summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* include: sync IPS_* bits with current in the Linux kernelPablo Neira Ayuso2011-02-061-1/+9
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for CTA_SECCTXPablo Neira Ayuso2011-01-163-1/+13
| | | | | | | This patch adds support for the new attribute CTA_SECCTX that supersedes CTA_SECMARK. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' of git://dev.medozas.de/libnetfilter_conntrackPablo Neira Ayuso2010-12-211-14/+14
|\
| * src: declare non-modified data as constJan Engelhardt2010-11-091-14/+14
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | src: replace CTA_PROTOINFO_DCCP_SEQ by CTA_PROTOINFO_DCCP_HANDSHAKE_SEQPablo Neira Ayuso2010-12-181-1/+1
|/ | | | | | | | | | | This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the name that is used in the Linux kernel header. Thus, both the headers and the internal copy for the library are in sync. This problem was probably introduced at the time that we added support for the DCCP handshake sequence number. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: export already implement low-level functionsPablo Neira Ayuso2010-11-091-0/+18
| | | | | | | | | | | This patch exports several low-level function that allow to build and parse netlink messages that contain ctnetlink expectation information. They have been in the tree for quite so long, but they were not exported. To leave the library in a consistent state (ctnetlink conntrack functions provide the similar functionality) I have decided to export them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use nfct handler for conntrack and expectations at the same timePablo Neira Ayuso2010-11-081-1/+2
| | | | | | | | | | This patch re-works the callback handling to allow the use the same socket to send/receive commands and listen to events of both conntrack and expectation subsystems. Now you can register one callback for conntrack and one for expectation with the same handler with no problems (before this patch, this was not possible, you required two different handlers). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add support for CTA_EXPECT_FLAGSPablo Neira Ayuso2010-10-073-0/+8
| | | | | | This patch allows to set the expectation flags from user-space. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add CTA_EXPECT_ZONE supportPablo Neira Ayuso2010-10-073-2/+3
| | | | | | | We also remove the reference to CTA_EXPECT_QUEUENR with was not ever pushed into Linux kernel mainline. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix warning in compilationPablo Neira Ayuso2010-10-031-2/+2
| | | | | | | | | | | This warning has been there for quite some time, fix it by relaxing the const type checking. callback.c: In function `__expect_callback': callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type ../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **' Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add zone supportPablo Neira Ayuso2010-05-033-0/+3
| | | | | | Add Patrick's zone support for libnetfilter_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for TCP window scale factorPablo Neira Ayuso2010-02-162-0/+3
| | | | | | | | This patch adds the missing bits to support the modification of the TCP window scale factor in a conntrack entry. The kernel support has been already there since 2.6.23. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* header: counters are 64-bits longPablo Neira Ayuso2010-01-241-4/+4
| | | | | | | | | | This patch fixes wrong comments in the libnetfilter_conntrack.h header file. The counters of the user-space conntrack object has always been 64-bits long (even if during some time they were 32-bits long in the kernel). This does not break backward compatibility, but users (like ulogd2) has to fix this to avoid truncating the counters. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add new callback interface while keeping backward compatibilityPablo Neira Ayuso2009-07-162-0/+17
| | | | | | | | | This patch the new expectation callback interface. This change is like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to expectations. The netlink message contains the portID that is useful to identify the origin of the message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ATTR_DCCP_SEQ by ATTR_DCCP_HANDSHAKE_SEQPablo Neira Ayuso2009-07-162-2/+2
| | | | | | | | | | | This patch renames the attribute constant to access the DCCP handshake sequence number that was recently committed in 19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf. No release with the old name has been done, so no problems about backward compatibility although it'd be better if I don't push changes that I have to modify very soon afterwards. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: include u64 get/set prototype in libnetfilter_conntrack.hPablo Neira Ayuso2009-07-161-0/+7
| | | | | | | This patch adds the prototype of the u64 getter/setter to the header file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for DCCP 64-bits sequence number trackingPablo Neira Ayuso2009-07-143-0/+3
| | | | | | | | | From: Pablo Neira Ayuso <pablo@netfilter.org> This patch adds the support for the DCCP sequence number tracking that is included in the upcoming Linux kernel 2.6.31. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: add support for IPv6 address filteringPablo Neira Ayuso2009-07-142-0/+19
| | | | | | | | | | | | This patch adds support to auto-generate BSF code for IPv6. It requires a Linux kernel >= 2.6.29. The maximum number of addresses is limited to 20 (12 BSF lines per IPv6 address comparison). I am not sure that to remove this limit is useful given that oprofile does not show very good numbers for very large (in terms of lines) filters. This completes one feature that is available in IPv4 but that was missing in IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: recover some obsolete enums and constants not to break backwardPablo Neira Ayuso2009-06-214-2/+92
| | | | | | | | This patch partially reverts 76e6042107de23790f0532e3bf3c396cba27e5aa since it recovers some obsolete enums and constants that are required to avoid breaking compilation of old versions of the conntrack-tools. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tcp: add support for SYN_SENT2 statePablo Neira Ayuso2009-06-101-1/+2
| | | | | | | | | This patch adds support for the new SYN_SENT2 state that Jozsef has introduced to support TCP simultaneous open in 2.6.31. We can safely include support for this feature now since the LISTEN state was not ever really used. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: shrink helper name field to 16 bytesPablo Neira Ayuso2009-05-301-1/+4
| | | | | | | | | | xt_helper uses a length size of 30 bytes. However, no helper name in the tree has exceeded 16 bytes length so far. Since 2.6.29, the maximum length accepted limited to 16 bytes, this limit is enforced during module loading. With this patch we save bytes in the conntrack objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: add new callback interface while keeping backward compatibilityPablo Neira Ayuso2009-05-232-0/+21
| | | | | | | | | | | This patch adds nfct_callback_register2() and nfct_callback_unregister2() that allows to register a callback function with a new callback interface that includes the Netlink message. This fixes an early design error. This is not nice but it is the only way to resolve this problem without breaking backward (I don't like function versioning, it is messy). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add DCCP role attributePablo Neira Ayuso2009-04-244-0/+10
| | | | | | | This patch adds DCCP role attribute support. This needs Linux kernel >= 2.6.30. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: remove duplicated protocol string definitionsPablo Neira Ayuso2009-04-142-0/+10
| | | | | | | | This patch merges duplicated protocol string definitions in the snprintf infrastructure. I have also fixed the size of the string array. This patch is a cleanup. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add initial DCCP supportPablo Neira Ayuso2009-04-144-2/+44
| | | | | | This patch adds initial DCCP support for libnetfilter_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* header: refresh nfnetlink_conntrack.h copyPablo Neira Ayuso2009-04-101-6/+6
| | | | | | This patch refreshes the nfnetlink_conntrack.h copy against 2.6.29. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: deprecate several header files with obsolete enumsPablo Neira Ayuso2009-03-066-163/+20
| | | | | | | This patch deprecates several header files that contain enums that were define in the very old libnetfilter_conntrack API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove reminiscent of NFCT_DIR_ORIGINAL and old prototypesPablo Neira Ayuso2009-02-171-285/+0
| | | | | | | | This patch removes a reminiscent constant of the old API whose value is the same of __DIR_ORIG. This patch also removes the prototype definition from libnetfilter_conntrack.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove old deprecated APIPablo Neira Ayuso2009-02-174-72/+1
| | | | | | | | | This patch removes the first API version which was scheduled in 2007. That API had several major limitations that the new one solved. I don't know of any known existing client of this old API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: add CTA_NAT_SEQ_UNSPEC to linux_nfnetlink_conntrack.hPablo Neira Ayuso2008-12-101-0/+1
| | | | | | | This patch fixes an inconsistency in enum cta_natseq. The CTA_NAT_SEQ_UNSPEC was missing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* automake: add missing stack.h to include/internal/Makefile.amPablo Neira Ayuso2008-11-291-1/+1
| | | | | | | This patch fixes a missing stack.h file in Makefile.am. Maintaining a Makefile.am for the header files sucks a lot. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: major rework of the BSF generation codePablo Neira Ayuso2008-11-252-4/+21
| | | | | | | | | | | | | | | | This patch reworks the BSF automatic generation code. This feature needs more love and it has several limitations like that the maximum number of IPs are 127 due to BSF code restrictions. See this patch as a first step forward. This patch also adds the stack data type, which is used to resolve jump dynamically instead of the previous static approach. This patch also includes fixes in the limitations, previous calculations were wrong. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* API: add nfct_attr_is_set_array functionPablo Neira Ayuso2008-10-301-0/+4
| | | | | | | This new function checks for the presence of a given set of attributes that are passed as an array. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* groups: add attribute group APIPablo Neira Ayuso2008-10-305-1/+95
| | | | | | | | | | | | This new API allows you to set and get some logical set of attributes. This is not intended to replace the existing per-attribute get/set API but to provide more efficient way to get/set certain attributes. This change includes an example file (conntrack_grp_create.c) of the use of the attribute group API. See ATTR_GRP_* for more information on the existing groups. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* API: use of __builtin_expect in error checking pathsPablo Neira Ayuso2008-10-301-0/+3
| | | | | | | | | This patch introduces likely() and unlikely() that use __builtin_expect to assist the compiler in the branch decisions. I am assuming that we have no clients of libnetfilter_conntrack that use gcc < 2.96. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* objopt: use indirect calls instead of switchPablo Neira Ayuso2008-10-301-0/+2
| | | | | | This patch replaces the use of switch by indirect function calls. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* helper: explicit helper assignation supportlibnetfilter_conntrack-0.0.97Pablo Neira Ayuso2008-10-132-0/+4
| | | | | | | | This patch adds support for explicit helper assignation. This support will not be of any help without the appropriate kernel support that will go into the Linux kernel 2.6.29 -sic-. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* compare: add two new flags for different level of comparisonsPablo Neira Ayuso2008-10-021-0/+2
| | | | | | | | This patch adds NFCT_CMP_MASK and NFCT_CMP_STRICT which determines the level of strictness that is applied to the comparison of two conntrack objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup: split internal.h into several internal header filesPablo Neira Ayuso2008-07-2514-414/+465
| | | | | | | This patch cleanups the internal headers by splitting them into several logical pieces. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Extend high-level API for netlink BSF to add negative logicPablo Neira Ayuso2008-07-182-0/+15
| | | | | | | This patch introduces nfct_filter_set_logic() to set the filtering logic which results in a more flexible solution. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add berkeley socket filtering high-level APIPablo Neira Ayuso2008-07-172-0/+99
| | | | | | | | This patch adds an abstraction level to berkeley sockets filter (BSF) for Netlink sockets available since Linux kernel 2.6.26. This provides an easy way to attach filters without knowing about BSF at all. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add full support of SCTPPablo Neira Ayuso2008-05-213-0/+26
|
* fix __nfct_l4 structure layout (specifically, ICMP)Pablo Neira Ayuso2008-05-161-5/+21
| | | | fix nfct_cmp(): add port comparison, better ICMP support
* improve nfct_copy/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-05-142-1/+9
|
* - bump version to 0.0.92/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-161-1/+9
| | | | | | | | - recover the ID support - add support for timeout comparison - ignore set operation for counters and use attributes - fix broken status comparison - statify several __snprintf functions
* fix missing bitset in the autocomplete code/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-131-0/+22
|
* - add nfct_cmp (replacement for nfct_compare a bit more flexible)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-132-1/+23
| | | | | | - add nfct_copy - conditional build of original and reply tuples - fix secmark parsing
* add nfct_send/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-091-0/+4
|
* - fix broken 'deprecated backward compatibility'svn_t_libnetfilter_conntrack-0.0.89/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-221-0/+9
| | | | - fix glibc 2.7.20 compilation (based on patch from Paul P. Konkoff)
* add support for NAT sequence adjusment/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-092-0/+12
|