dect / libnl (Archived)
Commit Graph

52 Commits

Author SHA1 Message Date
Holger Eitzenberger d612180cda netfilter/queue: introduce nfnl_queue_msg_send_verdict_batch()
The batched verdict implicitly ACKs all queue packet IDs up to the
one sent back, which reduces the number of verdict messages sent
to the kernel.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
2013-06-27 01:16:15 +02:00
Holger Eitzenberger 34a96ba5c2 netfilter/queue: generalize nfnl_queue_msg_build_verdict()
Generalize netfilter/queue to allow sending batched verdicts
later.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
2013-06-27 01:15:34 +02:00
Holger Eitzenberger 18152ca916 ct: add ICMPv6 type,code and ID
Add ICMPv6 type, code and ID (if set) by using the already available
conntrack attributes.

Currently the ICMPv6 conntrack objects in libnl are without type, code
and ID.  This, e.g., is the output of nl_object_dump() without the patch:

  ipv6-icmp ::1 <-> ::1
  id 0xdd0871f0 family inet6 timeout 30s <NOREPLY,SNAT_INIT,DNAT_INIT>

The attached patch tries to solve that.  It then looks like

  ipv6-icmp ::1 <-> ::1 icmp type 128 code 0 id 28253
  id 0xdf3a11f0 family inet6 timeout 30s <SNAT_INIT,DNAT_INIT>

It is the 'small' approach, because it reuses the existing ICMP
attributes of the conntrack object (currently only used for IPv4).
This way I can avoid adding new _icmp6_get_, _icmp6_set_ and
_icmp6_test_ functions.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
2013-04-02 11:42:59 +02:00
Rich Fought 4f088d38ae netfilter: correct error in construction of NAT tuple 2013-01-29 15:10:01 -08:00
Thomas Graf 4cb375a812 Merge pull request #29 from rmfought/natdir32
netfilter: expectation NAT direction is 32 bit attribute
2013-01-24 08:32:35 -08:00
Rich Fought 87244f739c netfilter: keep 8-bit API for 32-bit NAT dir attribute 2013-01-24 08:18:35 -08:00
Thomas Graf 9680f910f4 Move private header files to <netlink-private/*>
This clarifies the separation between public and private
header files.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
2013-01-24 13:51:24 +01:00
Rich Fought 56352ab9f6 netfilter: expectation NAT direction is 32 bit attribute 2013-01-23 13:59:27 -08:00
Thomas Graf 00132b4696 cache: provide safe variant of nl_cache_mngt_require() and use it
This makes runtime removal of cache operations possible if non-safe
API is not in use by application. The non-safe API will be removed
in the next major version.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
2012-11-16 01:11:55 +01:00
Rich Fought d2fff93cce Source cleanup for upstream 2012-10-19 11:18:52 -07:00
Rich Fought 2d707513c6 Updated nfnetlink includes; removed ifdefs; added delete exp program 2012-10-16 12:13:33 -07:00
Rich Fought 07418658a6 define advanced attributes out 2012-10-12 17:44:27 -07:00
Rich Fought 416459570f Bugfixes 2012-10-10 13:08:23 -07:00
Rich Fought 547c8f6d50 reinit port numbers on tuple dump 2012-10-09 15:22:16 -07:00
Rich Fought d3bec59eb9 bugfixes 2012-10-09 15:16:00 -07:00
Rich Fought f111efd894 Successful compilation of libnl-nf with expectation 2012-10-08 16:49:06 -07:00
Rich Fought c675bf0486 Checkpoint before compilation attempt 2012-10-08 15:26:55 -07:00
Rich Fought e8b3356dd2 "checkpoint" 2012-10-05 17:32:20 -07:00
Rich Fought 20035ce021 Checkpoint: compare function 2012-10-05 11:09:45 -07:00
Rich Fought 40457db1f4 Exp checkpoint 2012-10-05 06:55:04 -07:00
Коренберг Марк (дома) 8cd2f5728a Fix typo in textual description in ct_dump_stats()
Bug introduced in a0f1c0e281
2012-08-30 03:19:04 +06:00
Коренберг Марк (дома) ab15d06d13 "%llu" replaced with "%" PRIu64
On some architectures, uint64_t is defined as:

typedef unsigned long long int __u64;

on other architectures as:

typedef unsigned long int __u64;

So, according to man 3 printf,
uint64_t should be printed as "%llu" on some architectures, and as "%lu" on others. The same for scanf.

To eliminate that challenge, there is inttypes.h, in which appropriate constants
are defined for current architecture.

32-bit types (and even 16 and 8 bit types) should be printed using such constants if
the printed variable is defined as a uint_XXXt or intXXXt type. But in reality 32-bit and smaller
types do not produce a run-time error (except in scanf), because they are pushed to the stack as
32-bit values at least. So, I decided not to fix that.
2012-08-30 03:19:04 +06:00
Коренберг Марк (дома) a0f1c0e281 ct_dump_stats: detect when stats are not available
Since about kernel 2.6.27, stats are not enabled by default.
Stats can be enabled using the sysctl named

net.netfilter.nf_conntrack_acct

So, do not print zeroes in stats if they are not available.
When not checked, trash may appear in the output.
2012-08-28 18:53:33 +06:00
Isaac 996b502961 FTBFS with musl libc: Missing includes
Hello,
libnl 3.2.9 does not build with musl libc, without patching.
I'm using a current musl libc (http://www.etalabs.net/musl/)
with linux 2.6.32 headers.
At first there were a couple of problems on the musl side, but those are
resolved.
However, I found some other issues:
First, two files were missing
#include <byteswap.h>:
lib/netfilter/log_msg.c
lib/netfilter/queue_msg.c
These files used __bswap_64 (which should be bswap_64), a macro
declared in byteswap.h.

Second, I got this error after fixing that:

In file included from nf-queue.c:16:
./include/linux/netfilter.h:53: error: field in has incomplete type
./include/linux/netfilter.h:54: error: field in6 has incomplete type

I found that src/nf-queue.c is missing an
#include <netinet/in.h>

Attached is a patch which resolves these issues.  I've tested with both
musl and glibc, and it builds cleanly on both.
2012-05-13 11:18:28 +02:00
Thomas Graf fec10a2823 doc: documentation restructuring
- changes the modules hierarchy to better represent the set of libraries
- list the header file that needs to be included
- remove examples/doc from api ref that is included in the guide
- add references to the guide
- fix doxygen api linking for version 1.8.0
- re-add doxygen mainpage to config file
- fix a couple of doxygen doc bugs
2012-05-10 12:03:59 +02:00
Thomas Graf 8a365dbd49 rename nl_send_auto_complete() -> nl_send_auto(), nl_auto_complete -> nl_complete_msg()
Old symbols left to maintain backwards compatibility
2010-11-18 14:13:49 +01:00
Thomas Graf cf5577d280 constify struct trans_tbl 2010-11-17 16:09:08 +01:00
Karl Hiramoto cafdaa4e06 new function nfnl_queue_msg_send_verdict_payload()
nfnl_queue_msg_send_verdict_payload() will send the verdict, mark,
and possibly changed payload through the netlink socket.

Add a few docbook comments in other funcs.

Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
2010-03-10 16:02:01 +01:00
Thomas Graf 6782b6f709 restructure module documentation order
split hierarchy into one top level module per library
2008-12-10 18:12:30 +01:00
Patrick McHardy 334f551c59 libnl: nfqueue: add nfqueue specific socket allocation function
commit e92539843a0c7e5116254382626cce226bf2135e
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Oct 23 13:46:16 2008 +0200

    libnl: nfqueue: add nfqueue specific socket allocation function

    nfqueue users usually send verdict messages from the receive callback.
    When waiting for ACKs, the receive callback might be called again
    recursively until the stack blows up.

    Add a nfqueue specific socket allocation function that automatically
    disables ACKing for the socket.

    Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-10-23 13:59:40 +02:00
Thomas Graf cfcfca0703 Add internal wait_for_ack() which only waits for ACK if !NL_NO_AUTO_ACK
This changeset ensures that internal code properly synchronizes to
ACKs if ACKs are enabled and otherwise return immediately.
2008-10-20 13:12:13 +02:00
Thomas Graf d844307024 Remove old line counting while dumping 2008-05-23 23:45:14 +02:00
Thomas Graf 337fbd24ca Present port and icmp values in host byte order and beautify printing
This change makes nfnl_ct_get_src_port() and others return the value
in host byte order rather than in network byte order.

Also splits printing into details and statistical section and
improves readability.
2008-05-22 23:55:52 +02:00
Thomas Graf 28233246cd Allow parser callbacks to return NL_OK, NL_SKIP, NL_EXIT
Obsoletes internal P_ACCEPT/P_IGNORE
2008-05-15 14:01:57 +02:00
Thomas Graf 1155370f52 Rename struct nl_handle to struct nl_sock
The idea of a common handle is long revised and only misleading,
nl_handle really represents a socket with some additional
action handlers assigned to it.

Alias for nl_handle is kept for backwards compatibility.
2008-05-15 13:26:32 +02:00
Thomas Graf eed2afaab7 Remove obsolete nla_get_addr() and nla_get_data()
Replaces obsolete calls to nla_get_addr() and nla_get_data()
with nl_addr_alloc_attr() and nl_data_alloc_attr() respectively.

Also fixes missing error handling while parsing routing multipath
configuration.
2008-05-14 18:26:47 +02:00
Thomas Graf 8a3efffa5b Thread-safe error handling
In order for the interface to become more thread safe, the error
handling was revised to no longer depend on a static errno and
error string buffer.

This patch converts all error paths to return a libnl specific
error code which can be translated to an error message using
nl_geterror(int error). The functions nl_error() and
nl_get_errno() are therefore obsolete.

This change required various sets of function prototypes to be
changed in order to return an error code, the most prominent
are:

    struct nl_cache *foo_alloc_cache(...);
changed to:
    int foo_alloc_cache(..., struct nl_cache **);

    struct nl_msg *foo_build_request(...);
changed to:
    int foo_build_request(..., struct nl_msg **);

    struct foo *foo_parse(...);
changed to:
    int foo_parse(..., struct foo **);

This pretty much only leaves trivial allocation functions to
still return a pointer object which can still return NULL to
signal out of memory.

This change is a serious API and ABI breaker, sorry!
2008-05-14 17:49:44 +02:00
Thomas Graf 535e831622 Big routing code rework (API/ABI BREAK!)
Adds all missing routing attributes and brings the routing
related code to a working state. In the process the API
was broken several times with the justification that nobody
is using this code yet.

The changes include new example code which is also a prototype
for what plain CLI tools could look like to control routes.
2008-04-29 23:31:30 +02:00
Thomas Graf 0c2cb97924 libnl: fix policy check for NFQA_HWADDR
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
2008-03-10 14:59:32 +01:00
Thomas Graf 6a7606fa29 Initialize message type list to avoid overrun 2008-03-05 14:10:09 +01:00
Patrick McHardy ca0988a2a7 Fix nfnl_queue_msg_get_packetid() return type
[LIBNL]: Fix nfnl_queue_msg_get_packetid() return type

The packet-ID is a 32 bit value, but nfnl_queue_msg_get_packetid() returns
a uint16_t. Makes queueing fail after 2^16 packets.

Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-02-07 13:18:34 +01:00
Patrick McHardy 596d3bc2e9 [LIBNL]: Support conntrack add/delete/query requests
Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-02-07 13:13:03 +01:00
Patrick McHardy 2f4f8a5094 [LIBNL]: Split up nfnetlink_log into log and msg objects
Split the nfnetlink_log code into two separate objects, "netfilter/log"
to represent logging instances and "netfilter/log_msg" to represent
log messages. Also perform some function name unification for consistency
with other libnl object types, mainly renaming nfnl_log_build_*_msg
to nfnl_log_build_*_request.

This changes the API in an incompatible way, but since this feature is
new and the libnl netfilter headers haven't been installed so far,
there shouldn't be any users affected by this.

Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-02-07 13:09:17 +01:00
Patrick McHardy 3f48e49102 [LIBNL]: nfnetlink_log: support NUFLA_GID attribute
The NUFLA_GID attribute (currently only in net-2.6.25) contains the
gid of the sending process for locally generated packets.

Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-02-07 13:02:41 +01:00
Patrick McHardy 5618ea8f5a [LIBNL]: nfnetlink_log: only set hwproto if not zero
The hwproto doesn't have its own attribute and is also present when
not set. Don't set the attribute if its value is zero.

Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-02-07 13:01:12 +01:00
Patrick McHardy e72cb033f2 [LIBNL]: Add nfnetlink_queue support
Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-02-07 12:57:53 +01:00
Patrick McHardy 665b757809 [LIBNL]: Generic netfilter stuff
Add some generic helper functions for netfilter.

Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-02-07 12:53:03 +01:00
Thomas Graf 155ad439a4 Fix memory leak when parsing netlink messages into caches
The reference created by the parsers was never given back.
2007-12-17 16:52:41 +01:00
Philip Craig cbe8902265 Allow filtering by name for conntrack status flags 2007-09-18 12:37:49 +02:00
Philip Craig 104e158bd5 Fix typo in conntrack object compare 2007-09-18 12:37:49 +02:00