Add Patrick's zone support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the missing bits to support the modification of the
TCP window scale factor in a conntrack entry. The kernel support
has already been there since 2.6.23.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes wrong comments in the libnetfilter_conntrack.h header
file. The counters of the user-space conntrack object have always been
64-bits long (even if during some time they were 32-bits long in the
kernel). This does not break backward compatibility, but users (like
ulogd2) have to fix this to avoid truncating the counters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the new expectation callback interface. This change is
like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to
expectations. The netlink message contains the portID that is useful
to identify the origin of the message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch renames the attribute constant to access the DCCP
handshake sequence number that was recently committed in
19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf. No release with
the old name has been done, so no problems about backward
compatibility although it'd be better if I don't push changes
that I have to modify very soon afterwards.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the prototype of the u64 getter/setter to the header
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the support for the DCCP sequence number tracking
that is included in the upcoming Linux kernel 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support to auto-generate BSF code for IPv6. It
requires a Linux kernel >= 2.6.29. The maximum number of addresses
is limited to 20 (12 BSF lines per IPv6 address comparison). I am
not sure that removing this limit is useful given that oprofile
does not show very good numbers for very large (in terms of lines)
filters. This completes one feature that is available in IPv4 but
that was missing in IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch partially reverts 76e6042107de23790f0532e3bf3c396cba27e5aa
since it recovers some obsolete enums and constants that are required
to avoid breaking compilation of old versions of the conntrack-tools.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for the new SYN_SENT2 state that Jozsef
has introduced to support TCP simultaneous open in 2.6.31. We can
safely include support for this feature now since the LISTEN state
was not ever really used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds nfct_callback_register2() and nfct_callback_unregister2()
that allow registering a callback function with a new callback interface
that includes the Netlink message. This fixes an early design error.
This is not nice but it is the only way to resolve this problem without
breaking backward (I don't like function versioning, it is messy).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds DCCP role attribute support. This needs Linux
kernel >= 2.6.30.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds initial DCCP support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch refreshes the nfnetlink_conntrack.h copy against 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch deprecates several header files that contain enums that
were defined in the very old libnetfilter_conntrack API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch removes a reminiscent constant of the old API whose value
is the same as __DIR_ORIG. This patch also removes the prototype
definition from libnetfilter_conntrack.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes an inconsistency in enum cta_natseq. The
CTA_NAT_SEQ_UNSPEC was missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This new function checks for the presence of a given set of
attributes that are passed as an array.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This new API allows you to set and get some logical set of
attributes. This is not intended to replace the existing
per-attribute get/set API but to provide a more efficient way
to get/set certain attributes. This change includes an example
file (conntrack_grp_create.c) of the use of the attribute group API.
See ATTR_GRP_* for more information on the existing groups.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for explicit helper assignation. This support
will not be of any help without the appropriate kernel support that will
go into the Linux kernel 2.6.29 -sic-.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds NFCT_CMP_MASK and NFCT_CMP_STRICT which determine the
level of strictness that is applied to the comparison of two conntrack
objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch cleans up the internal headers by splitting them into several
logical pieces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch introduces nfct_filter_set_logic() to set the filtering
logic which results in a more flexible solution.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds an abstraction level to Berkeley sockets filter (BSF) for
Netlink sockets available since Linux kernel 2.6.26. This provides an
easy way to attach filters without knowing about BSF at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

- recover the ID support
- add support for timeout comparison
- ignore set operation for counters and use attributes
- fix broken status comparison
- statify several __snprintf functions

- add nfct_copy
- conditional build of original and reply tuples
- fix secmark parsing

- fix typo s/test_but/test_bit/

read-only nfnl_handle
- remove unused build_id() from build.c
- bump version to 0.0.81

- split expect_api_test.c into small example files expect_*.c
- introduce alias tags for original tuple attributes
- introduce nfexp_sizeof and nfexp_maxsize
- build expectation attributes iff they are set
- fix l3num setting in expect/build.c

libnetfilter_conntrack.h. The old API will be removed after quite some time.

- introduce the new compare infrastructure: much simpler than previous
- introduce nfct_maxsize for nf_conntrack object allocated in the stack
- more strict checks in nfct_set_attr: third parameter is const

ICMP ID is stored as a u_int16_t, but its setter function derefs its
argument as a u_int8_t. Additionally the API "doc" claims it's a u8, when
it's not.
This patch fixes both.

- introduce NFCT_O_PLAIN flag: NFCT_O_DEFAULT points to NFCT_O_PLAIN
- remove commented line in nfct_new()

- object oriented infrastructure
- extensible and configurable output (XML)
- low level functions to interact with netlink details
- fairly documented
Still backward compatible.

<eric@inl.fr>)

o Update copyright date