| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |\ |
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |/
|
|
|
|
|
|
|
|
|
| |
This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the
name that is used in the Linux kernel header. Thus, both the headers
and the internal copy for the library are in sync.
This problem was probably introduced at the time that we added support
for the DCCP handshake sequence number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch re-works the callback handling to allow the use the same socket
to send/receive commands and listen to events of both conntrack and
expectation subsystems. Now you can register one callback for conntrack
and one for expectation with the same handler with no problems (before
this patch, this was not possible, you required two different handlers).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
PKG_CHECK_MODULES already produces its own (and more verbose) messsage
when a module cannot be found.
Mucking around with CFLAGS and LIBS is also not needed since pkgconfig
takes care of providing variables, so let's use them in Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
libtool automatically adds PIC flags as needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
| |
This patch adds some missing attribute checkings in the XML
output that may result in inconsistent output (thus, displaying
some attributes out of <meta dir="independent">...</meta>)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This warning has been there for quite some time, fix it by relaxing the
const type checking.
callback.c: In function `__expect_callback':
callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type
../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **'
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes an EINVAL error that we hit in Linux kernel <= 2.6.25.
Basically, if we send an empty CTA_PROTOINFO_TCP attribute nest, the
kernel returns EINVAL. To fix this, we previously check if there is
any TCP attribute set.
Reported-by: Rui Sousa <rui.sousa@mindspeed.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Still missing several enumerations that should be documented.
You still have to look at libnetfilter_conntrack.h to check
conntrack object attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Since Linux kernel 2.6.34, the attribute validation for CTA_HELP_NAME
requires that the string must be NULL terminated. I think that this
should be fixed in the kernel instead since it breaks old binaries of
the library. However, we're already in 2.6.36-rc, so let's fix it
in user-space and hope that everyone upgrades.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch fixes the NAT sequence adjustment setter (they were swapped!).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes kernel-space filtering via BSF for several
network addresses. The problem is that we store the network
address of the netlink message in the ALU. Then, we perform
an AND of the network mask and the address, this operation
is stored again in the ALU. If we compare the address with
a second address, we have to reload the address to the ALU.
The following example clarifies the problem, in the following
order, we want to filter:
1) 224.0.0.0/4
2) 127.0.0.1/32
Now, we receive traffic from 127.0.0.1, it should be filtered.
However, without this patch, it is not. Let's see why:
ALU 7f000001 (addr=127.0.0.1)
AND f0000000 (cidr=4)
-------------------------------
ALU 70000000
this is stored in the ALU. Then, we check for 127.0.0.1:
ALU 70000000 (addr=127.0.0.1) <-- it should be 7f000001
AND ffffffff (cidr=32)
-------------------------------
ALU 70000000
This does not match 7f000001. To fix this, we have to reload
7f000001 to the ALU. Thus, the second comparison works fine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
make output of nfct_snprintf() similar to /proc/net/nf_conntrack.
tcp 6 23 TIME_WAIT src=XX.208.XX.243 dst=XX.14.XX.100 sport=35917 dport=80 packets=10 bytes=2555 src=XX.14.XX.100 dst=XX.208.XX.243 sport=80 dport=35917 packets=9 bytes=1163 [ASSURED] mark=0 secmark=0 use=2 zone=1
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add Patrick's zone support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes parsing of 64 bits attributes (that are unaligned)
in ctnetlink. It would be better to add nfnl_get_uX() functions
similar to those in include/net/netlink.h to libnfnetlink to avoid
this sort of errors.
Reported-by: Jan Engelhardt <jengelh@medozas.es>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds the missing bits to support the modification of the
TCP window scale factor in a conntrack entry. The kernel support
has been already there since 2.6.23.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes the autocomplete feature for ICMP[v6] entries
that makes the kernel return EINVAL. Basically, we skip the
autocomplete since this is already done in the setter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes missing endianess conversion of the new
attribute ATTR_HANDSHAKE_SEQ that was included in
19f35b21dbe2bb4386eeced4e0d87f3b2e1d.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch renames the attribute constant to access the DCCP
handshake sequence number that was recently committed in
19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf. No release with
the old name has been done, so no problems about backward
compatibility although it'd be better if I don't push changes
that I have to modify very soon afterwards.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the support for the DCCP sequence number tracking
that is included in the upcoming Linux kernel 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to auto-generate BSF code for IPv6. It
requires a Linux kernel >= 2.6.29. The maximum number of addresses
is limited to 20 (12 BSF lines per IPv6 address comparison). I am
not sure that to remove this limit is useful given that oprofile
does not show very good numbers for very large (in terms of lines)
filters. This completes one feature that is available in IPv4 but
that was missing in IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch removes a checking that is performed before building the
protocol private information. This checking silently removed any
protocol attribute if the configuration is inconsistent. With this
change, the kernel reports the error to tell that some attributes
are missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds support for the new SYN_SENT2 state that Jozsef
has introduced to support TCP simultaneous open in 2.6.31. We can
safely include support for this feature now since the LISTEN state
was not ever really used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch avoids possible out-of-bound array access if protocol
states higher than the accepted are used.
Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds nfct_callback_register2() and nfct_callback_unregister2()
that allows to register a callback function with a new callback interface
that includes the Netlink message. This fixes an early design error.
This is not nice but it is the only way to resolve this problem without
breaking backward (I don't like function versioning, it is messy).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds DCCP role attribute support. This needs Linux
kernel >= 2.6.30.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds the missing ATTR_DCCP_STATE in nfct_copy().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds missing DCCP ports in the output:
# conntrack -D -p dccp
dccp 33 18 RESPOND src=1.1.1.1 dst=2.2.2.2 packets=0 bytes=0 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 packets=0 bytes=0 mark=0 secmark=0 use=2
conntrack v0.9.12 (conntrack-tools): 1 flow entries have been deleted.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch fixes an unfortunate bug in the SCTP vtag parsing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the missing bits to display the protocol state
in the XML output.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch merges duplicated protocol string definitions in the
snprintf infrastructure. I have also fixed the size of the string
array. This patch is a cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds initial DCCP support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds support for UDPlite transport protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds support for GRE transport protocol.
Tested-by: Byan Buff <bduff@ecessa.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch removes a reminiscent constant of the old API whose value
is the same of __DIR_ORIG. This patch also removes the prototype
definition from libnetfilter_conntrack.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch remove the inconditional inclusion of the TCP state
attribute in netlink messages. We cannot assume this for update
messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch fixes some minor issues that confuse kernel-doc in the
generation of the API reference documentation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch removes unnecessary flags included in NFCT_Q_DUMP,
NFCT_Q_DUMP_RESET and NFCT_Q_DESTROY requests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch removes unnecessary function inlining in the BSF code
generation. There is not reason to get any significant performance
improvement in an operation that should be done in the
initialization path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reworks the BSF automatic generation code. This
feature needs more love and it has several limitations like
that the maximum number of IPs are 127 due to BSF code
restrictions. See this patch as a first step forward.
This patch also adds the stack data type, which is used to
resolve jump dynamically instead of the previous static
approach.
This patch also includes fixes in the limitations, previous
calculations were wrong.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a NULL dereference to a function pointer in
nfct_copy() that is triggered when you try to copy the helper
name. This patch also adds an assertion to easily report similar
problems in the future.
Thanks to <pageexec@freemail.hu> for his detailed debugging report.
Reported-by: Wolfram Schlich <lists@wolfram.schlich.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the size of the arrays to set to NULL unset
elements. This helps to spot unset functions for new attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This new function checks for the presence of a given set of
attributes that are passed as an array.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
