| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntrack object. It uses libmnl, thus
libnetfilter_conntrack now depends on this library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This will work as it does in conntrack; it won't pass NLM_F_ACK into
ctnetlink_new_expect in the kernel, and will thus invoke
ctnetlink_change_expect if the expectation already exists.
Signed-off-by: Kelvie Wong <kelvie@ieee.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
proto=17 src=192.168.11.4 dst=192.168.10.4 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.4 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENTclass=0 helper=sip [active since 8s]
After:
proto=17 src=192.168.11.4 dst=192.168.10.4 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.4 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 8s]
Note the space after PERMANENT.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Make sure this attribute is a NULL-terminated string, otherwise
we hit EINVAL if we set this attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch allows you to set expectfn.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds ATTR_EXP_NAT_TUPLE and ATTR_EXP_NAT_DIR attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch allows you to specify the expectation class.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example of the XML output:
<flow type="new">
<layer3 protonum="2" protoname="IPv4">
<expected>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</expected>
<mask>
<src>255.255.255.255</src>
<dst>255.255.255.255</dst>
</mask>
<master>
<src>192.168.0.2</src>
<dst>192.168.1.2</dst>
</master>
</layer3>
<layer4 protonum="6" protoname="tcp">
<expected>
<sport>0</sport>
<dport>41739</dport>
</expected>
<mask>
<sport>0</sport>
<dport>65535</dport>
</mask>
<master>
<sport>36390</sport>
<dport>21</dport>
</master>
</layer4>
<meta>
<helper-name>ftp</helper-name>
<timeout>300</timeout>
<zone>0</zone>
</meta>
</flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch adds nfexp_cmp that allows you to compare two expectation
objects.
This includes the extension of test_api for this new function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now, struct nf_expect takes only 192 bytes, instead of 1KB.
struct nf_conntrack takes 296 bytes instead of 328 bytes.
The size of the nf_expect structure has been reduced by rearranging
the layout of the nf_conntrack structure. For the nf_conntrack case,
this removes the allocation of room for attributes that the master
tuple does not use (more specifically, the NATseq bytes).
This patch modifies the binary layout of struct nf_conntrack.
This should not be a problem since the definition of this
object is opaque (it can be only accessed via get/set API).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is *not* changing the licensing terms of this library (which
was initially released under GPLv2 and later on extended to GPLv2+ after
contacting all the contributors who kindly agreed to extend it to any
later GPL version).
Jan says: "In libnetfilter_conntrack, there are many .c files declaring
GNU GPL incorporated herein by reference without telling which version(s)
exactly apply. Given src/main.c for example is actually GPL-2.0+,
the reference made is ambiguous."
This patch should definitely clarify this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
NFCT_HELPER_NAME_MAX is 16, which is the maximum helper name
allowed since 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Now, the output of nfexp_snprintf looks like this:
299 proto=6 src=192.168.1.130 dst=130.89.148.12 sport=0 dport=45420 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.130 master-dst=130.89.148.12 sport=46368 dport=21 helper=ftp
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds support for CTA_EXPECT_HELP_NAME.
We now have the ATTR_EXP_HELPER_NAME attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
It is like nfct_send() but for expectations, for API symmetry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds mask and master tuple information regarding one
expectation. This information has been not shown so far. I consider
that it is interesting because you can use this information to
troubleshoot expectation issues. Moreover, you can know which is
the master conntrack that this expectation is attached to.
This extends the text-based output for `conntrack -L exp'. This
can be considered a backward compatibily issue since existing
tools that are parsing this interface may break. But this is not
our fault, we provide an API to the conntrack table via
libnetfilter_conntrack. People should use those.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Otherwise, we don't print it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The master tuple was not parsed. This patch also fixes an incorrect
use of the exp->set field for the expectation and mask tuples.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch deprecates the low level API. This API is not currently
used by any known clients (at least, at a quick glance at google).
These functions are a problem if we plan to port libnetfilter_conntrack
upon libmnl since they contain specific libnfnetlink bits.
I have also added __build_query_[ct|exp] to avoid compilation warnings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch exports several low-level function that allow to build
and parse netlink messages that contain ctnetlink expectation
information. They have been in the tree for quite so long, but
they were not exported. To leave the library in a consistent state
(ctnetlink conntrack functions provide the similar functionality)
I have decided to export them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch re-works the callback handling to allow the use the same socket
to send/receive commands and listen to events of both conntrack and
expectation subsystems. Now you can register one callback for conntrack
and one for expectation with the same handler with no problems (before
this patch, this was not possible, you required two different handlers).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
PKG_CHECK_MODULES already produces its own (and more verbose) messsage
when a module cannot be found.
Mucking around with CFLAGS and LIBS is also not needed since pkgconfig
takes care of providing variables, so let's use them in Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
libtool automatically adds PIC flags as needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
This patch adds missing tags such as [UPDATE] and [DESTROY]
for expectation events. The Linux kernel does not support
any of this expectation events yet, but we include it for
future use.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch allows to set the expectation flags from user-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
We also remove the reference to CTA_EXPECT_QUEUENR with was not ever
pushed into Linux kernel mainline.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This warning has been there for quite some time, fix it by relaxing the
const type checking.
callback.c: In function `__expect_callback':
callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type
../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **'
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Still missing several enumerations that should be documented.
You still have to look at libnetfilter_conntrack.h to check
conntrack object attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch the new expectation callback interface. This change is
like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to
expectations. The netlink message contains the portID that is useful
to identify the origin of the message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch removes a reminiscent constant of the old API whose value
is the same of __DIR_ORIG. This patch also removes the prototype
definition from libnetfilter_conntrack.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch removes unnecessary flags included in NFCT_Q_DUMP,
and NFCT_Q_DESTROY requests for expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch cleanups the internal headers by splitting them into several
logical pieces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
alignment.
Signed-off-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
|
| |
|
| |
|
|
|
|
| |
work on big-endian. Philip Craig <philipc@snapgear.com>
|
| |
|
|
|
|
|
|
|
|
| |
- split expect_api_test.c into small example files expect_*.c
- introduce alias tags for original tuple attributes
- introduce nfexp_sizeof and nfexp_maxsize
- build expectation attributes iif they are set
- fix l3num setting in expect/build.c
|
|
|