path: root/src
Commit message / Author / Date / Files / Lines (-removed/+added)

* src: add support for DCCP 64-bit sequence number tracking
  Author: Pablo Neira Ayuso | Date: 2009-07-14 | Files: 6 | Lines: -0/+58
  From: Pablo Neira Ayuso <pablo@netfilter.org>
  This patch adds the support for the DCCP sequence number tracking that is included in the upcoming Linux kernel 2.6.31.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* bsf: add support for IPv6 address filtering
  Author: Pablo Neira Ayuso | Date: 2009-07-14 | Files: 2 | Lines: -0/+194
  This patch adds support to auto-generate BSF code for IPv6. It requires a Linux kernel >= 2.6.29. The maximum number of addresses is limited to 20 (12 BSF lines per IPv6 address comparison). I am not sure that removing this limit is useful given that oprofile does not show very good numbers for very large (in terms of lines) filters. This completes one feature that is available in IPv4 but that was missing in IPv6.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* build: remove unrequired checking in the protocol information
  Author: Pablo Neira Ayuso | Date: 2009-07-08 | Files: 1 | Lines: -24/+10
  This patch removes a check that is performed before building the protocol private information. This check silently removed any protocol attribute if the configuration is inconsistent. With this change, the kernel reports the error to tell that some attributes are missing.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tcp: add support for SYN_SENT2 state
  Author: Pablo Neira Ayuso | Date: 2009-06-10 | Files: 1 | Lines: -1/+1
  This patch adds support for the new SYN_SENT2 state that Jozsef has introduced to support TCP simultaneous open in 2.6.31. We can safely include support for this feature now since the LISTEN state was not ever really used.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* snprintf: perform strict checking for the protocol state value
  Author: Pablo Neira Ayuso | Date: 2009-05-30 | Files: 2 | Lines: -6/+21
  This patch avoids possible out-of-bound array access if protocol states higher than the accepted are used.
  Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* api: add new callback interface while keeping backward compatibility
  Author: Pablo Neira Ayuso | Date: 2009-05-23 | Files: 2 | Lines: -0/+76
  This patch adds nfct_callback_register2() and nfct_callback_unregister2(), which allow registering a callback function with a new callback interface that includes the Netlink message. This fixes an early design error. This is not nice but it is the only way to resolve this problem without breaking backward compatibility (I don't like function versioning, it is messy).
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: add DCCP role attribute
  Author: Pablo Neira Ayuso | Date: 2009-04-24 | Files: 5 | Lines: -6/+34
  This patch adds DCCP role attribute support. This needs Linux kernel >= 2.6.30.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* copy: add missing ATTR_DCCP_STATE in nfct_copy()
  Author: Pablo Neira Ayuso | Date: 2009-04-24 | Files: 1 | Lines: -0/+7
  This patch adds the missing ATTR_DCCP_STATE in nfct_copy().
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* snprintf: fix missing port output in DCCP
  Author: Pablo Neira Ayuso | Date: 2009-04-24 | Files: 2 | Lines: -0/+2
  This patch adds missing DCCP ports in the output:
    # conntrack -D -p dccp
    dccp 33 18 RESPOND src=1.1.1.1 dst=2.2.2.2 packets=0 bytes=0 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 packets=0 bytes=0 mark=0 secmark=0 use=2
    conntrack v0.9.12 (conntrack-tools): 1 flow entries have been deleted.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* parse: fix SCTP vtag parsing
  Author: Pablo Neira Ayuso | Date: 2009-04-18 | Files: 1 | Lines: -2/+2
  This patch fixes an unfortunate bug in the SCTP vtag parsing.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* snprintf: fix output of GRE dstkey in XML
  Author: Pablo Neira Ayuso | Date: 2009-04-18 | Files: 1 | Lines: -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* snprintf: fix missing protocol state support in XML output
  Author: Pablo Neira Ayuso | Date: 2009-04-14 | Files: 1 | Lines: -5/+27
  This patch adds the missing bits to display the protocol state in the XML output.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* snprintf: remove duplicated protocol string definitions
  Author: Pablo Neira Ayuso | Date: 2009-04-14 | Files: 3 | Lines: -72/+57
  This patch merges duplicated protocol string definitions in the snprintf infrastructure. I have also fixed the size of the string array. This patch is a cleanup.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: add initial DCCP support
  Author: Pablo Neira Ayuso | Date: 2009-04-14 | Files: 7 | Lines: -9/+94
  This patch adds initial DCCP support for libnetfilter_conntrack.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: add support for UDPlite transport protocol
  Author: Pablo Neira Ayuso | Date: 2009-03-05 | Files: 3 | Lines: -2/+5
  This patch adds support for the UDPlite transport protocol.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: add support for GRE transport protocol
  Author: Pablo Neira Ayuso | Date: 2009-03-05 | Files: 3 | Lines: -3/+21
  This patch adds support for the GRE transport protocol.
  Tested-by: Byan Buff <bduff@ecessa.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: remove reminiscent of NFCT_DIR_ORIGINAL and old prototypes
  Author: Pablo Neira Ayuso | Date: 2009-02-17 | Files: 2 | Lines: -4/+4
  This patch removes a reminiscent constant of the old API whose value is the same as __DIR_ORIG. This patch also removes the prototype definition from libnetfilter_conntrack.h.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: remove old deprecated API
  Author: Pablo Neira Ayuso | Date: 2009-02-17 | Files: 12 | Lines: -1830/+3
  This patch removes the first API version which was scheduled in 2007. That API had several major limitations that the new one solved. I don't know of any known existing client of this old API.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* build: do not unconditionally include TCP state into netlink message
  Tag: libnetfilter_conntrack-0.0.99
  Author: Pablo Neira Ayuso | Date: 2008-12-11 | Files: 1 | Lines: -2/+5
  This patch removes the unconditional inclusion of the TCP state attribute in netlink messages. We cannot assume this for update messages.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* api: fix minor issues in the kerneldoc style documentation
  Author: Pablo Neira Ayuso | Date: 2008-12-09 | Files: 1 | Lines: -25/+24
  This patch fixes some minor issues that confuse kernel-doc in the generation of the API reference documentation.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* api: fix bogus netlink flags in nfexp_build_query
  Tag: libnetfilter_conntrack-0.0.98
  Author: Pablo Neira Ayuso | Date: 2008-11-29 | Files: 1 | Lines: -2/+2
  This patch removes unnecessary flags included in NFCT_Q_DUMP and NFCT_Q_DESTROY requests for expectations.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* api: fix bogus netlink flags in nfct_build_query
  Author: Pablo Neira Ayuso | Date: 2008-11-29 | Files: 1 | Lines: -3/+3
  This patch removes unnecessary flags included in NFCT_Q_DUMP, NFCT_Q_DUMP_RESET and NFCT_Q_DESTROY requests.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* bsf: remove unnecessary function inline
  Author: Pablo Neira Ayuso | Date: 2008-11-28 | Files: 1 | Lines: -9/+9
  This patch removes unnecessary function inlining in the BSF code generation. There is no reason to get any significant performance improvement in an operation that should be done in the initialization path.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* bsf: major rework of the BSF generation code
  Author: Pablo Neira Ayuso | Date: 2008-11-25 | Files: 5 | Lines: -263/+319
  This patch reworks the BSF automatic generation code. This feature needs more love and it has several limitations, like the fact that the maximum number of IPs is 127 due to BSF code restrictions. See this patch as a first step forward. This patch also adds the stack data type, which is used to resolve jumps dynamically instead of the previous static approach. This patch also includes fixes in the limitations; the previous calculations were wrong.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* helper: fix missing copy function for helper name
  Author: Pablo Neira Ayuso | Date: 2008-11-23 | Files: 2 | Lines: -0/+13
  This patch fixes a NULL dereference to a function pointer in nfct_copy() that is triggered when you try to copy the helper name. This patch also adds an assertion to easily report similar problems in the future. Thanks to <pageexec@freemail.hu> for his detailed debugging report.
  Reported-by: Wolfram Schlich <lists@wolfram.schlich.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: set specific array size for the API
  Author: Pablo Neira Ayuso | Date: 2008-11-23 | Files: 7 | Lines: -8/+8
  This patch adds the size of the arrays to set unset elements to NULL. This helps to spot unset functions for new attributes.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* API: add nfct_attr_is_set_array function
  Author: Pablo Neira Ayuso | Date: 2008-10-30 | Files: 1 | Lines: -0/+28
  This new function checks for the presence of a given set of attributes that are passed as an array.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* groups: add attribute group API
  Author: Pablo Neira Ayuso | Date: 2008-10-30 | Files: 5 | Lines: -1/+428
  This new API allows you to set and get some logical set of attributes. This is not intended to replace the existing per-attribute get/set API but to provide a more efficient way to get/set certain attributes. This change includes an example file (conntrack_grp_create.c) of the use of the attribute group API. See ATTR_GRP_* for more information on the existing groups.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* snprintf: fix compilation warning on 64-bit platforms
  Author: Pablo Neira Ayuso | Date: 2008-10-30 | Files: 1 | Lines: -2/+2
  We have to cast the counters to unsigned long long to fix a compilation warning on 64-bit platforms.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* API: use of __builtin_expect in error checking paths
  Author: Pablo Neira Ayuso | Date: 2008-10-30 | Files: 2 | Lines: -10/+10
  This patch introduces likely() and unlikely(), which use __builtin_expect to assist the compiler in the branch decisions. I am assuming that we have no clients of libnetfilter_conntrack that use gcc < 2.96.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* objopt: use indirect calls instead of switch
  Author: Pablo Neira Ayuso | Date: 2008-10-30 | Files: 1 | Lines: -63/+99
  This patch replaces the use of switch by indirect function calls.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* helper: explicit helper assignation support
  Tag: libnetfilter_conntrack-0.0.97
  Author: Pablo Neira Ayuso | Date: 2008-10-13 | Files: 4 | Lines: -0/+50
  This patch adds support for explicit helper assignation. This support will not be of any help without the appropriate kernel support that will go into the Linux kernel 2.6.29 -sic-.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* compare: add two new flags for different level of comparisons
  Author: Pablo Neira Ayuso | Date: 2008-10-02 | Files: 2 | Lines: -194/+344
  This patch adds NFCT_CMP_MASK and NFCT_CMP_STRICT, which determine the level of strictness that is applied to the comparison of two conntrack objects.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* API: fix endianness issue
  Author: Albert Veli | Date: 2008-07-29 | Files: 1 | Lines: -2/+2
  In nfct_build_query() the *data argument is converted into a u_int8_t*. This works for little-endian but not for big-endian.
  Signed-off-by: Albert Veli <albert.veli@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* cleanup: split internal.h into several internal header files
  Author: Pablo Neira Ayuso | Date: 2008-07-25 | Files: 30 | Lines: -34/+44
  This patch cleans up the internal headers by splitting them into several logical pieces.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Extend high-level API for netlink BSF to add negative logic
  Author: Pablo Neira Ayuso | Date: 2008-07-18 | Files: 2 | Lines: -19/+104
  This patch introduces nfct_filter_set_logic() to set the filtering logic, which results in a more flexible solution.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* add berkeley socket filtering high-level API
  Author: Pablo Neira Ayuso | Date: 2008-07-17 | Files: 4 | Lines: -1/+550
  This patch adds an abstraction level to the Berkeley socket filter (BSF) for Netlink sockets, available since Linux kernel 2.6.26. This provides an easy way to attach filters without knowing about BSF at all.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Use union of char buffer and message header to ensure proper byte alignment.
  Author: Fabian Hugelshofer | Date: 2008-06-18 | Files: 2 | Lines: -12/+18
  Signed-off-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>

* fix wrong ATTR_*_L3PROTO handling in the message building
  Author: Pablo Neira Ayuso | Date: 2008-06-16 | Files: 1 | Lines: -8/+14
  - include missing ATTR_MASTER_L3PROTO attribute into messages
  - include ATTR_[ORIG|REPL]_L3PROTO iff there is at least another layer 3 attribute

* fix bug in nfct_cmp() with IPv6 address
  Tag: libnetfilter_conntrack-0.0.94
  Author: Pablo Neira Ayuso | Date: 2008-05-27 | Files: 1 | Lines: -4/+4

* define ICMPV6_NI_QUERY and ICMPV6_NI_REPLY if not set
  Author: Pablo Neira Ayuso | Date: 2008-05-27 | Files: 1 | Lines: -0/+8

* add full support of SCTP
  Author: Pablo Neira Ayuso | Date: 2008-05-21 | Files: 7 | Lines: -3/+136

* fix nfct_copy with NFCT_CP_ORIG and NFCT_CP_REPLY flags
  Author: Pablo Neira Ayuso | Date: 2008-05-20 | Files: 1 | Lines: -8/+15

* fix __nfct_l4 structure layout (specifically, ICMP)
  Author: Pablo Neira Ayuso | Date: 2008-05-16 | Files: 1 | Lines: -8/+82
  fix nfct_cmp(): add port comparison, better ICMP support

* compare layer 3 and layer 4 protocol number before addresses
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-05-16 | Files: 1 | Lines: -28/+28

* improve nfct_copy
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-05-14 | Files: 2 | Lines: -49/+474

* Add missing master tuple getters (reported by Max Wilhelm)
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-04-29 | Files: 2 | Lines: -0/+50

* - bump version to 0.0.92
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-04-16 | Files: 5 | Lines: -19/+79
  - recover the ID support
  - add support for timeout comparison
  - ignore set operation for counters and use attributes
  - fix broken status comparison
  - statify several __snprintf functions

* fix missing bitset in the autocomplete code
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-04-13 | Files: 1 | Lines: -0/+3

* - add nfct_cmp (replacement for nfct_compare, a bit more flexible)
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-04-13 | Files: 6 | Lines: -63/+243
  - add nfct_copy
  - conditional build of original and reply tuples
  - fix secmark parsing