summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* conntrack: support flush filteringHEADmasterFelix Huettner2024-01-246-0/+78
| | | | | | | | | | | | | | flushing already supports filtering on the kernel side for value like mark, l3num or zone. This patch extends the userspace code to also support this. To reduce code duplication the `nfct_filter_dump` struct and associated logic is reused. Note that filtering by tuple is not supported, since `CTA_FILTER` is not yet supported on the kernel side for flushing. Trying to use it returns ENOTSUP. Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: mnl: clean up check for mismatching l3num and tuple filterPablo Neira Ayuso2024-01-241-3/+4
| | | | | | | Remove boolean, directly check for NFCT_FILTER_DUMP_L3NUM and make sure it is consistent to what has been described in NFCT_FILTER_DUMP_STATUS. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: api: bail out if setting up filter for flush/dump failsPablo Neira Ayuso2024-01-241-2/+4
| | | | | | | | Instead of asserting or simply ignoring the filter, bail out if setting up filter fails. Fixes: c2136262802f ("Adding NFCT_FILTER_DUMP_TUPLE in filter_dump_attr, using kernel CTA_FILTER API") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dump: support filtering by zoneFelix Huettner2024-01-246-0/+32
| | | | | | | | | | | | based on a kernel side extension of the conntrack api, this patch brings this extension to userspace. When dumping the conntrack table we can now filter based on the conntrack zone directly in kernel space. If the kernel does not yet support this feature this filtering is ignored. Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: reverse calloc() invocationPablo Neira Ayuso2023-10-023-6/+6
| | | | | | | | Swap object size and number of elements, so number of elements is the first argument, then object size is the second argument. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: fix BPF for filtering IPv6 addressesJeremy Sowden2023-09-141-4/+4
| | | | | | | | | | | | | | | | Each address in the filter is matched one 32-bit word at a time. If any of the first three words don't match, we jump to the end of the filter. If the last word does match, we jump to the end of the filter. However, this is not right: it means that if any of the first three words of an address don't match, all subsequent addresses will be skipped. Instead, jump to the next address. Fix formatting of `nfct_bsf_cmp_k_stack`. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1062 Fixes: dd73e5708cc2 ("bsf: add support for IPv6 address filtering") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* Ignore `configure~`Jeremy Sowden2023-09-141-0/+1
| | | | | Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* utils: add NFCT_FILTER_DUMP_TUPLE exampleRomain Bellan2023-09-143-0/+75
| | | | | | | | | | Simple example to see conntrack kernel side filtering configuration. Callback is reading the kernel result, and user is notified when kernel does not support filtering (so filtering must be done in userspace) Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr> Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Florian Westphal <fw@strlen.de>
* Adding NFCT_FILTER_DUMP_TUPLE in filter_dump_attr, using kernel CTA_FILTER APIRomain Bellan2023-09-147-5/+100
| | | | | | | | | | | | | Following kernel side new conntrack filtering API, this patch implements userspace part. This patch: * Update headers to get new flag value from kernel * Use a conntrack struct to configure filtering * Set netlink flags according to values set in conntrack struct Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr> Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: add sanity check to netlink socket filter APIPablo Neira Ayuso2023-03-281-2/+15
| | | | | | | Validate that filtering by layer 4 protocol number and protocol state fits into the existing maps that is used internally. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: increase the length of `l4proto_map`Jeremy Sowden2023-01-111-4/+6
| | | | | | | | With addition of MPTCP `IPPROTO_MAX` is greater than 256, so extend the array to account for the new upper bound. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: C99 compatibility issuesPeter Fordham2023-01-101-2/+2
| | | | | | | | | | | | | | | | As part of this effort: https://fedoraproject.org/wiki/Toolchain/PortingToModernC I've found an issue with one of the autoconf checks in the conntrack package. It uses the exit functions without including stdlib. This is deprecated in C99 because it no longer allows implicit function declarations. Find attached a patch that changes the check to use return instead of exit. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1654 Signed-off-by: Peter Fordham <peter.fordham@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: simplify calculation of `struct sock_fprog` lengthJeremy Sowden2023-01-021-1/+1
| | | | | | | | | | | | | When assigning the length to the `struct sock_fprog` object, we calculate it by multiplying the number of `struct sock_filter` objects, `j`, by `sizeof(struct sock_filter)` and then dividing by `sizeof(bsf[0])`, which, since `bsf[0]` is a `struct sock_filter`, is equal to `sizeof(struct sock_filter)`. Remove the `sizeof` expressions and just assign `j`. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix BPF code for filtering on big-endian architecturesJeremy Sowden2023-01-021-1/+6
| | | | | | | | | | | | | The BPF for checking the subsystem ID looks for it in the righthand byte of `nlh->nlmsg_type`. However, it will only be there on little-endian archi- tectures. The result is that on big-endian architectures the subsystem ID doesn't match, all packets are immediately accepted, and all filters are ignored. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896716 Fixes: b245e4092c5a ("src: allow to use nfct handler for conntrack and expectations at the same time") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile: Create LZMA-compressed dist-filesPhil Sutter2022-12-091-1/+1
| | | | | | | | Use a more modern alternative to bzip2. Suggested-by: Jan Engelhardt <jengelh@inai.de> Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* expect/conntrack: Avoid spurious covscan overrun warningPhil Sutter2022-03-294-6/+6
| | | | | | | | | It doesn't like how memset() is called for a struct nfnlhdr pointer with large size value. Pass void pointers instead. This also removes the call from __build_{expect,conntrack}() which is duplicate in __build_query_{exp,ct}() code-path. Signed-off-by: Phil Sutter <phil@nwl.cc>
* conntrack: fix build with kernel 5.15 and muslRobert Marko2022-02-242-1/+1
| | | | | | | | | | | | | | | | | | | | | | Currently, with kernel 5.15 headers and musl building is failing with redefinition errors due to a conflict between the kernel and musl headers. Musl is able to suppres the conflicting kernel header definitions if they are included after the standard libc ones, however since ICMP definitions were moved into a separate internal header to avoid duplication this has stopped working and is breaking the builds. It seems that the issue is that <netinet/in.h> which contains the UAPI suppression defines is included in the internal.h header and not in the proto.h which actually includes the kernel ICMP headers and thus UAPI supression defines are not present. Solve this by moving the <netinet/in.h> include before the ICMP kernel includes in the proto.h Fixes: bc1cb4b11403 ("conntrack: Move icmp request>reply type mapping to common file") Signed-off-by: Robert Marko <robimarko@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* libnetfilter_conntrack: bump version to 1.0.9libnetfilter_conntrack-1.0.9Florian Westphal2022-02-142-5/+21
| | | | | | | | | Also increment library version, see 'conntrack: add nfct_nlmsg_build_filter() helper'. While at it, add the LIBVERSION instructions just like in libnftnl. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: Add simple tests to TESTS variablePhil Sutter2022-02-082-0/+10
| | | | | | | | | | | This way, 'make check' and 'make distcheck' call them. Omit ct_stress/ct_events_reliable, they require root. For test_connlabel to find qa-connlabel.conf during 'make distcheck', use of 'srcdir' env variable is needed. Add this as a third option to not break existing use-cases. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: Fix for missing qa-connlabel.conf in tarballPhil Sutter2022-02-081-0/+2
| | | | | | | Register the file as extra dist so 'make dist' picks it up. Fixes: 6510a98f4139f ("api: add connlabel api and attribute") Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: update obsolete autoconf macrosJeremy Sowden2022-02-071-3/+2
| | | | | | | | | | | `AC_CONFIG_HEADER` has been superseded by `AC_CONFIG_HEADERS`. `AM_PROG_LIBTOOL` has been superseded by `LT_INIT`. `AC_DISABLE_STATIC` can be replaced by an argument to `LT_INIT`. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: don't cancel nest on unknown layer 4 protocolsPablo Neira Ayuso2021-12-101-2/+1
| | | | | | | | It is valid to specify CTA_PROTO_NUM with a protocol that is not natively supported by conntrack. Do not cancel the CTA_TUPLE_PROTO nest in this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add nfct_nlmsg_build_filter() helperPablo Neira Ayuso2021-11-143-16/+25
| | | | | | | This helper function builds the payload of the netlink dump request including the filtering criteria. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix invmap_icmpv6 entriesKen-ichirou MATSUZAWA2021-10-111-2/+2
| | | | | | | Incorrect mapping of the expected reply message. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add CTA_STATS_CHAIN_TOOLONG from linux 5.15 uapiFlorian Westphal2021-09-081-0/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add support for status dump filterFlorian Westphal2021-08-053-2/+21
| | | | | | | | | | | This tells kernel to suppress conntrack entries that do not match the status bits/bitmask filter. This is useful to e.g. only list entries that are not assured (value 0, mask == ASSUED) or entries that only saw one-way traffic (value 0, mask == SEEN_REPLY). Signed-off-by: Florian Westphal <fw@strlen.de>
* include: sync uapi header with nf-nextFlorian Westphal2021-08-051-5/+19
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: Don't use ICMP attrs in decision to build repl tupleLuuk Paulussen2021-03-191-4/+1
| | | | | | | | | conntrack-tools doesn't set the REPL attributes by default for updates, so for ICMP flows, the update won't be sent as building the repl tuple will fail. Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: check return value of nfct_nlmsg_build()Eyal Birger2021-01-034-4/+21
| | | | | | | | | | | | | | | | nfct_nlmsg_build() may fail for different reasons, for example if insufficient parameters exist in the ct object. The resulting nlh would not contain any of the ct attributes. Some conntrack operations would still operate in such case, for example an IPCTNL_MSG_CT_DELETE message would just delete all existing conntrack entries. While the example as it is does supply correct parameters, it's safer as reference to validate the return value. Signed-off-by: Eyal Birger <eyal.birger@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: missing internal/proto.h in Makefile.amPablo Neira Ayuso2020-12-081-1/+1
| | | | | | This is breaking `make distcheck'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update .gitignoreJan Engelhardt2020-12-081-0/+13
| | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use the right automake variablesJan Engelhardt2020-12-081-20/+20
| | | | | | | -l is a library selection and needs to go into _LDADD/_LIBADD. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add flush filter commandPablo Neira Ayuso2020-10-292-0/+4
| | | | | | | | The NFCT_Q_FLUSH command flushes both IPv4 and IPv6 conntrack tables. Add new command NFCT_Q_FLUSH_FILTER that allows to flush based on the family to retain backward compatibility on NFCT_Q_FLUSH. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add CTA_STATS_CLASH_RESOLVEFlorian Westphal2020-08-261-0/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: sctp: update statesFlorian Westphal2020-08-142-0/+4
| | | | | | | | with more recent kernels "conntrack -L" prints NONE instead of HEARTBEAT_SENT/RECEIVED because the state is unknown in userspace. Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: dccp print function should use dccp stateFlorian Westphal2020-08-141-1/+1
| | | | | | Found while reading code, compile tested only. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: Fix buffer overflows in __snprintf_protoinfo* like in *2str fnsDaniel Gröber2020-07-011-15/+39
| | | | | Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix buffer overflow in protocol related snprintf functionsDaniel Gröber2020-07-012-10/+24
| | | | | Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Move icmp request>reply type mapping to common fileDaniel Gröber2020-07-016-65/+62
| | | | | | | | | | | Currently the invmap_icmp* arrays are duplicated in setter.c and grp_setter.c. This moves them to a new module 'proto'. Instead of having the code access the arrays directly we provide new wrapper functions __icmp{,v6}_reply_type. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix buffer overflow on invalid icmp type in settersDaniel Gröber2020-07-012-7/+12
| | | | | | | | | When type is out of range for the invmap_icmp{,v6} array we leave rtype at zero which will map to type=255 just like other error cases in this function. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Add ARRAY_SIZE() macroDaniel Gröber2020-07-011-0/+2
| | | | | Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Fix incorrect snprintf size calculationDaniel Gröber2020-07-011-1/+1
| | | | | | | | | | The previous BUFFER_SIZE() call already updated the remaining 'len'. So there is no need to subtract 'size' again. While this just makes the buffer appear smaller than it is, which is mostly harmless, the subtraction might underflow as 'size > len' is not checked like BUFFER_SIZE() does. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: Replace strncpy with snprintf to improve null byte handlingDaniel Gröber2020-07-015-18/+15
| | | | | | | | | | | | | | We currently use strncpy in a bunch of places which has this weird quirk where it doesn't write a terminating null byte if the input string is >= the max length. To mitigate this we write a null byte to the last character manually. While this works it is easy to forget. Instead we should just be using snprintf which has more sensible behaviour as it always writes a null byte even when truncating the string. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix nfexp_snprintf return value docsDaniel Gröber2020-07-011-2/+3
| | | | | | | | | The docs currently say "[...] Otherwise, 0 is returned." which is just completely wrong. Just like nfct_snprintf the expected buffer size is returned. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Handle negative snprintf return values properlyDaniel Gröber2020-07-014-3/+11
| | | | | | | | | Currently the BUFFER_SIZE macro doesn't take negative 'ret' values into account. A negative return should just be passed through to the caller, snprintf will already have set 'errno' properly. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add IPS_HW_OFFLOAD flagPablo Neira Ayuso2020-04-282-3/+19
| | | | | | This flags specifies that this conntrack entry is in hardware. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnetfilter_conntrack.pc.in: add LIBMNL_LIBS to Libs.PrivateFabrice Fontaine2020-04-141-1/+1
| | | | | | | | | | | | | | | | | | Since version 1.0.8 and commit c1c0f16c1fedb46547c2e104beeaaeac5933b214, libnetfilter_conntrack depends on libmnl so add it to Libs.Private. Otherwise, applications such as dnsmasq will fail to link on: /home/buildroot/autobuild/instance-0/output-1/host/bin/arm-linux-gcc -Wl,-elf2flt -static -o dnsmasq cache.o rfc1035.o util.o option.o forward.o network.o dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o -L/home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib -lnetfilter_conntrack -L/home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib -lnfnetlink /home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: /home/buildroot/autobuild/instance-0/output-1/host/bin/../arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/lib/libnetfilter_conntrack.a(api.o): in function `nfct_fill_hdr.constprop.4': api.c:(.text+0x34): undefined reference to `mnl_nlmsg_put_header' Fixes: - http://autobuild.buildroot.org/results/3fdc2cba20162eb86eaa5c49a056fb40fb18a392 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnetfilter_conntrack: bump version to 1.0.8libnetfilter_conntrack-1.0.8Pablo Neira Ayuso2020-04-011-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: parse_mnl: fix gcc compile warningPablo Neira Ayuso2020-04-011-0/+1
| | | | | | | | | | | | | parse_mnl.c: In function ‘nfexp_nlmsg_parse’: parse_mnl.c:142:3: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation] 142 | strncpy(exp->helper_name, | ^~~~~~~~~~~~~~~~~~~~~~~~~ 143 | mnl_attr_get_str(tb[CTA_EXPECT_HELP_NAME]), | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 144 | NFCT_HELPER_NAME_MAX); | ~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: support for IPS_OFFLOADPablo Neira Ayuso2019-08-092-4/+26
| | | | | | Print [OFFLOAD] tag when listing entries via snprintf() interface. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>