summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ftfw: show consistent information to users for problem diagnosingPablo Neira Ayuso2008-08-014-9/+28
| | | | | | | | | | This patch hides information that may confuse users while they are diagnosing problems in their setup. For example, we hide entries that are schedule to expire - from the user side, they are already destroyed entries; and we show in the counters the real active entries, not all that are stored in the caches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix broken normal deletion in cachesPablo Neira Ayuso2008-08-013-42/+42
| | | | | | | | | | | | This patch fixes the non-timer-based cache deletion. This bug affects the alarm-based approach since the backup replicas did not get the deletion event, thus, delaying the deletion. This patch introduces cache_find() to look up for a conntrack object and __cache_del_timer() to perform direct deletions by means of the pointer obtained with cache_find(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix: wrong use of timersub in cache_timerPablo Neira Ayuso2008-08-011-1/+1
| | | | | | Fix wrong output in the dump of the expire timer which was negative. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix: wrong information related to default logging actionPablo Neira Ayuso2008-08-017-21/+21
| | | | | | Logging is set off by default instead of what the example files state. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup: remove obsolete clause Replicate in the example conffilesPablo Neira Ayuso2008-08-016-54/+0
| | | | | | Remove obsolete clause Replicate in the example configuration files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix: use %zu instead of %u for size_tPablo Neira Ayuso2008-08-011-1/+1
| | | | | | Use %zu instead of %u for size_t to remove compilation warning. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* commit: retry at least once if we hit ETIME or ENOMEMEric Leblond2008-08-011-1/+18
| | | | | | | | | Some users are reporting ETIME errors in the update. This happens when you try to update a conntrack that is expiring. To avoid this problem, we retry once at least. We do similar for ENOMEM errors, although only users in virtual machines have reported this AFAIK. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add more sanity checks in the input pathPablo Neira Ayuso2008-08-012-8/+38
| | | | | | | Some users have reported crashes when nf_conntrack_ipv6 was not present. This patch performs more robust sanity checks in the input path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* CLI: add new option --buffer-size for -EPablo Neira Ayuso2008-07-293-19/+57
| | | | | | | Add new option --buffer-size for -E to set the netlink socket buffer size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: skip protocol state filtering if state not presentPablo Neira Ayuso2008-07-291-0/+3
| | | | | | | Skip user-space the protocol state filter if the protocol state is not present in the event message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: syslog displays the entry that triggers the errorPablo Neira Ayuso2008-07-241-2/+9
| | | | | | | | This patch fixes an inconsistency in the output. If syslog was chosen as logger, the conntrack entries that triggered an error were not displayed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add support for kernel-space filtering via BSFPablo Neira Ayuso2008-07-234-1/+107
| | | | | | | This patch adds support for kernel-space filtering via BSF by means of the libnetfilter_conntrack's BSF high-level API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-2223-532/+807
| | | | | | | | | | This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix xml output: wrap output with one root elementPablo Neira Ayuso2008-06-222-4/+50
|
* use only the original tuple to check if a conntrack is presentPablo Neira Ayuso2008-06-161-1/+9
|
* do not include Changelog in tarballs, user git shortlog for changelog insteadPablo Neira Ayuso2008-06-151-1/+1
|
* fix unsecure usage of printf and include limits.h (PATH_MAX and INT_MAX)Albin Tonerre2008-06-153-1/+3
|
* check if entries already exist in kernel before injectionPablo Neira Ayuso2008-06-151-15/+24
|
* delay the closure of the dump descriptor to fix assertion with cache_wtconntrack-tools-0.9.7Pablo Neira Ayuso2008-05-312-1/+4
|
* increase deletion stats when the timer is scheduled in cache_del_timeout()Pablo Neira Ayuso2008-05-311-2/+7
|
* define SO_[RCV|SND]BUFFORCE if not setPablo Neira Ayuso2008-05-271-0/+8
|
* fix make distcheckPablo Neira Ayuso2008-05-271-1/+1
|
* remove secmark support for conntrackdPablo Neira Ayuso2008-05-272-3/+0
|
* fix leak in cache_destroy(): release objects before destroying the cachePablo Neira Ayuso2008-05-262-0/+2
|
* rework the HELLO logic inside FT-FWPablo Neira Ayuso2008-05-264-8/+59
|
* add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso2008-05-2514-2/+592
|
* add eventfd emulation to communicate receiver -> senderPablo Neira Ayuso2008-05-258-9/+117
|
* add flex version warning (better with >= 2.5.33)Pablo Neira Ayuso2008-05-222-0/+16
|
* only allow the use of --secmark for listing (filtering)Pablo Neira Ayuso2008-05-223-3/+7
| | | | add missing string.h required by strdup in config parsing
* check for missing IPv6 address before hashingPablo Neira Ayuso2008-05-211-0/+8
|
* Updates (-U) show the effect of the operation in the conntrack entryPablo Neira Ayuso2008-05-201-11/+36
|
* add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffersPablo Neira Ayuso2008-05-2010-1/+141
|
* improve network message sanity checkingsPablo Neira Ayuso2008-05-186-40/+60
|
* - remove (misleading) counters and use information from the statistics modePablo Neira Ayuso2008-05-164-75/+12
| | | | | - use generic nfct_copy() from libnetfilter_conntrack to update objects - use generic nfct_cmp() to compare objects
* minor fix of the manpage (Max Wilhelm)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-05-142-1/+2
|
* Fix reorder possible reordering of destroy messages under message omission. ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-2910-49/+105
| | | | This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
* rework of the FT-FW approach/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-266-110/+257
|
* add more verbose error notification when the injection of a conntrack fails/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-166-13/+35
|
* minor update of the manpages/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-162-3/+7
|
* o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-169-66/+120
| | | | | | o recover the ID support o show display counters to stderr o enable filtering by status and ID
* fix conntrack -U -p tcp [...]/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-136-10/+68
|
* relax parameter checking for UDP and TCP/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-132-2/+2
|
* check for pkg-config before anything (fix bogus missing libraries failure)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-132-0/+9
|
* add initial automated qa testing for the conntrack cli/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-133-0/+102
|
* This is a major improvement of the conntrack command line tool:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-133-78/+233
| | | | | | | | o check for missing source/address IP/ports in creation and get operations o way more flexible conntrack updates and deletions o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki) o show display counters to stderr o minor cleanups
* o simplify parameter-handling code/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-124-267/+157
| | | | | o check for missing source/address IP/ports o minor cleanups
* update manpages with the new URL/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-093-2/+4
|
* improve netlink overrun handling/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-097-75/+111
|
* fix asymmetric path support (still some open concerns)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-084-4/+68
|
* fix compilation in ARM (reported by Thiemo Seufer via Max Kellermann)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-081-0/+1
|