netfilter/ct: support optional CTA_TIMESTAMP attribute
Recent kernels support conntrack time stamping, which is a helpful
feature to determine the duration of a flow without building a flow
cache in your user space application, just to keep the 'start' time of
your flow.
Timestamps are recorded with nanosecond resolution once this feature
is enabled.
This patch adds optional support for the CTA_TIMESTAMP, then
modifies the dump routine to write that info in a format similar
to /proc/net/nf_conntrack. This is an example output when using
NL_DUMP_LINE:
Joe Damato [Thu, 25 Jul 2013 23:36:16 +0000 (16:36 -0700)]
Add idiag-socket-details
This small program lists all sockets on the system seen by netlink and serves
as a simple example showing how to alloc an idiag msg cache and dump the
objects in it.
Joe Damato [Thu, 4 Jul 2013 01:40:58 +0000 (18:40 -0700)]
Add support for inet diag Netlink protocol.
- Inet diag allows users to gather low-level socket information.
- This library provides a higher-level API for creating inetdiag requests (via
idiagnl_connect and idiagnl_send_simple) and parsing the replies (via
idiagnl_msg_parse). A cache is also provided (via idiagnl_msg_alloc_cache).
- Request and message objects provide APIs for accessing and setting the
various properties of each.
- This library also allows the user to parse the inetdiag response attributes
which contain information about traffic class, TOS, congestion, socket
memory info, and more depending on the kernel version used.
- Includes doxygen documentation.
Provide wrapper function for generic netlink library functions. The
genlmsg_parse() function is handled similar to nla_parse_nested() so
it returns tuple with error code and dictionary of parsed attributes.
Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: Thomas Graf <tgraf@suug.ch>
add support functions for attributes and callback handlers
added support functions to access the netlink attributes and use
custom callback handlers. Most is wrapped as is, but there are
a couple of special cases handled.
1) void *nla_data(struct nlattr *);
The return value is changed to a Python byte array so it includes
the lenght of the data stream.
2) int nla_parse_nested(...);
This returns a tuple (err, dict). 'err' is the error code and 'dict'
is a dictionary with attribute identifier as key and value represents
a struct nlattr object.
3) macro nla_for_each_nested()
Provide nla_get_nested() which returns a Python list of struct nlattr
objects that is iterable.
4) allocate struct nla_policy array
Provide nla_policy_array() function that allocates consecutive space
in memory for struct nla_policy array entries. Each entry is put in
a Python list so the entry fields can be modified in Python. This
array object can be passed to the nla_parse_nested() function.
Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: Thomas Graf <tgraf@suug.ch>
Thomas Graf [Thu, 27 Jun 2013 16:29:17 +0000 (18:29 +0200)]
msg: Avoid returning a negative value for nlmsg_attrlen()
If a hdrlen was provided that was greather than the actual
message length, a negative attributes length would result.
This was typically happening for RTM_GETLINK requests where
we can get a away with a 4 bytes header on the request side
but the response would use a 16 bytes header.
This resulted in strange -8 bytes leftover debug messages.
Andrew Collins [Mon, 17 Jun 2013 21:58:43 +0000 (15:58 -0600)]
Handle -NLE_AGAIN in nl_cache_mngr_data_ready
Since commit "nl: Return -NLE_AGAIN if non-blocking socket would block",
nl_cache_mngr_data_ready returns -NLE_AGAIN to callers on non-blocking sockets.
Change it to consider -NLE_AGAIN as a non-error case as it is expected behavior
with the nl_recv changes.
Andrew Collins [Mon, 17 Jun 2013 21:24:05 +0000 (15:24 -0600)]
Default to comparing all attributes if no oo_id_attrs defined
Since commit: "cache pickup: Avoid duplicates during cache pickup",
nfnl_ct_alloc_cache no longer properly fills the cache, as it doesn't
define oo_id_attrs so all items are considered duplicates.
Instead of adding a ~0 oo_id_attrs to ct_obj, this changes
nl_object_identical to default to comparing all attributes if
neither oo_id_attrs_get or oo_id_attrs are provided.
Thomas Graf [Wed, 8 May 2013 11:52:27 +0000 (13:52 +0200)]
nl: Increase receive buffer size to 4 pages
Assuming that the kernel does not send more than a page is no longer valid,
and enabling MSG_PEEK'ing by default to figure out the exact message buffer
requirements can have a negative influence on the performance of existing
applications. Bumping the default receive buffer space to 4 pages seems
a sane default.
rtnl_link_af_unregister() attempts to write-lock info_lock twice
instead of releasing it before returning. It also will return with
info_lock write-locked if passed a NULL ops.
There seams to be an error in the calculation of needed space for the message in nla_reserve. The current size of the message is counted twice: Once in NLMSG_ALIGN, once in the condition below.
This causes nla_put_* calls to be rejected if the allocation size of the message has been strictly calculated by the caller.
Fix leak of cb if nl_socket_alloc_cb() failed to allocate socket
- each *_get() should have corresponding *_put(). That rule was broken in nl_socket_alloc()
- Also, check if cb is NULL in nl_socket_set_cb (calls BUG())
Passing a NULL pointer would cause a NULL pointer dereference within
nl_object_free().
Returning early on NULL pointer is the behavior free(3) and other
nl*_free() functions.
Thomas Graf [Tue, 2 Apr 2013 09:58:18 +0000 (11:58 +0200)]
nl: Return -NLE_AGAIN if non-blocking socket would block
Previously 0 was returned which gave the caller no chance of detecting
when a non-blocking socket would block. If a caller intends to never
see an error message it should utilize poll()/select() to only read
when the socket has pending data or information.
Reported-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Thomas Graf <tgraf@suug.ch>
Add ICMPv6 type, code and ID (if set) by using the already available
conntrack atttributes.
Currently the ICMPv6 conntrack objects in libnl are without type, code
and ID. This e. g. is the output of nl_object_dump() without the patch:
ipv6-icmp ::1 <-> ::1
id 0xdd0871f0 family inet6 timeout 30s <NOREPLY,SNAT_INIT,DNAT_INIT>
The attached patch tries to solve that. It then looks like
ipv6-icmp ::1 <-> ::1 icmp type 128 code 0 id 28253
id 0xdf3a11f0 family inet6 timeout 30s <SNAT_INIT,DNAT_INIT>
It is the 'small' approach, because it reuses the existing ICMP
attributes of the conntrack object (currently only used for IPv4).
This way I can avoid to add new _icmp6_get_, _icmp6_set_ and
_icmp6_test_ functions.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Thomas Graf <tgraf@suug.ch>
Thomas Graf [Mon, 1 Apr 2013 09:16:34 +0000 (11:16 +0200)]
genl: Update mt_id of cache ops when resolving genl id
The cache layer uses the message type array stored in the cache
ops to lookup which cache a message belongs to. Update to the
the message array with the resolved generic netlink id to make
it compatible with the caching API.
Allows to use nl_cache_refill() and others for generic netlink
based caches with dynamic generic netlink ids.
Thomas Graf [Thu, 14 Mar 2013 17:52:17 +0000 (18:52 +0100)]
rtnl-addr: Inherit prefix length to nl_addr objs in rtnl_addr_set_prefixlen()
Previously if using rtnl_addr_set_prefixlen() the new prefix length
was not forwarded to the corresponding 'struct nl_addr' objects
associated with address already and thus the comparison function
would fail.
This patch also clears the internal ADDR_ATTR_PREFIXLEN flag if
the prefix length has been reset.
Thomas Graf [Thu, 14 Mar 2013 15:25:17 +0000 (16:25 +0100)]
tests: Add check based unit test system
Introduces new unit tests based on `check`. Each subsystem/module can
have its own unit tests in tests/check-<name>.c that will be linked
together in tests/check-all.c.
Running 'make check' will compile and run the unit tests automatically.
A reference unit test implementation has been done for the abstract
address module.
Thomas Graf [Wed, 13 Mar 2013 16:12:03 +0000 (17:12 +0100)]
attr: Warn application if nla_parse() observes same attribute multiple times
Use a debugging message to warn applications if an attribute is
found multiple times in the same message. It is perfectly valid
to rely on this behaviour but it is likely to indicate a bug.
roopa [Fri, 15 Feb 2013 18:26:30 +0000 (10:26 -0800)]
link: Fix rtnl_link_af_data_compare return value
This patch fixes a bug where because of the af_ops check
being first in the function, we were returning ~0 if af_ops
was null even if both objects really did not have af_data
and we should be returning 0.
Its better to have the af_data present check before anything else.
So, Rearranged some of the code in rtnl_link_af_data_compare.
Changes include:
- Do the attribute present check before anything else
- If ao_compare op not present, return ~0
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com> Reviewed-by: Nolan Leake <nolan@cumulusnetworks.com> Reviewed-by: Shrijeet Mukherjee <shm@cumulusnetworks.com> Reviewed-by: Wilson Kok <wkok@cumulusnetworks.com> Signed-off-by: Thomas Graf <tgraf@suug.ch>
Thomas Graf [Tue, 5 Feb 2013 21:41:26 +0000 (22:41 +0100)]
bridge: Support the new bridging attributes
This provides support for the new bridging attributes provided
in IFLA_PROTINFO while maintaining backwards compatibility
with older kernels.
A set of new API functions are exported to access the bridging
information. rtnl_link_bridge_has_ext_info() can be used to
check whether a bridge object has been constructed based on
the newly available attributes or the old message format.
Thomas Graf [Fri, 1 Feb 2013 09:41:45 +0000 (10:41 +0100)]
neigh: Remove check for AF_UNSPEC in rtnl_neigh_get()
This check was introduces to not accidently return AF_BRIDGE objects
to unaware API users as they do differ in structure. However, such
objects are only available if explicitely requests using the
NL_CACHE_AF_ITER flag or by using arg1 == AF_BRIDGE for the cache.
Therefore remove this check and allow rtnl_neigh_get() to be used to
fetch any neighbor object of a cache.
Reported-by: Maxime Bizon <mbizon@freebox.fr> Signed-off-by: Thomas Graf <tgraf@suug.ch>
roopa [Mon, 28 Jan 2013 15:46:16 +0000 (07:46 -0800)]
link cache: remove AF_UNSPEC check in rtnl_get_link and rtnl_get_link_by_name
This patch reverts back the AF_UNSPEC check introduced by AF_BRIDGE
changes at http://lists.infradead.org/pipermail/libnl/2012-November/000796.html
After the addition of AF_BRIDGE support, link cache can now contain objects of
type AF_BRIDGE. To make sure existing api's did not return AF_BRIDGE objects
and surprise existing callers, I introduced the check for AF_UNSPEC.
But from what Andy Wang reported, rtnl_link_get_by_name returns the first
link object with matching ifindex and that could have not only been AF_UNSPEC
but also of family AF_INET6. And his app always got an AF_INET6 object prior
to the patch that introduced the AF_UNSPEC check.
I could just add AF_INET6 family check along with AF_UNSPEC in the apis and that
should work well.
But thinking about it some more, removing the AF_UNSPEC change seems to be safer at
this point. That way this api will retain its semantics and return the first object
with matching ifindex. It could be of any supported family. The user will know if the
cache contains bridge objects, because they are available only with the cache flag
NL_CACHE_AF_ITER. Besides, if new users want to search for a specific object,
nl_cache_find is a better option.
Reported-by: Andy Wang <Andy.Wang@watchguard.com> Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com> Signed-off-by: Thomas Graf <tgraf@suug.ch>
projects / libnl / log