| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
flushing already supports filtering on the kernel side for value like
mark, l3num or zone. This patch extends the userspace code to also
support this.
To reduce code duplication the `nfct_filter_dump` struct and associated
logic is reused. Note that filtering by tuple is not supported, since
`CTA_FILTER` is not yet supported on the kernel side for flushing.
Trying to use it returns ENOTSUP.
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
based on a kernel side extension of the conntrack api, this patch brings
this extension to userspace.
When dumping the conntrack table we can now filter based on the
conntrack zone directly in kernel space. If the kernel does not yet
support this feature this filtering is ignored.
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Following kernel side new conntrack filtering API, this patch implements
userspace part. This patch:
* Update headers to get new flag value from kernel
* Use a conntrack struct to configure filtering
* Set netlink flags according to values set in conntrack struct
Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr>
Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
With addition of MPTCP `IPPROTO_MAX` is greater than 256, so extend the
array to account for the new upper bound.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, with kernel 5.15 headers and musl building is failing with
redefinition errors due to a conflict between the kernel and musl headers.
Musl is able to suppres the conflicting kernel header definitions if they
are included after the standard libc ones, however since ICMP definitions
were moved into a separate internal header to avoid duplication this has
stopped working and is breaking the builds.
It seems that the issue is that <netinet/in.h> which contains the UAPI
suppression defines is included in the internal.h header and not in the
proto.h which actually includes the kernel ICMP headers and thus UAPI
supression defines are not present.
Solve this by moving the <netinet/in.h> include before the ICMP kernel
includes in the proto.h
Fixes: bc1cb4b11403 ("conntrack: Move icmp request>reply type mapping to common file")
Signed-off-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This helper function builds the payload of the netlink dump request
including the filtering criteria.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This tells kernel to suppress conntrack entries that do not match
the status bits/bitmask filter.
This is useful to e.g. only list entries that are not assured
(value 0, mask == ASSUED) or entries that only saw one-way traffic
(value 0, mask == SEEN_REPLY).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
This is breaking `make distcheck'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The NFCT_Q_FLUSH command flushes both IPv4 and IPv6 conntrack tables.
Add new command NFCT_Q_FLUSH_FILTER that allows to flush based on the
family to retain backward compatibility on NFCT_Q_FLUSH.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
with more recent kernels "conntrack -L" prints NONE instead of
HEARTBEAT_SENT/RECEIVED because the state is unknown in userspace.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently the invmap_icmp* arrays are duplicated in setter.c and
grp_setter.c. This moves them to a new module 'proto'.
Instead of having the code access the arrays directly we provide new
wrapper functions __icmp{,v6}_reply_type.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Currently the BUFFER_SIZE macro doesn't take negative 'ret' values into
account. A negative return should just be passed through to the caller,
snprintf will already have set 'errno' properly.
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This flags specifies that this conntrack entry is in hardware.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Print [OFFLOAD] tag when listing entries via snprintf() interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use the new libmnl version, remove duplicated code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Changes in the netlink attribute layout is considered to be a kernel ABI
breakage, so report this immediately and stop execution, instead of lazy
error back to the client application, which cannot do anything with
this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of copy&paster definitions that were made long time ago, this is
causing problems.
Copy and rename nf_conntrack_common.h to linux_nf_conntrack_common.h,
then include it from libnetfilter_conntrack.h
After that change, we can remove the status flags definition in
libnetfilter_conntrack.h that was copied and pasted from the above file.
This helps us solve compilation errors due to redeclaration:
/usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: redeclaration of ‘enum ip_conntrack_status’
In file included from nf-log.c:12:0: /usr/include/linux/netfilter/nf_conntrack_common.h:37:6: note: originally defined here
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The conntrackd daemon lacks support for syncing IPv6 NATed connections.
This patch adds support for managing the IPv6 part of struct __nfct_nat,
also updating the corresponsing symbols.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The conntrackd daemon lacks support for syncing IPv6 NATed connections.
This patch prepares the ground to give support to such operations:
* replace uint32_t with union __nfct_address in struct __nfct_nat.
* update all users of the former uint32_t to support the new struct
A follow-up patch gives support to actually manage the IPv6 NAT.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
|
| |
This patch adds the front-end to the recent ctnetlink interface
changes that add the zone attribute into the tuple.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds mark filter for event listener, using same struct
nfct_filter_dump_mark at dump.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This patch adds two functions, useful for ulogd IPFIX
output module.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nfct_snprintf doesn't print connlabels, as they're system specific
and can easily generate lots of output.
This adds a new helper function, nfct_snprintf_labels. It behaves like
nfct_snprintf, except that the label names in the labelmap whose bits are
contained in connlabel attribute bitset are added to the buffer.
output looks like this:
output looks like this:
... mark=0 use=1 labels=eth0-in,eth1-in
or
<labels>
<label>eth0-in</label>
<label>eth1-in</label>
</labels>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
allows to set/clear only a subset of the in-kernel label set, e.g.
"set bit 1 and do not change any others".
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
adds new labelmap api to create a name <-> bit mapping
from a text file (default: /etc/xtables/connlabel.conf).
nfct_labelmap_new(filename) is used to create the map,
nfct_labelmap_destroy() releases the resources allocated for the map.
Two functions are added to make map lookups:
nfct_labelmap_get_name(map, bit) returns the name of a bit,
nfct_labelmap_get_bit returns the bit associated with a name.
The connlabel attribute is represented by a nfct_bitmask object, the
nfct_bitmask api can be used to test/set/get individual bits
("labels").
The exisiting nfct_attr_get/set interfaces can be used to read or
replace the existing labels associated with a conntrack with a new set.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to use generic getter/setter API with upcoming
conntrack label extension, add helper functions to set/test/unset
bits in a vector of arbitrary size.
Conntrack labels will then be encoded via nfct_bitmask object.
Original idea from Pablo Neira Ayuso.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
To include: IPCTNL_MSG_CT_GET_DYING and IPCTNL_MSG_CT_GET_UNCONFIRMED
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the ATTR_HELPER_INFO that can be used to send binary data
that will be attached to the conntrack. This is useful for the
user-space connection tracking support.
This patch also adds a new interface:
nfct_set_attr_l(attr, type, value, length);
that is used to set the variable length helper information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntrack object. It uses libmnl, thus
libnetfilter_conntrack now depends on this library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntrack object. It uses libmnl, thus
libnetfilter_conntrack now depends on this library.
This is the first patch in the direction of removing the dependency
on the veteran libnfnetlink.
I have decided to update LIBVERSION in this patch. I know it's
recommended to do this before releasing the software. I prefer to
do this so snapshot packages get the correct LIBVERSION.
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| |
|
|
|
|
|
|
|
|
| |
The previous patch was incomplete. This fixes several issues with
it like the IPV4 and IPV6 address are mutually exclusive, thus,
the getter operation works. No sane way to support the setter
operation correctly, thus, it's been documented that it has no
effect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows you to set and to get the address for both IPv4 and IPV6
using the same interface. This can simplify much redundant code that
needs to support both protocols.
This relies on some fixed layout union:
union nfct_attr_grp_addr {
u_int32_t ip;
u_int32_t ip6[4];
u_int32_t addr[4];
};
But I don't see this library will support anything different from
IPv4 and IPv6 as layer 3 protocol. If that happens and some point,
we can add some new attribute group and deprecate this one.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds the infrastructure to allow filtered dumping.
See utils/conntrack_dump_filter.c for instance.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch allows you to set expectfn.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds ATTR_EXP_NAT_TUPLE and ATTR_EXP_NAT_DIR attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch allows you to specify the expectation class.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example of the XML output:
<flow type="new">
<layer3 protonum="2" protoname="IPv4">
<expected>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</expected>
<mask>
<src>255.255.255.255</src>
<dst>255.255.255.255</dst>
</mask>
<master>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</master>
</layer3>
<layer4 protonum="6" protoname="tcp">
<expected>
<sport>0</sport>
<dport>41739</dport>
</expected>
<mask>
<sport>0</sport>
<dport>65535</dport>
</mask>
<master>
<sport>36390</sport>
<dport>21</dport>
</master>
</layer4>
<meta>
<helper-name>ftp</helper-name>
<timeout>300</timeout>
<zone>0</zone>
</meta>
</flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds nfexp_cmp that allows you to compare two expectation
objects.
This includes the extension of test_api for this new function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now, struct nf_expect takes only 192 bytes, instead of 1KB.
struct nf_conntrack takes 296 bytes instead of 328 bytes.
The size of the nf_expect structure has been reduced by rearranging
the layout of the nf_conntrack structure. For the nf_conntrack case,
this removes the allocation of room for attributes that the master
tuple does not use (more specifically, the NATseq bytes).
This patch modifies the binary layout of struct nf_conntrack.
This should not be a problem since the definition of this
object is opaque (it can be only accessed via get/set API).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch removes the reference to the licensing terms of the
library in the header files.
This patch does *not* change the license of the library at all,
which is still GPLv2+, of course.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We have to use sizeof(struct nf_ct_tcp_flags) instead of
sizeof(u_int16_t) to avoid problems in Intel IXP4xx network
processor (ARM big endian).
For more information, please see:
http://markmail.org/message/afhn66qzyebyf7cs#query:+page:1+mid:7bw756ncuyosv23c+state:results
Reported-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
