_NET_ADMIN to bypass the netlink_net_capable()
check:
vpnns -- nfnl_osf -f /tmp/pf.os
vpnns -- nfnl_osf -f /tmp/pf.os -d
These non-root operations successfully modify the systemwide OS
fingerprint list. Add new capable() checks so that they can't.
Signed-off-by: Kevin Cernekee <cerne...
a_len = 24,
.status = enabled,
};
Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
net/netfilter/nfnetlink_cthelper.c | 10 ++
1 file changed, 10 inserti
According to valgrind, this currently leaks ~512B to 2kB for each
packet sent to the userspace helper.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
src/cthelper.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cthelper.c b/src/cthelper.c
index 54eb830..f01c509
This frees T_IP, T_PATH_VAL, and T_STRING tokens. They were being flagged
by valgrind as memory leaks.
Lightly tested using doc/helper/conntrackd.conf and doc/stats/conntrackd.conf.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
src/read_config_yy.
and helpers because they operate on unconfirmed connections.
Instead of returning -EBUSY if the user program asks to modify an
unchangeable bit, simply ignore the change.
Also, fix the logic so that user programs are allowed to clear
the bits that they are allowed to change.
Signed-off-by: Ke
f 0 is set for an unconfirmed connection, restore the
old behavior of ignoring it (rather than setting up a connection that
expires immediately).
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
net/netfilter/nf_conntrack_netlink.c | 12
1 file changed, 8 insertions(+), 4 de
use they operate on unconfirmed connections.
Instead of returning -EBUSY if the user program asks to modify an
unchangeable bit, simply ignore the change.
Also, fix the logic so that user programs are allowed to clear
the bits that they are allowed to change.
Signed-off-by: Kevin Cernekee <
remains bug-compatible with old user code.
Kevin Cernekee (3):
netfilter: ctnetlink: Fix regression in CTA_TIMEOUT processing
netfilter: ctnetlink: Fix regression in CTA_STATUS processing
netfilter: ctnetlink: Fix regression in CTA_HELP processing
include/uapi/linux/netfilter/nf_conntrack_c
If a user program specifies CTA_HELP but the argument matches the
current conntrack helper name, ignore it instead of generating an error.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
net/netfilter/nf_conntrack_netlink.c | 13 +
1 file changed, 9 insertions
On Thu, Jan 5, 2017 at 1:42 PM, Kevin Cernekee <cerne...@chromium.org> wrote:
> + * nfct timeout add long-timewait inet tcp \
> + * established 1000 close 10 time_wait 10 last_ack 10
> + * nfct timeout add long-timewait inet tcp time_wait 3600
> + * iptables -
the CALLBACK URL. Tested with and
without NAT.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
doc/helper/conntrackd.conf | 10 +-
src/helpers/ssdp.c | 477 -
2 files changed, 480 insertions(+), 7 deletions(-)
diff --git a/doc/
t exported to library
callers.
Move the attribute up into the function definition to make clang happy.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
doxygen.cfg.in | 2 +-
src/internal.h | 5 ++---
src/libnetfilter_
t exported to library
callers.
Move the attribute up into the function definition to make clang happy.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
doxygen.cfg.in | 2 +-
src/internal.h | 5 ++-
src/libnetfilter
if `-z lazy` works, and if so,
use it to link nfct and the helpers.
conntrackd itself is unaffected, and should still work with `-z now`.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
Note that the autoconf script is GPLv3. But I've seen it used in other
projects, and it seeme
On Thu, Sep 1, 2016 at 4:47 PM, Kevin Cernekee <cerne...@chromium.org> wrote:
> The patch that I sent out last night is able to handle scenarios in
> which the event occurs shortly after the subscription is established.
> But in my testing I am noticing two other problems:
>
>
This allows unicast replies to multicast DNS (mDNS / RFC6762) queries.
These queries are often used when a full-featured mDNS service (such as
avahi-daemon) is not running, or if an mDNS client does not have
permission to bind to port 5353.
Signed-off-by: Kevin Cernekee <cerne...@chromium.
On Tue, Aug 23, 2016 at 8:36 AM, Pablo Neira Ayuso wrote:
>> 2) Just noticed that the sane and tftp modules require Linux 3.12+.
>> My test system is running 3.8. Does ssdp have a similar restriction,
>> and if so, what would need to be backported?
>
> Userspace expectation
matchoff is relative to dataoff, i.e. matchoff=0 (as utilized by
nfq_tcp_mangle_ipv4()) points to the first byte of the TCP payload.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
src/helpers/ftp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/helpers/f
031 ,18,149,79PORT.1
0x0060: 3932 2c31 3638 2c32 3534 2c32 2c31 3439 92,168,254,2,149
0x0070: 2c37 3927 3a20 636f 6d6d 616e 6420 6e6f ,79':.command.no
0x0080: 7420 756e 6465 7273 746f 6f64 2e0d 0a t.understood...
Add the missing assignments.
Signed-off-by: Kevin Cernekee <
this is complete, the subscription should work
Add the necessary code to add expectations for each of these connections
and rewrite the IP in the CALLBACK URL.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
This needs more testing on my end, so I'm posting it as an RFC to solicit
prelim
On Wed, Aug 17, 2016 at 6:12 PM, Pablo Neira Ayuso wrote:
> Looking at ctnetlink, it should be possible to make it via
> CTA_EXPECT_HELP_NAME. Thus, by when we find a matching expectation,
> the helper is set to this new connection too.
>
> See line 1086 in
Hi,
I am trying to extend the ssdp user helper in conntrackd to handle
event subscriptions on a UPnP control point. The flow looks like
this:
1) Outbound multicast M-SEARCH packet (dst: 1900/udp)
- Create expectation for unicast reply from to source port
2) Inbound unicast reply (there may
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
src/conntrack/api.c | 4 ++--
src/expect/api.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index e4d4acc312bb..bed2e42c8f43 100644
--- a/src/conntrack/api.c
+++ b/src
onvert from their encoded
form into the kernel internal format for uids and gids and perform the
owner match.
Similar to ping_group_range, this code does not try to detect
noncontiguous UID/GID ranges.
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
Signed-off-by: Kevin
onvert from their encoded
form into the kernel internal format for uids and gids and perform the
owner match.
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
---
Original post:
https://lists.linuxfoundation.org/pi
25 matches