summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2015-11-26Merge tag 'conntrack-tools-1.4.3' into lithiumAlex Harpin
conntrack-tools 1.4.3 release
2015-11-25Merge tag 'conntrack-tools-1.4.2' into lithiumAlex Harpin
conntrack-tools 1.4.2 release
2015-11-24Merge tag 'conntrack-tools-1.4.1' into lithiumAlex Harpin
conntrack-tools 1.4.1 release
2015-11-21Merge tag 'conntrack-tools-1.4.0' into lithiumAlex Harpin
conntrack-tools 1.4.0 release
2015-10-02conntrackd: build: fix crash when optional kernel modules are not loadedPablo Neira Ayuso
Fix a possible crash if conntrackd sees DCCP, SCTP and ICMPv6 traffic and the corresponding kernel modules that track this traffic are not available. Fixes: http://bugzilla.netfilter.org/show_bug.cgi?id=910 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-26nfct: Update syntax to specify command before subsystemPablo Neira Ayuso
This patch gets the nfct syntax in sync with nft so it looks like this: nfct <add|delete|...> object ... instead of: nfct object <add|delete|...> ... This patch retains backward compatibility so you can still use the old syntax. The manpage and tests have been also updated to promote the adoption of this syntax. We should have little existing clients of this tool as we can only use this to configure the cttimeout and cthelper infrastructures. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-26nfct: don't link against libnetfilter_conntrackArturo Borrero
The nfct program uses none of the symbols of libnetfilter_conntrack. Linking against it means that distributors have to maintain an useless depedency. This was spotted by the dpkg-shlibdeps tool. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: missing break in expectation message parser functionPablo Neira Ayuso
Fortunately, the TLVs come in order in the message, however, if the order is changed we'll incorrectly set up the expectation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: use strncpy to set up the cache namePablo Neira Ayuso
This is not exposed, but use the strncpy() variant to calm down static code validators. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: simplify branch in tcp_accept()Pablo Neira Ayuso
The same code is executed regardless the reason why accept() has failed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: fix error handling in nfq_queue_cb()Pablo Neira Ayuso
Make sure we have a clean exit on error, everything needs to be properly released. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: fix descriptor leak in do_local_request()Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: fix leak in fork_process_new()Pablo Neira Ayuso
Release the child_process structure in case that fork() fails. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: NTA_MAX is also an invalid attributePablo Neira Ayuso
Otherwise this can result in an off-by-one array access. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18conntrackd: fix sanitization of expection attribute in the wire formatPablo Neira Ayuso
The maximum number of attribute is NTA_EXP_MAX for expectation sync messages. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-07-03conntrack: made the protocol option value case insensitiveSzilárd Pfeiffer
Extensions register protocols by lowercase protocol name, but value of proto command line option may be uppercase. Extension related options cannot be used when protocol name comparision fails. Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu> Signed-off-by: Florian Westphal <fw@strlen.de>
2015-06-26conntrack: fix expectation entry creationSzilárd Pfeiffer
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-06-26conntrack: refactor handling of address optionsSzilárd Pfeiffer
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-06-12cthelper: Optimise nfq_queue_cbPaul Aitken
ct and myct have both already been checked for non-NULL, so there's no need to check either of them again later. Signed-off-by: Paul Aitken <paitken@brocade.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-06-12conntrackd: remove unused 'numbytes'Paul Aitken
'numbytes' isn't used and can be removed. Signed-off-by: Paul Aitken <paitken@brocade.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-29expect: Fix wrong memset usagePablo Neira Ayuso
memset fills bytes, not ulongs - so the second parameter (the fill value) has to be a byte. Reported-by: Paul Aitken <paitken@brocade.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-21cthelper: don't pass up a 0 length queueChas Williams III
If the user didn't specify a queue length in the configuration file it will have a length of 0. Allow the kernel's default to take precedence instead. Signed-off-by: Charles (Chas) Williams <ciwillia@brocade.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-21netlink: Use <fcntl.h> instead of legacy synonym <sys/fcntl.h>Felix Janda
Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-21src: Define _GNU_SOURCE to get members of tcphdr&ucphdrFelix Janda
The source uses linux names for members of tcphdr. For example "source" instead of "th_sport", ... musl libc's headers need _GNU_SOURCE defined in order to expose these. Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-21src: Use stdint typesFelix Janda
Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-02-19conntrackd: allow strings with underscore from flex scannerPablo Neira Ayuso
Some people use interface names with underscores, so allow them from the flex scanner. Original patch from http://patchwork.ozlabs.org/patch/440600/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-02-13conntrack: fix setting labels in updatesJarno Rajahalme
When updating labels we always have to send the same sized bitmask as we received, as the bits we do omit will otherwise cleared as "padding". Mask has to have the same size as the labels, otherwise it will not be encoded by libnetfilter_conntrack, as different sizes are not accepted by the kernel either. Finally, kernel only retains old bit values that we send as zeroes in BOTH the label and the mask, due to XOR used in bit manipulation. This patch fixes all these issues and allows updates to set new labels without accidentally clearing old ones. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Signed-off-by: Florian Westphal <fw@strlen.de>
2014-12-11channel: Fix file descriptor leak in channel_open() on errorThomas Jarosch
Detected by cppcheck Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-06-13conntrackd: build: fix crash when optional kernel modules are not loadedPablo Neira Ayuso
Fix a possible crash if conntrackd sees DCCP, SCTP and ICMPv6 traffic and the corresponding kernel modules that track this traffic are not available. Fixes: http://bugzilla.netfilter.org/show_bug.cgi?id=910 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-05-29udp: bind UDP sender side to same interface of the receiver sidePablo Neira Ayuso
Otherwise, the kernel may select a different interface for the client side. Original patch from Michael Griego. While at it, remove some trailing whitespaces. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-05-13nfct: timeout: add support for default protocol timeout tuningPablo Neira Ayuso
This new interface supersedes the /proc interface: /proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout to tune default conntrack timeout helpers. # nfct timeout default-get inet tcp .l3proto = 2, .l4proto = 6, .policy = { .SYN_SENT = 120, .SYN_RECV = 60, .ESTABLISHED = 432000, .FIN_WAIT = 120, .CLOSE_WAIT = 60, .LAST_ACK = 30, .TIME_WAIT = 120, .CLOSE = 10, .SYN_SENT2 = 120, .RETRANS = 300, .UNACKNOWLEDGED = 300, }, }; # nfct timeout default-set inet tcp ESTABLISHED 100 As replacement for the existing /proc interfaces for timeout tweaking. This feature requires a Linux kernel >= 3.13. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-05-12nfct: remove unneeded included headerPablo Neira Ayuso
This fixes a compilation breakage when libnetfilter_cttimeout.h is not installed. Reported-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-03-12conntrackd: userspace SSDP helperAsh Hughes
Here is a patch which adds a userspace conntrack helper for the SSDP protocol. This is based on the code found at: http://marc.info/?t=132945775100001&r=1&w=2 I'm not sure how to get my laptop to play at IPv6, so I've not tested this part, but I've tested the IPv4 section and it works. Signed-off-by: Ash Hughes <ashley.hughes@blueyonder.co.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-15conntrackd: Don't hardcode libs dir pathHani Benhabiles
Use CONNTRACKD_LIB_DIR instead of hardcoded path. Signed-off-by: Hani Benhabiles <kroosec@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-11nfct: Fix use-after-free / double-freeHani Benhabiles
helper's list and flush commands handlers shouldn't call mnl_socket_close on the passed netlink socket as it is done in the main function after parse_params call. Bug introduced in (3c78a45 nfct: src: consolidate netlink socket creation). Signed-off-by: Hani Benhabiles <kroosec@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-07conntrackd: cthelper: add amanda helperPablo Neira Ayuso
This patch adds a userspace port of the amanda helper that is currently implemented in the kernel. Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
2013-10-03conntrackd: cthelper: add TFTP helperPablo Neira Ayuso
This patch adds an userspace port of the TFTP helper that is currently implemented in the kernel. This includes NAT support. It requires a Linux kernel 3.12. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-03conntrackd: cthelper: add SANE helperPablo Neira Ayuso
This patch adds an userspace port of the SANE helper that is currently implemented in the kernel. This requires Linux kernel 3.12 to work.
2013-10-01nfct: src: consolidate netlink socket creationPablo Neira Ayuso
Open the socket from the main function, then pass it as parameter to the corresponding interpreter. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-01nfct: src: add nfct_mnl_talk and use itPablo Neira Ayuso
Add helper function nfct_mnl_talk and use it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-30nfct: timeout: split nfct_cmd_timeout_add in several functionsPablo Neira Ayuso
This patch is a cleanup to split this function in smaller chunks. It is required to prepare default protocol timeout tuning via netlink.
2013-09-30nfct: timeout: use getprotoentPablo Neira Ayuso
The kernel bails out for unsupported protocols. Moreover, we don't need to upgrade to support new protocols. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-26build: add --disable-cthelper and --disable-cttimeoutPablo Neira Ayuso
This patch allows you to disable userspace helper support and conntrack timeout tuning at build stage. By default, both features are enabled, to avoid breaking backward compatibility. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-26nfct: modularize extensionsPablo Neira Ayuso
Modularize timeout and helper extensions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-26conntrackd: helpers: add DHCPv6 helperPablo Neira Ayuso
This patch adds support for the DHCPv6 helper. 1) nfct helper add dhcpv6 inet6 udp 2) ip6tables -I OUTPUT -t raw -p udp --sport 546 -j CT --helper dhcpv6 3) run conntrackd You should see: % conntrack -L exp -f ipv6 279 proto=17 src=:: dst=ff02::1:2 sport=0 dport=546 mask-src=:: mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=fe80::221:ccff:fe4a:7f9c master-dst=ff02::1:2 sport=546 dport=547 PERMANENT class=0 helper=dhcpv6 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-26conntrackd: cthelper: allow to attach expectations via nfqueuePablo Neira Ayuso
This requires the Linux kernel 3.12. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-15conntrack: do not exit when update returns an errorFlorian Westphal
If we fail to update an entry, just try to continue with the next one instead of exiting. Can happen f.e. when using "conntrack -U --add-label bla", but the conntrack entry in the kernel does not have the label extension set. Signed-off-by: Florian Westphal <fw@strlen.de>
2013-09-15conntrack: support add/delete of conntrack labelsClemence Faure
new options "--label-add" and "--label-delete" to alter connlabels assigned to a connection. Signed-off-by: Clemence Faure <clemence.faure@sophos.com> Signed-off-by: Florian Westphal <fw@strlen.de>
2013-09-15conntrack: support multiple -l optionsFlorian Westphal
Using -l foo -l bar caused the "foo" label to be lost. Merge multiple -l options so "-l foo,bar" and "-l foo -l bar" have same effect. Signed-off-by: Florian Westphal <fw@strlen.de>
2013-09-04conntrack: minor cleanupFlorian Westphal
Rename get_table to generic "optional argument handling" helper, so it can be re-used in upcoming patch. While at it, avoid copy&paste of "labelmap" handling. Signed-off-by: Florian Westphal <fw@strlen.de>