| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
This patch adds four (actually two) attributes validation with
comparing to current kernel header.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds security context information structures
and functions.
This will allow userspace to find the security context of each
packet (if it exists) and make decisions based on that.
It should work for SELinux and SMACK.
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The source uses linux names for members of tcphdr. For example
"source" instead of "th_sport", ... musl libc's headers need
_GNU_SOURCE defined in order to expose these.
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Similar to 7335cbe ("extra: fix wrong implementation in
nfq_udp_get_payload").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The result of inet_ntoa() will be overwritten by the next call to
inet_ntoa(), so using it twice in the same snprintf() call causes
wrong result.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
There is confusion on what this command actually does and why
examples commonly PF_UNBIND at startup.
Since these are obsolete document that its not needed starting
with Linux 3.8.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
With this patch libnetfilter_queue is able to parse UID/GID
socket information.
Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
These functions are internal and they belong to the libnetfilter_queue scope,
so let's add the corresponding nfq_ prefix.
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As of f40eabb01 (add pkt_buff and protocol helper functions)
libnetfilter_queue accidentally exports the internal function named
'checksum'. This is a bit too generic and may cause crashes with
applications that worked fine before.
This patch makes the functions checksum, checksum_tcpudp_ipv4 and
checksum_tcpudp_ipv6 local by building with fvis-hidden and adding
EXPORTs for the legacy api calls and the ones that seem to have missing
EXPORT tags (mainly pktbuff api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\
| |
| |
| |
| |
| |
| |
| | |
Get the following patches into master:
examples/nf-queue: receive large gso packets
src: add new GSO handling capabilities
examples/nf-queue: handle recv error, use larger buffer
|
| |
| |
| |
| |
| |
| | |
allows userspace to ask for large gso packets via nfqueue.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind generates error reports during a call
to the nfq_unbind_pf function:
==00:00:00:08.662 22111== 4 errors in context 1 of 1:
==00:00:00:08.662 22111== Syscall param socketcall.sendto(msg) points
to uninitialised byte(s)
...
==00:00:00:08.662 22111== Uninitialised value was created by a stack allocation
==00:00:00:08.662 22111== at 0x679C30B: __build_send_cfg_msg
(libnetfilter_queue.c:178
Signed-off-by: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
Suggested by Eric Leblond.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
This patch improves the doxygen documentation and adds a reference
to an external article.
|
| |
|
|
|
|
|
|
|
| |
libnetfilter_queue.c: In function 'nfq_get_payload':
libnetfilter_queue.c:1116:8: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
nf-queue.c: In function ‘main’:
nf-queue.c:146:12: warning: unused variable ‘id’ [-Wunused-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch updates the doxygen documentation for the new API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fix wrong arithmetics and missing pktb->len update
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
pktb_expand_tail returns 0 if there is no room for the mangling.
Note that we don't support dynamic reallocation, instead the
caller is responsible for allocating the extra room via pktb_alloc
according to the maximum amount of bytes it needs for the mangling.
Since pkt_buff layout is not exposed, we can change this in the
future if we prefer dynamic reallocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Implement API to set per-queue flags. This is initially used
to implement fail-open support in NFQUEUE.
[ Pablo mangled this patch to bump LIBVERSION as well ]
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The verdict NF_STOLEN must not be used.
When using NF_REPEAT, one way to prevent re-queueing of the
same packet is to also set an nfmark using nfq_set_verdict2,
and set up the nefilter rules to only queue a packet when the
mark is not (yet) set.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
add nfq_set_verdict_batch() and nfq_set_verdict_batch2 (to also
set the nfmark of all packets).
verdicts sent by the _batch variant will affect all queued skbs
whose id is smaller or equal to the given id.
This facility is available from Linux 3.1 onwards.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
NFQNL_COPY_NONE means noop and should not be used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch documents some performance tweaks for libnetfilter_queue
applications.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\ |
|
| |
| |
| |
| |
| |
| | |
libtool automatically adds PIC flags as needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
PKG_CHECK_MODULES already produces its own (and more verbose) messsage
when a module cannot be found.
Mucking around with CFLAGS and LIBS is also not needed since pkgconfig
takes care of providing variables, so let's use them in Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Makefile.am: "INCLUDES" is the old name for "AM_CPPFLAGS" (or "*_CPPFLAGS")
And remove unused $(all_includes)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|/
|
|
|
|
|
|
|
|
|
|
| |
This patch upgrades the license to GPLv2+. I have received an explicit
ACK via email from contributors that are:
* Harald Welte <laforge@netfilter.org>.
* Holger Freyther <zecke@selfish.org>
* Alessandro Vesely <vesely@tana.it>
* Bart Schuymer <bdschuym@pandora.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
I accidentally inserted LIBVERSION to Makefile.am but the one
used is in src/Makefile.am. This patch removes the previous
definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds myself to the copyright notice according to my contributions
in the git repository.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch removes the prefix `0x' of the HW protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the output of the HW address in XML files:
<src>800:800:800:800:800:</src>
now it looks fine:
<src>0019a917a400</src>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
With this patch, nfq_snprintf_xml() returns the number of characters
printed. If the output was truncated, then the return value is the
number of characters that would have been written if enough space
had been available. This makes nfq_snprintf_xml() consistent with
the behaviour of snprintf().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
In 21fd1834b5ce0a1f5b590f7e1ad23bba64fbafdf, we changed nfq_get_payload()
to take an unsigned char * instead of signed char *.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds a new function to output the packet in XML format.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 'data' parameter to nfq_get_payload() returns pointer to unsigned
char (rather than signed char) to make it consistent with the 'buf'
parameter of nfq_set_verdict(), nfq_set_verdict2(), and
nfq_set_verdict_mark(), all of which refer to the same data. Either
signed or unsigned is fine, but they should be consistent as the output
of nfq_get_payload() may be passed back into nfq_set_verdict*(); in that
case, this change eliminates the need for typecasting in the calling
code when using compilers that enforce strict typecasting.
Signed-off-by: David Favro <netfilter@meta-dynamic.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The payload parameters to nfq_set_verdict(), nfq_set_verdict2(), and
nfq_set_verdict_mark() are not modified by those functions, and
therefore should have datatype pointer-to-const. This both causes the
source-code to more effectively represent what is the purpose of the
parameter, and eliminates the need to cast away const-ness when calling
the functions with compilers that enforce strict casting. All existing
calling code should not need modification as pointer-to-X automatically
converts to pointer-to-const-X.
Signed-off-by: David Favro <netfilter@meta-dynamic.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Now, we refer to nfq_set_verdict2() instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|