summaryrefslogtreecommitdiffstats
path: root/src/conntrack/parse.c
Commit message (Collapse)AuthorAgeFilesLines
* src: replace old libnfnetlink parserPablo Neira Ayuso2019-05-021-627/+0
| | | | | | Use the new libmnl version, remove duplicated code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add synproxy supportPablo Neira Ayuso2018-03-241-0/+28
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add zone attribute to tupleDaniel Borkmann2015-09-291-0/+12
| | | | | | | | This patch adds the front-end to the recent ctnetlink interface changes that add the zone attribute into the tuple. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use stdint types everywhereFelix Janda2015-05-251-41/+41
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: CONNLABELS are not a nested attributeFlorian Westphal2013-06-181-9/+5
| | | | | | | This fixes construction of the conntrack object when CTA_LABEL attribute is present. Signed-off-by: Florian Westphal <fw@strlen.de>
* libnetfilter_conntrack: don't ignore ATTR_CONNLABELSAfschin Hormozdiary2013-05-201-0/+24
| | | | | | | | | | | | | | The libnfnetlink based backend 'build.c' currently ignores ATTR_CONNLABELS and ATTR_CONNLABELS_MASK. The libmnl based backend 'build_mnl.c' instead handles both attributes correct. Add function to set CTA_LABELS and CTA_LABELS_MASK if required. Signed-off-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* api: add connlabel api and attributeFlorian Westphal2013-05-061-0/+1
| | | | | | | | | | | | | | | | | | | | | | adds new labelmap api to create a name <-> bit mapping from a text file (default: /etc/xtables/connlabel.conf). nfct_labelmap_new(filename) is used to create the map, nfct_labelmap_destroy() releases the resources allocated for the map. Two functions are added to make map lookups: nfct_labelmap_get_name(map, bit) returns the name of a bit, nfct_labelmap_get_bit returns the bit associated with a name. The connlabel attribute is represented by a nfct_bitmask object, the nfct_bitmask api can be used to test/set/get individual bits ("labels"). The exisiting nfct_attr_get/set interfaces can be used to read or replace the existing labels associated with a conntrack with a new set. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: put nf_expect and nf_conntrack into dietPablo Neira Ayuso2012-01-041-47/+47
| | | | | | | | | | | | | | | | Now, struct nf_expect takes only 192 bytes, instead of 1KB. struct nf_conntrack takes 296 bytes instead of 328 bytes. The size of the nf_expect structure has been reduced by rearranging the layout of the nf_conntrack structure. For the nf_conntrack case, this removes the allocation of room for attributes that the master tuple does not use (more specifically, the NATseq bytes). This patch modifies the binary layout of struct nf_conntrack. This should not be a problem since the definition of this object is opaque (it can be only accessed via get/set API). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix size of CTA_PROTOINFO_TCP_FLAGS_ORIGINAL in ARMPablo Neira Ayuso2011-12-311-2/+2
| | | | | | | | | | | | | We have to use sizeof(struct nf_ct_tcp_flags) instead of sizeof(u_int16_t) to avoid problems in Intel IXP4xx network processor (ARM big endian). For more information, please see: http://markmail.org/message/afhn66qzyebyf7cs#query:+page:1+mid:7bw756ncuyosv23c+state:results Reported-by: Lutz Jaenicke <ljaenicke@innominate.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: clarify licensing terms of library (GPLv2+)Pablo Neira Ayuso2011-12-301-3/+5
| | | | | | | | | | | | | | | | This patch is *not* changing the licensing terms of this library (which was initially released under GPLv2 and later on extended to GPLv2+ after contacting all the contributors who kindly agreed to extend it to any later GPL version). Jan says: "In libnetfilter_conntrack, there are many .c files declaring GNU GPL incorporated herein by reference without telling which version(s) exactly apply. Given src/main.c for example is actually GPL-2.0+, the reference made is ambiguous." This patch should definitely clarify this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: export NFCT_HELPER_NAME_MAXPablo Neira Ayuso2011-12-241-2/+2
| | | | | | | NFCT_HELPER_NAME_MAX is 16, which is the maximum helper name allowed since 2.6.29. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix subscript is above array bounds in secctxPablo Neira Ayuso2011-02-241-1/+1
| | | | | | | | | | | | | | > CC parse.lo > parse.c: In function ‘__parse_conntrack’: > parse.c:434:15: warning: array subscript is above array bounds > > struct nfattr *tb[CTA_SECCTX_MAX] > 434: ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1])) > > CTA_SECCTX has value 19, and CTA_SECCTX_MAX is just 1. Reported-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add timestamp supportPablo Neira Ayuso2011-02-171-0/+23
| | | | | | | | | | | | This patch adds the connection tracking extension that allows conntrack timestamping. This requires a Linux kernel >= 2.6.38. We have now 65 attributes, we need 96 bits to store what attributes are set in the objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for CTA_SECCTXPablo Neira Ayuso2011-01-161-0/+17
| | | | | | | This patch adds support for the new attribute CTA_SECCTX that supersedes CTA_SECMARK. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace CTA_PROTOINFO_DCCP_SEQ by CTA_PROTOINFO_DCCP_HANDSHAKE_SEQPablo Neira Ayuso2010-12-181-2/+2
| | | | | | | | | | | This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the name that is used in the Linux kernel header. Thus, both the headers and the internal copy for the library are in sync. This problem was probably introduced at the time that we added support for the DCCP handshake sequence number. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix warning in compilationPablo Neira Ayuso2010-10-031-1/+1
| | | | | | | | | | | This warning has been there for quite some time, fix it by relaxing the const type checking. callback.c: In function `__expect_callback': callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type ../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **' Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add zone supportPablo Neira Ayuso2010-05-031-0/+5
| | | | | | Add Patrick's zone support for libnetfilter_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: fix access to u64 attributes in netlink messagesPablo Neira Ayuso2010-03-041-11/+19
| | | | | | | | | | This patch fixes parsing of 64 bits attributes (that are unaligned) in ctnetlink. It would be better to add nfnl_get_uX() functions similar to those in include/net/netlink.h to libnfnetlink to avoid this sort of errors. Reported-by: Jan Engelhardt <jengelh@medozas.es> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for TCP window scale factorPablo Neira Ayuso2010-02-161-0/+14
| | | | | | | | This patch adds the missing bits to support the modification of the TCP window scale factor in a conntrack entry. The kernel support has been already there since 2.6.23. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dccp: fix endianess in handshake_seqPablo Neira Ayuso2009-07-161-2/+3
| | | | | | | | This patch fixes missing endianess conversion of the new attribute ATTR_HANDSHAKE_SEQ that was included in 19f35b21dbe2bb4386eeced4e0d87f3b2e1d. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ATTR_DCCP_SEQ by ATTR_DCCP_HANDSHAKE_SEQPablo Neira Ayuso2009-07-161-2/+2
| | | | | | | | | | | This patch renames the attribute constant to access the DCCP handshake sequence number that was recently committed in 19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf. No release with the old name has been done, so no problems about backward compatibility although it'd be better if I don't push changes that I have to modify very soon afterwards. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for DCCP 64-bits sequence number trackingPablo Neira Ayuso2009-07-141-0/+5
| | | | | | | | | From: Pablo Neira Ayuso <pablo@netfilter.org> This patch adds the support for the DCCP sequence number tracking that is included in the upcoming Linux kernel 2.6.31. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add DCCP role attributePablo Neira Ayuso2009-04-241-0/+5
| | | | | | | This patch adds DCCP role attribute support. This needs Linux kernel >= 2.6.30. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: fix SCTP vtag parsingPablo Neira Ayuso2009-04-181-2/+2
| | | | | | This patch fixes an unfortunate bug in the SCTP vtag parsing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add initial DCCP supportPablo Neira Ayuso2009-04-141-0/+17
| | | | | | This patch adds initial DCCP support for libnetfilter_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* helper: explicit helper assignation supportlibnetfilter_conntrack-0.0.97Pablo Neira Ayuso2008-10-131-0/+19
| | | | | | | | This patch adds support for explicit helper assignation. This support will not be of any help without the appropriate kernel support that will go into the Linux kernel 2.6.29 -sic-. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup: split internal.h into several internal header filesPablo Neira Ayuso2008-07-251-1/+1
| | | | | | | This patch cleanups the internal headers by splitting them into several logical pieces. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix wrong ATTR_*_L3PROTO handling in the message buildingPablo Neira Ayuso2008-06-161-8/+14
| | | | | | - include missing ATTR_MASTER_L3PROTO attribute into messages - include ATTR_[ORIG|REPL]_L3PROTO iff there is at least another layer 3 attribute
* add full support of SCTPPablo Neira Ayuso2008-05-211-3/+31
|
* - add nfct_cmp (replacement for nfct_compare a bit more flexible)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-131-1/+1
| | | | | | - add nfct_copy - conditional build of original and reply tuples - fix secmark parsing
* This rather trivial patch adds ICMPv6 support for libnetfilter_conntrack,/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-251-0/+18
| | | | | | but only for the new API - deprecated/extensions was left unchanged. Signed-off-by: Krzysztof Oledzki <ole@ans.pl>
* add support for NAT sequence adjusment/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-091-0/+53
|
* - add support for secmark/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-12-171-0/+5
| | | | - fix typo s/test_but/test_bit/
* Add support for conntrack master setup/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-12-081-0/+25
|
* add support for TCP flagssvn_t_libnetfilter_conntrack-0.0.82/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-09-121-0/+16
|
* add support for 64 bits counters (Krzysztof Oledzki)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-05-291-8/+24
|
* introduce the new expectation API/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-05-011-13/+4
|
* Set status bit if whatever status flags are available, not only for ASSURED ↵/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org2007-03-211-4/+1
| | | | and SEEN_REPLY
* Minor fix in the counter parsing: replace htonl by ntonl, anyway they are ↵/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org2006-12-291-2/+2
| | | | actually the same function so this should not break anything.
* Introduce the new libnetfilter_conntrack API, features:/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org2006-12-191-0/+295
- object oriented infrastructure - extensible and configurable output (XML) - low level functions to interact with netlink details - fairly documented Still backward compatible.