| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds the front-end to the recent ctnetlink interface
changes that add the zone attribute into the tuple.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nfct_snprintf doesn't print connlabels, as they're system specific
and can easily generate lots of output.
This adds a new helper function, nfct_snprintf_labels. It behaves like
nfct_snprintf, except that the label names in the labelmap whose bits are
contained in connlabel attribute bitset are added to the buffer.
output looks like this:
output looks like this:
... mark=0 use=1 labels=eth0-in,eth1-in
or
<labels>
<label>eth0-in</label>
<label>eth1-in</label>
</labels>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example of the XML output:
<flow type="new">
<layer3 protonum="2" protoname="IPv4">
<expected>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</expected>
<mask>
<src>255.255.255.255</src>
<dst>255.255.255.255</dst>
</mask>
<master>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</master>
</layer3>
<layer4 protonum="6" protoname="tcp">
<expected>
<sport>0</sport>
<dport>41739</dport>
</expected>
<mask>
<sport>0</sport>
<dport>65535</dport>
</mask>
<master>
<sport>36390</sport>
<dport>21</dport>
</master>
</layer4>
<meta>
<helper-name>ftp</helper-name>
<timeout>300</timeout>
<zone>0</zone>
</meta>
</flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now, struct nf_expect takes only 192 bytes, instead of 1KB.
struct nf_conntrack takes 296 bytes instead of 328 bytes.
The size of the nf_expect structure has been reduced by rearranging
the layout of the nf_conntrack structure. For the nf_conntrack case,
this removes the allocation of room for attributes that the master
tuple does not use (more specifically, the NATseq bytes).
This patch modifies the binary layout of struct nf_conntrack.
This should not be a problem since the definition of this
object is opaque (it can be only accessed via get/set API).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is *not* changing the licensing terms of this library (which
was initially released under GPLv2 and later on extended to GPLv2+ after
contacting all the contributors who kindly agreed to extend it to any
later GPL version).
Jan says: "In libnetfilter_conntrack, there are many .c files declaring
GNU GPL incorporated herein by reference without telling which version(s)
exactly apply. Given src/main.c for example is actually GPL-2.0+,
the reference made is ambiguous."
This patch should definitely clarify this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the connection tracking extension that allows
conntrack timestamping.
This requires a Linux kernel >= 2.6.38.
We have now 65 attributes, we need 96 bits to store what attributes
are set in the objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for the new attribute CTA_SECCTX that
supersedes CTA_SECMARK.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds some missing attribute checkings in the XML
output that may result in inconsistent output (thus, displaying
some attributes out of <meta dir="independent">...</meta>)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add Patrick's zone support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch avoids possible out-of-bound array access if protocol
states higher than the accepted are used.
Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds missing DCCP ports in the output:
# conntrack -D -p dccp
dccp 33 18 RESPOND src=1.1.1.1 dst=2.2.2.2 packets=0 bytes=0 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 packets=0 bytes=0 mark=0 secmark=0 use=2
conntrack v0.9.12 (conntrack-tools): 1 flow entries have been deleted.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds the missing bits to display the protocol state
in the XML output.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch merges duplicated protocol string definitions in the
snprintf infrastructure. I have also fixed the size of the string
array. This patch is a cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds initial DCCP support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for UDPlite transport protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for GRE transport protocol.
Tested-by: Byan Buff <bduff@ecessa.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
We have to cast the counters to unsigned long long to fix
a compilation warning in 64-bits platforms.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch cleanups the internal headers by splitting them into several
logical pieces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
- recover the ID support
- add support for timeout comparison
- ignore set operation for counters and use attributes
- fix broken status comparison
- statify several __snprintf functions
|
|
|
|
|
|
| |
but only for the new API - deprecated/extensions was left unchanged.
Signed-off-by: Krzysztof Oledzki <ole@ans.pl>
|
|
|
|
| |
- fix glibc 2.7.20 compilation (based on patch from Paul P. Konkoff)
|
| |
|
| |
|
|
|
|
| |
- fix typo s/test_but/test_bit/
|
|
|
|
| |
not just the number of bytes written. Emulate snprintf behaviour as in specified in C99
|
|
|
|
| |
C99 convention)
|
|
|
|
|
| |
- fix wrong port display in the XML output (Morten Isaksen)
- use ntohs instead htons in snprintf_default.c
|
| |
|
|
- object oriented infrastructure
- extensible and configurable output (XML)
- low level functions to interact with netlink details
- fairly documented
Still backward compatible.
|