nfnlmsg_*_parse() does not assign *result on error. So this will
lead to freeing a dangling pointer.
Error found by Coverity.
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Thomas Haller <thaller@redhat.com>
This expands functionality for manipulating conntracks over netlink by
adding other attributes to nfnl_ct_build_message(). Added a command link
program to add conntracks.
https://github.com/thom311/libnl/pull/55
[thaller@redhat.com: cleaned up whitespace from original patch]
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Thomas Haller <thaller@redhat.com>
Newer kernels support conntrack zones, which help to partition the
conntrack table into virtual conntrack tables.
This patch is for adding support for the optional attribute, adds
setters and getters, and adds support for the zone ID in the conntrack
dumper.
An example entry in NL_DUMP_LINE format looks like:
tcp SYN_SENT 10.128.128.99:43354 <-> 10.128.129.20:22 zone 1
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Recent kernels support conntrack time stamping, which is a helpful
feature to determine the duration of a flow without building a flow
cache in your user space application, just to keep the 'start' time of
your flow.
Timestamps are recorded with nanosecond resolution once this feature
is enabled.
This patch adds optional support for the CTA_TIMESTAMP, then
modifies the dump routine to write that info in a format similar
to /proc/net/nf_conntrack. This is an example output when using
NL_DUMP_LINE:
udp 10.128.128.28:56836 <-> 10.128.129.255:8612 delta-time 30
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Add ICMPv6 type, code and ID (if set) by using the already available
conntrack attributes.
Currently the ICMPv6 conntrack objects in libnl are without type, code
and ID. This, e.g., is the output of nl_object_dump() without the patch:
ipv6-icmp ::1 <-> ::1
id 0xdd0871f0 family inet6 timeout 30s <NOREPLY,SNAT_INIT,DNAT_INIT>
The attached patch tries to solve that. It then looks like
ipv6-icmp ::1 <-> ::1 icmp type 128 code 0 id 28253
id 0xdf3a11f0 family inet6 timeout 30s <SNAT_INIT,DNAT_INIT>
It is the 'small' approach, because it reuses the existing ICMP
attributes of the conntrack object (currently only used for IPv4).
This way I can avoid adding new _icmp6_get_, _icmp6_set_ and
_icmp6_test_ functions.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Hello,
libnl 3.2.9 does not build with musl libc, without patching.
I'm using a current musl libc (http://www.etalabs.net/musl/)
with linux 2.6.32 headers.
At first there were a couple problems on the musl side, but those are
resolved.
However, I found some other issues:
First, two files were missing
#include <byteswap.h>:
lib/netfilter/log_msg.c
lib/netfilter/queue_msg.c
These files used __bswap_64 (which should be bswap_64), a macro
declared in byteswap.h
Second, I got this error after fixing that:
In file included from nf-queue.c:16:
./include/linux/netfilter.h:53: error: field in has incomplete type
./include/linux/netfilter.h:54: error: field in6 has incomplete type
I found that src/nf-queue.c is missing an
#include <netinet/in.h>
Attached is a patch which resolves these issues. I've tested with both
musl and glibc, and it builds cleanly on both.
These changes make nfnl_ct_get_src_port() and others return the value
in host byte order rather than in network byte order.
Also splits printing into details and statistical section and
improves readability.
The idea of a common handle is long revised and only misleading,
nl_handle really represents a socket with some additional
action handlers assigned to it.
Alias for nl_handle is kept for backwards compatibility.
Replaces obsolete calls to nla_get_addr() and nla_get_data()
with nl_addr_alloc_attr() and nl_data_alloc_attr() respectively.
Also fixes missing error handling while parsing routing multipath
configuration.
In order for the interface to become more thread safe, the error
handling was revised to no longer depend on a static errno and
error string buffer.
This patch converts all error paths to return a libnl specific
error code which can be translated to an error message using
nl_geterror(int error). The functions nl_error() and
nl_get_errno() are therefore obsolete.
This change required various sets of function prototypes to be
changed in order to return an error code, the most prominent
are:
struct nl_cache *foo_alloc_cache(...);
changed to:
int foo_alloc_cache(..., struct nl_cache **);
struct nl_msg *foo_build_request(...);
changed to:
int foo_build_request(..., struct nl_msg **);
struct foo *foo_parse(...);
changed to:
int foo_parse(..., struct foo **);
This pretty much only leaves trivial allocation functions to
still return a pointer object which can still return NULL to
signal out of memory.
This change is a serious API and ABI breaker, sorry!
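The following is an added, self-contained illustration of the error-handling convention this commit message describes, together with the out-parameter pitfall fixed by the first commit message on this page (a parse function that leaves *result unassigned on error, so the caller frees a dangling pointer). It is not libnl code: the names ex_geterror(), ct_parse(), ct_parse_and_get_dport(), the EX_ERR_* codes and the "proto,srcport,dstport" record format are all hypothetical, modelled on the int foo_parse(..., struct foo **) / nl_geterror(int) shape given above. The point it shows is that a negative-int-plus-out-pointer interface is only safe if the callee assigns *result on every path (or the caller initialises it to NULL), and that an error-to-string lookup over a constant table needs no static errno or buffer, which is what makes it thread safe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical error codes (not libnl's own values). The convention is that
 * functions return 0 on success and a negative EX_ERR_* code on failure. */
enum {
    EX_SUCCESS   = 0,
    EX_ERR_NOMEM = 1,
    EX_ERR_INVAL = 2,
    EX_ERR_MAX   = EX_ERR_INVAL,
};

/* Constant message table: no static buffer is written, so concurrent
 * callers never race on the error string. */
static const char *const ex_errmsg[] = {
    [EX_SUCCESS]   = "Success",
    [EX_ERR_NOMEM] = "Out of memory",
    [EX_ERR_INVAL] = "Invalid input data or parameter",
};

/* Hypothetical counterpart of nl_geterror(int): accepts the negative code
 * as returned by the API and maps unknown codes to a generic message. */
const char *ex_geterror(int error)
{
    if (error < 0)
        error = -error;
    if (error > EX_ERR_MAX)
        return "Unspecific failure";
    return ex_errmsg[error];
}

/* Toy conntrack-like object built from a constructed flat record
 * of the form "proto,srcport,dstport", e.g. "tcp,43354,22". */
struct ct_obj {
    char     proto[8];
    uint16_t sport;
    uint16_t dport;
};

/* New-style parser: int return, object handed back through *result.
 * *result is assigned on EVERY path (NULL on error). Forgetting that
 * assignment is the bug the Coverity-found fix above addresses: a caller
 * with an uninitialised pointer would then free() garbage. */
int ct_parse(const char *rec, struct ct_obj **result)
{
    struct ct_obj *obj;
    char proto[8];
    unsigned sport, dport;

    if (!result)
        return -EX_ERR_INVAL;
    *result = NULL;                       /* never leave the out-param dangling */
    if (!rec)
        return -EX_ERR_INVAL;
    if (sscanf(rec, "%7[a-z],%u,%u", proto, &sport, &dport) != 3 ||
        sport > 65535 || dport > 65535)
        return -EX_ERR_INVAL;             /* distinguishable from out-of-memory */

    obj = calloc(1, sizeof(*obj));
    if (!obj)
        return -EX_ERR_NOMEM;
    strcpy(obj->proto, proto);            /* proto is at most 7 chars + NUL */
    obj->sport = (uint16_t)sport;
    obj->dport = (uint16_t)dport;
    *result = obj;
    return EX_SUCCESS;
}

/* Defensive caller pattern: pointer NULL-initialised, object freed only on
 * the success path. Returns the destination port (>= 0) or the negative
 * error code so the outcome is inspectable without printed output. */
int ct_parse_and_get_dport(const char *rec)
{
    struct ct_obj *obj = NULL;            /* belt and braces alongside the callee */
    int err = ct_parse(rec, &obj);

    if (err < 0) {
        fprintf(stderr, "parse failed: %s\n", ex_geterror(err));
        return err;                       /* obj is NULL here; nothing to free */
    }
    err = obj->dport;
    free(obj);
    return err;
}

int main(void)
{
    /* Constructed sample records, the first mirroring the address pair in
     * the zone example above. */
    printf("dport: %d\n", ct_parse_and_get_dport("tcp,43354,22"));
    printf("bad record: %s\n", ex_geterror(ct_parse_and_get_dport("garbage")));
    return 0;
}
```

The distinguishing property of the int-returning shape is visible in ct_parse_and_get_dport(): a single status path tells malformed input apart from allocation failure, something the old pointer-returning prototypes could only signal as NULL.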
This interface was internal so far which required all code defining
caches to be compiled with the sources available.
In order to simplify the interface, the co_msg_parser prototype was
changed to take the struct nl_parser_param directly instead of a
void *. It used to be void * because the co_msg_parser was directly
passed as the NL_CB_VALID callback function.