Commit message | Author | Age | Files | Lines
* build: bump version to 1.4.1 (tag: conntrack-tools-1.4.1) | Pablo Neira Ayuso | 2013-03-03 | 1 file | -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support to dump the dying and unconfirmed list via ctnetlink | Pablo Neira Ayuso | 2012-12-04 | 1 file | -13/+95
  This patch adds support for:

      conntrack -L dying
      conntrack -L unconfirmed

  To display the list of dying and unconfirmed conntracks.

  This provides some instrumentation in case that `conntrack -C` really deviates from what `conntrack -L | wc -l` says. Users like to check this to make sure things are going OK. Still, some conntrack objects may still be in the dying and the unconfirmed list. With this patch, we can also dump their content; before, it was not possible.

  In normal cases both lists would be simply empty, or in the case of the dying list, you can observe that entries go slightly down in number.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix deadlock due to wrong nested signal blocking | Pablo Neira Ayuso | 2012-11-06 | 2 files | -16/+9
  The existing code may nest several signal blocking and unblocking calls in different paths of the code. This may result in deadlocks while receiving signals.

  This patch simplifies the signal blocking approach. Now signals are blocked in three paths:

  1) Internal timers handling, while running timer callback for expired timers.
  2) File descriptor handling, while running file descriptor callbacks.
  3) While handling signals, to avoid that SIGINT and SIGTERM in a row results in a deadlock.

  Thanks a lot to Ulrich Weber <ulrich.weber@sophos.com> for discussing a fix for this problem.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.0 and update dependencies (tag: conntrack-tools-1.4.0) | Pablo Neira Ayuso | 2012-10-08 | 1 file | -4/+4
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: detail user-space helper support | Pablo Neira Ayuso | 2012-10-08 | 1 file | -5/+150
  This patch adds documentation on how to enable user-space helper support.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix crash if ExpectationSync is enabled on old Linux kernels | Pablo Neira Ayuso | 2012-10-04 | 6 files | -5/+26
  ExpectationSync requires Linux kernel >= 3.5 to work sanely, document this. Still, we don't want to crash if someone enables expectation sync with old Linux kernels (like 2.6.32).

  Reported-by: James Gutholm <gutholmj@evergreen.edu>
  Tested-by: James Gutholm <gutholmj@evergreen.edu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix libraries dependencies in Makefiles | Nicolas Dichtel | 2012-09-21 | 2 files | -3/+5
  Several includes are missing when netfilter libs are not in the standard path.

  Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: add QueueLen option | Pablo Neira Ayuso | 2012-09-10 | 5 files | -4/+40
  This patch adds the QueueLen option, that allows you to increase the maximum number of packets waiting in the nfnetlink_queue to receive a verdict from userspace.

  Raising the default value (1024) is useful to avoid hitting the following error message:

      "nf_queue: full at X entries, dropping packets(s)".

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: parse: fix wrong maximum length for ATTR_EXP_FN | Pablo Neira Ayuso | 2012-09-08 | 1 file | -1/+1
  It was set to NFCT_HELPER_NAME_MAX (16 bytes), but we have function names that are larger, e.g. nf-nat-follow-master which is 18 bytes long. This leads to hitting malformed message while synchronizing expectations.

  I'll add some new constant to libnetfilter_conntrack instead of hardcoding this, later.

  Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
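The commit above is about a per-attribute length limit in the expectation sync parser being tighter than the data it must accept. The following C program is an added example written for this page, not conntrackd's parser: it walks a small TLV message with a bounded copy for string attributes and shows that the 20-character expectfn name "nf-nat-follow-master" is rejected as malformed under a 16-byte limit and accepted under a wider one. The attribute numbering, the header layout, the EXPECTFN_NAME_MAX value and every function name are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ATTR_EXP_CLASS = 1, ATTR_EXP_HELPER_NAME = 2, ATTR_EXP_FN = 3 };

#define HELPER_NAME_MAX   16   /* the 16-byte helper-name limit named in the commit */
#define EXPECTFN_NAME_MAX 32   /* assumed wider limit for expectfn names */

struct attr_hdr { uint16_t type; uint16_t len; };   /* len counts payload bytes only */

struct exp_msg {
    uint32_t class_id;
    char helper[HELPER_NAME_MAX];
    char expectfn[EXPECTFN_NAME_MAX];
};

/* Bounded copy of a string attribute: rejects payloads longer than the
 * destination or lacking a terminating NUL, so no unterminated name is
 * ever handed to the rest of the daemon. */
static int copy_str_attr(char *dst, size_t dstmax, const uint8_t *p, size_t len)
{
    if (len == 0 || len > dstmax || p[len - 1] != '\0')
        return -1;
    memcpy(dst, p, len);
    return 0;
}

/* Walk the TLVs. fn_max is the limit applied to ATTR_EXP_FN: 16 reproduces
 * the too-tight check, EXPECTFN_NAME_MAX the corrected one.
 * Returns 0 on success, -1 on a malformed message. */
static int parse_exp_msg(const uint8_t *buf, size_t buflen, size_t fn_max,
                         struct exp_msg *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off < buflen) {
        struct attr_hdr h;
        const uint8_t *payload;
        if (buflen - off < sizeof(h))
            return -1;                              /* truncated header */
        memcpy(&h, buf + off, sizeof(h));
        off += sizeof(h);
        if (h.len > buflen - off)
            return -1;                              /* payload overruns the message */
        payload = buf + off;
        switch (h.type) {
        case ATTR_EXP_CLASS:
            if (h.len != sizeof(out->class_id)) return -1;
            memcpy(&out->class_id, payload, sizeof(out->class_id));
            break;
        case ATTR_EXP_HELPER_NAME:
            if (copy_str_attr(out->helper, HELPER_NAME_MAX, payload, h.len)) return -1;
            break;
        case ATTR_EXP_FN:
            if (h.len > fn_max) return -1;          /* the limit the fix raises */
            if (copy_str_attr(out->expectfn, EXPECTFN_NAME_MAX, payload, h.len)) return -1;
            break;
        default:
            return -1;                              /* unknown attribute type */
        }
        off += h.len;
    }
    return 0;
}

static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
                       const void *payload, uint16_t len)
{
    struct attr_hdr h = { type, len };
    memcpy(buf + off, &h, sizeof(h));
    memcpy(buf + off + sizeof(h), payload, len);
    return off + sizeof(h) + len;
}

/* Constructed sample: helper "ftp" and expectfn "nf-nat-follow-master"
 * (20 characters plus NUL). Returns -1 if the message is rejected under
 * fn_max, 1 if it parses and both names come back intact, 0 otherwise. */
static int parse_sample(size_t fn_max)
{
    uint8_t buf[128];
    uint32_t class_id = 0;
    size_t n = 0;
    struct exp_msg m;
    n = put_attr(buf, n, ATTR_EXP_CLASS, &class_id, sizeof(class_id));
    n = put_attr(buf, n, ATTR_EXP_HELPER_NAME, "ftp", 4);
    n = put_attr(buf, n, ATTR_EXP_FN, "nf-nat-follow-master", 21);
    if (parse_exp_msg(buf, n, fn_max, &m) != 0)
        return -1;
    return strcmp(m.expectfn, "nf-nat-follow-master") == 0 &&
           strcmp(m.helper, "ftp") == 0;
}

int main(void)
{
    printf("limit 16: %d, limit %d: %d\n", parse_sample(16),
           EXPECTFN_NAME_MAX, parse_sample(EXPECTFN_NAME_MAX));
    return 0;
}
```

The point of the shape is that the length check happens against the message bounds first, then against the per-attribute limit, and only then is anything copied into a fixed-size buffer; a limit that is too small fails closed as a malformed message rather than truncating the name, which is why the bug in the commit showed up as sync errors and not as memory corruption.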
* tests: conntrackd: fix compile errors and warnings | Ansis Atteka | 2012-08-24 | 2 files | -3/+4
  This patch fixes a few compile warnings and errors.

  Signed-off-by: Ansis Atteka <aatteka@nicira.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cthelper: ftp: fix EPRT case for IPv4 | Pablo Neira Ayuso | 2012-08-21 | 1 file | -1/+6
  %pI4 also exists in the Linux kernel. It would be good to have some generic functions to convert binary data to address string. Later.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cthelper: disable debugging information by default | Pablo Neira Ayuso | 2012-08-21 | 1 file | -1/+7
  The pr_debug call should be converted to use dlog instead. I'll try to add some configuration parameter to enable/disable debugging in runtime. This is not very flexible.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: don't resync expectations if such sync has been disabled | Vincent Bernat | 2012-08-03 | 1 file | -1/+3
  conntrackd was segfaulting with `ExpectationSync` set to `Off` and PollSecs (polling mode) in use.

  Signed-off-by: Vincent Bernat <bernat@luffy.cx>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: helper: use CONNTRACKD_LIB_DIR variable set during configuration | Pablo Neira Ayuso | 2012-08-01 | 2 files | -6/+7
  Instead of a hardcoded path to /usr/lib/conntrack-tools/, which might not be true if options like --prefix with a different location are passed to conntrack.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: conntrackd: add cthelper-test infrastructure | Pablo Neira Ayuso | 2012-08-01 | 18 files | -0/+1024
  This patch adds the automated testing infrastructure for the user-space helpers. Basically, this adds the `cthelper-test' program that can be invoked from the command line:

      ./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521

  To test the helper with one PCAP file that contains traces of Oracle TNS traffic. It also provides tweaks to test the DNAT content mangling code:

      ./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521 dnat

  This will also allow fuzzy testing of user-space helper, for further validation, not yet implemented.

  To compile this tool, you have to run:

      ./configure
      make check

  under the qa/cthelper-test/ directory. I'm doing like this because this directory is not included in the standalone tarball that make distcheck generates (I don't want to bloat it with development tools that can be retrieved from the git repository).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: TNS helper added to cthelper | Jozsef Kadlecsik | 2012-08-01 | 3 files | -1/+420
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: RPC helper added to cthelper | Jozsef Kadlecsik | 2012-08-01 | 3 files | -2/+507
  How to use this helper in a few steps:

  1) You can enable this helper via:

      nfct helper add rpc inet tcp
      nfct helper add rpc inet udp

  2) Configure /etc/conntrackd/conntrackd.conf and launch it.

  3) You can test this helper locally with the following rule-set:

      iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
      iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
      iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
      iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
      iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -P OUTPUT DROP

  4) Configure NFS and export some local directory. Then, mount it with version 3.

      mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/

  You should see permanent expectations created for this.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add cthelper infrastructure (+ example FTP helper) | Pablo Neira Ayuso | 2012-08-01 | 25 files | -12/+3030
  This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space.

  There's one example file that you can use to configure conntrackd as user-space connection tracking helper under:

      doc/helper/conntrackd.conf

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: move ctnetlink code to ctnl.c (removed from run.c) | Pablo Neira Ayuso | 2012-08-01 | 5 files | -467/+543
  This patch moves the specific ctnetlink code to ctnl.c to prepare the introduction of the cthelper infrastructure.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: generalize file descriptor infrastructure | Pablo Neira Ayuso | 2012-08-01 | 12 files | -244/+249
  This patch generalizes the select-based file descriptor infrastructure by allowing you to register file descriptors and its callbacks. Instead of hardcoding the descriptors that needs to be checked.

  Now, struct fds_item contains a callback and pointer to data that is passed to it:

      struct fds_item {
          struct list_head head;
          int fd;
      +   void (*cb)(void *data);
      +   void *data;
      };

  Then, we check which ones are active in the select_main_step() function:

      list_for_each_entry(cur, &STATE(fds)->list, head) {
          if (FD_ISSET(cur->fd, &readfds))
              cur->cb(cur->data);
      }

  And it invoked the corresponding callback.

  I had to slightly modify the channel infrastructure to fit it into the changes.

  This modularity is required for the upcoming cthelper support.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: -C uses ctnetlink instead of /proc/sys/net/netfilter/nf_conntrack_count | Pablo Neira Ayuso | 2012-08-01 | 1 file | -1/+70
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for stats dumping via ctnetlink | Pablo Neira Ayuso | 2012-08-01 | 3 files | -9/+215
  Since Linux kernel >= 3.6.x, we can dump the conntrack statistics via ctnetlink instead of using the /proc interface:

      conntrack -S
      cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
      cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
      cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
      cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0

      conntrack -S exp
      cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141
      cpu=1 expect_new=390 expect_create=37496 expect_delete=1531
      cpu=2 expect_new=333 expect_create=68117 expect_delete=1895
      cpu=3 expect_new=71 expect_create=13366 expect_delete=1255

  Note that the output is not backward-compatible, but we fall back to previous output in case that ctnetlink stats dumping is not available.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.2.2 (tag: conntrack-tools-1.2.2) | Pablo Neira Ayuso | 2012-07-31 | 1 file | -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: implement selective flushing for `-t' and `-F' commands | Pablo Neira Ayuso | 2012-07-30 | 5 files | -6/+39
  This patch changes the current behaviour of `-t' and `-F' commands, that results in flushing the kernel conntrack table. With this patch, the entries that match the Filter clauses in conntrackd.conf are ignored.

  This fixes the situation in which some local ssh connection to the firewall is lost during the failover (since `-t' is invoked from the primary-backup.sh script).

  Note that the Filter clause tells what entries have to be ignored, i.e. the entries that do not need to be replicated. It makes sense not to flush entries that are not replicated (usually traffic to the local firewall).

  Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix commit operation, needs to be synchronous | Pablo Neira Ayuso | 2012-07-05 | 1 file | -2/+2
  While adding the expectation support for conntrackd, I accidentally broke synchrony in 'conntrackd -c' command. Basically, conntrackd -c should not return control to the shell until the cache has been committed.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add bugtrap notice in case of flush while commit in progress | Pablo Neira Ayuso | 2012-07-05 | 1 file | -0/+18
  Flushing the external cache, i.e. conntrackd -f, while commit is in progress is not allowed anymore, i.e. conntrackd -c.

  Note that conntrackd -c is synchronous. Thus, it returns control to the caller once the commit has finished.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix documentation on ExpectationSync and H.323 helper | Pablo Neira Ayuso | 2012-06-16 | 1 file | -1/+3
  The H.323 helper is actually composed of three helpers:

      ras
      q.931
      h.245

  We have to specify those in the configuration file since h.323 is not any known helper itself.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix compilation in src/parse.c | Pablo Neira Ayuso | 2012-05-28 | 1 file | -0/+1
      Making all in src
      make[1]: Entering directory `/home/oden/RPM/BUILD/conntrack-tools-1.2.0/src'
        CC     parse.o
      parse.c: In function 'msg2ct':
      parse.c:258:34: error: 'NULL' undeclared (first use in this function)
      parse.c:258:34: note: each undeclared identifier is reported only once for each function it appears in
      parse.c: In function 'msg2exp':
      parse.c:438:16: error: 'NULL' undeclared (first use in this function)

  Reported-by: Oden Eriksson <oeriksson@mandriva.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: simplify TCP connection handling logic | Pablo Neira Ayuso | 2012-05-28 | 1 file | -27/+2
  Before this patch, we called accept() to likely return EAGAIN. This is not required as select() will tell us that we're ready to accept. Therefore, that early accept() invocation complicates the whole handling just to get the connection accepted a bit before.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* update .gitignore | Jan Engelhardt | 2012-05-26 | 2 files | -0/+2
* bump version to 1.2.1 (tag: conntrack-tools-1.2.1) | Pablo Neira Ayuso | 2012-05-26 | 1 file | -1/+1
  this release fixes a compilation issue in 1.2.0, sorry.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: fix compilation of timeout extension | Pablo Neira Ayuso | 2012-05-26 | 1 file | -1/+1
      nfct-extensions/timeout.c: In function 'nfct_timeout_cb':
      nfct-extensions/timeout.c:99:2: warning: passing argument 4 of 'nfct_timeout_snprintf' makes integer from pointer without a cast [enabled by default]
      /usr/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h:114:5: note: expected 'unsigned int' but argument is of type 'struct nfct_timeout *'

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add README.nfct (tag: conntrack-tools-1.2.0) | Pablo Neira Ayuso | 2012-05-26 | 1 file | -0/+62
  This file includes some short description on `nfct'.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add nfct(8) manpage | Pablo Neira Ayuso | 2012-05-26 | 2 files | -1/+65
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: conntrack: add run-test.sh script | Pablo Neira Ayuso | 2012-05-26 | 1 file | -0/+20
  For automated testing of the conntrack utility.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* move qa directory to tests/conntrack/ | Pablo Neira Ayuso | 2012-05-26 | 8 files | -0/+0
  All automated testing for the conntrack-tools will now reside under the test directory.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: update dependencies with libnetfilter_conntrack (>= 1.0.1) | Pablo Neira Ayuso | 2012-05-26 | 1 file | -1/+1
  libnetfilter_conntrack 1.0.1 includes important updates for the expectation side, which is used in this major milestone release.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: fix compilation warning in cttimeout support | Pablo Neira Ayuso | 2012-05-26 | 1 file | -2/+2
        CC     nfct-extensions/timeout.o
      ../../src/nfct-extensions/timeout.c: In function 'nfct_cmd_timeout_parse_params':
      ../../src/nfct-extensions/timeout.c:40:27: warning: variable 'ret' set but not used [-Wunused-but-set-variable]

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.2.0 | Pablo Neira Ayuso | 2012-05-26 | 1 file | -1/+1
  Major milestone including the new `nfct' utility and the expectation support for conntrackd.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add nfct tests for cttimeout | Pablo Neira Ayuso | 2012-05-26 | 12 files | -0/+337
  This patch adds the automated tests for the cttimeout infrastructure.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: integrate nfct into the conntrack-tools tree | Pablo Neira Ayuso | 2012-05-26 | 11 files | -5/+856
  I'll need it for the upcoming cthelper infrastructure. Moreover, we avoid more fragmentation in the netfilter user-space utilities. And the plan is that `nfct' will replace `conntrack' at some point.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: flush stdout for each expectation event, too | Florian Westphal | 2012-05-20 | 1 file | -0/+1
  else, piping "conntrack -E expect" output will be buffered/delayed, which is not what users expect.

  Normal conntrack events are already flushed.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* icmp[v6]: --icmp[v6]-[type|code] are optional for updates and deletes | Pablo Neira Ayuso | 2012-03-27 | 2 files | -4/+4
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: manpage and help display improvements | Adrian Bridgett | 2012-03-20 | 3 files | -3/+14
  This patch adds missing information regarding several conntrackd options to the manpage and the help info that is displayed in the command line.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix example on how to filter events via iptables CT target | Pablo Neira Ayuso | 2012-03-05 | 1 file | -2/+3
  You have to use this:

      iptables -I PREROUTING -t raw -j CT --ctevents assured,destroy

  instead of:

      iptables -I PREROUTING -t raw -j CT --ctevents assured

  Otherwise, conntrackd cache gets full since no destroy events are delivered.

  Reported-by: Kerin Millar <kerframil@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add ras, q.931 and h.245 to examples configuration file | Pablo Neira Ayuso | 2012-02-21 | 3 files | -3/+9
  Now it includes:

      ExpectationSync {
          ...
          ras
          q.931
          h.245
      }

  Which are the set of helpers for h.323.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: allow using lower/upper case in ExpectationSync | Pablo Neira Ayuso | 2012-02-21 | 1 file | -4/+5
  You can use:

      ExpectationSync {
          ftp
          ras
          q.931
          sip
      }

  or:

      ExpectationSync {
          FTP
          RAS
          Q.931
          SIP
      }

  no matter lower/upper case.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: allow to filter by mark from kernel-space | Pablo Neira Ayuso | 2012-02-14 | 1 file | -4/+37
  This patch uses the new infrastructure that allows us to filter by mark from kernel-space. This change ensures backward compatibility with kernels with no support for filtering by mark (Linux kernel <= 3.4.x).

  This requires latest libnetfilter_conntrack library.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix parsing of expectation class, helper name and NAT | Pablo Neira Ayuso | 2012-02-07 | 1 file | -1/+17
  I forgot to modify the body of msg2exp to include the recently committed support for the expectation class, helper name and NAT. This patch fixes the problem.

  Now in node-1 (primary), it shows:

      proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 31s]

  And in node-2 (secondary), it shows:

      proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 180s]

  This has been tested with the SIP conntrack helper.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: support expectfn synchronization for expectations | Pablo Neira Ayuso | 2012-02-07 | 3 files | -0/+8
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>