summaryrefslogtreecommitdiffstats
path: root/src/expect
Commit message (Collapse)AuthorAgeFilesLines
* expect: missing layer 3 protocol number in NAT informationPablo Neira Ayuso2012-09-111-0/+3
| | | | | | It was missing, add it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: fix compilation warning in nfexp_nlmsg_buildPablo Neira Ayuso2012-08-211-9/+0
| | | | | | | | | | build_mnl.c: In function 'nfexp_nlmsg_build': build_mnl.c:18:11: warning: variable 'l3num' set but not used [-Wunused-but-set-variable] This patch relaxes the checking for the L3PROTO. The kernel will report EINVAL in case that something is missing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add new API to build/parse ctnetlink messages using libmnlPablo Neira Ayuso2012-05-263-1/+157
| | | | | | | | This patch adds support to build and to parse netlink messages from/to one user-space nf_conntrack object. It uses libmnl, thus libnetfilter_conntrack now depends on this library. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: support NFCT_Q_CREATE_UPDATE in nfexp_queryKelvie Wong2012-05-071-0/+3
| | | | | | | | | This will work as it does in conntrack; it won't pass NLM_F_ACK into ctnetlink_new_expect in the kernel, and will thus invoke ctnetlink_change_expect if the expectation already exists. Signed-off-by: Kelvie Wong <kelvie@ieee.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: fix missing whitespace after expectation flags in nfexp_snprintfPablo Neira Ayuso2012-02-071-1/+5
| | | | | | | | | | | | | | Before: proto=17 src=192.168.11.4 dst=192.168.10.4 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.4 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENTclass=0 helper=sip [active since 8s] After: proto=17 src=192.168.11.4 dst=192.168.10.4 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.4 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 8s] Note the space after PERMANENT. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: fix comparison of expectation class and flagsPablo Neira Ayuso2012-02-071-4/+4
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: CTA_EXPECT_HELP_NAME must be NULL-terminatedPablo Neira Ayuso2012-02-061-1/+1
| | | | | | | Make sure this attribute is a NULL-terminated string, otherwise we hit EINVAL if we set this attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add expectfn supportPablo Neira Ayuso2012-02-064-0/+27
| | | | | | This patch allows you to set expectfn. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add NAT supportPablo Neira Ayuso2012-02-064-0/+55
| | | | | | This patch adds ATTR_EXP_NAT_TUPLE and ATTR_EXP_NAT_DIR attributes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add class supportPablo Neira Ayuso2012-02-067-0/+53
| | | | | | This patch allows you to specify the expectation class. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add XML support for nfexp_snprintf()Pablo Neira Ayuso2012-01-223-1/+274
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Example of the XML output: <flow type="new"> <layer3 protonum="2" protoname="IPv4"> <expected> <src>192.168.0.2</src> <dst>192.168.1.2</dst> </expected> <mask> <src>255.255.255.255</src> <dst>255.255.255.255</dst> </mask> <master> <src>192.168.0.2</src> <dst>192.168.1.2</dst> </master> </layer3> <layer4 protonum="6" protoname="tcp"> <expected> <sport>0</sport> <dport>41739</dport> </expected> <mask> <sport>0</sport> <dport>65535</dport> </mask> <master> <sport>36390</sport> <dport>21</dport> </master> </layer4> <meta> <helper-name>ftp</helper-name> <timeout>300</timeout> <zone>0</zone> </meta> </flow> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add nfexp_cmpPablo Neira Ayuso2012-01-043-0/+94
| | | | | | | | | This patch adds nfexp_cmp that allows you to compare two expectation objects. This includes the extension of test_api for this new function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: put nf_expect and nf_conntrack into dietPablo Neira Ayuso2012-01-044-33/+21
| | | | | | | | | | | | | | | | Now, struct nf_expect takes only 192 bytes, instead of 1KB. struct nf_conntrack takes 296 bytes instead of 328 bytes. The size of the nf_expect structure has been reduced by rearranging the layout of the nf_conntrack structure. For the nf_conntrack case, this removes the allocation of room for attributes that the master tuple does not use (more specifically, the NATseq bytes). This patch modifies the binary layout of struct nf_conntrack. This should not be a problem since the definition of this object is opaque (it can be only accessed via get/set API). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: clarify licensing terms of library (GPLv2+)Pablo Neira Ayuso2011-12-307-21/+35
| | | | | | | | | | | | | | | | This patch is *not* changing the licensing terms of this library (which was initially released under GPLv2 and later on extended to GPLv2+ after contacting all the contributors who kindly agreed to extend it to any later GPL version). Jan says: "In libnetfilter_conntrack, there are many .c files declaring GNU GPL incorporated herein by reference without telling which version(s) exactly apply. Given src/main.c for example is actually GPL-2.0+, the reference made is ambiguous." This patch should definitely clarify this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: export NFCT_HELPER_NAME_MAXPablo Neira Ayuso2011-12-241-2/+2
| | | | | | | NFCT_HELPER_NAME_MAX is 16, which is the maximum helper name allowed since 2.6.29. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: modify output by moving zone and flags to the end of the linePablo Neira Ayuso2011-12-241-18/+18
| | | | | | | | Now, the output of nfexp_snprintf looks like this: 299 proto=6 src=192.168.1.130 dst=130.89.148.12 sport=0 dport=45420 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.130 master-dst=130.89.148.12 sport=46368 dport=21 helper=ftp Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: support CTA_EXPECT_HELP_NAMEPablo Neira Ayuso2011-12-245-0/+32
| | | | | | | | This patch adds support for CTA_EXPECT_HELP_NAME. We now have the ATTR_EXP_HELPER_NAME attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add nfexp_send()Pablo Neira Ayuso2011-12-081-0/+32
| | | | | | It is like nfct_send() but for expectations, for API symmetry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: nfexp_snprintf displays mask and master tuple informationPablo Neira Ayuso2011-12-062-2/+25
| | | | | | | | | | | | | | | | This patch adds mask and master tuple information regarding one expectation. This information has been not shown so far. I consider that it is interesting because you can use this information to troubleshoot expectation issues. Moreover, you can know which is the master conntrack that this expectation is attached to. This extends the text-based output for `conntrack -L exp'. This can be considered a backward compatibily issue since existing tools that are parsing this interface may break. But this is not our fault, we provide an API to the conntrack table via libnetfilter_conntrack. People should use those. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: nfexp_snprintf prints expectation timeout if presentPablo Neira Ayuso2011-10-271-2/+14
| | | | | | Otherwise, we don't print it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: fix missing parsing of master tuplePablo Neira Ayuso2011-10-271-6/+15
| | | | | | | The master tuple was not parsed. This patch also fixes an incorrect use of the exp->set field for the expectation and mask tuples. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: deprecate low level APIPablo Neira Ayuso2011-02-221-31/+39
| | | | | | | | | | | | This patch deprecates the low level API. This API is not currently used by any known clients (at least, at a quick glance at google). These functions are a problem if we plan to port libnetfilter_conntrack upon libmnl since they contain specific libnfnetlink bits. I have also added __build_query_[ct|exp] to avoid compilation warnings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use -Wall across the entire sourceJan Engelhardt2010-12-301-2/+0
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: declare non-modified data as constJan Engelhardt2010-11-093-3/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* expect: export already implement low-level functionsPablo Neira Ayuso2010-11-091-14/+14
| | | | | | | | | | | This patch exports several low-level function that allow to build and parse netlink messages that contain ctnetlink expectation information. They have been in the tree for quite so long, but they were not exported. To leave the library in a consistent state (ctnetlink conntrack functions provide the similar functionality) I have decided to export them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use nfct handler for conntrack and expectations at the same timePablo Neira Ayuso2010-11-083-74/+19
| | | | | | | | | | This patch re-works the callback handling to allow the use the same socket to send/receive commands and listen to events of both conntrack and expectation subsystems. Now you can register one callback for conntrack and one for expectation with the same handler with no problems (before this patch, this was not possible, you required two different handlers). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: no need for error message in PKG_CHECK_MODULESJan Engelhardt2010-10-301-2/+1
| | | | | | | | | | PKG_CHECK_MODULES already produces its own (and more verbose) messsage when a module cannot be found. Mucking around with CFLAGS and LIBS is also not needed since pkgconfig takes care of providing variables, so let's use them in Makefile.am. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove -fPIC flagJan Engelhardt2010-10-301-1/+1
| | | | | | libtool automatically adds PIC flags as needed. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* expect: add missing tags for expectation eventsPablo Neira Ayuso2010-10-081-0/+6
| | | | | | | | | This patch adds missing tags such as [UPDATE] and [DESTROY] for expectation events. The Linux kernel does not support any of this expectation events yet, but we include it for future use. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add support for CTA_EXPECT_FLAGSPablo Neira Ayuso2010-10-075-3/+44
| | | | | | This patch allows to set the expectation flags from user-space. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add CTA_EXPECT_ZONE supportPablo Neira Ayuso2010-10-075-2/+34
| | | | | | | We also remove the reference to CTA_EXPECT_QUEUENR with was not ever pushed into Linux kernel mainline. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix warning in compilationPablo Neira Ayuso2010-10-031-1/+1
| | | | | | | | | | | This warning has been there for quite some time, fix it by relaxing the const type checking. callback.c: In function `__expect_callback': callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type ../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **' Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: convert documentation from kerneldoc to doxygen formatPablo Neira Ayuso2010-09-061-82/+136
| | | | | | | | Still missing several enumerations that should be documented. You still have to look at libnetfilter_conntrack.h to check conntrack object attributes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: make symbols used only in file scope staticHannes Eder2009-10-081-14/+14
| | | | | Signed-off-by: Hannes Eder <heder@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: use ANSI style functionHannes Eder2009-10-081-2/+2
| | | | | Signed-off-by: Hannes Eder <heder@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expect: add new callback interface while keeping backward compatibilityPablo Neira Ayuso2009-07-162-0/+77
| | | | | | | | | This patch the new expectation callback interface. This change is like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to expectations. The netlink message contains the portID that is useful to identify the origin of the message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove reminiscent of NFCT_DIR_ORIGINAL and old prototypesPablo Neira Ayuso2009-02-171-2/+2
| | | | | | | | This patch removes a reminiscent constant of the old API whose value is the same of __DIR_ORIG. This patch also removes the prototype definition from libnetfilter_conntrack.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* api: fix bogus netlink flags in nfexp_build_querylibnetfilter_conntrack-0.0.98Pablo Neira Ayuso2008-11-291-2/+2
| | | | | | | This patch removes unnecessary flags included in NFCT_Q_DUMP, and NFCT_Q_DESTROY requests for expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup: split internal.h into several internal header filesPablo Neira Ayuso2008-07-258-8/+8
| | | | | | | This patch cleanups the internal headers by splitting them into several logical pieces. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Use union of char buffer and message header to ensure proper byteFabian Hugelshofer2008-06-181-4/+6
| | | | | | alignment. Signed-off-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
* several cleanups for Makefile.am/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-131-10/+6
|
* fix several compilation warnings (reported by J.Engelhardt)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-12-091-0/+2
|
* The getters have to point to the right sized types, otherwise they don't ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-09-021-3/+3
| | | | work on big-endian. Philip Craig <philipc@snapgear.com>
* nfexp_snprintf behaves as snprintf C99/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-06-072-27/+14
|
* - add warning note to ctnl_test.c: old API is deprecated/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-05-062-23/+54
| | | | | | | | - split expect_api_test.c into small example files expect_*.c - introduce alias tags for original tuple attributes - introduce nfexp_sizeof and nfexp_maxsize - build expectation attributes iif they are set - fix l3num setting in expect/build.c
* introduce the new expectation API/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-05-019-0/+894