Age | Commit message | Author |
|
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectation, it loops on the table to count the number of entries
(as there is no proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can filter expected connections:
# conntrack -L --status EXPECTED
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the options release to free_options(). It also
moves the free_options call after the error checking because
exit_error already frees the options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can specify the following command to dump the
expectation table, instead of writing 'expect'.
# conntrack -L e
The following commands are also valid:
# conntrack -L ex
# conntrack -L exp
and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces a couple of hardcoded buffer sizes by sizeof()
calls. This sort of code is error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a warning wrongly displayed to stdout instead of stderr.
Make the warning message homogeneous with the others.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch relaxes the parameter checking as now we don't need to
pass --status when we create a conntrack via command line interface.
In this case, the conntrack entry is created only with the
IPS_CONFIRMED flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up the NAT filtering. The former code had three
branches: one if src and dst NAT are set, else one if src NAT is
set, else one if dst NAT is set.
Now, we check if src NAT is set or if dst NAT is set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the dump counter displayed with -L expect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes filtering for unsupported protocols. Thus, you can
use -L -p 47 or -L -p gre to filter `gre' traffic.
Based on an initial patch from Bryan Duff <bduff@astrocorp.com>.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The mark-based filtering for events does not work if the mark is not
present in the event message. This happens because nfct_cmp() skips
the comparison of the compared objects since they do not have the
same attributes set. This patch makes use of the new NFCT_CMP_MASK
flag that returns false if the first object passed as parameter is
set and the second is not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the use of snprintf and directly prints the XML header
to the standard output. This simplifies the handling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up the update path for the conntrack utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Insert string `conntrack-tools' in error messages to explicitly print
that this version is inside the conntrack-tools package.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
If getopt_long returns '?', show an error telling that some
arguments are missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Remove extra \n in error message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Remove duplicated optarg checks for options that require mandatory
parameters. This checking is already done by getopt_long().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Use %zu instead of %u for size_t to remove compilation warning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Add new option --buffer-size for -E to set the netlink socket buffer
size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
add missing string.h required by strdup in config parsing
|
|
|
|
o recover the ID support
o show display counters to stderr
o enable filtering by status and ID
|
|
|
|
o check for missing source/address IP/ports in creation and get operations
o way more flexible conntrack updates and deletions
o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)
o show display counters to stderr
o minor cleanups
|
|
o check for missing source/address IP/ports
o minor cleanups
|
|
via M.Kellermann)
|
|
o add ICMPv6 (-p icmpv6) support
o add possibility to distinguish between invalid (unknown) and empty proto
|
|
only which is incompatible AFAIK
|
|
has been Max Kellermann and has no issues with relicensing their contributions.
|
|
explicitly cast in nat_parse()
Previous commit was an error
|
|
eliminate local variable by returning from the loop
|
|
remove superfluous initialization
|
|
import only required C headers and put local headers on top to check
|
|
check for malloc() failure in merge_opts
|
|
use C99 integers (uint32_t instead of u_int32_t)
|
|
|
|
Fix tons of gcc warnings
|
|
fix shadow warnings by renaming variables or making them local
|
|
Use list_for_each_entry() instead of list_for_each()
|
|
|
|
|
|
o fix missing `-g' and `-n' options in getopt_long control string
o add support for secmark (requires Linux kernel >= 2.6.25)
o add mark and secmark information to the manpage
o cleanup error message
= conntrackd =
o add support for secmark (requires Linux kernel >= 2.6.25)
o add conntrackd (8) manpage
|
|
- use buffer of MTU size
conntrack:
- better protocol argument checks
- fix per-protocol filtering, e.g. conntrack -[L|E] -p tcp now works
- show per-protocol help, i.e. conntrack -h -p tcp
- add alias --src for --orig-src and alias --dst for --orig-dst
|
|
|
|
- update conntrack(8) manpage
|
|
o remove bogus option to get a conntrack in test.sh example file
|
|
|
|
o several fixes for the output of usage messages
|
|
- use positive logic in error handling
|