Commit message | Author | Age | Files | Lines
* src: Fix indenting weirdness in pktbuff.c w/out changing indent [HEAD, master] | Duncan Roe | 38 hours | 1 | -4/+3
  In pktb_alloc, declare struct ethhdr *ethhdr at function start, thus avoiding cute braces on case AF_BRIDGE. This costs nothing and generates less code.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix value returned by nfq_tcp_get_payload_len() | Duncan Roe | 8 days | 1 | -1/+1
  Remember to subtract the TCP header length.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Final polish for current round | Duncan Roe | 8 days | 4 | -36/+86
  - Ensure all functions that return something have a \returns
  - Demote more checksum functions to their own groups (reduces number of functions on main pages)
  - Clarify wording where appropriate
  - Add \sa (see also) where appropriate
  - Fix documented function name for nfq_tcp_get_hdr (no other mismatches noticed, but there may be some)
  - Add warnings regarding changing length of tcp packet
  - Make group names unique within libnetfilter_queue (else man pages would be overwritten)
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Always use pktb as formal arg of type struct pkt_buff | Duncan Roe | 2020-01-03 | 7 | -17/+17
  All remaining instances of pkt refer to something other than a pkt_buff. In the prototype for nfq_nlmsg_parse, pkt is changed to attr.
  Inconsistent whitespace in headers has been left for another day.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: doc: Eliminate doxygen warnings from libnetfilter_queue.c | Duncan Roe | 2020-01-03 | 1 | -9/+11
  - Change items of the form #<word> to "\b <word>". (#<word> is rather obscurely documented to be a reference to a documented entity)
  - Re-work text wrapping in above change to keep lines within 80cc
  - Add 2 missing \param directives
  12 warnings fixed
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: libnetfilter_queue.c: whitespace: remove trailing spaces | Duncan Roe | 2020-01-03 | 1 | -21/+21
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: checksum.c: remove redundant 0xFFFF mask of uint16_t | Duncan Roe | 2020-01-03 | 1 | -2/+2
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: doc: tcp.c: fix remaining doxygen warnings | Duncan Roe | 2019-12-30 | 1 | -4/+4
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: doxygen.cfg.in: Eliminate 20 doxygen warnings | Duncan Roe | 2019-12-30 | 1 | -5/+6
  - Add 5 opaque or internal items to the EXCLUDE_SYMBOLS list
  - Remove 4 obsolete configuration lines
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: whitespace: Remove trailing spaces from doxygen.cfg.in | Duncan Roe | 2019-12-30 | 1 | -34/+34
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: pktb_mangle has signed offset arg so can mangle MAC header with -ve one | Duncan Roe | 2019-12-30 | 2 | -4/+6
  - Update prototype
  - Update doxygen documentation
  - Update declaration
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add mangle functions for IPv6, IPv6/TCP and IPv6/UDP | Duncan Roe | 2019-12-30 | 6 | -0/+111
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: more IPv6 checksum fixes | Duncan Roe | 2019-12-30 | 1 | -5/+5
  - Fix calculation of header length
  - Upgrade calculation of payload length: Allow for extra headers before the UDP header.
  - Delete "sum += ... s6_addr16[i] >> 16" lines, since uint16_t >> 16 == 0
  - Use upgraded payload length in pseudo-header
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Eliminate doxygen warnings from udp.c | Duncan Roe | 2019-12-16 | 1 | -20/+30
  - Make it clear that packet buffer is the user-space one
  - Use \returns for all return values
  - Make function names in doc agree with prototypes
  - Make number and names of params in doc agree with prototypes
  - Divide functions into a hierarchy:
      top-level: Functions all programs that modify data will use (nfq_udp_snprintf is optional)
      2nd-level: Rarely-used (except internally) functions
  - Add see-also snprintf
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: udp.c: rename 1 more formal pkt arg to pktb | Duncan Roe | 2019-12-16 | 1 | -4/+4
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix value returned by nfq_udp_get_payload_len() | Duncan Roe | 2019-12-11 | 1 | -1/+1
  Remember to subtract the UDP header length.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Fully document available verdicts | Duncan Roe | 2019-12-09 | 1 | -2/+30
  Updated: src/nlmsg.c
  - Document NF_DROP, NF_ACCEPT, NF_STOP, NF_REPEAT and NF_QUEUE_NR(new_queue).
  - Make line number of examples/nf-queue.c into a hyperlink.
  - Add hint that "cb" in function names is short for "callback".
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Update sample code to agree with documentation | Duncan Roe | 2019-12-09 | 1 | -3/+2
  Updated:
  src/nlmsg.c: Update nfq_nlmsg_verdict_put_pkt() sample code to use pktb_len() as recommended in src/extra/pktbuff.c, pktb_len() doco
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Minor tweak to pktb_len function description | Duncan Roe | 2019-12-07 | 1 | -1/+1
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Major re-work of user packet buffer documentation | Duncan Roe | 2019-12-07 | 1 | -37/+117
  Divide functions into a hierarchy:
    top-level: Functions all programs that modify data will use
    2nd-level: Rarely-used functions
    3rd-level: Functions not to use (should have been declared static)
  Only the top-level functions appear on the "User-space network packet buffer" page, which looks a lot less daunting than it used to.
  Parameter descriptions all match prototypes
  All non-void functions have a "Returns" paragraph
  Code change: pktb_alloc: set errno to EPROTONOSUPPORT before doing error return because protocol is not supported
  Detailed other updates (top-level)
    pktb_alloc:
    - Add "Errors" para
    - Add "See also" para
    pktb_data, pktb_len: Add "appropriate use" line
    pktb_mangle: Add warning to use a different function unless mangling MAC hdr
    pktb_mangled: Add usage hint line
  Detailed other updates (2nd-level)
    pktb_mac_header: Point out only for AF_BRIDGE
    pktb_tailroom: Point out no dynamic expansion
    pktb_transport_header: Add note that programmer must code to set this
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix test for IPv6 header | Duncan Roe | 2019-12-07 | 1 | -1/+1
  Updated:
  src/extra/ipv6.c: Only test the first 4 bits of the putative IPv6 header to be 6, since all the other bits are up for grabs. (I have seen nonzero Flow Control on the local interface and RFC2474 & RFC3168 document Traffic Class use).
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Delete code not needed since Linux 3.8 | Duncan Roe | 2019-11-26 | 1 | -17/+0
  The removed code sent configuration commands NFQNL_CFG_CMD_PF_UNBIND & NFQNL_CFG_CMD_PF_BIND which the kernel required prior to 3.8.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix IPv4 checksum calculation in AF_BRIDGE packet buffer | Duncan Roe | 2019-11-21 | 1 | -1/+1
  Updated:
  src/extra/pktbuff.c: If pktb was created in family AF_BRIDGE, then pktb->len will include the bytes in the network header. So set the IPv4 length to "tail - network_header" rather than len
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Make sure pktb_alloc() works for IPv6 over AF_BRIDGE | Duncan Roe | 2019-11-16 | 1 | -0/+1
  At least on the local interface, the MAC header of an IPv6 packet specifies IPv6 protocol (rather than IP). This surprised me, since the first octet of the IP datagram is the IP version, but I guess it's an efficiency thing.
  Without this patch, pktb_alloc() returns NULL when an IPv6 packet is encountered.
  Updated:
  src/extra/pktbuff.c:
  - Treat ETH_P_IPV6 the same as ETH_P_IP.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Make sure pktb_alloc() works for AF_INET6 since we document that it does | Duncan Roe | 2019-11-12 | 1 | -0/+1
  Without this patch, AF_INET6 pktb_alloc() creates a pktb with NULL network_header. But in src/extra/ipv6.c, nfq_ip6_get_hdr() assumes that pktb->network_header is valid.
  Updated:
  src/extra/pktbuff.c: Treat AF_INET6 the same as AF_INET.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: pktb_trim() was not updating tail after updating len | Duncan Roe | 2019-11-12 | 1 | -0/+1
  skb->tail is used in many places, so it's important to keep it up to date.
  Updated:
  src/extra/pktbuff.c: Fix pktb_trim()
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Eliminate doxygen warnings from ipv{4,6}.c | Duncan Roe | 2019-11-04 | 2 | -33/+34
  Updated:
  src/extra/ipv4.c:
  - Rename pkt formal arg of nfq_ip_mangle to pktb (to match all other struct pkt_buff args)
  - Make it clear that packet buffer is the user-space one
  - Sentence-case all parameter descriptions
  - Fix \param 3 of nfq_pkt_snprintf_ip to match prototype
  - Revised description of nfq_pkt_snprintf_ip for English usage, but left the "strange behaviour" bit at the end. (I know kernel developers hate snprintf: the purpose of the return code was not a blanket buffer overrun check but rather an amount to subtract from the size argument to the next snprintf call. It was therefore a bit of a screw-up to have snprintf take an unsigned size_t argument so the -ve size looks like a huge +ve one and snprintf keeps writing :( The programmer needs to use a signed type for size and explicitly test it for still being +ve before every snprintf call; with ssize_t, snprintf could have done nothing and returned zero with a -ve size so the programmer only needs to check right at the end. Ah well...)
  src/extra/ipv6.c:
  - Use \returns for all return values
  - Fix \param 3 of nfq_ip6_snprintf to match prototype
  - Sentence-case all parameter descriptions
  - Change IPv4 to IPv6 in a comment
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Fix spelling of CTA_LABELS in examples/nf-queue.c | Duncan Roe | 2019-11-04 | 1 | -1/+1
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Update the Main Page to be nft-focussed | Duncan Roe | 2019-11-04 | 1 | -26/+37
  Updated:
  src/libnetfilter_queue.c:
  - ip_queue withdrawn in kernel 3.5
  - Update some URLs
  - libmnl is a dependency
  - Multiword section headers need a tag
  - Re-work cinematic to refer to nft
  - Some native English speaker updates (e.g. enqueue *is* a word)
  - Prefer nf-queue.c over deprecated doxygen doco
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Eliminate useless spaces before tabs | Duncan Roe | 2019-11-04 | 1 | -9/+9
  The extra spaces had no effect on how the file looked (except cat -A). This patch reduces the file size by a few bytes, but the main motivation was that my editor makes this change automatically.
  Updated:
  src/libnetfilter_queue.c: Leading whitespace is canonically tabbed
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Document nfq_nlmsg_verdict_put_mark() and nfq_nlmsg_verdict_put_pkt() | Duncan Roe | 2019-10-30 | 1 | -1/+44
  This completes the "Verdict helpers" module.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* checksum: Fix TCP/UDP checksum computation on big endian arches | Alin Nastac | 2019-10-09 | 1 | -2/+8
  On big endian arches UDP/TCP checksum is incorrectly computed when payload length is odd.
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Minor fix | Duncan Roe | 2019-10-08 | 1 | -1/+1
  The documentation generally uses OSI layer numbering, where TCP (i.e. Transport) is layer 4 so that IP is layer 3. Bring pktb_mangle documentation into line with this.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix invalid conversion specifier | Duncan Roe | 2019-10-08 | 1 | -1/+1
  Clang (but not gcc) warned about this. Gcc (but not clang) used to warn that nfq_set_verdict_mark is deprecated, but this has stopped since re-defining EXPORT_SYMBOL.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doxygen: remove EXPORT_SYMBOL from the output | Pablo Neira Ayuso | 2019-10-08 | 1 | -1/+1
  Add input filter to remove the internal EXPORT_SYMBOL macro that turns on the compiler visibility attribute.
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Enable clang build | Duncan Roe | 2019-10-08 | 8 | -127/+112
  Modify the definition and use of EXPORT_SYMBOL as was done for libmnl in commit 444d6dc9.
  Additionally, avoid generating long (>80ch) lines when inserting EXPORT_SYMBOL.
  Finally, re-align multi-line parameter blocks with opening parenthesis.
  [ I have mangled the original patch to not split the function definition and its return value. --pablo ]
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Miscellaneous updates | Duncan Roe | 2019-10-08 | 4 | -25/+63
  (These updates only cover functions used in a recent project)
  src/extra/ipv4.c:
  - nfq_ip_set_transport_header(): Add explanatory notes
  - nfq_ip_mangle()
    - Advise that there is a return code
    - Note that IPv4 length is updated as well as checksum
  src/extra/pktbuff.c:
  - pktb_alloc(): Minor rewording (English usage)
  - pktb_mangle(): Document
  src/extra/udp.c:
  - nfq_udp_get_hdr(): Fix params
  - nfq_udp_get_payload(): Fix params
  - nfq_udp_get_payload_len(): Fix params
  - nfq_udp_mangle_ipv4(): Rewrite documentation
  src/nlmsg.c:
  - nfq_nlmsg_verdict_put(): Document
  - nfq_nlmsg_cfg_put_cmd():
    - Change name (was: nfq_nlmsg_cfg_build_request)
    - Fix params
    - Delete function return documentation (void fn)
  - nfq_nlmsg_cfg_put_params(): Document (params only)
  - nfq_nlmsg_cfg_put_qmaxlen(): Document (params only)
  - nfq_nlmsg_parse:
    - Change name (was: nfq_pkt_parse)
    - Fix params
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Update UDP header length field after mangling | Duncan Roe | 2019-10-06 | 1 | -0/+2
  One would expect nfq_udp_mangle_ipv4() to take care of the length field in the UDP header but it did not. With this patch, it does.
  This patch is very unlikely to adversely affect any existing userspace software (that did its own length adjustment), because UDP checksumming was broken.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* checksum: Fix UDP checksum calculation | Pablo Neira Ayuso | 2019-09-30 | 4 | -10/+12
  The level 4 protocol is part of the UDP and TCP calculations. nfq_checksum_tcpudp_ipv4() was using IPPROTO_TCP in this calculation, which gave the wrong answer for UDP.
  Based on patch from Alin Nastac, and patch description from Duncan Roe.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Add information about retrieving UID/GID/SECCTX fields [libnetfilter_queue-1.0.3] | Piotr Radoslaw Sawicki | 2017-06-27 | 1 | -1/+19
  Add information about retrieving UID/GID/SECCTX fields
  Signed-off-by: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump library release version too | Pablo Neira Ayuso | 2017-06-26 | 1 | -1/+1
  Old APIs still remain, so just increase current and age.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.3 | Richard Weinberger | 2017-06-26 | 1 | -1/+1
  Time to make a new version such that distros can pick this version. Many distros ship only 1.0.2 which is almost five years old and does not support recent netfilter features such as NFQA_CT.
  Signed-off-by: Richard Weinberger <richard@nod.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: extend the doxygen section about NFQA_CFG_F_GSO | Florian Westphal | 2017-06-23 | 1 | -1/+12
  Signed-off-by: Florian Westphal <fw@strlen.de>
* examples: set dummy connmark value to show use of NFQA_CT nested attribute | Florian Westphal | 2017-06-21 | 1 | -0/+14
  We can now get/set conntrack attributes via nfqueue, show a minimal example that sets the connmark from userspace.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "src: Declare the define visibility attribute together" | Pablo Neira Ayuso | 2017-04-14 | 9 | -82/+162
  This reverts commit 58cb0668dc15c78cd3af9eeaedf29386e86ecac1.
  Prepare a new patch to keep this update consistent with libmnl.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Declare the define visibility attribute together | Khem Raj | 2017-04-14 | 9 | -162/+82
  clang ignores the visibility attribute if it's not defined before the definition. As a result these symbols become hidden and consumers of this library fail to link due to these missing symbols.
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Correct typo in the location of internal.h in #include | Khem Raj | 2017-04-14 | 1 | -1/+1
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: check result of malloc when creating queue | Victor Julien | 2016-07-03 | 1 | -0/+2
  Signed-off-by: Victor Julien <victor@inliniac.net>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: make nfq_open_nfnl thread-safe | Florian Westphal | 2016-06-20 | 1 | -5/+4
  nfq_open_nfnl uses an intermediate static object, so when it is invoked by distinct threads at the same time there is a small chance that some threads end up with another thread's nfq_handle pointer stored in ->data.
  The result is that the affected queue will be stuck because the thread that was supposed to service it is handling another/wrong queue instead.
  Tested-by: Michal Tesar <mtesar@redhat.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nlmsg: add lacking attributes validation | Ken-ichirou MATSUZAWA | 2015-10-05 | 1 | -0/+9
  This patch adds four (actually two) attributes validation with comparing to current kernel header.
  Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>