summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* conntrack: fix English typo in output messagePablo Neira Ayuso2009-04-141-9/+9
| | | | | | This patch fixes an English typo in an output message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: change scheduler and priority via configuration filePablo Neira Ayuso2009-04-148-1/+99
| | | | | | | | With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add DCCP supportPablo Neira Ayuso2009-04-116-2/+252
| | | | | | This patch adds DCCP support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add SCTP supportPablo Neira Ayuso2009-04-116-5/+275
| | | | | | This patch adds SCTP support to the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add UDPlite supportPablo Neira Ayuso2009-04-116-3/+218
| | | | | | This patch adds UDPlite support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix coupled-options sanity checkingsPablo Neira Ayuso2009-04-116-79/+119
| | | | | | | | | | | | This patch extends the generic_opt_check() function to add extra information on the possible option combinations. Under some specific situations, like the creation and getting of a conntrack, you may specify the original or the reply tuple but at least one MUST be present. This handling has been always tricky, it still remains but we're more user friendly at least. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: save one indent in the TCP supportPablo Neira Ayuso2009-04-111-61/+59
| | | | | | This patch saves one extra indent in the switch(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: cleanup error output with `-p tcp --state'Pablo Neira Ayuso2009-04-111-1/+1
| | | | | | | | | | This patch also removes a new line that is not required in the error message. # conntrack -L -p tcp --state CLOS conntrack v0.9.12 (conntrack-tools): Unknown TCP state CLOS > empty line < Try `conntrack -h' or 'conntrack --help' for more information.
* conntrack: remove hardcoded iteration in TCP supportPablo Neira Ayuso2009-04-101-14/+14
| | | | | | | This patch is a cleanup, it removes a hardcoded iteration in the TCP support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* daemon: remove unused constants in header filePablo Neira Ayuso2009-04-101-6/+0
| | | | | | | This patch removes a couple of constants that have no clients in the conntrackd code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 0.9.12conntrack-tools-0.9.12Pablo Neira Ayuso2009-04-011-1/+1
| | | | | | | This patch bumps conntrack-tools version to 0.9.12 to prepare the release. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: cleanup error reporting during config file parsingPablo Neira Ayuso2009-03-311-111/+143
| | | | | | This patch cleans up the error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: set nice to -20 in example config filesPablo Neira Ayuso2009-03-313-9/+15
| | | | | | | | This patch sets the most favourable nice value for conntrackd in the default configuration files. This is generally a good idea to reduce the chances to hit ENOBUFS. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: remove broken command checking codePablo Neira Ayuso2009-03-311-22/+6
| | | | | | | | | This patch removes the broken command checking. This is better handled by the option checkings which comes just after this one. This patch also fixes some inconsistencies in the command parameter checking when long names are used. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add `-S' command to display kernel statisticsPablo Neira Ayuso2009-03-313-5/+92
| | | | | | | | | This patch adds `-S' command to display kernel statistics. Using raw `cat' on /proc and the hexadecimal output is not very handy. This option parses the /proc entry and display the information is a more human friendly way. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix missing bits in `-C' commandPablo Neira Ayuso2009-03-312-1/+6
| | | | | | | | This patch fixes some missing bits for the `-C' conntrack command like the manpage information, the usage help, the `--counters' synonymous and the commands vs. options checking. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: fix broken dedicated-link change in multichannel layerPablo Neira Ayuso2009-03-203-12/+12
| | | | | | | This patch fixes a problem that was introduced while adding the multichannel support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: obsolete `ListenTo' clausePablo Neira Ayuso2009-03-202-26/+2
| | | | | | | This patch obsoletes the `ListenTo' clause which is a reminiscent of the intial event filtering code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mcast: remove several unused structure fieldsPablo Neira Ayuso2009-03-203-24/+1
| | | | | | This patch removes several structure fields that are unused. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udp: fix missing scope_id in the socket creationPablo Neira Ayuso2009-03-206-6/+45
| | | | | | | | | This patch fixes an EINVAL error returned by bind() when opening an UDP server socket to propagate state-changes over the dedicated link. This patch also includes the change of the example configuration files in case that you want to use UDP over IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: fix broken destination port address translationPablo Neira Ayuso2009-03-191-1/+1
| | | | | | | | This patch fixes a bug in the message parser which leads to treat a destination PAT as a source PAT. Reported-by: Habib Sahnoun <sahnounhab@yahoo.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: change `multicast' by `link' for `-s' optionPablo Neira Ayuso2009-03-174-5/+12
| | | | | | | | | This patch obsoletes `-s multicast' by `-s link' to display the dedicated link statistics, as the current dedicated link protocol use can be unicast UDP or multicast. The term "link" is more generic. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mcast: mcast_send() takes a const pointer to bufferPablo Neira Ayuso2009-03-172-2/+2
| | | | | | | This patch removes a compilation warning. The buffer passed to be sent must be const. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: cleanup reminiscent of multicast dependencyPablo Neira Ayuso2009-03-171-2/+2
| | | | | | | | | This patch is a cleanup, it removes a couple of reminiscent references to multicast (as now conntrackd is independent of the protocol used to replicate state-changes, currently supports unicast UDP and multicast). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: save one tab inside switch, cleanupPablo Neira Ayuso2009-03-131-14/+14
| | | | | | This patch saves one tab in the code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: fix wrong output stats refering lost/malformed packetsPablo Neira Ayuso2009-03-131-3/+3
| | | | | | | | This patch fixes a misleading output that shows the number of lost and malformed packets. Instead, those numbers show the number of the number of lost and malformed messages. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add unicast UDP support to propagate state-changesPablo Neira Ayuso2009-03-1313-32/+764
| | | | | | | | This patch adds support for unicast UDP to the channel infrastructure. With this patch, you can select UDP unicast to propagate state-changes instead of multicast. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: rename mcast_track_*() by nethdr_track_*()Pablo Neira Ayuso2009-03-125-12/+12
| | | | | | | | This patch is a cleanup. It renames the mcast_track_*() functions by nethdr_track_*() because this functions are related to message sequence tracking. They are not stick to multicast at all. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add abstract layer to make daemon independent of multicastPablo Neira Ayuso2009-03-1216-349/+596
| | | | | | | | | This patch reworks conntrackd to make it independent of the protocol used to propagate state-changes. This patch adds the channel layer abstraction, this layer allows you to add support for different protocols like unicast UDP or TIPC. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: rename mcast_iface structure to interfacePablo Neira Ayuso2009-03-092-14/+14
| | | | | | | | | This patch renames the mcast_iface to interface since this nlif handler is not related with multicast itself, but to monitor the link interface used to propagate state-changes. This patch is a cleanup. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: rename mcast_send_sync() to sync_send()Pablo Neira Ayuso2009-03-091-7/+7
| | | | | | | | This patch is a cleanup. It renames the function mcast_send_sync() to sync_send() since the function itself is not related to multicast anymore (it enqueues state-changes to the upper layer). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove debian/ directoryPablo Neira Ayuso2009-03-067-56/+0
| | | | | | | This patch removes the debian directory. According to the debian policy, this directory should not be in source tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: remove use of old libnetfilter API flagsPablo Neira Ayuso2009-03-064-36/+102
| | | | | | | This patch removes the use of the obsolete old libnetfilter protocol flags. This patch also improves error reporting in TCP and UDP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix broken link to ulogd2 in the manualPablo Neira Ayuso2009-02-231-1/+1
| | | | | Reported-by: Ralf <rm@amitrader.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add m4 directoryJan Engelhardt2009-02-211-0/+2
| | | | | | | | | Since 4dd73e4e34b57685d8a85e041f6a0b4a65200e30, the "m4" directory is missing because git stores no empty directories. Add the appropriate .gitignore file and the problem resolves itself. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix compilation issue in gentoo due to missing include limits.hPablo Neira Ayuso2009-02-212-0/+2
| | | | | | | | | This patch adds include limits.h to mcast.c and sync-mode.c. Why Gentoo maintainers did not report me the problem? :( http://bugs.gentoo.org/show_bug.cgi?id=256497 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 0.9.11conntrack-tools-0.9.11Pablo Neira Ayuso2009-02-211-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: use u8 getter for TCP statesPablo Neira Ayuso2009-02-211-1/+1
| | | | | | | | This patch replace nfct_get_attr_u32 by nfct_get_attr_u8 which is the correct size of a TCP state. Set also the CLOSE_INIT flag for CLOSE TCP state (as nf_conntrack_proto_tcp allows). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: add NetlinkBufferSize and NetlinkBufferSizeMaxGrowthPablo Neira Ayuso2009-02-215-11/+13
| | | | | | | | This patch adds two alias that removes an inconsistency in the configuration file names. Now, the clauses that refers to Netlink starts by the prefix "Netlink". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mcast: fix compilation warning due missing headerPablo Neira Ayuso2009-02-211-0/+1
| | | | | | | This patch includes libnfnetlink.h header in mcast.c to remove a compilation warning due to missing prototype declaration. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revert primary-backup-2.6.29-and-higher.sh scriptPablo Neira Ayuso2009-02-212-111/+0
| | | | | | | | | | This patch reverts primary-backup-2.6.29-and-higher.sh. This script is not safe for production enviroments until the commit phase guarantees that the state-change propagation over netlink is reliable. This script should be ready for 2.6.30 if the appropriate kernel patches go into mainline in time. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove obsolete debug() and debug_ct() callsPablo Neira Ayuso2009-02-209-52/+8
| | | | | | | This patch removes debug() and debug_ct(), I haven't use the debugging information that these functions provide in years. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: change current link if message is correctPablo Neira Ayuso2009-02-201-3/+10
| | | | | | | This patch makes conntrackd change the current dedicated link if the message is correct, ie. neither malformed nor out-of-sync. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: fix endianess issue in acknowledgment network headerPablo Neira Ayuso2009-02-201-0/+7
| | | | | | | | This patch fixes an endianess issue in the acknowledgment network header. This breaks backward compatibility if different conntrackd versions are used. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: fix endianess issue in synchronization network headerPablo Neira Ayuso2009-02-201-0/+7
| | | | | | | | This patch fixes an endianess issue in the synchronization network header. This breaks backward compatibility if different conntrackd versions are used. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: don't use NFCT_DIR_MAX in statistics structurePablo Neira Ayuso2009-02-202-10/+11
| | | | | | | | | This patch removes the use of NFCT_DIR_MAX. This constant is part of the old libnetfilter_conntrack API which has been removed from the git tree. It was introduced in the early days of conntrackd, thus, the use of this constant. Unfortunately, I did not notice until now. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add bulk update to primary-script.sh scriptPablo Neira Ayuso2009-02-151-0/+11
| | | | | | | | | | | | This patch updates the script to remark the fact that it should be used with Linux kernel < 2.6.29. Moreover, it adds a bulk-update command after the commit in the primary path to avoid any race condition (the backup may request a resync while this primary is still committing the entries with an empty internal cache). This is hackish, but I think that this is the best way to do this for systems running a Linux kernel < 2.6.29. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add new primary-backup.sh script for >= 2.6.29Pablo Neira Ayuso2009-02-151-0/+109
| | | | | | | | This patch adds a new primary-backup.sh script for Linux kernels >= 2.6.29. This script takes advantage of the user-space event reporting that ctnetlink does since this kernel version. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: unset ACKWindowSize in example configuration filesPablo Neira Ayuso2009-02-151-2/+2
| | | | | | | This patch unset ACKWindowSize since it already sets the clause to its default value. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: don't initialize logging for client requestPablo Neira Ayuso2009-02-151-6/+6
| | | | | | | This patch removes the logging initialization for client requests which is of any use for them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>