Age | Commit message | Author

parse.c: In function ‘msg2ct’:
parse.c:258: error: ‘NULL’ undeclared (first use in this function)
parse.c:258: error: (Each undeclared identifier is reported only once
parse.c:258: error: for each function it appears in.)
needed #include <stddef.h>

It was set to NFCT_HELPER_NAME_MAX (16 bytes), but we have function
names that are larger, e.g. nf-nat-follow-master which is 18 bytes
long.
This leads to hitting a malformed message while synchronizing
expectations.
I'll add some new constant to libnetfilter_conntrack instead of
hardcoding this, later.
Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 46faeab56cf4117f41cb6f1f1c40a9c18a81372f)
(cherry picked from commit 0cf70ce9b1bcb63d54d9514558b74ae2bde39d9f)

ignoring ignored addresses during flush

While adding the expectation support for conntrackd, I accidentally
broke synchrony in the 'conntrackd -c' command.
Basically, conntrackd -c should not return control to the shell
until the cache has been committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 7eb63b5872f07903d952aa5cfd6ad0e7647a066a)
(cherry picked from commit 93d244a982f80a691bfb6eb4e17e2cccc32a5cb9)

Flushing the external cache, i.e. conntrackd -f, while a commit is in progress
is not allowed anymore, i.e. conntrackd -c.
Note that conntrackd -c is synchronous. Thus, it returns control to the
caller once the commit has finished.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 8648ae6d08bb84030c2c3519454532f6e04e31d9)
(cherry picked from commit 3611b5f5992837224205361c25cfed55c47af8c4)

pacifica
Conflicts:
include/helper.h
src/expect.c
src/helpers/ftp.c
src/helpers/rpc.c
src/helpers/tns.c
tests/conntrackd/cthelper/main.c
tests/conntrackd/cthelper/run-test.sh

This patch adds the automated testing infrastructure for the user-space
helpers. Basically, this adds the `cthelper-test' program that can
be invoked from the command line:
./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521
To test the helper with one PCAP file that contains traces of Oracle TNS
traffic. It also provides tweaks to test the DNAT content mangling code:
./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521 dnat
This will also allow fuzz testing of user-space helpers, for further
validation, not yet implemented.
To compile this tool, you have to run:
./configure
make check
under the qa/cthelper-test/ directory. I'm doing it like this because
this directory is not included in the standalone tarball that
make distcheck generates (I don't want to bloat it with development
tools that can be retrieved from the git repository).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

How to use this helper in a few steps:
1) You can enable this helper via:
nfct helper add rpc inet tcp
nfct helper add rpc inet udp
2) Configure /etc/conntrackd/conntrackd.conf and launch it.
3) You can test this helper locally with the following rule-set:
iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P OUTPUT DROP
4) Configure NFS and export some local directory. Then, mount it with version 3.
mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/
You should see permanent expectations created for this.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

user_space_helpers
Conflicts:
src/cthelper.c
src/helpers/ftp.c
src/helpers/tns.c

This patch adds the automated testing infrastructure for the user-space
helpers. Basically, this adds the `cthelper-test' program that can
be invoked from the command line:
./cthelper-test oracle-tns/oracle-tns-redirect.pcap tns tcp
To test the helper with one PCAP file that contains traces of Oracle TNS
traffic.
This will also allow fuzz testing of user-space helpers, for further
validation, not yet implemented.
To compile this tool, you have to run:
./configure
make check
under the qa/cthelper-test/ directory. I'm doing it like this because
this directory is not included in the standalone tarball that
make distcheck generates (I don't want to bloat it with development
tools that can be retrieved from the git repository).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

user_space_helpers
Conflicts:
.gitignore
src/run.c

This patch moves the specific ctnetlink code to ctnl.c to prepare
the introduction of the cthelper infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>