Commit log (each entry lists the commit message, author, date, files changed and lines removed/added)
...
* conntrack: fix `conntrack --src-nat 3.3.3.3' and similar
  Pablo Neira Ayuso, 2010-07-01, 1 file, -4/+14
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix bogus NATted flows in filtering
  Pablo Neira Ayuso, 2010-07-01, 1 file, -4/+8
  With this patch, conntrack does not show bogus entries that have no NAT applied due to relaxed checking.
    conntrack -L --src-nat :80
    tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1
    conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: re-fix inconsistent display with `--src-nat' and `--dst-nat'
  Pablo Neira Ayuso, 2010-07-01, 1 file, -46/+30
  In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the inconsistent behaviour that I described in 85f94171a71880c744f265268f33ad58819caa74. Great. This patch fixes this again.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add testsuite for NAT filtering options
  Pablo Neira Ayuso, 2010-07-01, 1 file, -0/+36
  This patch adds the testsuite for the NAT filtering options.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add `--any-nat' to filter any NATted flow
  Pablo Neira Ayuso, 2010-07-01, 3 files, -23/+74
  This patch adds the --any-nat option that allows displaying src-NATted OR dst-NATted flows.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix port filter with `--src-nat' and `--dst-nat'
  Pablo Neira Ayuso, 2010-06-28, 1 file, -31/+39
  This patch allows the following command to filter port-based NAT:
    $ conntrack -L --dst-nat :9999
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: put all the commands and options code together
  Pablo Neira Ayuso, 2010-06-22, 2 files, -262/+264
  This patch is a cleanup: it puts all the commands and options code together. This makes the task of adding new commands and options easier and less error-prone.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: expand array that maps option-flags to option-names
  Pablo Neira Ayuso, 2010-06-22, 1 file, -3/+23
  This patch is a cleanup: it expands an array that contains the correspondence between the option-flags and the option-names.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: complete TCP window scale support
  Pablo Neira Ayuso, 2010-06-17, 1 file, -0/+4
  In commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d, I added the TCP window scale factor support but it was incomplete. We have to set the IP_CT_TCP_FLAG_WINDOW_SCALE flag to update the td_scale field via ctnetlink. Check the nlattr_to_tcp(...) function in nf_conntrack_proto_tcp.c for more details.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: `-L --src-nat --dst-nat' filter using AND, not OR logic
  Pablo Neira Ayuso, 2010-06-17, 1 file, -3/+17
  The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted OR destination-natted flows. This patch changes the behaviour to show source-natted AND destination-natted flows. This is the consistent behaviour that we expect from conntrack (this is how it works for other options indeed).
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `conntrack -L --src-nat --dst-nat' (second try)
  Pablo Neira Ayuso, 2010-06-17, 1 file, -13/+9
  This patch fixes the filtering with --src-nat and --dst-nat options.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: revert fix `-L --src-nat --dst-nat'
  Pablo Neira Ayuso, 2010-06-17, 1 file, -9/+13
  This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since it breaks conntrack listing.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: `-i -x' does not display internal cache in XML
  Mohit Mehta, 2010-06-15, 1 file, -1/+1
  `conntrackd -i -x' does not display internal cache in XML; this patch fixes the problem.
  Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `-L --src-nat --dst-nat'
  Pablo Neira Ayuso, 2010-06-10, 1 file, -13/+9
  Since > 0.9.6, the conntrack listing with the options --src-nat and --dst-nat does not work. This patch fixes the problem.
  Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: description on how to block traffic with conntrack was incomplete
  Pablo Neira Ayuso, 2010-05-10, 1 file, -2/+7
  This patch completes the documentation with the following discussion that took place on the mailing list:
    http://marc.info/?l=netfilter&m=127335152521674&w=2
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: split __run() routine for poll and event-driven modes
  Pablo Neira Ayuso, 2010-02-28, 1 file, -71/+105
  This patch splits the __run() routine into two functions, run_polling() and run_events(), that are selected once at run-time. We save one branch in a loop that is intensively executed.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: PollSecs goes in the General clause for statistics
  Pablo Neira Ayuso, 2010-02-28, 1 file, -12/+12
  This patch fixes the configuration file that includes an example of the PollSecs clause in Stats. This is wrong since it should go in the General clause.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: option `-t' is on the same line as `-m' in manpage
  Pablo Neira Ayuso, 2010-02-26, 1 file, -0/+1
  From Richard Lucassen:
  > Btw: if you search the "-m --mask" option in the manpage, you'll see a
  > cosmetic typo: this option is on the same line as "-t --timeout"
  Reported-by: Richard Lucassen <reply5@xaq.nl>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix `conntrackd -c' if external cache is disabled
  Pablo Neira Ayuso, 2010-02-17, 4 files, -6/+8
  This patch fixes a hang that occurs if you invoke `conntrackd -c' and you have disabled the external cache. Note that `conntrackd -c' does nothing since there are no entries in the external cache to be committed.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cleanup port addition in the message building path
  Pablo Neira Ayuso, 2010-02-16, 1 file, -6/+17
  This patch moves the ports addition to the layer 4 functions, instead of checking for the port attribute. It also adds a function for UDP, otherwise we break support for this protocol.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for TCP window scale factor synchronization
  Pablo Neira Ayuso, 2010-02-11, 10 files, -10/+79
  This patch adds a new option, TCPWindowTracking, that allows you not to disable TCP window tracking, as happens by default.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix UDP filtering in configuration file
  Pablo Neira Ayuso, 2010-02-11, 5 files, -0/+23
  UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 0.9.14 (tag: conntrack-tools-0.9.14)
  Pablo Neira Ayuso, 2009-12-28, 1 file, -2/+2
  This patch bumps conntrack-tools version to 0.9.14.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: document `-B' command
  Pablo Neira Ayuso, 2009-12-24, 1 file, -0/+4
  This patch documents the `-B' command in conntrackd that allows you to force a bulk send to other firewall nodes in the cluster.
  Reported-by: Tino Keitel <tkeitel@innominate.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix manually created TCP entries with window tracking enabled
  Pablo Neira Ayuso, 2009-12-23, 1 file, -0/+14
  With this patch, we allow manually creating TCP entries in the table. Basically, we disable TCP window tracking for this entry to avoid problems.
  Reported-by: Roman Fiedler <roman.fiedler@ait.ac.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: document internal cache disabling and TCP-based synchronization
  Pablo Neira Ayuso, 2009-12-23, 2 files, -4/+61
  This patch documents the internal cache disabling feature that is available for the NOTRACK mode. I have also added an example on how to set up a TCP-based state-synchronization.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix flow-state filtering for TCP
  Pablo Neira Ayuso, 2009-12-23, 1 file, -1/+4
  This patch fixes the clause `State' in `Filter' that allows you to filter by protocol state. This bug was introduced during the implementation of the TCP-based synchronization.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add ICMP support for state-synchronization
  Pablo Neira Ayuso, 2009-12-19, 6 files, -1/+29
  This patch adds state-synchronization for ICMP. You SHOULD use a Linux kernel >= 2.6.31, otherwise this patch can result in tons of state-updates.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: use indirect call to build layer 4 protocol information
  Pablo Neira Ayuso, 2009-12-19, 1 file, -10/+43
  With this patch, we use an indirect call to build the layer 4 information into the synchronization message.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add `DisableInternalCache' clause
  Pablo Neira Ayuso, 2009-10-21, 14 files, -234/+572
  This patch adds the clause `DisableInternalCache' that allows you to bypass the internal cache. This clause can only be used with the notrack synchronization mode.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add missing external statistics
  Pablo Neira Ayuso, 2009-10-14, 1 file, -1/+11
  In 0b03f4b759e439edd2c3da0add08050276d7dc5f, I forgot to increase the stats for successful cases. This patch fixes this.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add statistics when the external cache is disabled
  Pablo Neira Ayuso, 2009-10-14, 1 file, -5/+31
    # conntrackd -s
    external inject:
    connections created: 0 failed: 0
    connections updated: 0 failed: 0
    connections destroyed: 0 failed: 0
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: use fscanf() instead of read() for showing counter
  Hannes Eder, 2009-10-08, 1 file, -7/+6
  Read an integer right away with fscanf() instead of read()-ing to a buffer, which was actually too small for the terminating '\0', and atoi()-ing. Furthermore read() might not read enough, though unlikely here.
  Signed-off-by: Hannes Eder <heder@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: avoid error with expectations when using 'conntrack -E -e ALL ...'
  Hannes Eder, 2009-10-08, 1 file, -1/+2
  Avoid this error:
    conntrack v0.9.13 (conntrack-tools): Operation failed: No such file or directory
  when using 'conntrack -E -e ALL ...'. This is caused by the fact that netfilter expectations also get delivered, but things are not set up for this, nfnl_catch returns -1 and errno = ENOENT.
  Signed-off-by: Hannes Eder <heder@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix output when no arguments are passed
  Hannes Eder, 2009-10-07, 1 file, -1/+1
  When 'conntrack' is called with no arguments then garbage is printed after the usage message. This patch fixes this.
  Signed-off-by: Hannes Eder <heder@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix wrong calculation of new maxfd on unregister_fds()
  Pablo Neira Ayuso, 2009-09-26, 1 file, -0/+2
  This patch fixes a missing calculation of maxfd when a file descriptor is unregistered.
  Reported-by: Jean Mickael Guerin <jean-mickael.guerin@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add alive control messages to notrack mode
  Pablo Neira Ayuso, 2009-09-23, 1 file, -0/+39
  This patch adds the alive control message to the notrack mode. This helps to diagnose problems in the synchronization and the state of the channel, specifically for TCP-based channels.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add retention queue for TCP errors
  Pablo Neira Ayuso, 2009-09-23, 7 files, -11/+144
  Under stress, the TCP stack may return EAGAIN if there is no space left in the sender buffer. We also enqueue any other error.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: rate-limit the amount of connect() calls
  Pablo Neira Ayuso, 2009-09-23, 1 file, -0/+14
  This patch rate-limits the amount of connect() calls to avoid syn-floods when the other peer is not connected and we are generating updates.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: break lines at 80 characters in example config files
  Pablo Neira Ayuso, 2009-09-23, 2 files, -16/+18
  In 49540362b2a25aadbaf25fd087414776aa5a67a8, we forgot to break lines at 80 characters. This patch cleans up this issue.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix re-connect with multiple TCP channels
  Pablo Neira Ayuso, 2009-09-23, 2 files, -5/+6
  This patch fixes a bug in the TCP support that breaks re-connections of the client side if several TCP channels are used in the configuration file.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix `conf' local variable in channel.c that shadows global
  Pablo Neira Ayuso, 2009-09-21, 1 file, -11/+11
  This patch avoids the shadowing of the global `conf' variable that is used to store the configuration information.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: improve error handling in tcp_send
  Pablo Neira Ayuso, 2009-09-21, 1 file, -1/+4
  With this patch, we increase the error stats if:
  * we failed to connect to the other peer.
  * some unexpected error made connect() fail.
  * sendto returned ECONNRESET or EPIPE.
  Moreover, we propagate the sendto() errors to upper layers under failure as Samuel Gauthier suggested.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix return value in notrack_local()
  Pablo Neira Ayuso, 2009-09-17, 1 file, -1/+1
  In 9406f29b89f6727c3db5485d109466701393b4d4, we added different return values for the UNIX sockets that we use to extract the daemon statistics. Unfortunately, I forgot to change this as well. This patch fixes a problem that blocks the client socket indefinitely.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix MTU for TCP channels
  Pablo Neira Ayuso, 2009-09-11, 5 files, -5/+8
  Use the TCP header size (20 bytes) instead of the UDP header size (8 bytes) to calculate the maximum packet size.
  Reported-by: Samuel Gauthier <samuel.gauthier@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix bad configuration file for DisableExternalCache statement
  Samuel Gauthier, 2009-09-03, 2 files, -24/+26
  DisableExternalCache is supposed to be put in mode NOTRACK{} or Mode FTFW{} statement.
  Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: better parse_payload protection against corrupted packets
  Samuel Gauthier, 2009-09-03, 1 file, -0/+2
  As we get attr->nta_attr directly from the net message, it can be corrupted. Hence, we must check that the nta_attr value is valid before trying to reach the h[attr->nta_attr] element.
  Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: net message memory allocation is unsafe
  Pablo Neira Ayuso, 2009-09-03, 1 file, -1/+1
  We cannot assume that we will not write in the net message before we send it, because the memory allocated for the net message (__net) is only reserved in BUILD_NETMSG (because of the { } block in it). This patch marks the buffer as static to avoid this problem.
  Based on a patch from Samuel Gauthier <samuel.gauthier@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support state-replication based on TCP
  Pablo Neira Ayuso, 2009-08-23, 17 files, -17/+954
  This patch adds support for TCP as the protocol to replicate state-changes between two daemons. Note that this only makes sense with the notrack mode.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: allow to remove file descriptors from set
  Pablo Neira Ayuso, 2009-08-21, 2 files, -0/+55
  With this patch, we can remove file descriptors dynamically from our own file descriptor pool.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>