fix #2178: endless loop on ipv6 extension headers. Increment the header and decrement the payload size by the extension's size. The length calculation is different for some extensions; in our case only IPPROTO_FRAGMENT requires a different size calculation than the rest. In addition, 'proto' is now set in the loop when advancing from an extension header. It moves on to the next extension or protocol now instead of looping on the same 'proto' while advancing the payload. Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
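The corrected walk described in that commit, as an added illustration (not the pve-firewall logger's own code): every extension header is advanced by its real size, the fragment header uses its fixed 8 bytes instead of reading its reserved byte as a length, and 'proto' is taken from each header's Next Header field so the loop cannot spin on the same value. The sample packet bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <netinet/in.h>   /* IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS, IPPROTO_FRAGMENT, IPPROTO_TCP */

/* Walk the extension-header chain that follows the 40-byte IPv6 fixed header.
 * data/len: the payload and its length from the fixed header; proto: the fixed
 * header's Next Header value. Returns the upper-layer protocol and stores where
 * it starts in *offset and how many bytes remain in *remaining, or -1 if the
 * chain runs past the payload (truncated or malformed packet). */
int walk_ipv6_ext(const uint8_t *data, size_t len, int proto,
                  size_t *offset, size_t *remaining)
{
    size_t off = 0;
    for (;;) {
        size_t hlen;
        if (proto != IPPROTO_HOPOPTS && proto != IPPROTO_ROUTING &&
            proto != IPPROTO_DSTOPTS && proto != IPPROTO_FRAGMENT) {
            *offset = off;
            *remaining = len;
            return proto;              /* reached the upper-layer header */
        }
        if (len < 8)
            return -1;                 /* every extension header is at least 8 bytes */
        if (proto == IPPROTO_FRAGMENT)
            hlen = 8;                  /* fixed size; byte 1 is reserved, not a length */
        else
            hlen = ((size_t)data[off + 1] + 1) * 8; /* Hdr Ext Len: 8-octet units after the first */
        if (hlen > len)
            return -1;                 /* header claims more than the payload holds */
        proto = data[off];             /* Next Header: move on, never loop on the same proto */
        off += hlen;
        len -= hlen;
    }
}

/* Constructed sample (not a captured packet): Hop-by-Hop (8 bytes) -> Fragment (8 bytes) -> TCP (20 zero bytes). */
static const uint8_t sample[36] = {
    IPPROTO_FRAGMENT, 0, 1, 4, 0, 0, 0, 0,   /* Hop-by-Hop: next=Fragment, Hdr Ext Len=0, PadN option */
    IPPROTO_TCP, 0, 0, 0, 0, 0, 0, 1,        /* Fragment: next=TCP, offset 0, M=0, id=1 */
};

int sample_upper_proto(void) { size_t o, r; return walk_ipv6_ext(sample, sizeof sample, IPPROTO_HOPOPTS, &o, &r); }
size_t sample_upper_offset(void) { size_t o, r; walk_ipv6_ext(sample, sizeof sample, IPPROTO_HOPOPTS, &o, &r); return o; }
/* Same chain with only 12 payload bytes: the fragment header does not fit, so the walk reports -1. */
int truncated_result(void) { size_t o, r; return walk_ipv6_ext(sample, 12, IPPROTO_HOPOPTS, &o, &r); }
```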
add conntrack logging via libnetfilter_conntrack. Add conntrack logging to pvefw-logger including timestamps (requires /proc/sys/net/netfilter/nf_conntrack_timestamp to be 1). This allows the tracking of sessions (start, end timestamps with nf_conntrack_timestamp on [DESTROY] messages). Commit includes Build-Depends inclusion of libnetfilter-conntrack-dev and the libnetfilter_conntrack library in the Makefile. Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
fix ambiguous if statements. The function nflog_bind_pf(...) returns an integer smaller than 0 on a failure; we negated that, which results in 1 if no failure and 0 if there was a failure. This is ambiguous and, as no parentheses are set, the GCC 6 warning "logical-not-parentheses" gets triggered. Use a simple nflog_bind_pf(...) < 0 check instead. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
logger: basic ipv6 support. Support for:
* IPv6 main header
* ICMPv6:
  - echo request/reply
  - NDP
  - redirects
  - destination unreachable message
  - packet too big message
  - time exceeded message
  - parameter problem messages:
    - erroneous header
    - bad next-header
    - bad ipv6 option
* extension headers:
  - routing
  - fragmentation
  - skipping over: hopopts, destopts and mobile home
cleanup firewall service implementation. We now run a separate server called 'pve-firewall' (renamed 'pvefw'), so service and management tool use the same name:
# service pve-firewall start
is the same as
# pve-firewall start
Also removed the read_pvefw_status/save_pvefw_status code.