libnetfilter_conntrack 1.0.5 release

libnetfilter_conntrack 1.0.4 release

libnetfilter_conntrack 1.0.3 release

libnetfilter_conntrack 1.0.2 release

The ct_echo_event and ct_mark_filter tests break `make distcheck'. Get them
out of the way until...

Signed-off-by: Pablo Neira Ayuso <[email protected]>

Signed-off-by: Ken-ichirou MATSUZAWA <[email protected]>
Signed-off-by: Florian Westphal <fw@...

Add VyOS based dh_gencontrol settings to debian/rules to enable
development builds (999.dev).

Signed-off-by: Felix Janda <[email protected]>
Signed-off-by: Pablo Neira Ayuso <pablo@netfi...

Signed-off-by: Felix Janda <[email protected]>
Signed-off-by: Pablo Neira Ayuso <pablo@netfi...

testing mark filter in root by

# ./qa/ct_mark_filter.sh

Signed-off-by: Ken-ichirou MATSUZA...

This patch adds mark filter for event listener, using same struct
nfct_filter_dump_mark at dump....

This breaks static builds where the toolchain completely lacks libdl.

Signed-off-by: Gustavo Za...

nssocket forks and change netns pre-establishd by ip(8), serves its
socket descriptor to parent ...

Signed-off-by: Ken-ichirou MATSUZAWA <[email protected]>
Signed-off-by: Florian Westphal <fw@...

for nfct_bitmask_clear() and nfct_bitmask_equal()

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@...

This patch adds two functions, useful for ulogd IPFIX
output module.

Signed-off-by: Ken-ichirou...

Relax checking for MARK and ZONE to treat 'attribute not
set' like 'attribute is set to 0'.

Thi...

Test all combinations of flags/attribute states for both
ZONE and MARK.

Signed-off-by: Ken-ichi...

nfct_filter_dump_set_attr() will set the bit.

Signed-off-by: Ken-ichirou MATSUZAWA <[email protected]...

As reported by Ken-ichirou MATSUZAWA:

"conntrack -L --zone 0" doesn't list any output.

nfct_cm...

unsigned, < 0 is always false.

Signed-off-by: Florian Westphal <[email protected]>

Stefan reported that the *_catch() functions documentation was imprecise
on some aspects.

Repor...

Substract the netlink + nfnetlink headers to pass the payload length
to nfct_payload_parse().

S...

Signed-off-by: Gustavo Zacarias <[email protected]>
Signed-off-by: Pablo Neira Ayuso <pabl...

also bump LIBVERSION, we've added new interfaces and retained
backwards compatibility.

Signed-o...

nfct_labelmap_new returns NULL on failure, e.g. when file cannot be
opened. It will also fail i...

Only dump the contents of the system-wide connlabel.conf if present
instead of expecting same co...

nfct_snprintf doesn't print connlabels, as they're system specific
and can easily generate lots ...

Must free ct and exp using the _destroy functions, else we leak attributes with malloc'd data.

...

Can always lift this restriction later but for now enforce
strict label naming.

This is mainly ...

Can't be zero, it was already tested.

Signed-off-by: Florian Westphal <[email protected]>

This fixes construction of the conntrack object when CTA_LABEL
attribute is present.

Signed-off...

Signed-off-by: Florian Westphal <[email protected]>

For each attribute:
- copy ct2 attrs to ct1 (so they're the same)
- change value of attr
- ca...

Signed-off-by: Florian Westphal <[email protected]>

The expect cmp function ignored most of the attributes.

Signed-off-by: Florian Westphal <fw@str...

Normal comparision succeeds when the _common_ attribute subset
have same values.

When STRICT ma...

Some of these checks will fail due to errors in nfct_cmp STRICT handling
and missing comparision...

The libnfnetlink based backend 'build.c' currently ignores
ATTR_CONNLABELS and ATTR_CONNLABELS_M...

allows to set/clear only a subset of the in-kernel label set, e.g.
"set bit 1 and do not change ...

Signed-off-by: Florian Westphal <[email protected]>

adds new labelmap api to create a name <-> bit mapping
from a text file (default: /etc/xtables/c...

In order to use generic getter/setter API with upcoming
conntrack label extension, add helper fu...

Signed-off-by: Pablo Neira Ayuso <[email protected]>

For consistency with other tests.

Signed-off-by: Pablo Neira Ayuso <[email protected]>

Use buf[32] as struct nfct_attr_grp_ipv6 is 32 bytes long. That fixes:

== validate set grp API ...

cppcheck reported:
[src/conntrack/compare.c:364] -> [src/conntrack/compare.c:364]: (style) Same ...

From f5317d351f95cbd320b9324c6ed117da1551ee29 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <...

To include: IPCTNL_MSG_CT_GET_DYING and IPCTNL_MSG_CT_GET_UNCONFIRMED

Signed-off-by: Pablo Neir...

some attributes are pointers to malloc'd objects. Simply copying the
pointer results in use-aft...

The attribute is variable-length and must be thus be set via set_attr_l().

Signed-off-by: Flori...

am/ltlibrary.am: warning: 'libnetfilter_conntrack.la': linking
libtool libraries using a non-POS...

bump current and age since we have new interfaces but we're backward
compatible.

Signed-off-by:...

Signed-off-by: Pablo Neira Ayuso <[email protected]>

(cherry picked from commit 5bf4046a4e563c4dcaa53258468592216f6fbc89)

Signed-off-by: Pablo Neira Ayuso <[email protected]>

It was missing, add it.

Signed-off-by: Pablo Neira Ayuso <[email protected]>

build_mnl.c: In function 'nfexp_nlmsg_build':
build_mnl.c:18:11: warning: variable 'l3num' set b...

4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering aimed
to fix a bug the IPv6 BPF...

BPF code generated for IPv6 filtering was wrong.

Assuming you want to allow all traffic except ...

This patch adds more verbose output for the automatic BPF filter
generation to sieve netlink mes...

Signed-off-by: Pablo Neira Ayuso <[email protected]>

This adds the ATTR_HELPER_INFO that can be used to send binary data
that will be attached to the...

Because the obtained flags are essentially that (preprocessor
options).

Signed-off-by: Jan Enge...

Conflicts:
src/conntrack/api.c
src/conntrack/build_mnl.c
src/conntrack/parse_mnl.c
src/expec...

This adds the ATTR_HELPER_INFO that can be used to send binary data
that will be attached to the...

This patch adds the following examples:

nfexp-mnl-dump
nfexp-mnl-event

Basically, we re-use th...

This patch adds the following examples:

nfct-mnl-create
nfct-mnl-del
nfct-mnl-dump
nfct-mnl-eve...

This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntra...

This patch adds support to build and to parse netlink messages
from/to one user-space nf_conntra...

Signed-off-by: Florian Westphal <[email protected]>

Signed-off-by: Jan Engelhardt <[email protected]>

CFLAGS must not be overriden if not set (it belongs to the user).
Since -DLIBNETFILTER_CONNTRACK...