nfct_fill_hdr.constprop.4':
api.c:(.text+0x34): undefined reference to `mnl_nlmsg_put_header'
Fixes:
- http://autobuild.buildroot.org/results/3fdc2cba20162eb86eaa5c49a056fb40fb18a392
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
parse_mnl.c: In function ‘nfexp_nlmsg_parse’:
parse_mnl.c:142:3: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
142 | strncpy(exp->helper_name,
| ^~~~~~~~~~~~~~~~~~~~~~~~~
143 | mnl_attr_get_str(tb[CTA_EXPECT_HELP_NAME]),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
144 | NFCT_HELPER_NAME_MAX);
| ~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Print [OFFLOAD] tag when listing entries via snprintf() interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|