summaryrefslogtreecommitdiffstats
path: root/doc/sync/notrack
Commit message (Collapse)AuthorAgeFilesLines
* conntrackd: add support for IPv6 kernel-space filtering via BSFPablo Neira Ayuso2009-07-211-0/+3
| | | | | | | This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add clause to enable ctnetlink reliable event deliveryPablo Neira Ayuso2009-07-211-0/+7
| | | | | | | | This patch adds the NetlinkEventsReliable clause, this is useful to turn on reliable Netlink event delivery. This features requires a Linux kernel >= 2.6.31. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for DCCP state replicationPablo Neira Ayuso2009-04-241-0/+1
| | | | | | This patch adds initial support for DCCP state replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for SCTP state replicationPablo Neira Ayuso2009-04-181-0/+1
| | | | | | This patch adds initial support for SCTP state replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: change scheduler and priority via configuration filePablo Neira Ayuso2009-04-141-0/+11
| | | | | | | | With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: set nice to -20 in example config filesPablo Neira Ayuso2009-03-311-3/+5
| | | | | | | | This patch sets the most favourable nice value for conntrackd in the default configuration files. This is generally a good idea to reduce the chances to hit ENOBUFS. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udp: fix missing scope_id in the socket creationPablo Neira Ayuso2009-03-201-0/+8
| | | | | | | | | This patch fixes an EINVAL error returned by bind() when opening an UDP server socket to propagate state-changes over the dedicated link. This patch also includes the change of the example configuration files in case that you want to use UDP over IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add unicast UDP support to propagate state-changesPablo Neira Ayuso2009-03-131-4/+48
| | | | | | | | This patch adds support for unicast UDP to the channel infrastructure. With this patch, you can select UDP unicast to propagate state-changes instead of multicast. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: add NetlinkBufferSize and NetlinkBufferSizeMaxGrowthPablo Neira Ayuso2009-02-211-2/+2
| | | | | | | | This patch adds two alias that removes an inconsistency in the configuration file names. Now, the clauses that refers to Netlink starts by the prefix "Netlink". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add Nice clause to set the nice valuePablo Neira Ayuso2009-02-081-0/+8
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add new option NetlinkOverrunResyncPablo Neira Ayuso2009-02-081-0/+13
| | | | | | | | This patch adds NetlinkOverrunResync. This option can be used to set the amount of time after which the daemon resynchronizes itself with the kernel state-table if it detects a Netlink overrun. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: increase hashtable bucket size and limits in example filesPablo Neira Ayuso2009-01-251-5/+9
| | | | | | | This patch details a bit more the hashtable parameters. Moreover, it increases the default size of the hashtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: use 'From' instead of 'from' in the example configfilesPablo Neira Ayuso2009-01-251-1/+1
| | | | | | | | This patch fixes a wrong use of 'from' instead of 'From' in the example configuration files. Reported-by: Yoann Juet <yoann.juet@univ-nantes.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: unset CommitTimeout by defaultPablo Neira Ayuso2009-01-251-4/+10
| | | | | | | This patch disables CommitTimeout by default. The daemon now uses the approximate timeout calculation by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: increase default PurgeTimeout valuePablo Neira Ayuso2009-01-251-6/+5
| | | | | | | | | This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds provides good real-time reaction in terms of user-side expected behaviour, but it is too small if you trigger random failure in a firewall cluster. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add state polling support (oppossed to current event-driven)Pablo Neira Ayuso2009-01-171-0/+12
| | | | | | | | | | | | This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls every N seconds the entries. This is the opposed behaviour of an event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for redundant dedicated linksPablo Neira Ayuso2009-01-171-0/+19
| | | | | | | | This patch adds support for redundant dedicated links. You can add a pool of dedicated links that can be used if the current active fails. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* run: limit the number of iterations over the event handlingPablo Neira Ayuso2009-01-151-0/+11
| | | | | | | | Currently, the event handling can starve other event file descriptors. This patch limits the number of event handling iterations. The parameter is tunable via configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add note on McastSndSocketBuffer and McastRcvSocketBufferPablo Neira Ayuso2008-12-171-6/+10
| | | | | | | This patch adds a note on the impact of having small values for the McastSndSocketBuffer and McastRcvSocketBuffer clauses. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revert commit 9bc7d7f8f333e79323495a193f92c9d4f1708da9Pablo Neira Ayuso2008-12-171-10/+6
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xPablo Neira Ayuso2008-12-171-6/+10
|
* doc: document the netlink buffer size clausesPablo Neira Ayuso2008-12-171-4/+12
| | | | | | | | This patch documents the SocketBufferSize and SocketBufferSizeGrowth clause. It also rises the default values which are fairly small for busy firewalls. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix typo SocketBufferSizeMaxGrowth in example conffilesPablo Neira Ayuso2008-12-171-1/+1
| | | | | | | | This patch replaces SocketBufferSizeMaxGrown by SocketBufferSizeMaxGrowth. Both clauses are still valid but better to use the one that has no typos in the configuration files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: move `Checksum' inside `Multicast' clausePablo Neira Ayuso2008-11-301-6/+7
| | | | | | | | | This patch moves `Checksum' into the `Multicast' clause. This property is dependent of the multicast configuration. This patch is required to introduce the redundant dedicated link support that is on the way. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: CIDR-based filtering supportPablo Neira Ayuso2008-11-251-0/+3
| | | | | | | | | | This patch adds CIDR-based filtering support. The current implementation is O(n). This patch also introduces the vector data type which is used to store the IP address and the network mask. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: choose the filtering method via configuration filePablo Neira Ayuso2008-11-181-2/+10
| | | | | | | | | | | | | | | | This patch changes the current behaviour of the filtering selection. Up to now, conntrackd has used the kernel version to select the filtering method based on the following logic: If kernel is >= 2.6.26 we use BSF-based filtering from kernel-space, otherwise, default to userspace. However, this filtering method still lacks of IPv6 support and it requires a patch that got into 2.6.29 to filter IPv6 addresses from kernel-space. To fix this issue, we default to user-space filtering and let the user choose the method via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: remove example about CacheWriteTroughPablo Neira Ayuso2008-10-211-9/+0
| | | | | | | | | | | | | | | This patch removes the documentation about the CacheWriteTrhough clause. This feature is scheduled for removal since the asynchronous nature of conntrackd does not allow multi-path routing support. I'm lying, actually there's a chance to support it, but we have to guarantee that the RTT in the message synchronization between the firewall is smaller than the RTT between the peer and the firewalls. Moreover, this option has made more bad than good since people enable it when things don't work. Making the whole troubleshooting more complicated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: rise default size of the hashtable in the example filePablo Neira Ayuso2008-10-201-2/+2
| | | | | | | This patch rises the default value of the hashtables in terms of buckets and entries to the default value in nf_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: use /var/run to create the UNIX socket filePablo Neira Ayuso2008-09-181-1/+1
| | | | | | | | This patch removes the use of /tmp to create the UNIX socket file to communicate with conntrackd in the example configuration files. This was OK in the early alpha days, but not anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache iterators: rework cache_reset_timersPablo Neira Ayuso2008-08-071-0/+11
| | | | | | | | | | | This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* script: rework scripts that enable interaction with keepalivedPablo Neira Ayuso2008-08-023-47/+0
| | | | | | | | | | | This patch reworks the documentation section. It removes the replicated keepalived.conf files and merge all the scripts into one to reduce confusion and improve maintainability. It's likely that the documentation directory will suffer more restructurations in the near future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: remove duplicated example filesPablo Neira Ayuso2008-08-014-204/+36
| | | | | | | | This patch removes the directories node1/ and node2/ since the differences are few small and the user should be able to get it running if he RTFM. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix: wrong information related to default logging actionPablo Neira Ayuso2008-08-012-6/+6
| | | | | | Logging is set off by default instead of what the example files state. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup: remove obsolete clause Replicate in the example conffilesPablo Neira Ayuso2008-08-012-18/+0
| | | | | | Remove obsolete clause Replicate in the example configuration files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-222-48/+82
| | | | | | | | | | This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso2008-05-257-0/+387