| Commit message (Collapse) | Author | Age | Files | Lines |
4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering aimed
to fix a bug in the IPv6 BPF filtering. However, it didn't fix it for
NFCT_FILTER_LOGIC_POSITIVE case since jump is still miscalculated.
This chunk below shows the BPF code to filter IPv6 address 2:4:6::
{0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_POSITIVE
is used, ie. if that address matches, accept the event.
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares second 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeeded
it jumps to 003f, which means, accept event ]
(003e) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
---- final verdict ----
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=ffffffff
Just for the record: This chunk below shows the BPF code to filter IPv6
address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that
NFCT_FILTER_LOGIC_NEGATIVE is used, ie. if that address matches, drop
the event.
[...]
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares first 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeeded
it jumps to 003e ]
(003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
[ default action specified by 003e is to drop the event ]
Tested-by: Eric Leblond <eric@regit.org>
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
BPF code generated for IPv6 filtering was wrong.
Assuming you want to allow all traffic except ::1, the filter that
libnetfilter_conntrack generates for the IPv6 address part looks like:
[...]
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=0a k=00000000
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008 [0]
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [1]
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=07 k=00000000 [2]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c [3]
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [4]
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=04 k=00000000 [5]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010 [6]
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff [7]
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000001 [8]
(003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001 [9]
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000 [A]
Line 32 loads the first 4 bytes for the 32 bytes IPv6 address, then
line 33 performs the binary AND with the first 4 bytes of the mask.
Line 34 evaluated false for the case 2::1 that Eric reported (since 0x2
is not 0x0). Thus, jumping to line 3f that returns reject. However,
2::1 should be allowed.
This false-jump case depends on the logic we're using, for the negative
logic case, the jump offset is 9 to accept it. In the positive case
(ie. accept this event message if matching happens), it has to be 10 (A),
to reject it.
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
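
The jump-offset problem described in the two commit messages above can be reproduced with a small interpreter for the few classic BPF opcodes that appear in the listing. This is an added example, not code from libnetfilter_conntrack: `run`, `build` and `verdict` are hypothetical names, the X register is assumed to point 4 bytes before the address, and running past 003f is assumed to mean accept.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Subset of classic BPF used by the fragment 0032..003f. */
enum op { LD_IND, AND_K, JEQ_K, JA, RET_K };
struct insn { enum op op; uint8_t jt, jf; uint32_t k; };

/* Interpret prog over the four 32-bit words of an IPv6 address.
 * Assumptions: X points 4 bytes before the address (so k=4 loads word 0),
 * and running past the last instruction means "accept". */
static uint32_t run(const struct insn *prog, size_t len, const uint32_t addr[4])
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LD_IND: a = addr[i->k / 4 - 1]; break;
        case AND_K:  a &= i->k; break;
        case JEQ_K:  pc += (a == i->k) ? i->jt : i->jf; break; /* relative to pc+1 */
        case JA:     pc += i->k; break;
        case RET_K:  return i->k;
        }
    }
    return 0xffffffff;
}

/* Build the negative-logic "drop ::1" fragment. miss is the index a failed
 * word comparison jumps to: 13 (003f, RET 0) gives the jf=0a/07/04 of the
 * listing, 12 (003e, JA +1) gives the corrected jf=09/06/03. */
static void build(struct insn p[14], unsigned miss)
{
    static const uint32_t want[4] = { 0, 0, 0, 1 };          /* ::1 */
    for (unsigned w = 0; w < 4; w++) {
        unsigned cmp = 3 * w + 2;
        p[3 * w]     = (struct insn){ LD_IND, 0, 0, 4 * (w + 1) };
        p[3 * w + 1] = (struct insn){ AND_K, 0, 0, 0xffffffff };
        p[cmp]       = (struct insn){ JEQ_K, 0, (uint8_t)(miss - cmp - 1), want[w] };
    }
    p[11].jt = 1; p[11].jf = 0;                 /* 003d: full match -> 003f */
    p[12] = (struct insn){ JA, 0, 0, 1 };       /* 003e: step over the reject */
    p[13] = (struct insn){ RET_K, 0, 0, 0 };    /* 003f: reject */
}

static uint32_t verdict(unsigned miss, const uint32_t addr[4])
{
    struct insn p[14];
    build(p, miss);
    return run(p, 14, addr);
}

int main(void)
{
    const uint32_t a[4] = { 0x00020000, 0, 0, 1 };           /* 2::1 */
    printf("2::1: listing=%08x corrected=%08x\n",
           (unsigned)verdict(13, a), (unsigned)verdict(12, a));
    return 0;
}
```

With the offsets of the listing, 2::1 lands on the reject at 003f; with the corrected offsets it reaches the JA at 003e and steps over it, while ::1 is still rejected.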
This patch adds more verbose output for the automatic BPF filter
generation to sieve netlink messages that are received via
ctnetlink.
This code is disabled by default, only useful for debugging so
far. It shouldn't be hard to provide a function to explicitly
print instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This adds the ATTR_HELPER_INFO that can be used to send binary data
that will be attached to the conntrack. This is useful for the
user-space connection tracking support.
This patch also adds a new interface:
nfct_set_attr_l(attr, type, value, length);
that is used to set the variable length helper information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntrack object. It uses libmnl, thus
libnetfilter_conntrack now depends on this library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntrack object. It uses libmnl, thus
libnetfilter_conntrack now depends on this library.
This is the first patch in the direction of removing the dependency
on the veteran libnfnetlink.
I have decided to update LIBVERSION in this patch. I know it's
recommended to do this before releasing the software. I prefer to
do this so snapshot packages get the correct LIBVERSION.
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
The previous patch was incomplete. This fixes several issues with
it like the IPV4 and IPV6 address are mutually exclusive, thus,
the getter operation works. No sane way to support the setter
operation correctly, thus, it's been documented that it has no
effect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows you to set and to get the address for both IPv4 and IPV6
using the same interface. This can simplify much redundant code that
needs to support both protocols.
This relies on some fixed layout union:
    union nfct_attr_grp_addr {
        u_int32_t ip;
        u_int32_t ip6[4];
        u_int32_t addr[4];
    };
But I don't see this library will support anything different from
IPv4 and IPv6 as layer 3 protocol. If that happens at some point,
we can add some new attribute group and deprecate this one.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
For ICMP flows:
conntrack -U -s 192.168.1.114 -m 1
returned -EINVAL. It seems we were including the reply tuple
incompletely.
Reported-by: <abirvalg@lavabit.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the infrastructure to allow filtered dumping.
See utils/conntrack_dump_filter.c for instance.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Example of the XML output:
<flow type="new">
  <layer3 protonum="2" protoname="IPv4">
    <expected>
      <src>192.168.0.2</src>
      <dst>192.168.1.2</dst>
    </expected>
    <mask>
      <src>255.255.255.255</src>
      <dst>255.255.255.255</dst>
    </mask>
    <master>
      <src>192.168.0.2</src>
      <dst>192.168.1.2</dst>
    </master>
  </layer3>
  <layer4 protonum="6" protoname="tcp">
    <expected>
      <sport>0</sport>
      <dport>41739</dport>
    </expected>
    <mask>
      <sport>0</sport>
      <dport>65535</dport>
    </mask>
    <master>
      <sport>36390</sport>
      <dport>21</dport>
    </master>
  </layer4>
  <meta>
    <helper-name>ftp</helper-name>
    <timeout>300</timeout>
    <zone>0</zone>
  </meta>
</flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nfexp_cmp that allows you to compare two expectation
objects.
This includes the extension of test_api for this new function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
They seem to be accidentally swapped. Fix this.
Spotted by qa/test_api.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Now, struct nf_expect takes only 192 bytes, instead of 1KB.
struct nf_conntrack takes 296 bytes instead of 328 bytes.
The size of the nf_expect structure has been reduced by rearranging
the layout of the nf_conntrack structure. For the nf_conntrack case,
this removes the allocation of room for attributes that the master
tuple does not use (more specifically, the NATseq bytes).
This patch modifies the binary layout of struct nf_conntrack.
This should not be a problem since the definition of this
object is opaque (it can be only accessed via get/set API).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We have to use sizeof(struct nf_ct_tcp_flags) instead of
sizeof(u_int16_t) to avoid problems in Intel IXP4xx network
processor (ARM big endian).
For more information, please see:
http://markmail.org/message/afhn66qzyebyf7cs#query:+page:1+mid:7bw756ncuyosv23c+state:results
Reported-by: Lutz Jaenicke <ljaenicke@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch is *not* changing the licensing terms of this library (which
was initially released under GPLv2 and later on extended to GPLv2+ after
contacting all the contributors who kindly agreed to extend it to any
later GPL version).
Jan says: "In libnetfilter_conntrack, there are many .c files declaring
GNU GPL incorporated herein by reference without telling which version(s)
exactly apply. Given src/main.c for example is actually GPL-2.0+,
the reference made is ambiguous."
This patch should definitely clarify this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
NFCT_HELPER_NAME_MAX is 16, which is the maximum helper name
allowed since 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds mask and master tuple information regarding one
expectation. This information has not been shown so far. I consider
that it is interesting because you can use this information to
troubleshoot expectation issues. Moreover, you can know which is
the master conntrack that this expectation is attached to.
This extends the text-based output for `conntrack -L exp'. This
can be considered a backward compatibility issue since existing
tools that are parsing this interface may break. But this is not
our fault, we provide an API to the conntrack table via
libnetfilter_conntrack. People should use those.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This closes netfilter bugzilla #754:
http://bugzilla.netfilter.org/show_bug.cgi?id=754
Reported-by: <abirvalg@lavabit.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
static analysis (analysis based only on compiling of sources, not based
on running of binary) of the code revealed the following problem:
conntrack/objopt.c:63: self_assign: Assignment operation
"ct->snat.l4max.all = ct->snat.l4max.all"
has no effect.
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> CC parse.lo
> parse.c: In function ‘__parse_conntrack’:
> parse.c:434:15: warning: array subscript is above array bounds
>
> struct nfattr *tb[CTA_SECCTX_MAX]
> 434: ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1]))
>
> CTA_SECCTX has value 19, and CTA_SECCTX_MAX is just 1.
Reported-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch deprecates the low level API. This API is not currently
used by any known clients (at least, at a quick glance at google).
These functions are a problem if we plan to port libnetfilter_conntrack
upon libmnl since they contain specific libnfnetlink bits.
I have also added __build_query_[ct|exp] to avoid compilation warnings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
These functions are evil since they allow the use of memcpy() instead
of nfct_copy(). This is a problem because it violates the design
principle that the library follows, that is to provide opaque objects
in which the client code does not care about the binary layout.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Thus, we have a fast version of nfct_copy() which allows to
copy the destination to the origin. After this call, the
destination is a clone of the origin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This problem was caught by qa/test_api.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the connection tracking extension that allows
conntrack timestamping.
This requires a Linux kernel >= 2.6.38.
We have now 65 attributes, we need 96 bits to store what attributes
are set in the objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes an embarrassing use-after-free in nfct_destroy()
that was introduced by myself in:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=fdda1474cc8654430f245b7f01c30e8ff171fa60
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the new attribute CTA_SECCTX that
supersedes CTA_SECMARK.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the
name that is used in the Linux kernel header. Thus, both the headers
and the internal copy for the library are in sync.
This problem was probably introduced at the time that we added support
for the DCCP handshake sequence number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch re-works the callback handling to allow the use of the same socket
to send/receive commands and listen to events of both conntrack and
expectation subsystems. Now you can register one callback for conntrack
and one for expectation with the same handler with no problems (before
this patch, this was not possible, you required two different handlers).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
PKG_CHECK_MODULES already produces its own (and more verbose) message
when a module cannot be found.
Mucking around with CFLAGS and LIBS is also not needed since pkgconfig
takes care of providing variables, so let's use them in Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libtool automatically adds PIC flags as needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This patch adds some missing attribute checkings in the XML
output that may result in inconsistent output (thus, displaying
some attributes out of <meta dir="independent">...</meta>)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This warning has been there for quite some time, fix it by relaxing the
const type checking.
callback.c: In function `__expect_callback':
callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type
../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **'
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes an EINVAL error that we hit in Linux kernel <= 2.6.25.
Basically, if we send an empty CTA_PROTOINFO_TCP attribute nest, the
kernel returns EINVAL. To fix this, we previously check if there is
any TCP attribute set.
Reported-by: Rui Sousa <rui.sousa@mindspeed.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Still missing several enumerations that should be documented.
You still have to look at libnetfilter_conntrack.h to check
conntrack object attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since Linux kernel 2.6.34, the attribute validation for CTA_HELP_NAME
requires that the string must be NULL terminated. I think that this
should be fixed in the kernel instead since it breaks old binaries of
the library. However, we're already in 2.6.36-rc, so let's fix it
in user-space and hope that everyone upgrades.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the NAT sequence adjustment setter (they were swapped!).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes kernel-space filtering via BSF for several
network addresses. The problem is that we store the network
address of the netlink message in the ALU. Then, we perform
an AND of the network mask and the address, this operation
is stored again in the ALU. If we compare the address with
a second address, we have to reload the address to the ALU.
The following example clarifies the problem, in the following
order, we want to filter:
1) 224.0.0.0/4
2) 127.0.0.1/32
Now, we receive traffic from 127.0.0.1, it should be filtered.
However, without this patch, it is not. Let's see why:
ALU 7f000001 (addr=127.0.0.1)
AND f0000000 (cidr=4)
-------------------------------
ALU 70000000
this is stored in the ALU. Then, we check for 127.0.0.1:
ALU 70000000 (addr=127.0.0.1) <-- it should be 7f000001
AND ffffffff (cidr=32)
-------------------------------
ALU 70000000
This does not match 7f000001. To fix this, we have to reload
7f000001 to the ALU. Thus, the second comparison works fine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
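
The stale-accumulator effect from the commit message above, written as a regression check over the same two networks. This is an added example, not code from libnetfilter_conntrack: `chain_matches` is a hypothetical model of the generated comparison chain, and the 224.0.0.5 probe address is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct net { uint32_t addr, mask; };

/* Walk the comparison chain with a single accumulator, as the generated
 * filter does. reload=0 leaves the previous AND result in the accumulator
 * (the behaviour the commit message describes before the patch); reload=1
 * loads the packet address again before each mask is applied. */
static int chain_matches(uint32_t addr, const struct net *nets, size_t n, int reload)
{
    uint32_t alu = addr;                      /* initial load */
    for (size_t i = 0; i < n; i++) {
        if (reload)
            alu = addr;
        alu &= nets[i].mask;
        if (alu == nets[i].addr)
            return 1;
    }
    return 0;
}

/* Networks from the commit message, in its order and swapped. */
static const struct net listed[]  = { { 0xe0000000, 0xf0000000 },    /* 224.0.0.0/4  */
                                      { 0x7f000001, 0xffffffff } };  /* 127.0.0.1/32 */
static const struct net swapped[] = { { 0x7f000001, 0xffffffff },
                                      { 0xe0000000, 0xf0000000 } };

int main(void)
{
    uint32_t lo = 0x7f000001, mc = 0xe0000005;   /* 127.0.0.1, 224.0.0.5 (constructed) */
    printf("127.0.0.1 listed:  stale=%d reload=%d\n",
           chain_matches(lo, listed, 2, 0), chain_matches(lo, listed, 2, 1));
    printf("127.0.0.1 swapped: stale=%d\n", chain_matches(lo, swapped, 2, 0));
    printf("224.0.0.5 swapped: stale=%d reload=%d\n",
           chain_matches(mc, swapped, 2, 0), chain_matches(mc, swapped, 2, 1));
    return 0;
}
```

With the /32 entry first the stale accumulator is harmless, so a test for this filter needs a wider mask placed ahead of a narrower one to catch the missing reload.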
make output of nfct_snprintf() similar to /proc/net/nf_conntrack.
tcp 6 23 TIME_WAIT src=XX.208.XX.243 dst=XX.14.XX.100 sport=35917 dport=80 packets=10 bytes=2555 src=XX.14.XX.100 dst=XX.208.XX.243 sport=80 dport=35917 packets=9 bytes=1163 [ASSURED] mark=0 secmark=0 use=2 zone=1
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add Patrick's zone support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes parsing of 64 bits attributes (that are unaligned)
in ctnetlink. It would be better to add nfnl_get_uX() functions
similar to those in include/net/netlink.h to libnfnetlink to avoid
this sort of errors.
Reported-by: Jan Engelhardt <jengelh@medozas.es>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the missing bits to support the modification of the
TCP window scale factor in a conntrack entry. The kernel support
has been already there since 2.6.23.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the autocomplete feature for ICMP[v6] entries
that makes the kernel return EINVAL. Basically, we skip the
autocomplete since this is already done in the setter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>