path: root/src/conntrack
Commit message | Author | Date | Files | Lines
* conntrack: fix new ATTR_GRP_[ORIG|REPL]_ADDR_[SRC|DST] (Pablo Neira Ayuso, 2012-04-29, 3 files, -80/+105)

    The previous patch was incomplete. This fixes several issues with it, like
    the IPV4 and IPV6 address are mutually exclusive, thus, the getter operation
    works. No sane way to support the setter operation correctly, thus, it's
    been documented that it has no effect.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add new ATTR_GRP_[ORIG|REPL]_ADDR_[SRC|DST] attribute (Pablo Neira Ayuso, 2012-04-27, 3 files, -1/+77)

    This allows you to set and to get the address for both IPv4 and IPV6 using
    the same interface. This can simplify much redundant code that needs to
    support both protocols. This relies on some fixed layout union:

        union nfct_attr_grp_addr {
            u_int32_t ip;
            u_int32_t ip6[4];
            u_int32_t addr[4];
        };

    But I don't see this library will support anything different from IPv4 and
    IPv6 as layer 3 protocol. If that happens at some point, we can add some new
    attribute group and deprecate this one.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix wrong building of ICMP reply tuple (Pablo Neira Ayuso, 2012-03-23, 1 file, -4/+1)

    For ICMP flows:

        conntrack -U -s 192.168.1.114 -m 1

    returned -EINVAL. It seems we were including the reply tuple incompletely.

    Reported-by: <abirvalg@lavabit.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for CTA_MARK_MASK and filtered dumping (Pablo Neira Ayuso, 2012-02-09, 3 files, -2/+129)

    This patch adds the infrastructure to allow filtered dumping. See
    utils/conntrack_dump_filter.c for instance.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add XML support for nfexp_snprintf() (Pablo Neira Ayuso, 2012-01-22, 1 file, -38/+16)

    Example of the XML output:

        <flow type="new">
            <layer3 protonum="2" protoname="IPv4">
                <expected>
                    <src>192.168.0.2</src>
                    <dst>192.168.1.2</dst>
                </expected>
                <mask>
                    <src>255.255.255.255</src>
                    <dst>255.255.255.255</dst>
                </mask>
                <master>
                    <src>192.168.0.2</src>
                    <dst>192.168.1.2</dst>
                </master>
            </layer3>
            <layer4 protonum="6" protoname="tcp">
                <expected>
                    <sport>0</sport>
                    <dport>41739</dport>
                </expected>
                <mask>
                    <sport>0</sport>
                    <dport>65535</dport>
                </mask>
                <master>
                    <sport>36390</sport>
                    <dport>21</dport>
                </master>
            </layer4>
            <meta>
                <helper-name>ftp</helper-name>
                <timeout>300</timeout>
                <zone>0</zone>
            </meta>
        </flow>

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add nfexp_cmp (Pablo Neira Ayuso, 2012-01-04, 1 file, -5/+5)

    This patch adds nfexp_cmp that allows you to compare two expectation
    objects. This includes the extension of test_api for this new function.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix set operation for master IPv6 src and dst (Pablo Neira Ayuso, 2012-01-04, 1 file, -2/+2)

    They seem to be accidentally swapped. Fix this. Spotted by qa/test_api.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: put nf_expect and nf_conntrack into diet (Pablo Neira Ayuso, 2012-01-04, 12 files, -488/+481)

    Now, struct nf_expect takes only 192 bytes, instead of 1KB. struct
    nf_conntrack takes 296 bytes instead of 328 bytes.

    The size of the nf_expect structure has been reduced by rearranging the
    layout of the nf_conntrack structure. For the nf_conntrack case, this
    removes the allocation of room for attributes that the master tuple does
    not use (more specifically, the NATseq bytes).

    This patch modifies the binary layout of struct nf_conntrack. This should
    not be a problem since the definition of this object is opaque (it can be
    only accessed via get/set API).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix size of CTA_PROTOINFO_TCP_FLAGS_ORIGINAL in ARM (Pablo Neira Ayuso, 2011-12-31, 2 files, -4/+4)

    We have to use sizeof(struct nf_ct_tcp_flags) instead of sizeof(u_int16_t)
    to avoid problems in Intel IXP4xx network processor (ARM big endian).

    For more information, please see:
    http://markmail.org/message/afhn66qzyebyf7cs#query:+page:1+mid:7bw756ncuyosv23c+state:results

    Reported-by: Lutz Jaenicke <ljaenicke@innominate.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: clarify licensing terms of library (GPLv2+) (Pablo Neira Ayuso, 2011-12-30, 17 files, -51/+85)

    This patch is *not* changing the licensing terms of this library (which was
    initially released under GPLv2 and later on extended to GPLv2+ after
    contacting all the contributors who kindly agreed to extend it to any later
    GPL version).

    Jan says:

    "In libnetfilter_conntrack, there are many .c files declaring GNU GPL
    incorporated herein by reference without telling which version(s) exactly
    apply. Given src/main.c for example is actually GPL-2.0+, the reference
    made is ambiguous."

    This patch should definitely clarify this.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: export NFCT_HELPER_NAME_MAX (Pablo Neira Ayuso, 2011-12-24, 3 files, -6/+6)

    NFCT_HELPER_NAME_MAX is 16, which is the maximum helper name allowed since
    2.6.29.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: nfexp_snprintf displays mask and master tuple information (Pablo Neira Ayuso, 2011-12-06, 1 file, -11/+21)

    This patch adds mask and master tuple information regarding one
    expectation. This information has not been shown so far. I consider that
    it is interesting because you can use this information to troubleshoot
    expectation issues. Moreover, you can know which is the master conntrack
    that this expectation is attached to.

    This extends the text-based output for `conntrack -L exp'. This can be
    considered a backward compatibility issue since existing tools that are
    parsing this interface may break. But this is not our fault, we provide an
    API to the conntrack table via libnetfilter_conntrack. People should use
    those.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix missing nfct_copy function not included in doxygen report (Pablo Neira Ayuso, 2011-10-13, 1 file, -4/+0)

    This closes netfilter bugzilla #754:
    http://bugzilla.netfilter.org/show_bug.cgi?id=754

    Reported-by: <abirvalg@lavabit.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: objopt: NO_EFFECT (Jiri Popelka, 2011-06-13, 1 file, -1/+1)

    static analysis (analysis based only on compiling of sources, not based on
    running of binary) of the code revealed the following problem:

        conntrack/objopt.c:63: self_assign: Assignment operation "ct->snat.l4max.all = ct->snat.l4max.all" has no effect.

    Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix subscript is above array bounds in secctx (Pablo Neira Ayuso, 2011-02-24, 1 file, -1/+1)

    >   CC     parse.lo
    > parse.c: In function ‘__parse_conntrack’:
    > parse.c:434:15: warning: array subscript is above array bounds
    >
    > struct nfattr *tb[CTA_SECCTX_MAX]
    > 434: ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1]))
    >
    > CTA_SECCTX has value 19, and CTA_SECCTX_MAX is just 1.

    Reported-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: deprecate low level API (Pablo Neira Ayuso, 2011-02-22, 1 file, -42/+50)

    This patch deprecates the low level API. This API is not currently used by
    any known clients (at least, at a quick glance at google). These functions
    are a problem if we plan to port libnetfilter_conntrack upon libmnl since
    they contain specific libnfnetlink bits.

    I have also added __build_query_[ct|exp] to avoid compilation warnings.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: deprecate nfct_sizeof() and nfct_maxsize() functions (Pablo Neira Ayuso, 2011-02-17, 1 file, -0/+4)

    These functions are evil since they allow the use of memcpy() instead of
    nfct_copy(). This is a problem because it violates the design principle
    that the library follows, that is to provide opaque objects in which the
    client code does not care about the binary layout.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add NFCT_CP_OVERRIDE flag for nfct_copy() (Pablo Neira Ayuso, 2011-02-17, 2 files, -0/+15)

    Thus, we have a fast version of nfct_copy() which allows to copy the
    destination to the origin. After this call, the destination is a clone of
    the origin.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix segfault in nfct_copy() if secctx of origin is not set (Pablo Neira Ayuso, 2011-02-17, 1 file, -2/+5)

    This problem was caught by qa/test_api.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add timestamp support (Pablo Neira Ayuso, 2011-02-17, 7 files, -25/+249)

    This patch adds the connection tracking extension that allows conntrack
    timestamping. This requires a Linux kernel >= 2.6.38.

    We have now 65 attributes, we need 96 bits to store what attributes are set
    in the objects.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: fix use-after-free bug in nfct_destroy() (Pablo Neira Ayuso, 2011-01-21, 1 file, -1/+1)

    This patch fixes an embarrassing use-after-free in nfct_destroy() that was
    introduced by myself in:
    http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=fdda1474cc8654430f245b7f01c30e8ff171fa60

    Reported-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for CTA_SECCTX (Pablo Neira Ayuso, 2011-01-16, 8 files, -0/+63)

    This patch adds support for the new attribute CTA_SECCTX that supersedes
    CTA_SECMARK.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use -Wall across the entire source (Jan Engelhardt, 2010-12-30, 1 file, -2/+0)

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/libnetfilter_conntrack (Pablo Neira Ayuso, 2010-12-21, 10 files, -17/+17)
* src: declare non-modified data as const (Jan Engelhardt, 2010-11-09, 10 files, -17/+17)

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: replace CTA_PROTOINFO_DCCP_SEQ by CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ (Pablo Neira Ayuso, 2010-12-18, 2 files, -3/+3)

    This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the name
    that is used in the Linux kernel header. Thus, both the headers and the
    internal copy for the library are in sync.

    This problem was probably introduced at the time that we added support for
    the DCCP handshake sequence number.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use nfct handler for conntrack and expectations at the same time (Pablo Neira Ayuso, 2010-11-08, 4 files, -74/+49)

    This patch re-works the callback handling to allow the use of the same
    socket to send/receive commands and listen to events of both conntrack and
    expectation subsystems.

    Now you can register one callback for conntrack and one for expectation
    with the same handler with no problems (before this patch, this was not
    possible, you required two different handlers).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: no need for error message in PKG_CHECK_MODULES (Jan Engelhardt, 2010-10-30, 1 file, -2/+1)

    PKG_CHECK_MODULES already produces its own (and more verbose) message when
    a module cannot be found. Mucking around with CFLAGS and LIBS is also not
    needed since pkgconfig takes care of providing variables, so let's use them
    in Makefile.am.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove -fPIC flag (Jan Engelhardt, 2010-10-30, 1 file, -1/+1)

    libtool automatically adds PIC flags as needed.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* conntrack: fix independent metadata checks in XML output (Pablo Neira Ayuso, 2010-10-28, 1 file, -2/+8)

    This patch adds some missing attribute checks in the XML output that may
    result in inconsistent output (thus, displaying some attributes out of
    <meta dir="independent">...</meta>)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix warning in compilation (Pablo Neira Ayuso, 2010-10-03, 1 file, -1/+1)

    This warning has been there for quite some time, fix it by relaxing the
    const type checking.

        callback.c: In function `__expect_callback':
        callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type
        ../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **'

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix EINVAL if no TCP attributes are set for Linux kernel <= 2.6.25 (Pablo Neira Ayuso, 2010-09-08, 1 file, -0/+24)

    This patch fixes an EINVAL error that we hit in Linux kernel <= 2.6.25.
    Basically, if we send an empty CTA_PROTOINFO_TCP attribute nest, the kernel
    returns EINVAL. To fix this, we previously check if there is any TCP
    attribute set.

    Reported-by: Rui Sousa <rui.sousa@mindspeed.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: convert documentation from kerneldoc to doxygen format (Pablo Neira Ayuso, 2010-09-06, 1 file, -146/+261)

    Still missing several enumerations that should be documented. You still
    have to look at libnetfilter_conntrack.h to check conntrack object
    attributes.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix regression with helpers for Linux kernel >= 2.6.34 (Pablo Neira Ayuso, 2010-09-03, 1 file, -1/+1)

    Since Linux kernel 2.6.34, the attribute validation for CTA_HELP_NAME
    requires that the string must be NULL terminated.

    I think that this should be fixed in the kernel instead since it breaks old
    binaries of the library. However, we're already in 2.6.36-rc, so let's fix
    it in user-space and hope that everyone upgrades.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix NAT sequence adjustment setter (Pablo Neira Ayuso, 2010-07-13, 1 file, -4/+4)

    This patch fixes the NAT sequence adjustment setter (they were swapped!).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add missing setters for TCP window scale factor support (Pablo Neira Ayuso, 2010-07-09, 1 file, -0/+12)

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: fix filtering for several network address/mask (Pablo Neira Ayuso, 2010-07-07, 1 file, -1/+1)

    This patch fixes kernel-space filtering via BSF for several network
    addresses. The problem is that we store the network address of the netlink
    message in the ALU. Then, we perform an AND of the network mask and the
    address, this operation is stored again in the ALU. If we compare the
    address with a second address, we have to reload the address to the ALU.

    The following example clarifies the problem, in the following order, we
    want to filter:

        1) 224.0.0.0/4
        2) 127.0.0.1/32

    Now, we receive traffic from 127.0.0.1, it should be filtered. However,
    without this patch, it is not. Let's see why:

        ALU 7f000001 (addr=127.0.0.1)
        AND f0000000 (cidr=4)
        -------------------------------
        ALU 70000000

    this is stored in the ALU. Then, we check for 127.0.0.1:

        ALU 70000000 (addr=127.0.0.1) <-- it should be 7f000001
        AND ffffffff (cidr=32)
        -------------------------------
        ALU 70000000

    This does not match 7f000001. To fix this, we have to reload 7f000001 to
    the ALU. Thus, the second comparison works fine.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
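As an added example, not part of this commit or of libnetfilter_conntrack: a small C emulator of the accumulator semantics the message describes, using its own simplified opcode names rather than the real cBPF encoding. It runs the two-rule filter with and without the reload and shows that 127.0.0.1 only matches once the address is loaded again before the second mask.

```c
/* Added example, not libnetfilter_conntrack code: a minimal emulator for the
 * accumulator semantics of classic BPF ("BSF") as described in the commit above.
 * Opcode names are this example's own, not the real cBPF encoding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum op { LD_ADDR, AND_K, JEQ_K, RET_K };
/* k: netmask, address to compare, or return value; jt/jf: JEQ_K offsets
 * relative to the next instruction, as in classic BPF. */
struct insn { enum op code; uint32_t k; uint8_t jt, jf; };

/* Run a filter over one packet address; returns the RET_K value (1 = match). */
static uint32_t run_filter(const struct insn *prog, size_t n, uint32_t addr)
{
    uint32_t A = 0;                                   /* the accumulator ("ALU") */
    for (size_t pc = 0; pc < n; ) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LD_ADDR: A = addr;  pc++; break;         /* load address from packet */
        case AND_K:   A &= i->k; pc++; break;         /* apply the netmask */
        case JEQ_K:   pc += 1 + (A == i->k ? i->jt : i->jf); break;
        case RET_K:   return i->k;
        }
    }
    return 0;                                         /* fell off the end: no match */
}

/* "224.0.0.0/4 or 127.0.0.1/32" as built before the fix: the second AND reuses
 * the already-masked value that the first comparison left in the accumulator. */
static const struct insn buggy[] = {
    { LD_ADDR, 0,          0, 0 },
    { AND_K,   0xf0000000, 0, 0 },
    { JEQ_K,   0xe0000000, 2, 0 },   /* in 224.0.0.0/4 -> RET 1 */
    { AND_K,   0xffffffff, 0, 0 },   /* A is still 0x70000000 for 127.0.0.1 */
    { JEQ_K,   0x7f000001, 0, 1 },   /* == 127.0.0.1 -> RET 1, else RET 0 */
    { RET_K,   1,          0, 0 },
    { RET_K,   0,          0, 0 },
};

/* Same filter with the address reloaded before the second network/mask check. */
static const struct insn fixed[] = {
    { LD_ADDR, 0,          0, 0 },
    { AND_K,   0xf0000000, 0, 0 },
    { JEQ_K,   0xe0000000, 3, 0 },
    { LD_ADDR, 0,          0, 0 },   /* reload 0x7f000001 into the accumulator */
    { AND_K,   0xffffffff, 0, 0 },
    { JEQ_K,   0x7f000001, 0, 1 },
    { RET_K,   1,          0, 0 },
    { RET_K,   0,          0, 0 },
};

uint32_t matches_buggy(uint32_t a) { return run_filter(buggy, sizeof buggy / sizeof buggy[0], a); }
uint32_t matches_fixed(uint32_t a) { return run_filter(fixed, sizeof fixed / sizeof fixed[0], a); }

int main(void)
{
    printf("127.0.0.1: buggy=%u fixed=%u\n", (unsigned)matches_buggy(0x7f000001), (unsigned)matches_fixed(0x7f000001));
    return 0;
}
```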
* ct: print zone before use (Pablo Neira Ayuso, 2010-06-13, 1 file, -5/+5)

    make output of nfct_snprintf() similar to /proc/net/nf_conntrack.

        tcp      6 23 TIME_WAIT src=XX.208.XX.243 dst=XX.14.XX.100 sport=35917 dport=80 packets=10 bytes=2555 src=XX.14.XX.100 dst=XX.208.XX.243 sport=80 dport=35917 packets=9 bytes=1163 [ASSURED] mark=0 secmark=0 use=2 zone=1
                                                                                                                                                                                                                              ^^^^^^

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add zone support (Pablo Neira Ayuso, 2010-05-03, 8 files, -0/+60)

    Add Patrick's zone support for libnetfilter_conntrack.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: fix access to u64 attributes in netlink messages (Pablo Neira Ayuso, 2010-03-04, 1 file, -11/+19)

    This patch fixes parsing of 64 bits attributes (that are unaligned) in
    ctnetlink.

    It would be better to add nfnl_get_uX() functions similar to those in
    include/net/netlink.h to libnfnetlink to avoid this sort of errors.

    Reported-by: Jan Engelhardt <jengelh@medozas.es>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for TCP window scale factor (Pablo Neira Ayuso, 2010-02-16, 4 files, -0/+52)

    This patch adds the missing bits to support the modification of the TCP
    window scale factor in a conntrack entry. The kernel support has been
    already there since 2.6.23.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* setobjopt: don't autocomplete the reply tuple for ICMP[v6] (Pablo Neira Ayuso, 2009-12-21, 1 file, -2/+15)

    This patch fixes the autocomplete feature for ICMP[v6] entries that makes
    the kernel return EINVAL. Basically, we skip the autocomplete since this is
    already done in the setter.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* snprintf: remove duplicate initializer entry (Hannes Eder, 2009-10-08, 1 file, -1/+0)

    Signed-off-by: Hannes Eder <heder@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: make symbols used only in file scope static (Hannes Eder, 2009-10-08, 3 files, -76/+78)

    Signed-off-by: Hannes Eder <heder@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: use ANSI style function (Hannes Eder, 2009-10-08, 1 file, -2/+2)

    Signed-off-by: Hannes Eder <heder@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dccp: fix endianness in handshake_seq (Pablo Neira Ayuso, 2009-07-16, 2 files, -4/+12)

    This patch fixes missing endianness conversion of the new attribute
    ATTR_HANDSHAKE_SEQ that was included in
    19f35b21dbe2bb4386eeced4e0d87f3b2e1d.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ATTR_DCCP_SEQ by ATTR_DCCP_HANDSHAKE_SEQ (Pablo Neira Ayuso, 2009-07-16, 5 files, -14/+15)

    This patch renames the attribute constant to access the DCCP handshake
    sequence number that was recently committed in
    19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf.

    No release with the old name has been done, so no problems about backward
    compatibility although it'd be better if I don't push changes that I have
    to modify very soon afterwards.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for DCCP 64-bits sequence number tracking (Pablo Neira Ayuso, 2009-07-14, 6 files, -0/+58)

    From: Pablo Neira Ayuso <pablo@netfilter.org>

    This patch adds the support for the DCCP sequence number tracking that is
    included in the upcoming Linux kernel 2.6.31.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bsf: add support for IPv6 address filtering (Pablo Neira Ayuso, 2009-07-14, 2 files, -0/+194)

    This patch adds support to auto-generate BSF code for IPv6. It requires a
    Linux kernel >= 2.6.29.

    The maximum number of addresses is limited to 20 (12 BSF lines per IPv6
    address comparison). I am not sure that to remove this limit is useful
    given that oprofile does not show very good numbers for very large (in
    terms of lines) filters.

    This completes one feature that is available in IPv4 but that was missing
    in IPv6.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove unrequired checking in the protocol information (Pablo Neira Ayuso, 2009-07-08, 1 file, -24/+10)

    This patch removes a checking that is performed before building the
    protocol private information. This checking silently removed any protocol
    attribute if the configuration is inconsistent. With this change, the
    kernel reports the error to tell that some attributes are missing.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>