| Commit message | Author | Age | Files | Lines |
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
There is confusion on what this command actually does and why
examples commonly PF_UNBIND at startup.
Since these are obsolete, document that it's not needed starting
with Linux 3.8.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
[ Mangled this patch to indicate that this kernel does not support
UID/GID retrieval not to confuse users --pablo ]
Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
With this patch libnetfilter_queue is able to parse UID/GID
socket information.
Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
These functions are internal and they belong to the libnetfilter_queue scope,
so let's add the corresponding nfq_ prefix.
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
As of f40eabb01 (add pkt_buff and protocol helper functions)
libnetfilter_queue accidentally exports the internal function named
'checksum'. This is a bit too generic and may cause crashes with
applications that worked fine before.
This patch makes the functions checksum, checksum_tcpudp_ipv4 and
checksum_tcpudp_ipv6 local by building with fvis-hidden and adding
EXPORTs for the legacy api calls and the ones that seem to have missing
EXPORT tags (mainly pktbuff api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| | |
Get the following patches into master:
examples/nf-queue: receive large gso packets
src: add new GSO handling capabilities
examples/nf-queue: handle recv error, use larger buffer
| | |
Signed-off-by: Florian Westphal <fw@strlen.de>
| | |
allows userspace to ask for large gso packets via nfqueue.
Signed-off-by: Florian Westphal <fw@strlen.de>
| | |
We ask for 0xffff copy size, so we need a buffer that can
hold 0xffff, plus a few more bytes to allow for netlink attributes.
Also, turn off/handle ENOBUFS.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Valgrind generates error reports during a call
to the nfq_unbind_pf function:
==00:00:00:08.662 22111== 4 errors in context 1 of 1:
==00:00:00:08.662 22111== Syscall param socketcall.sendto(msg) points
to uninitialised byte(s)
...
==00:00:00:08.662 22111== Uninitialised value was created by a stack allocation
==00:00:00:08.662 22111== at 0x679C30B: __build_send_cfg_msg
(libnetfilter_queue.c:178
Signed-off-by: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Suggested by Eric Leblond.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch improves the doxygen documentation and adds a reference
to an external article.
| |
1. struct nlattr *attr[NFQA_MAX+1] must be initialized.
Otherwise, attr[FOO] might be non-null after parsing
even if that attribute isn't present in the message.
2. mnl_attr_get_payload will never return NULL (if the
attribute is NULL, it returns MNL_ATTR_HDRLEN.)
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
am/ltlibrary.am: warning: 'libnetfilter_queue.la': linking libtool
libraries using a non-POSIX archiver requires 'AM_PROG_AR' in
'configure.ac'
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| |
LIBVERSION is already correctly updated, previous release was:
3:0:2
and this is:
4:0:3
This release includes new interfaces, but we're still backward compatible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
libnetfilter_queue.c: In function 'nfq_get_payload':
libnetfilter_queue.c:1116:8: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
nf-queue.c: In function ‘main’:
nf-queue.c:146:12: warning: unused variable ‘id’ [-Wunused-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch updates the doxygen documentation for the new API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Fix wrong arithmetic and missing pktb->len update
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
pktb_expand_tail returns 0 if there is no room for the mangling.
Note that we don't support dynamic reallocation, instead the
caller is responsible for allocating the extra room via pktb_alloc
according to the maximum amount of bytes it needs for the mangling.
Since pkt_buff layout is not exposed, we can change this in the
future if we prefer dynamic reallocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Implement API to set per-queue flags. This is initially used
to implement fail-open support in NFQUEUE.
[ Pablo mangled this patch to bump LIBVERSION as well ]
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Compilation can fail when libnfnetlink is not in a directory searched
by default. Reason is the empty KERNELDIR variable which makes for a
gcc command like:
gcc -I. -I../include -I -Wall -I/usr/include/libnfnetlink-1.0.0+git28
-Wall -c libnetfilter_queue.c
What one would expect is that gcc would search in the (non-existent)
directory "-Wall" and just continue as usual, since -Wall is specified
again. Instead, gcc versions before 4.6 attempt to search the
(similarly non-existent) directory "-I/usr/[...]" and thus miss.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
| |
The result of AC_EXEEXT is never used -- there is no ${EXEEXT} to be
found in the Makefiles.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Only ignore these paths if they are a directory.
| |
The verdict NF_STOLEN must not be used.
When using NF_REPEAT, one way to prevent re-queueing of the
same packet is to also set an nfmark using nfq_set_verdict2,
and set up the netfilter rules to only queue a packet when the
mark is not (yet) set.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
| |
add nfq_set_verdict_batch() and nfq_set_verdict_batch2 (to also
set the nfmark of all packets).
verdicts sent by the _batch variant will affect all queued skbs
whose id is smaller than or equal to the given id.
This facility is available from Linux 3.1 onwards.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
| |
Makefile.am:12: EXTRA_DIST multiply defined in condition TRUE ...
Makefile.am:3: ... "EXTRA_DIST" previously defined here
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
src/Makefile.am: C objects in subdir but "AM_PROG_CC_C_O"
not in "configure.ac"
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| |
NFQNL_COPY_NONE means noop and should not be used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch documents the ENOBUFS error in the example file, that
is a common problem that is questioned over and over again in the
mailing list.
I (Pablo) have mangled this patch with some cosmetic cleanups. BTW,
Mistick Levi sent a similar patch in the same timeline (amazing how
sometimes the same works can clash).
Signed-off-by: Alessandro Vesely <vesely@tana.it>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | |
This patch documents some performance tweaks for libnetfilter_queue
applications.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>