Age | Commit message | Author |
|
In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the
inconsistent behaviour that I described in
85f94171a71880c744f265268f33ad58819caa74. Great.
This patch fixes this again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the --any-nat option, which allows displaying src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch allows the following command to filter port-based NAT:
$ conntrack -L --dst-nat :9999
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup: it puts all the commands and options code
together. This makes the task of adding new commands and options
easier and less error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup: it expands an array that contains the
correspondence between the option flags and the option names.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e
was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted
OR destination-natted flows. This patch changes the behaviour to
show source-natted AND destination-natted flows.
This is the consistent behaviour that we expect from conntrack
(this is how it works for other options indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering with --src-nat and --dst-nat options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since
it breaks conntrack listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Read an integer right away with fscanf() instead of read()-ing to a
buffer, which was actually too small for the terminating '\0', and
atoi()-ing. Furthermore, read() might not read enough, though that is unlikely
here.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Avoid this error:
conntrack v0.9.13 (conntrack-tools): Operation failed: No such file or
directory
when using 'conntrack -E -e ALL ...'.
This is caused by the fact that netfilter expectations also get
delivered, but things are not set up for this, so nfnl_catch returns -1
and errno = ENOENT.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
When 'conntrack' is called with no arguments, garbage is printed
after the usage message. This patch fixes this.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds GRE support for the command line tool conntrack.
With this patch, we support all protocols available in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
|
|
This patch fixes an English typo in an output message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds DCCP support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds SCTP support to the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds UDPlite support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch extends the generic_opt_check() function to add
extra information on the possible option combinations. Under
some specific situations, like the creation and getting of
a conntrack, you may specify the original or the reply tuple,
but at least one MUST be present. This handling has
always been tricky; it still is, but we're more user-friendly
at least.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the broken command checking. This is better
handled by the option checking, which comes just after this one.
This patch also fixes some inconsistencies in the command
parameter checking when long names are used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the `-S' command to display kernel statistics. Using
raw `cat' on /proc and the hexadecimal output is not very handy.
This option parses the /proc entry and displays the information
in a more human-friendly way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes some missing bits for the `-C' conntrack command,
like the manpage information, the usage help, the `--counters'
synonym and the commands vs. options checking.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The option --status can be used with -I. Currently, this behaviour
is broken.
conntrack v0.9.9 (conntrack-tools): Illegal option `--status' with this command
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectations, it loops on the table to count the number of entries
(as there is no proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can filter expected connections:
# conntrack -L --status EXPECTED
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the options release to free_options(). It also
moves the free_options call after the error checking because
exit_error already frees the options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can specify the following command to dump the
expectation table, instead of writing 'expect':
# conntrack -L e
The following commands are also valid:
# conntrack -L ex
# conntrack -L exp
and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces a couple of hardcoded buffer sizes with sizeof()
calls. This sort of code is error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a warning wrongly displayed to stdout instead of stderr,
and makes the warning message consistent with the others.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch relaxes the parameter checking as now we don't need to
pass --status when we create a conntrack via command line interface.
In this case, the conntrack entry is created only with the
IPS_CONFIRMED flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up the NAT filtering. The former code had three
branches: one if src and dst NAT are set, else one if src NAT is
set, else one if dst NAT is set.
Now, we check if src NAT is set or if dst NAT is set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the dump counter displayed with -L expect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes filtering for unsupported protocols. Thus, you can
use -L -p 47 or -L -p gre to filter `gre' traffic.
Based on an initial patch from Bryan Duff <bduff@astrocorp.com>.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The mark-based filtering for events does not work if the mark is not
present in the event message. This happens because nfct_cmp() skips
the comparison of the compared objects since they do not have the
same attributes set. This patch makes use of the new NFCT_CMP_MASK
flag, which returns false if the first object passed as parameter is
set and the second is not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the use of snprintf and directly prints the XML header
to the standard output. This simplifies the handling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up the update path for the conntrack utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Insert string `conntrack-tools' in error messages to explicitly print
that this version is inside the conntrack-tools package.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
If getopt_long returns '?', show an error saying that some
arguments are missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Remove extra \n in error message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Remove duplicated optarg checks for options that require mandatory
parameters. This checking is already done by getopt_long().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Use %zu instead of %u for size_t to remove compilation warning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Add new option --buffer-size for -E to set the netlink socket buffer
size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
add missing string.h required by strdup in config parsing
|
|
o recover the ID support
o show display counters to stderr
o enable filtering by status and ID
|
|
o check for missing source/address IP/ports in creation and get operations
o way more flexible conntrack updates and deletions
o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)
o show display counters to stderr
o minor cleanups
|
|
o check for missing source/address IP/ports
o minor cleanups
|
|
via M.Kellermann)
|
|
o add ICMPv6 (-p icmpv6) support
o add possibility to distinguish between invalid (unknown) and empty proto
|