| Commit message | Author | Age | Files | Lines |
static analysis (analysis based only on compiling of sources, not based
on running of binary) of the code revealed the following problem:
conntrack/objopt.c:63: self_assign: Assignment operation
"ct->snat.l4max.all = ct->snat.l4max.all"
has no effect.
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> CC parse.lo
> parse.c: In function ‘__parse_conntrack’:
> parse.c:434:15: warning: array subscript is above array bounds
>
> struct nfattr *tb[CTA_SECCTX_MAX]
> 434: ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1]))
>
> CTA_SECCTX has value 19, and CTA_SECCTX_MAX is just 1.
Reported-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch deprecates the low level API. This API is not currently
used by any known clients (at least, at a quick glance at google).
These functions are a problem if we plan to port libnetfilter_conntrack
upon libmnl since they contain specific libnfnetlink bits.
I have also added __build_query_[ct|exp] to avoid compilation warnings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
These functions are evil since they allow the use of memcpy() instead
of nfct_copy(). This is a problem because it violates the design
principle that the library follows, that is to provide opaque objects
in which the client code does not care about the binary layout.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Thus, we have a fast version of nfct_copy() which allows copying
the destination to the origin. After this call, the
destination is a clone of the origin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This problem was caught by qa/test_api.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the connection tracking extension that allows
conntrack timestamping.
This requires a Linux kernel >= 2.6.38.
We now have 65 attributes, so we need 96 bits to store which attributes
are set in the objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes an embarrassing use-after-free in nfct_destroy()
that was introduced by myself in:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=fdda1474cc8654430f245b7f01c30e8ff171fa60
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the new attribute CTA_SECCTX that
supersedes CTA_SECMARK.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This fixes a minor problem introduced in b245e4092c5a7f09729e64868a42e13f48a
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch uses CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ instead which is the
name that is used in the Linux kernel header. Thus, both the headers
and the internal copy for the library are in sync.
This problem was probably introduced at the time that we added support
for the DCCP handshake sequence number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch exports several low-level functions that allow building
and parsing netlink messages that contain ctnetlink expectation
information. They have been in the tree for quite long, but
they were not exported. To leave the library in a consistent state
(ctnetlink conntrack functions provide similar functionality)
I have decided to export them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch re-works the callback handling to allow using the same socket
to send/receive commands and listen to events of both conntrack and
expectation subsystems. Now you can register one callback for conntrack
and one for expectation with the same handler with no problems (before
this patch, this was not possible, you required two different handlers).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
PKG_CHECK_MODULES already produces its own (and more verbose) message
when a module cannot be found.
Mucking around with CFLAGS and LIBS is also not needed since pkgconfig
takes care of providing variables, so let's use them in Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
libtool automatically adds PIC flags as needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This patch adds some missing attribute checks in the XML
output that may result in inconsistent output (thus, displaying
some attributes out of <meta dir="independent">...</meta>)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds missing tags such as [UPDATE] and [DESTROY]
for expectation events. The Linux kernel does not support
any of these expectation events yet, but we include them for
future use.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows setting the expectation flags from user-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We also remove the reference to CTA_EXPECT_QUEUENR which was never
pushed into Linux kernel mainline.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This warning has been there for quite some time, fix it by relaxing the
const type checking.
callback.c: In function `__expect_callback':
callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type
../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **'
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes an EINVAL error that we hit in Linux kernel <= 2.6.25.
Basically, if we send an empty CTA_PROTOINFO_TCP attribute nest, the
kernel returns EINVAL. To fix this, we previously check if there is
any TCP attribute set.
Reported-by: Rui Sousa <rui.sousa@mindspeed.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Still missing several enumerations that should be documented.
You still have to look at libnetfilter_conntrack.h to check
conntrack object attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since Linux kernel 2.6.34, the attribute validation for CTA_HELP_NAME
requires that the string must be NULL terminated. I think that this
should be fixed in the kernel instead since it breaks old binaries of
the library. However, we're already in 2.6.36-rc, so let's fix it
in user-space and hope that everyone upgrades.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the NAT sequence adjustment setter (they were swapped!).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes kernel-space filtering via BSF for several
network addresses. The problem is that we store the network
address of the netlink message in the ALU. Then, we perform
an AND of the network mask and the address, this operation
is stored again in the ALU. If we compare the address with
a second address, we have to reload the address to the ALU.
The following example clarifies the problem. In the following
order, we want to filter:
1) 224.0.0.0/4
2) 127.0.0.1/32
Now, we receive traffic from 127.0.0.1, it should be filtered.
However, without this patch, it is not. Let's see why:
ALU 7f000001 (addr=127.0.0.1)
AND f0000000 (cidr=4)
-------------------------------
ALU 70000000
this is stored in the ALU. Then, we check for 127.0.0.1:
ALU 70000000 (addr=127.0.0.1) <-- it should be 7f000001
AND ffffffff (cidr=32)
-------------------------------
ALU 70000000
This does not match 7f000001. To fix this, we have to reload
7f000001 to the ALU. Thus, the second comparison works fine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
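The commit message above walks the accumulator by hand. The following is an added example, not code from libnetfilter_conntrack: a deliberately small model of the accumulator-based BSF/BPF subset the address filter relies on (load address, AND with mask, compare, return), with a generator that can emit either the buggy program (address loaded once, so the second AND operates on the already masked value) or the fixed one (address reloaded before every AND). The instruction encoding, the `RET_ACCEPT`/`RET_REJECT` values and the two-entry filter list are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not libnetfilter_conntrack code: a tiny model of the
 * accumulator-based BSF/BPF instruction subset the address filter relies on. */
enum op { OP_LD_ADDR, OP_AND_K, OP_JEQ_K, OP_RET_K };

struct insn {
    enum op  op;
    uint32_t k;   /* immediate operand */
    uint8_t  jt;  /* offset to jump if JEQ is true (relative to next insn) */
};

struct cidr { uint32_t addr; uint32_t mask; };

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PREFIX_MASK(p) ((p) == 0 ? 0u : (uint32_t)(0xffffffffu << (32 - (p))))
#define RET_ACCEPT 0xffffffffu
#define RET_REJECT 0u
#define MAX_ADDRS  20

/* Interpret the program against one source address; returns the RET value. */
static uint32_t run_filter(const struct insn *prog, size_t len, uint32_t pkt_addr)
{
    uint32_t acc = 0;   /* the ALU accumulator from the commit message */
    size_t pc = 0;

    while (pc < len) {
        const struct insn *i = &prog[pc++];
        switch (i->op) {
        case OP_LD_ADDR: acc = pkt_addr;                break;
        case OP_AND_K:   acc &= i->k;                   break;
        case OP_JEQ_K:   if (acc == i->k) pc += i->jt;  break;
        case OP_RET_K:   return i->k;
        }
    }
    return RET_REJECT;
}

/* Emit "(addr AND mask) == network" for each entry. With reload_each == 0 the
 * address is loaded once, so every AND after the first operates on an already
 * masked value (the bug); with reload_each != 0 it is reloaded before each AND. */
static size_t build_filter(struct insn *out, const struct cidr *list, size_t n, int reload_each)
{
    size_t pc = 0, i, j, accept_pc;

    for (i = 0; i < n; i++) {
        if (i == 0 || reload_each)
            out[pc++] = (struct insn){ OP_LD_ADDR, 0, 0 };
        out[pc++] = (struct insn){ OP_AND_K, list[i].mask, 0 };
        out[pc++] = (struct insn){ OP_JEQ_K, list[i].addr & list[i].mask, 0 };
    }
    out[pc++] = (struct insn){ OP_RET_K, RET_REJECT, 0 };   /* no entry matched */
    accept_pc = pc;
    out[pc++] = (struct insn){ OP_RET_K, RET_ACCEPT, 0 };

    /* Patch every JEQ to jump straight to the accepting RET. */
    for (j = 0; j < accept_pc; j++)
        if (out[j].op == OP_JEQ_K)
            out[j].jt = (uint8_t)(accept_pc - (j + 1));
    return pc;
}

static int filter_accepts(const struct cidr *list, size_t n, int reload_each, uint32_t addr)
{
    struct insn prog[3 * MAX_ADDRS + 2];
    size_t len = build_filter(prog, list, n, reload_each);
    return run_filter(prog, len, addr) == RET_ACCEPT;
}

/* Constructed filter list from the commit message: 224.0.0.0/4 then 127.0.0.1/32. */
static const struct cidr sample_filter[] = {
    { IPV4(224, 0, 0, 0), PREFIX_MASK(4)  },
    { IPV4(127, 0, 0, 1), PREFIX_MASK(32) },
};

int sample_accepts_without_reload(uint32_t addr)
{
    return filter_accepts(sample_filter, 2, 0, addr);
}

int sample_accepts_with_reload(uint32_t addr)
{
    return filter_accepts(sample_filter, 2, 1, addr);
}

int main(void)
{
    uint32_t lo = IPV4(127, 0, 0, 1);
    printf("127.0.0.1 without reload: %s\n", sample_accepts_without_reload(lo) ? "accepted" : "missed");
    printf("127.0.0.1 with reload:    %s\n", sample_accepts_with_reload(lo) ? "accepted" : "missed");
    return 0;
}
```

Running it reproduces the trace in the message: without the reload the accumulator holds 0x70000000 when the /32 comparison runs and 127.0.0.1 is silently missed, while the reloaded program accepts it. The same check is worth keeping in a test suite whenever a filter generator is touched, since a filter that matches fewer addresses than configured fails quietly rather than loudly.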
Make output of nfct_snprintf() similar to /proc/net/nf_conntrack.
tcp 6 23 TIME_WAIT src=XX.208.XX.243 dst=XX.14.XX.100 sport=35917 dport=80 packets=10 bytes=2555 src=XX.14.XX.100 dst=XX.208.XX.243 sport=80 dport=35917 packets=9 bytes=1163 [ASSURED] mark=0 secmark=0 use=2 zone=1
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add Patrick's zone support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes parsing of 64-bit attributes (that are unaligned)
in ctnetlink. It would be better to add nfnl_get_uX() functions
similar to those in include/net/netlink.h to libnfnetlink to avoid
this sort of error.
Reported-by: Jan Engelhardt <jengelh@medozas.es>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
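To show the kind of helper the message proposes, here is an added example that is not libnfnetlink or libnetfilter_conntrack code: a netlink attribute header is only 4-byte aligned, so a 64-bit payload behind it is not 8-byte aligned and must be assembled byte by byte (or copied out with memcpy) rather than read through a `uint64_t *`. The `attr_hdr` layout, the `parse_u64_attr` name and the sample message are constructed for the illustration; the payload is treated as big-endian, as ctnetlink counters are on the wire.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not libnfnetlink code: a minimal stand-in for a
 * netlink attribute header. It is 4 bytes long, so any 64-bit payload
 * that follows it is 4-byte but not 8-byte aligned. */
struct attr_hdr {
    uint16_t len;   /* header + payload length, host order as in netlink */
    uint16_t type;
};

/* Portable read of a big-endian 64-bit value from a possibly unaligned
 * position. Assembling the value from bytes avoids dereferencing a
 * uint64_t pointer, which is undefined behaviour on unaligned addresses
 * and a bus error on strict-alignment CPUs. This plays the role of the
 * nfnl_get_u64()-style helper the commit message proposes. */
uint64_t get_be64_unaligned(const void *p)
{
    const unsigned char *b = p;
    uint64_t v = 0;
    size_t i;

    for (i = 0; i < 8; i++)
        v = (v << 8) | b[i];
    return v;
}

/* Validate the attribute length before touching the payload, then read the
 * 64-bit counter it carries. Returns 0 on success, -1 if truncated. */
int parse_u64_attr(const unsigned char *buf, size_t buflen, uint64_t *out)
{
    struct attr_hdr hdr;

    if (buflen < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);          /* the header itself may be unaligned */
    if (hdr.len < sizeof hdr + 8 || hdr.len > buflen)
        return -1;
    *out = get_be64_unaligned(buf + sizeof hdr);
    return 0;
}

/* Constructed sample: a 12-byte attribute whose 8-byte counter starts at
 * offset 4. Built at run time so the header is in host byte order. */
static size_t build_sample(unsigned char *buf)
{
    struct attr_hdr hdr = { 12, 1 };
    static const unsigned char counter[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, counter, sizeof counter);
    return sizeof hdr + sizeof counter;
}

/* Parse the sample attribute; expected value is 0x0102030405060708. */
uint64_t sample_counter(void)
{
    unsigned char buf[12];
    uint64_t v = 0;
    size_t len = build_sample(buf);

    if (parse_u64_attr(buf, len, &v) != 0)
        return 0;
    return v;
}

/* Feed the parser a buffer shorter than the declared attribute length;
 * returns 1 when the truncation is rejected instead of read past. */
int sample_truncated_rejected(void)
{
    unsigned char buf[12];
    uint64_t v = 0;

    build_sample(buf);
    return parse_u64_attr(buf, 8, &v) == -1;
}
```

The length check matters as much as the alignment fix: an attribute whose declared length exceeds the remaining buffer is the classic out-of-bounds read in netlink parsers, and the helper refuses it before reading the payload.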
This patch adds the missing bits to support the modification of the
TCP window scale factor in a conntrack entry. The kernel support
has been already there since 2.6.23.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the autocomplete feature for ICMP[v6] entries
that makes the kernel return EINVAL. Basically, we skip the
autocomplete since this is already done in the setter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch unsets all the existing callbacks if we call
nfct_close().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the new expectation callback interface. This change is
like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to
expectations. The netlink message contains the portID that is useful
to identify the origin of the message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes missing endianness conversion of the new
attribute ATTR_HANDSHAKE_SEQ that was included in
19f35b21dbe2bb4386eeced4e0d87f3b2e1d.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch renames the attribute constant to access the DCCP
handshake sequence number that was recently committed in
19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf. No release with
the old name has been done, so no problems about backward
compatibility although it'd be better if I don't push changes
that I have to modify very soon afterwards.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the support for the DCCP sequence number tracking
that is included in the upcoming Linux kernel 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support to auto-generate BSF code for IPv6. It
requires a Linux kernel >= 2.6.29. The maximum number of addresses
is limited to 20 (12 BSF lines per IPv6 address comparison). I am
not sure that removing this limit is useful given that oprofile
does not show very good numbers for very large (in terms of lines)
filters. This completes one feature that is available in IPv4 but
that was missing in IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes a check that is performed before building the
protocol private information. This check silently removed any
protocol attribute if the configuration is inconsistent. With this
change, the kernel reports the error to tell that some attributes
are missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the new SYN_SENT2 state that Jozsef
has introduced to support TCP simultaneous open in 2.6.31. We can
safely include support for this feature now since the LISTEN state
was not ever really used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch avoids possible out-of-bound array access if protocol
states higher than the accepted are used.
Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nfct_callback_register2() and nfct_callback_unregister2()
that allow registering a callback function with a new callback interface
that includes the Netlink message. This fixes an early design error.
This is not nice but it is the only way to resolve this problem without
breaking backward compatibility (I don't like function versioning, it is messy).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds DCCP role attribute support. This needs Linux
kernel >= 2.6.30.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the missing ATTR_DCCP_STATE in nfct_copy().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>