| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without this patch, man page users can miss important general information.
The HTML display stays as it was.
The man3 pages are updated to reference libnetfilter_queue.7.
build_man.sh must be invoked with arguments to activate man7 generation,
so will continue to work in other projects as before.
build_man.sh remains generic,
so should be able to make man7 pages for other netfilter projects.
v2: Change commit message from "how" to "why"
v3: Confine man page generation to build_man.sh per Pablo request;
Add build_man.sh to doxyfile.stamp dependencies (should have always been)
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to work with the post-processing logic in doxygen/Makefile.am,
SYNOPSIS sections must be inserted at the end of the module description
(text after \defgroup or \addtogroup)
(becomes Detailed Description in the man page).
Also a few minor updates including rename module uselessfns to do_not_use.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Emit a warning to notify users that this file is deprecated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Silly, since its easy to fetch this via libmnl.
Unfortunately there is a large number of software that uses the old
API, so add a helper to return the attribute.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- Change items of the form #<word> to "\b <word>".
(#<word> is rather obscurely documented to be a reference to a documented
entity)
- Re-work text wrapping in above change to keep lines within 80cc
- Add 2 missing \param directives
12 warnings fixed
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updated:
src/libnetfilter_queue.c: - ip_queue withdrawn in kernel 3.5
- Update some URLs
- libmnl is a dependency
- Multiword section headers need a tag
- Re-work cinematic to refer to nft
- Some native English speaker updates
(e.g. enqueue *is* a word)
- Prefer nf-queue.c over deprecated doxygen doco
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The extra spaces had no effect on how the file looked (except cat -A).
This patch reduces the file size by a few bytes, but the main motivation was
that my editor makes this change automatically.
Updated:
src/libnetfilter_queue.c: Leading whitespace is canonically tabbed
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify the definition and use of EXPORT_SYMBOL as was done for libmnl in
commit 444d6dc9.
Additionally, avoid generating long (>80ch) lines when inserting
EXPORT_SYMBOL.
Finally, re-align multi-line parameter blocks with opening parenthesis.
[ I have mangled the original patch to not split the function definition and
its return value. --pablo ]
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add information about retrieving UID/GID/SECCTX fields
Signed-off-by: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This reverts commit 58cb0668dc15c78cd3af9eeaedf29386e86ecac1.
Prepare a new patch to keep this update consistent with libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
clang ignores the visibility attribute if its not defined before the
definition. As a result these symbols become hidden and consumers of
this library fail to link due to these missing symbols.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Victor Julien <victor@inliniac.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
nfq_open_nfnl uses an intermediate static object, so when it is invoked
by distinct threads at the same time there is a small chance that some
threads end up with another threads nfq_handle pointer stored in ->data.
The result is that the affected queue will be stuck because the thread
that was supposed to service it is handling another/wrong queue instead.
Tested-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit adds security context information structures
and functions.
This will allow userspace to find the security context of each
packet (if it exists) and make decisions based on that.
It should work for SELinux and SMACK.
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
There is confusion on what this command actually does and why
examples commonly PF_UNBIND at startup.
Since these are obsolete document that its not needed starting
with Linux 3.8.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
With this patch libnetfilter_queue is able to parse UID/GID
socket information.
Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As of f40eabb01 (add pkt_buff and protocol helper functions)
libnetfilter_queue accidentally exports the internal function named
'checksum'. This is a bit too generic and may cause crashes with
applications that worked fine before.
This patch makes the functions checksum, checksum_tcpudp_ipv4 and
checksum_tcpudp_ipv6 local by building with fvis-hidden and adding
EXPORTs for the legacy api calls and the ones that seem to have missing
EXPORT tags (mainly pktbuff api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\
| |
| |
| |
| |
| |
| |
| | |
Get the following patches into master:
examples/nf-queue: receive large gso packets
src: add new GSO handling capabilities
examples/nf-queue: handle recv error, use larger buffer
|
| | |
| |
| |
| |
| |
| | |
allows userspace to ask for large gso packets via nfqueue.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind generates error reports during a call
to the nfq_unbind_pf function:
==00:00:00:08.662 22111== 4 errors in context 1 of 1:
==00:00:00:08.662 22111== Syscall param socketcall.sendto(msg) points
to uninitialised byte(s)
...
==00:00:00:08.662 22111== Uninitialised value was created by a stack allocation
==00:00:00:08.662 22111== at 0x679C30B: __build_send_cfg_msg
(libnetfilter_queue.c:178
Signed-off-by: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Suggested by Eric Leblond.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
This patch improves the doxygen documentation and adds a reference
to an external article.
|
| | |
|
| |
|
|
|
|
|
| |
libnetfilter_queue.c: In function 'nfq_get_payload':
libnetfilter_queue.c:1116:8: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
nf-queue.c: In function ‘main’:
nf-queue.c:146:12: warning: unused variable ‘id’ [-Wunused-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Implement API to set per-queue flags. This is initially used
to implement fail-open support in NFQUEUE.
[ Pablo mangled this patch to bump LIBVERSION as well ]
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The verdict NF_STOLEN must not be used.
When using NF_REPEAT, one way to prevent re-queueing of the
same packet is to also set an nfmark using nfq_set_verdict2,
and set up the nefilter rules to only queue a packet when the
mark is not (yet) set.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
add nfq_set_verdict_batch() and nfq_set_verdict_batch2 (to also
set the nfmark of all packets).
verdicts sent by the _batch variant will affect all queued skbs
whose id is smaller or equal to the given id.
This facility is available from Linux 3.1 onwards.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| |
|
|
|
|
| |
NFQNL_COPY_NONE means noop and should not be used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch documents some performance tweaks for libnetfilter_queue
applications.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch upgrades the license to GPLv2+. I have received an explicit
ACK via email from contributors that are:
* Harald Welte <laforge@netfilter.org>.
* Holger Freyther <zecke@selfish.org>
* Alessandro Vesely <vesely@tana.it>
* Bart Schuymer <bdschuym@pandora.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds myself to the copyright notice according to my contributions
in the git repository.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch removes the prefix `0x' of the HW protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the output of the HW address in XML files:
<src>800:800:800:800:800:</src>
now it looks fine:
<src>0019a917a400</src>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
With this patch, nfq_snprintf_xml() returns the number of characters
printed. If the output was truncated, then the return value is the
number of characters that would have been written if enough space
had been available. This makes nfq_snprintf_xml() consistent with
the behaviour of snprintf().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
In 21fd1834b5ce0a1f5b590f7e1ad23bba64fbafdf, we changed nfq_get_payload()
to take an unsigned char * instead of signed char *.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds a new function to output the packet in XML format.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 'data' parameter to nfq_get_payload() returns pointer to unsigned
char (rather than signed char) to make it consistent with the 'buf'
parameter of nfq_set_verdict(), nfq_set_verdict2(), and
nfq_set_verdict_mark(), all of which refer to the same data. Either
signed or unsigned is fine, but they should be consistent as the output
of nfq_get_payload() may be passed back into nfq_set_verdict*(); in that
case, this change eliminates the need for typecasting in the calling
code when using compilers that enforce strict typecasting.
Signed-off-by: David Favro <netfilter@meta-dynamic.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The payload parameters to nfq_set_verdict(), nfq_set_verdict2(), and
nfq_set_verdict_mark() are not modified by those functions, and
therefore should have datatype pointer-to-const. This both causes the
source-code to more effectively represent what is the purpose of the
parameter, and eliminates the need to cast away const-ness when calling
the functions with compilers that enforce strict casting. All existing
calling code should not need modification as pointer-to-X automatically
converts to pointer-to-const-X.
Signed-off-by: David Favro <netfilter@meta-dynamic.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Now, we refer to nfq_set_verdict2() instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Alessandro Vessely <vesely@tana.it>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
* Several parameters are clarified.
* Several previously undocumented return-values are documented.
* nfq_set_verdict_mark() [now deprecated]: notes that mark is in
network byte order.
Signed-off-by: David Favro <netfilter@meta-dynamic.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch deprecates nfq_set_verdict_mark() in favour of
nfq_set_verdict2() which does exactly the same but it also
convert the mark value from host-byte order to network-byte
order as expected by nfnetlink_queue.
I know, this is hackish, but I prefer adding new functions
instead of API versioning which is also ugly.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds a minor notice to warn developers that its
application needs CAP_NET_ADMIN in order to send to and receive
packets from kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
