path: root/src
Commit message (Author, Age, Files, Lines)
* doc: Add information about retrieving UID/GID/SECCTX fields [libnetfilter_queue-1.0.3] (Piotr Radoslaw Sawicki, 2017-06-27, 1, -1/+19)
|   Add information about retrieving UID/GID/SECCTX fields
|   Signed-off-by: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump library release version too (Pablo Neira Ayuso, 2017-06-26, 1, -1/+1)
|   Old APIs still remain, so just increase current and age.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: extend the doxygen section about NFQA_CFG_F_GSO (Florian Westphal, 2017-06-23, 1, -1/+12)
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "src: Declare the define visibility attribute together" (Pablo Neira Ayuso, 2017-04-14, 8, -81/+161)
|   This reverts commit 58cb0668dc15c78cd3af9eeaedf29386e86ecac1.
|   Prepare a new patch to keep this update consistent with libmnl.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Declare the define visibility attribute together (Khem Raj, 2017-04-14, 8, -161/+81)
|   clang ignores the visibility attribute if it's not defined before the definition. As a result these symbols become hidden and consumers of this library fail to link due to these missing symbols.
|   Signed-off-by: Khem Raj <raj.khem@gmail.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Correct typo in the location of internal.h in #include (Khem Raj, 2017-04-14, 1, -1/+1)
|   Signed-off-by: Khem Raj <raj.khem@gmail.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: check result of malloc when creating queue (Victor Julien, 2016-07-03, 1, -0/+2)
|   Signed-off-by: Victor Julien <victor@inliniac.net>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* src: make nfq_open_nfnl thread-safe (Florian Westphal, 2016-06-20, 1, -5/+4)
|   nfq_open_nfnl uses an intermediate static object, so when it is invoked by distinct threads at the same time there is a small chance that some threads end up with another thread's nfq_handle pointer stored in ->data.
|   The result is that the affected queue will be stuck because the thread that was supposed to service it is handling another/wrong queue instead.
|   Tested-by: Michal Tesar <mtesar@redhat.com>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
|   Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nlmsg: add lacking attributes validation (Ken-ichirou MATSUZAWA, 2015-10-05, 1, -0/+9)
|   This patch adds four (actually two) attributes validation with comparing to current kernel header.
|   Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add security context information (Roman Kubiak, 2015-06-30, 2, -0/+24)
|   This commit adds security context information structures and functions. This will allow userspace to find the security context of each packet (if it exists) and make decisions based on that. It should work for SELinux and SMACK.
|   Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: Define _GNU_SOURCE to get members of tcphdr&ucphdr (Felix Janda, 2015-05-29, 2, -0/+2)
|   The source uses linux names for members of tcphdr. For example "source" instead of "th_sport", ... musl libc's headers need _GNU_SOURCE defined in order to expose these.
|   Signed-off-by: Felix Janda <felix.janda@posteo.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use stdint types everywhere (Felix Janda, 2015-05-29, 1, -51/+51)
|   Signed-off-by: Felix Janda <felix.janda@posteo.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: tcp: insufficient sanitization in nfq_tcp_get_payload() (Pablo Neira Ayuso, 2014-06-30, 1, -3/+7)
|   Similar to 7335cbe ("extra: fix wrong implementation in nfq_udp_get_payload").
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: fix wrong implementation in nfq_udp_get_payload (Ting-Wei Lan, 2014-06-30, 1, -4/+8)
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: use inet_ntop instead of inet_ntoa (Ting-Wei Lan, 2014-06-30, 1, -1/+5)
|   The result of inet_ntoa() will be overwritten by the next call to inet_ntoa(), so using it twice in the same snprintf() call causes wrong result.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: PF_BIND/UNBIND is ignored in 3.8 and later (Florian Westphal, 2014-04-24, 2, -2/+8)
|   There is confusion on what this command actually does and why examples commonly PF_UNBIND at startup.
|   Since these are obsolete, document that it's not needed starting with Linux 3.8.
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add support for UID/GID socket info (Valentina Giusti, 2014-01-08, 2, -0/+48)
|   With this patch libnetfilter_queue is able to parse UID/GID socket information.
|   Signed-off-by: Valentina Giusti <Valentina.Giusti@bmw-carit.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: extra: add prefix nfq_ to internal checksum functions (Pablo Neira Ayuso, 2013-08-13, 5, -13/+13)
|   These functions are internal and they belong to the libnetfilter_queue scope, so let's add the corresponding nfq_ prefix.
|   Suggested-by: Florian Westphal <fw@strlen.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: avoid symbol namespace pollution (Florian Westphal, 2013-08-13, 3, -3/+49)
|   As of f40eabb01 (add pkt_buff and protocol helper functions) libnetfilter_queue accidentally exports the internal function named 'checksum'.
|   This is a bit too generic and may cause crashes with applications that worked fine before.
|   This patch makes the functions checksum, checksum_tcpudp_ipv4 and checksum_tcpudp_ipv6 local by building with fvis-hidden and adding EXPORTs for the legacy api calls and the ones that seem to have missing EXPORT tags (mainly pktbuff api).
|   Signed-off-by: Florian Westphal <fw@strlen.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next' (Pablo Neira Ayuso, 2013-08-13, 2, -0/+19)
|\
| |   Get the following patches into master:
| |     examples/nf-queue: receive large gso packets
| |     src: add new GSO handling capabilities
| |     examples/nf-queue: handle recv error, use larger buffer
| * src: add new GSO handling capabilities (Florian Westphal, 2013-04-30, 2, -0/+19)
| |   allows userspace to ask for large gso packets via nfqueue.
| |   Signed-off-by: Florian Westphal <fw@strlen.de>
* | fix valgrind errors of uninitialised byte during call to nfq_unbind_pf (Tamas Lengyel, 2013-06-01, 1, -0/+1)
|/
|   Valgrind generates error reports during a call to the nfq_unbind_pf function:
|   ==00:00:00:08.662 22111== 4 errors in context 1 of 1:
|   ==00:00:00:08.662 22111== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
|   ...
|   ==00:00:00:08.662 22111== Uninitialised value was created by a stack allocation
|   ==00:00:00:08.662 22111== at 0x679C30B: __build_send_cfg_msg (libnetfilter_queue.c:178
|   Signed-off-by: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* build: don't install internal.h (Florian Westphal, 2013-04-27, 1, -1/+1)
|   Signed-off-by: Florian Westphal <fw@strlen.de>
* src: document NFQA_CFG_F_CONNTRACK flag (Pablo Neira Ayuso, 2013-03-14, 1, -5/+9)
|   Suggested by Eric Leblond.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doxygen: improve documentation (Eric Leblond, 2013-01-25, 1, -1/+21)
|   This patch improves the doxygen documentation and adds a reference to an external article.
* doxygen: improve fail-open documentation. (Eric Leblond, 2013-01-25, 1, -0/+8)
|
* fix compilation warning in nfq_get_payload (Pablo Neira Ayuso, 2012-08-21, 1, -1/+2)
|   libnetfilter_queue.c: In function 'nfq_get_payload':
|   libnetfilter_queue.c:1116:8: warning: pointer targets in assignment differ in signedness [-Wpointer-sign]
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nf-queue: fix compilation warning with gcc-4.7 (Pablo Neira Ayuso, 2012-08-20, 1, -6/+7)
|   nf-queue.c: In function ‘main’:
|   nf-queue.c:146:12: warning: unused variable ‘id’ [-Wunused-variable]
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update doxygen documentation for new API for libmnl (Pablo Neira Ayuso, 2012-08-20, 5, -6/+85)
|   This patch updates the doxygen documentation for the new API.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* pktbuff: fix pktb_push, _pull and _put function (Pablo Neira Ayuso, 2012-08-20, 1, -2/+5)
|   Fix wrong arithmetics and missing pktb->len update
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extra: pktbuff: pktb_expand_tail return 0 if there is no room in the tail (Pablo Neira Ayuso, 2012-08-20, 1, -3/+9)
|   pktb_expand_tail returns 0 if there is no room for the mangling.
|   Note that we don't support dynamic reallocation, instead the caller is responsible for allocating the extra room via pktb_alloc according to the maximum amount of bytes it needs for the mangling.
|   Since pkt_buff layout is not exposed, we can change this in the future if we prefer dynamic reallocation.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add mangle functions for IPv4/TCP and IPv4/UDP (Pablo Neira Ayuso, 2012-08-06, 7, -4/+137)
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add pkt_buff and protocol helper functions (Pablo Neira Ayuso, 2012-08-06, 8, -1/+826)
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add new libnetfilter_queue API for libmnl (Pablo Neira Ayuso, 2012-08-06, 3, -2/+191)
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: implement API to set per-queue flags (Krishna Kumar, 2012-07-14, 2, -1/+43)
|   Implement API to set per-queue flags. This is initially used to implement fail-open support in NFQUEUE.
|   [ Pablo mangled this patch to bump LIBVERSION as well ]
|   Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.1 [libnetfilter_queue-1.0.1] (Pablo Neira Ayuso, 2012-01-02, 1, -1/+1)
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notes on NF_STOLEN and NF_REPEAT to documentation (Florian Westphal, 2011-09-06, 1, -1/+6)
|   The verdict NF_STOLEN must not be used.
|   When using NF_REPEAT, one way to prevent re-queueing of the same packet is to also set an nfmark using nfq_set_verdict2, and set up the netfilter rules to only queue a packet when the mark is not (yet) set.
|   Signed-off-by: Florian Westphal <fw@strlen.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* src: add NFQNL_MSG_VERDICT_BATCH support (Florian Westphal, 2011-09-06, 1, -6/+44)
|   add nfq_set_verdict_batch() and nfq_set_verdict_batch2 (to also set the nfmark of all packets).
|   verdicts sent by the _batch variant will affect all queued skbs whose id is smaller or equal to the given id.
|   This facility is available from Linux 3.1 onwards.
|   Signed-off-by: Florian Westphal <fw@strlen.de>
|   Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* build: use -Wall across the entire source (Jan Engelhardt, 2010-12-30, 1, -1/+0)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: create a Make_global.am file (Jan Engelhardt, 2010-12-30, 1, -1/+1)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix wrong documentation on NFQNL_COPY_NONE (Pablo Neira Ayuso, 2010-12-07, 1, -1/+1)
|   NFQNL_COPY_NONE means noop and should not be used.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document some performance tweaks for libnetfilter_queue (Pablo Neira Ayuso, 2010-11-03, 1, -1/+22)
|   This patch documents some performance tweaks for libnetfilter_queue applications.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' of git://dev.medozas.de/libnetfilter_queue (Pablo Neira Ayuso, 2010-11-01, 1, -3/+3)
|\
| * build: remove -fPIC flag (Jan Engelhardt, 2010-10-30, 1, -1/+1)
| |   libtool automatically adds PIC flags as needed.
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: no need for error message in PKG_CHECK_MODULES (Jan Engelhardt, 2010-10-30, 1, -2/+2)
| |   PKG_CHECK_MODULES already produces its own (and more verbose) message when a module cannot be found.
| |   Mucking around with CFLAGS and LIBS is also not needed since pkgconfig takes care of providing variables, so let's use them in Makefile.am.
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: avoid use of deprecated INCLUDES (Jan Engelhardt, 2010-10-30, 1, -1/+1)
| |   Makefile.am: "INCLUDES" is the old name for "AM_CPPFLAGS" (or "*_CPPFLAGS")
| |   And remove unused $(all_includes)
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | license: upgrade to GPLv2+ (Pablo Neira Ayuso, 2010-10-29, 1, -1/+1)
|/
|   This patch upgrades the license to GPLv2+. I have received an explicit ACK via email from contributors that are:
|     * Harald Welte <laforge@netfilter.org>.
|     * Holger Freyther <zecke@selfish.org>
|     * Alessandro Vesely <vesely@tana.it>
|     * Bart Schuymer <bdschuym@pandora.be>
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfq: fix redundant LIBVERSION definition (Pablo Neira Ayuso, 2010-07-15, 1, -1/+19)
|   I accidentally inserted LIBVERSION to Makefile.am but the one used is in src/Makefile.am. This patch removes the previous definition.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfq: add myself to the copyright notice (Pablo Neira Ayuso, 2010-07-15, 1, -0/+1)
|   This patch adds myself to the copyright notice according to my contributions in the git repository.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfq: add missing documentation on nfq_snprintf_xml() (Pablo Neira Ayuso, 2010-07-15, 1, -0/+32)
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>