summaryrefslogtreecommitdiffstats
path: root/configure.ac
Commit message (Collapse)AuthorAgeFilesLines
* conntrack-tools 1.4.6 releaseHEADconntrack-tools-1.4.6masterPablo Neira Ayuso3 days1-2/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: search for RPC headersAsh Hughes2019-05-301-0/+2
| | | | | | | | Attempts to get RPC headers from libtirpc if they aren't otherwise available. Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack-tools 1.4.5 releaseconntrack-tools-1.4.5Arturo Borrero Gonzalez2018-05-011-2/+2
| | | | Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* conntrackd: remove use of HAVE_INET_PTON_IPV6Nicolas Dichtel2017-06-061-28/+0
| | | | | | | | | | | | | | | | | The goal of this patch is to fix the ipv6 support when conntrackd is cross-compiled. The AC_RUN_IFELSE macro must be avoided as much as possible. See section 6.6 of the gnu autoconf: "If you really need to test for a runtime behavior while configuring, you can write a test program to determine the result, and compile and run it using AC_RUN_IFELSE. Avoid running test programs if possible, because this prevents people from configuring your package for cross-compiling." Let's remove this check and test the returned error to handle the case where ipv6 is not supported (inet_pton() returns -1 when the family is not supported). Reported-by: Zhenlin Zhang <zhenlin.zhang@6wind.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Link nfct and helper modules with `-z lazy`Kevin Cernekee2016-09-201-0/+3
| | | | | | | | | | | | | | | Some distributions, such as Gentoo and Chrome OS, try to link all programs with `-z now` as a security hardening measure. This breaks nfct, because nfct cannot satisfy all of the helper modules' symbols. Therefore nfct implicitly depends on lazy binding. Have autoconf probe the linker to see if `-z lazy` works, and if so, use it to link nfct and the helpers. conntrackd itself is unaffected, and should still work with `-z now`. Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack-tools 1.4.4 releaseconntrack-tools-1.4.4Pablo Neira Ayuso2016-08-221-2/+2
| | | | | | | | | | | This release includes NAT IPv6 support for state synchronization, list filtering with address masks, a new conntrackd.conf manpage, initial systemd integration and other minor documentation updates. Bump dependency to libnetfilter_conntrack 1.0.6 to make sure the NAT IPv6 bits are there in place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Remove flex check warningShivani Bhardwaj2016-06-221-15/+0
| | | | | | | | | Remove the warning about outdated version of flex as it is not needed anymore. This check was introduced back in 2008 to skip a broken flex version that doesn't seem to be packaged by any distribution anymore. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add systemd supportArturo Borrero2015-11-171-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds basic systemd support. The feature can be enabled/disabled at configure time: ./configure --disable-systemd Also, at runtime in conntrackd.conf General { Systemd on|off } (by default it's enabled both at runtime and at configure time) * tell systemd about conntrackd readiness: When conntrackd starts, it will send systemd the data "READY=1". At the point the data is sent, conntrackd is fully ready to work (configuration was OK, sockets OK, et all), so other actions depending on conntrackd can be safely chained in the machine boot process. * tell systemd about conntrackd shutting down: If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1" will be send to systemd so it learns about the daemon shutting down. Same for manual signals. * watchdog support: The admin can configure systemd to watch the conntrackd daemon and perform some actions if conntrackd dies: restart it, reboot the machine, etc... Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure.ac: improve feature selectionArturo Borrero2015-11-011-2/+2
| | | | | | | | Let's improve feature selection with feedback from Jan Engelhardt and Pablo Neira Ayuso. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack-tools 1.4.3 releaseconntrack-tools-1.4.3Pablo Neira Ayuso2015-09-081-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Add AM_PROG_AR to silence automake warningFelix Janda2015-05-211-0/+1
| | | | | | | | | /usr/share/automake-1.13/am/ltlibrary.am: warning: 'ct_helper_tns.la': linking libtool libraries using a non-POSIX /usr/share/automake-1.13/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac' src/helpers/Makefile.am:3: while processing Libtool library 'ct_helper_tns.la' Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add --disable-cthelper and --disable-cttimeoutPablo Neira Ayuso2013-09-261-3/+23
| | | | | | | | | | This patch allows you to disable userspace helper support and conntrack timeout tuning at build stage. By default, both features are enabled, to avoid breaking backward compatibility. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack-tools 1.4.2 releaseconntrack-tools-1.4.2Pablo Neira Ayuso2013-08-061-2/+2
| | | | | | | bump dependency with libnetfilter_conntrack to 1.0.4, otherwise we don't get the connlabel support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: requires libnetfilter_conntrack >= 1.0.3Pablo Neira Ayuso2013-03-041-1/+1
| | | | | Reported-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.4.1conntrack-tools-1.4.1Pablo Neira Ayuso2013-03-031-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.0 and update dependenciesconntrack-tools-1.4.0Pablo Neira Ayuso2012-10-081-4/+4
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: helper: use CONNTRACKD_LIB_DIR variable set during configurationPablo Neira Ayuso2012-08-011-0/+5
| | | | | | | | Instead of hardcoded path to /usr/lib/conntrack-tools/ which might not be true if options like --prefix with different location is passed to conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add cthelper infrastructure (+ example FTP helper)Pablo Neira Ayuso2012-08-011-2/+7
| | | | | | | | | | | | This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space. There's one example file that you can use to configure conntrackd as user-space connection tracking helper under: doc/helper/conntrackd.conf Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.2.2conntrack-tools-1.2.2Pablo Neira Ayuso2012-07-311-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.2.1conntrack-tools-1.2.1Pablo Neira Ayuso2012-05-261-1/+1
| | | | | | this release fixes a compilation issue in 1.2.0, sorry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: update dependencies with libnetfilter_conntrack (>= 1.0.1)Pablo Neira Ayuso2012-05-261-1/+1
| | | | | | | libnetfilter_conntrack 1.0.1 includes important updates for the expectation side, which is used in this major milestone release. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.2.0Pablo Neira Ayuso2012-05-261-1/+1
| | | | | | | Major milestone including the new `nfct' utility and the expectation support for conntrackd. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: integrate nfct into the conntrack-tools treePablo Neira Ayuso2012-05-261-1/+3
| | | | | | | | I'll need for the upcoming cthelper infrastructure. Moreover, we avoid more fragmentation in the netfilter user-space utilities. And the plan is that `nfct' will replace `conntrack' at some point. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: support for expectation synchronizationPablo Neira Ayuso2012-01-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support to synchronize expectations between firewalls. This addition aims to re-use as much as possible of the existing infrastructure for stability reasons. The expectation support has been tested with the FTP helper. This extension requires libnetfilter_conntrack 1.0.0. If this is the first time you're playing with conntrackd, I *strongly* recommend you to get working setup of conntrackd without expectation support before as described in the documentation. Then, enabling expectation support is rather easy. To know more about expectations, if you're not familiar with them, I suggest you to read: "Netfilter's Connection Tracking System" http://people.netfilter.org/pablo/docs/login.pdf Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3 (Berkeley, CA: USENIX Association, 2006, pp40-45.) In short, expectations allow one Linux firewall to filter multi-flow traffic like FTP, SIP and H.323. In my testbed, there are two firewalls in a primary-backup configuration running keepalived. The use a couple of floating cluster IP address (192.168.0.100 and 192.168.1.100) that are used by the client. These firewalls protect one FTP server (192.168.1.2) that will be accessed by one client. In ASCII art, it looks like this: 192.168.0.100 192.168.1.100 eth1 eth2 fw-1 / \ FTP -- client ------ ------ server -- 192.168.0.2 \ / 192.168.1.2 fw-2 This is the rule-set for the firewalls: -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A FORWARD -m state --state RELATED -j ACCEPT -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: " The following steps detail how to check that the expectation support works fine for conntrackd: 1) You have to enable the expectation support in the configuration file with the following option: Sync { ... Options { ExpectationSync { ftp sip h323 } } } This enables expectation synchronization for the FTP, SIP and H.323 helpers. You can alternatively use: Sync { ... Options { ExpectationSync On } } To enable expectation synchronization for all helpers. 2) Make sure you have loaded the FTP helper in both firewalls. root@fw1# modprobe nf_conntrack_ftp root@fw2# modprobe nf_conntrack_ftp 3) Switch to the client. Start one FTP control connection to one server that is protected by the firewalls, enter passive mode: (term-1) user@client$ nc 192.168.1.2 21 220 dummy FTP server USER anonymous 331 Please specify the password. PASS nothing 230 Login successful. PASV 227 Entering Passive Mode (192,168,1,2,163,11). This means that port 163*256+11=41739 will be used for the data traffic. Read this if you are not familiar with the FTP protocol: http://www.freefire.org/articles/ftpexample.php 3) Switch to fw-1 (primary) to check that the expectation is in the internal cache. root@fw1# conntrackd -i exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s] 4) Switch to fw-2 (backup) to check that the expectation has been successfully replicated. root@fw2# conntrackd -e exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s] 5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary. 6) Switch to fw-2 (primary) to commit the external cache into the kernel. root@fw2# conntrackd -c exp The logs should display that the commit was successful: root@fw2# tail -100f /var/log/conntrackd.log [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds 7) Switch to the client. Open a new terminal and connect to the port that has been announced by the server: (term-2) user@client$ nc -vvv 192.168.1.2 41739 (UNKNOWN) [192.168.1.2] 41739 (?) open 8) Switch to term-1 and ask for the file listing: [...] 227 Entering Passive Mode (192,168,1,2,163,11). LIST 9) Switch to term-2, it should display the listing. That means everything has worked fine. You may want to try disabling the expectation support and repeating the steps to check that *it does not work* without the state-synchronization. You can also display expectation statistics by means of: root@fwX# conntrackd -s exp This update requires no changes in the primary-backup.sh script that is used by the HA manager to interact with conntrackd. Thus, we provide a backward compatible command line interface. Regarding the Filter clause and expectations, we use the master conntrack to filter expectation events. The filtering is performed in user-space. No kernel-space filtering support for expectations yet (this support should go in libnetfilter_conntrack at some point). This patch also includes support to disable caching and to allow direct injection of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.1conntrack-tools-1.0.1Pablo Neira Ayuso2012-01-041-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: disable implicit .tar.gz archive generation and use POSIX modeJan Engelhardt2011-12-171-1/+2
|
* build: use AC_CONFIG_AUX_DIR and stash away toolsJan Engelhardt2011-12-171-1/+1
|
* build: Linux kernel-style for compilation messagesPablo Neira Ayuso2011-03-151-0/+3
| | | | | | | | | | | | [...] CC external_inject.o CC internal_cache.o CC internal_bypass.o CC read_config_yy.o CC read_config_lex.o CCLD conntrackd Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.0.0conntrack-tools-1.0.0Pablo Neira Ayuso2011-02-271-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: conntrack-tools now requires libnetfilter_conntrack >= 0.9.1Pablo Neira Ayuso2011-02-241-1/+1
| | | | | | | The existing code requires new features that went into the current library version. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove redundant bison/lex testsJan Engelhardt2010-11-051-8/+6
| | | | | | | AC_PROG_{LEX,YACC} already searches for the programs, so no need to do it again with AC_CHECK_PROGS. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: run autoupdate to replace obsolete constructsJan Engelhardt2010-11-051-4/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: default to not building static librariesJan Engelhardt2010-11-051-0/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: no need for error message in PKG_CHECK_MODULESJan Engelhardt2010-10-311-23/+2
| | | | | | | | | | | PKG_CHECK_MODULES already produces its own (and more verbose) messsage when a module cannot be found. Mucking around with CFLAGS and LIBS is also not needed since pkgconfig takes care of providing variables, so let's use them in Makefile.am. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove statements without effectJan Engelhardt2010-10-311-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: use modern call syntax for AM_INIT_AUTOMAKEJan Engelhardt2010-10-311-1/+1
| | | | | | | automake options also need to definitely go into configure.ac, otherwise they only apply to a single directory. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: use autoconf-suggested naming of filesJan Engelhardt2010-10-311-0/+135
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>