Commit message | Author | Age | Files | Lines
* checksum: Fix TCP/UDP checksum computation on big endian arches [HEAD] [master] | Alin Nastac | 9 days | 1 | -2/+8
|   On big endian arches UDP/TCP checksum is incorrectly computed when payload length is odd.
|
|   Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Minor fix | Duncan Roe | 10 days | 1 | -1/+1
|   The documentation generally uses OSI layer numbering, where TCP (i.e. Transport) is layer 4 so that IP is layer 3. Bring pktb_mangle documentation into line with this.
|
|   Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix invalid conversion specifier | Duncan Roe | 10 days | 1 | -1/+1
|   Clang (but not gcc) warned about this. Gcc (but not clang) used to warn that nfq_set_verdict_mark is deprecated, but this has stopped since re-defining EXPORT_SYMBOL.
|
|   Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doxygen: remove EXPORT_SYMBOL from the output | Pablo Neira Ayuso | 10 days | 1 | -1/+1
|   Add input filter to remove the internal EXPORT_SYMBOL macro that turns on the compiler visibility attribute.
|
|   Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Enable clang build | Duncan Roe | 10 days | 8 | -127/+112
|   Modify the definition and use of EXPORT_SYMBOL as was done for libmnl in commit 444d6dc9. Additionally, avoid generating long (>80ch) lines when inserting EXPORT_SYMBOL. Finally, re-align multi-line parameter blocks with opening parenthesis.
|
|   [ I have mangled the original patch to not split the function definition and its return value. --pablo ]
|
|   Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: doc: Miscellaneous updates | Duncan Roe | 10 days | 4 | -25/+63
|   (These updates only cover functions used in a recent project)
|
|   src/extra/ipv4.c:
|   - nfq_ip_set_transport_header(): Add explanatory notes
|   - nfq_ip_mangle()
|     - Advise that there is a return code
|     - Note that IPv4 length is updated as well as checksum
|
|   src/extra/pktbuff.c:
|   - pktb_alloc(): Minor rewording (English usage)
|   - pktb_mangle(): Document
|
|   src/extra/udp.c:
|   - nfq_udp_get_hdr(): Fix params
|   - nfq_udp_get_payload(): Fix params
|   - nfq_udp_get_payload_len(): Fix params
|   - nfq_udp_mangle_ipv4(): Rewrite documentation
|
|   src/nlmsg.c:
|   - nfq_nlmsg_verdict_put(): Document
|   - nfq_nlmsg_cfg_put_cmd():
|     - Change name (was: nfq_nlmsg_cfg_build_request)
|     - Fix params
|     - Delete function return documentation (void fn)
|   - nfq_nlmsg_cfg_put_params(); Document (params only)
|   - nfq_nlmsg_cfg_put_qmaxlen(): Document (params only)
|   - nfq_nlmsg_parse:
|     - Change name (was: nfq_pkt_parse)
|     - Fix params
|
|   Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Update UDP header length field after mangling | Duncan Roe | 12 days | 1 | -0/+2
|   One would expect nfq_udp_mangle_ipv4() to take care of the length field in the UDP header but it did not. With this patch, it does. This patch is very unlikely to adversely affect any existing userspace software (that did its own length adjustment), because UDP checksumming was broken.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* checksum: Fix UDP checksum calculation | Pablo Neira Ayuso | 2019-09-30 | 4 | -10/+12
|   The level 4 protocol is part of the UDP and TCP calculations. nfq_checksum_tcpudp_ipv4() was using IPPROTO_TCP in this calculation, which gave the wrong answer for UDP.
|
|   Based on patch from Alin Nastac, and patch description from Duncan Roe.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Add information about retrieving UID/GID/SECCTX fields [libnetfilter_queue-1.0.3] | Piotr Radoslaw Sawicki | 2017-06-27 | 1 | -1/+19
|   Add information about retrieving UID/GID/SECCTX fields
|
|   Signed-off-by: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump library release version too | Pablo Neira Ayuso | 2017-06-26 | 1 | -1/+1
|   Old APIs still remain, so just increase current and age.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.3 | Richard Weinberger | 2017-06-26 | 1 | -1/+1
|   Time to make a new version such that distros can pick this version. Many distros ship only 1.0.2 which is almost five years old and does not support recent netfilter features such as NFQA_CT.
|
|   Signed-off-by: Richard Weinberger <richard@nod.at>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: extend the doxygen section about NFQA_CFG_F_GSO | Florian Westphal | 2017-06-23 | 1 | -1/+12
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* examples: set dummy connmark value to show use of NFQA_CT nested attribute | Florian Westphal | 2017-06-21 | 1 | -0/+14
|   We can now get/set conntrack attributes via nfqueue, show a minimal example that sets the connmark from userspace.
|
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "src: Declare the define visibility attribute together" | Pablo Neira Ayuso | 2017-04-14 | 9 | -82/+162
|   This reverts commit 58cb0668dc15c78cd3af9eeaedf29386e86ecac1.
|
|   Prepare a new patch to keep this update consistent with libmnl.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Declare the define visibility attribute together | Khem Raj | 2017-04-14 | 9 | -162/+82
|   clang ignores the visibility attribute if it's not defined before the definition. As a result these symbols become hidden and consumers of this library fail to link due to these missing symbols.
|
|   Signed-off-by: Khem Raj <raj.khem@gmail.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Correct typo in the location of internal.h in #include | Khem Raj | 2017-04-14 | 1 | -1/+1
|   Signed-off-by: Khem Raj <raj.khem@gmail.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: check result of malloc when creating queue | Victor Julien | 2016-07-03 | 1 | -0/+2
|   Signed-off-by: Victor Julien <victor@inliniac.net>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* src: make nfq_open_nfnl thread-safe | Florian Westphal | 2016-06-20 | 1 | -5/+4
|   nfq_open_nfnl uses an intermediate static object, so when it is invoked by distinct threads at the same time there is a small chance that some threads end up with another thread's nfq_handle pointer stored in ->data.
|
|   The result is that the affected queue will be stuck because the thread that was supposed to service it is handling another/wrong queue instead.
|
|   Tested-by: Michal Tesar <mtesar@redhat.com>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
|   Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nlmsg: add lacking attributes validation | Ken-ichirou MATSUZAWA | 2015-10-05 | 1 | -0/+9
|   This patch adds four (actually two) attributes validation with comparing to current kernel header.
|
|   Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add security context information | Roman Kubiak | 2015-06-30 | 6 | -3/+43
|   This commit adds security context information structures and functions. This will allow userspace to find the security context of each packet (if it exists) and make decisions based on that. It should work for SELinux and SMACK.
|
|   Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnetfilter_queue.h: Include <sys/time.h> for struct timeval | Felix Janda | 2015-06-19 | 1 | -1/+1
|   Signed-off-by: Felix Janda <felix.janda@posteo.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: Define _GNU_SOURCE to get members of tcphdr&ucphdr | Felix Janda | 2015-05-29 | 2 | -0/+2
|   The source uses linux names for members of tcphdr. For example "source" instead of "th_sport", ... musl libc's headers need _GNU_SOURCE defined in order to expose these.
|
|   Signed-off-by: Felix Janda <felix.janda@posteo.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use stdint types everywhere | Felix Janda | 2015-05-29 | 3 | -82/+82
|   Signed-off-by: Felix Janda <felix.janda@posteo.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Sync with kernel headers | Felix Janda | 2015-05-27 | 1 | -34/+37
|   Signed-off-by: Felix Janda <felix.janda@posteo.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: tcp: insufficient sanitization in nfq_tcp_get_payload() | Pablo Neira Ayuso | 2014-06-30 | 1 | -3/+7
|   Similar to 7335cbe ("extra: fix wrong implementation in nfq_udp_get_payload").
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: fix wrong implementation in nfq_udp_get_payload | Ting-Wei Lan | 2014-06-30 | 1 | -4/+8
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: use inet_ntop instead of inet_ntoa | Ting-Wei Lan | 2014-06-30 | 1 | -1/+5
|   The result of inet_ntoa() will be overwritten by the next call to inet_ntoa(), so using it twice in the same snprintf() call causes wrong result.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix wrong function name in the header | Ting-Wei Lan | 2014-06-20 | 1 | -1/+1
|   There is no nfq_ip6hdr_snprintf(). nfq_ip6_snprintf() is the correct name.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: add the parameter queue number in nfqnl_test | Álvaro Neira Ayuso | 2014-06-09 | 1 | -2/+11
|   This patch allows to establish the number of the queue that we want to read the packets.
|
|   Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* utils: Remove unused variable in nfqnl_test | Álvaro Neira Ayuso | 2014-06-06 | 1 | -1/+0
|   Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* src: PF_BIND/UNBIND is ignored in 3.8 and later | Florian Westphal | 2014-04-24 | 3 | -2/+9
|   There is confusion on what this command actually does and why examples commonly PF_UNBIND at startup.
|
|   Since these are obsolete document that it's not needed starting with Linux 3.8.
|
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* utils: add example usage of nfq_get_uid and nfq_get_gid | Valentina Giusti | 2014-01-08 | 1 | -1/+15
|   [ Mangled this patch to indicate that this kernel does not support UID/GID retrieval not to confuse users --pablo ]
|
|   Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for UID/GID socket info | Valentina Giusti | 2014-01-08 | 5 | -2/+62
|   With this patch libnetfilter_queue is able to parse UID/GID socket information.
|
|   Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: uclinux is also linux | Gustavo Zacarias | 2013-09-17 | 1 | -1/+1
|   Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: extra: add prefix nfq_ to internal checksum functions | Pablo Neira Ayuso | 2013-08-13 | 5 | -13/+13
|   These functions are internal and they belong to the libnetfilter_queue scope, so let's add the corresponding nfq_ prefix.
|
|   Suggested-by: Florian Westphal <fw@strlen.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: avoid symbol namespace pollution | Florian Westphal | 2013-08-13 | 4 | -4/+50
|   As of f40eabb01 (add pkt_buff and protocol helper functions) libnetfilter_queue accidentally exports the internal function named 'checksum'.
|
|   This is a bit too generic and may cause crashes with applications that worked fine before.
|
|   This patch makes the functions checksum, checksum_tcpudp_ipv4 and checksum_tcpudp_ipv6 local by building with fvis-hidden and adding EXPORTs for the legacy api calls and the ones that seem to have missing EXPORT tags (mainly pktbuff api).
|
|   Signed-off-by: Florian Westphal <fw@strlen.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next' | Pablo Neira Ayuso | 2013-08-13 | 5 | -21/+98
|\
| |   Get the following patches into master:
| |
| |   examples/nf-queue: receive large gso packets
| |   src: add new GSO handling capabilities
| |   examples/nf-queue: handle recv error, use larger buffer
| * examples/nf-queue: receive large gso packets | Florian Westphal | 2013-04-30 | 1 | -2/+27
| |   Signed-off-by: Florian Westphal <fw@strlen.de>
| * src: add new GSO handling capabilities | Florian Westphal | 2013-04-30 | 4 | -6/+47
| |   allows userspace to ask for large gso packets via nfqueue.
| |
| |   Signed-off-by: Florian Westphal <fw@strlen.de>
| * examples/nf-queue: handle recv error, use larger buffer | Florian Westphal | 2013-04-30 | 1 | -13/+24
| |   We ask for 0xffff copy size, so we need a buffer that can hold 0xffff, plus a few more bytes to allow for netlink attributes.
| |
| |   Also, turn off/handle ENOBUFS.
| |
| |   Signed-off-by: Florian Westphal <fw@strlen.de>
* | fix valgrind errors of uninitialised byte during call to nfq_unbind_pf | Tamas Lengyel | 2013-06-01 | 1 | -0/+1
|/
|   Valgrind generates error reports during a call to the nfq_unbind_pf function:
|
|   ==00:00:00:08.662 22111== 4 errors in context 1 of 1:
|   ==00:00:00:08.662 22111== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
|   ...
|   ==00:00:00:08.662 22111== Uninitialised value was created by a stack allocation
|   ==00:00:00:08.662 22111== at 0x679C30B: __build_send_cfg_msg (libnetfilter_queue.c:178
|
|   Signed-off-by: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* build: don't install internal.h | Florian Westphal | 2013-04-27 | 1 | -1/+1
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* src: document NFQA_CFG_F_CONNTRACK flag | Pablo Neira Ayuso | 2013-03-14 | 1 | -5/+9
|   Suggested by Eric Leblond.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doxygen: improve documentation | Eric Leblond | 2013-01-25 | 1 | -1/+21
|   This patch improves the doxygen documentation and adds a reference to an external article.
* doxygen: improve fail-open documentation. | Eric Leblond | 2013-01-25 | 1 | -0/+8
|
* examples: nf-queue: fix api usage | Florian Westphal | 2012-11-25 | 1 | -12/+12
|   1. struct nlattr *attr[NFQA_MAX+1] must be initialized. Otherwise, attr[FOO] might be non-null after parsing even if that attribute isn't present in the message.
|
|   2. mnl_attr_get_payload will never return NULL (if the attribute is NULL, it returns MNL_ATTR_HDRLEN.)
|
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* build: resolve automake-1.12 warnings | Jan Engelhardt | 2012-10-08 | 1 | -0/+1
|   am/ltlibrary.am: warning: 'libnetfilter_queue.la': linking libtool libraries using a non-POSIX archiver requires 'AM_PROG_AR' in 'configure.ac'
|
|   Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* bump version to 1.0.2 [libnetfilter_queue-1.0.2] | Pablo Neira Ayuso | 2012-10-08 | 1 | -1/+1
|   LIBVERSION is already correctly updated, previous release was:
|
|   3:0:2
|
|   and this is:
|
|   4:0:3
|
|   This release includes new interfaces, but we're still backward compatible.
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix compilation warning in nfq_get_payload | Pablo Neira Ayuso | 2012-08-21 | 1 | -1/+2
|   libnetfilter_queue.c: In function 'nfq_get_payload':
|   libnetfilter_queue.c:1116:8: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nf-queue: fix compilation warning with gcc-4.7 | Pablo Neira Ayuso | 2012-08-20 | 2 | -8/+7
|   nf-queue.c: In function ‘main’:
|   nf-queue.c:146:12: warning: unused variable ‘id’ [-Wunused-variable]
|
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>