summaryrefslogtreecommitdiffstats
path: root/doc/sync/notrack
Commit message (Collapse)AuthorAgeFilesLines
* docs: refresh references to /proc/net/core/rmem_defaultArturo Borrero Gonzalez2019-10-301-1/+1
| | | | | | | | | | | In recent kernel versions, /proc/net/core/rmem_default is now /proc/sys/net/core/rmem_default instead. Refresh docs that mention this file. Reported-by: Raphaƫl Bazaud <rbazaud@gmail.com> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* systemd: default to use libsystemd if build with support for itArturo Borrero Gonzalez2018-04-181-1/+1
| | | | | | | | | | | | | | We may assume that if an user does build conntrackd with such feature, is with the intention to use it. So, if that's the case, default to use it. This eases some downstream use cases when dealing with default configs to be shipped to final users. This could be a mid-point solution, given some users are asking for a full revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: make the daemon run in RT mode by defaultArturo Borrero Gonzalez2017-06-121-21/+0
| | | | | | | | | | | | | | | | | | | | | | | In order to prevent netlink buffer overrun, conntrackd is recommended to run at max priority. Make conntrackd to use a RT (SHED_RR) scheduler by default at max priority. This is common among other HA daemons. For example corosync uses SCHED_RR by default. The scheduler configuration option is kept in order to allow admins to perform fine-tuning, but it is deleted from example configuration files. Note that this default sched priority is so high that it makes the nice value useless, so deprecate the nice configuration. Anyway the nice value can be set externally at runtime using nice/renice. The code is moved to the init() routine. In case of error setting the scheduler, the system default will be used. Report a message to the user and continue working. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: deprecate unix backlog configurationArturo Borrero Gonzalez2017-06-061-1/+0
| | | | | | | | | This configuration option doesn't add any value to users. Use the magic value of 100 (i.e, the socket will keep 100 pending connections), which I think is fair enough for what conntrackd can do in the unix socket. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: Disable runtime systemd support by defaultPablo Neira Ayuso2016-02-171-2/+2
| | | | | | | | | | | | By default, conntrackd is compiled with no built-in systemd support. This patch updates the default runtime behaviour to be consistent with what ./configure provides by default. Thus, users should explicitly indicate "Systemd On" in their configuration file to enable this. This shouldn't cause any problem to old users of conntrackd. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add systemd supportArturo Borrero2015-11-171-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds basic systemd support. The feature can be enabled/disabled at configure time: ./configure --disable-systemd Also, at runtime in conntrackd.conf General { Systemd on|off } (by default it's enabled both at runtime and at configure time) * tell systemd about conntrackd readiness: When conntrackd starts, it will send systemd the data "READY=1". At the point the data is sent, conntrackd is fully ready to work (configuration was OK, sockets OK, et all), so other actions depending on conntrackd can be safely chained in the machine boot process. * tell systemd about conntrackd shutting down: If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1" will be send to systemd so it learns about the daemon shutting down. Same for manual signals. * watchdog support: The admin can configure systemd to watch the conntrackd daemon and perform some actions if conntrackd dies: restart it, reboot the machine, etc... Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix crash if ExpectationSync is enabled on old Linux kernelsPablo Neira Ayuso2012-10-041-1/+2
| | | | | | | | | | ExpectationSync requires Linux kernel >= 3.5 to work sanely, document this. Still, we don't want to crash if someone enables expectation sync with old Linux kernels (like 2.6.32). Reported-by: James Gutholm <gutholmj@evergreen.edu> Tested-by: James Gutholm <gutholmj@evergreen.edu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add ras, q.931 and h.245 to examples configuration filePablo Neira Ayuso2012-02-211-1/+3
| | | | | | | | | | | | | | | Now it includes: ExpectationSync { ... ras q.931 h.245 } Which are the set of helpers for h.323. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: support for expectation synchronizationPablo Neira Ayuso2012-01-101-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support to synchronize expectations between firewalls. This addition aims to re-use as much as possible of the existing infrastructure for stability reasons. The expectation support has been tested with the FTP helper. This extension requires libnetfilter_conntrack 1.0.0. If this is the first time you're playing with conntrackd, I *strongly* recommend you to get working setup of conntrackd without expectation support before as described in the documentation. Then, enabling expectation support is rather easy. To know more about expectations, if you're not familiar with them, I suggest you to read: "Netfilter's Connection Tracking System" http://people.netfilter.org/pablo/docs/login.pdf Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3 (Berkeley, CA: USENIX Association, 2006, pp40-45.) In short, expectations allow one Linux firewall to filter multi-flow traffic like FTP, SIP and H.323. In my testbed, there are two firewalls in a primary-backup configuration running keepalived. The use a couple of floating cluster IP address (192.168.0.100 and 192.168.1.100) that are used by the client. These firewalls protect one FTP server (192.168.1.2) that will be accessed by one client. In ASCII art, it looks like this: 192.168.0.100 192.168.1.100 eth1 eth2 fw-1 / \ FTP -- client ------ ------ server -- 192.168.0.2 \ / 192.168.1.2 fw-2 This is the rule-set for the firewalls: -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A FORWARD -m state --state RELATED -j ACCEPT -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: " The following steps detail how to check that the expectation support works fine for conntrackd: 1) You have to enable the expectation support in the configuration file with the following option: Sync { ... Options { ExpectationSync { ftp sip h323 } } } This enables expectation synchronization for the FTP, SIP and H.323 helpers. You can alternatively use: Sync { ... Options { ExpectationSync On } } To enable expectation synchronization for all helpers. 2) Make sure you have loaded the FTP helper in both firewalls. root@fw1# modprobe nf_conntrack_ftp root@fw2# modprobe nf_conntrack_ftp 3) Switch to the client. Start one FTP control connection to one server that is protected by the firewalls, enter passive mode: (term-1) user@client$ nc 192.168.1.2 21 220 dummy FTP server USER anonymous 331 Please specify the password. PASS nothing 230 Login successful. PASV 227 Entering Passive Mode (192,168,1,2,163,11). This means that port 163*256+11=41739 will be used for the data traffic. Read this if you are not familiar with the FTP protocol: http://www.freefire.org/articles/ftpexample.php 3) Switch to fw-1 (primary) to check that the expectation is in the internal cache. root@fw1# conntrackd -i exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s] 4) Switch to fw-2 (backup) to check that the expectation has been successfully replicated. root@fw2# conntrackd -e exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s] 5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary. 6) Switch to fw-2 (primary) to commit the external cache into the kernel. root@fw2# conntrackd -c exp The logs should display that the commit was successful: root@fw2# tail -100f /var/log/conntrackd.log [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds 7) Switch to the client. Open a new terminal and connect to the port that has been announced by the server: (term-2) user@client$ nc -vvv 192.168.1.2 41739 (UNKNOWN) [192.168.1.2] 41739 (?) open 8) Switch to term-1 and ask for the file listing: [...] 227 Entering Passive Mode (192,168,1,2,163,11). LIST 9) Switch to term-2, it should display the listing. That means everything has worked fine. You may want to try disabling the expectation support and repeating the steps to check that *it does not work* without the state-synchronization. You can also display expectation statistics by means of: root@fwX# conntrackd -s exp This update requires no changes in the primary-backup.sh script that is used by the HA manager to interact with conntrackd. Thus, we provide a backward compatible command line interface. Regarding the Filter clause and expectations, we use the master conntrack to filter expectation events. The filtering is performed in user-space. No kernel-space filtering support for expectations yet (this support should go in libnetfilter_conntrack at some point). This patch also includes support to disable caching and to allow direct injection of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix wrong kernel requirements for TCPWindowTracking in example filesPablo Neira Ayuso2010-08-041-1/+1
| | | | | | | | This patch fixes wrong Linux kernel requirements in the example configuration files. We require a Linux kernel >= 2.6.36 instead of >= 2.6.35 as the files suggest. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: warn on TCPWindowTracking option (it requires kernel >= 2.6.35)Pablo Neira Ayuso2010-07-151-0/+1
| | | | | | | This patch adds a comment on the TCPWindowTracking option to warn that this will be supported since the Linux kernel 2.6.35. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix ICMPv6 supportPablo Neira Ayuso2010-07-011-0/+1
| | | | | | | | | | | This patch fixes several minor nitpicks to support IPv6 failover: * ICMPv6 type/code/id were missing in synchronization messages. * The use of '-' as string in the configuration file was not allowed. * Include example in configuration file under doc/. Reported-by: Mohit Mehta <mohit.mehta@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for TCP window scale factor synchronizationPablo Neira Ayuso2010-02-111-0/+11
| | | | | | | This patch adds a new option TCPWindowTracking that allows not to disable TCP window tracking as it occurs by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix UDP filtering in configuration filePablo Neira Ayuso2010-02-111-0/+1
| | | | | | | | UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: document internal cache disabling and TCP-based synchronizationPablo Neira Ayuso2009-12-232-4/+61
| | | | | | | | This patch documents the internal cache disabling feature that is available for the NOTRACK mode. I have also added an example on how to set up a TCP-based state-synchronization. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add ICMP support for state-synchronizationPablo Neira Ayuso2009-12-191-0/+1
| | | | | | | | This patch adds state-synchronization for ICMP. You SHOULD use a Linux kernel >= 2.6.31, otherwise this patch can result in tons of state-updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: break lines at 80 characters in example config filesPablo Neira Ayuso2009-09-231-8/+9
| | | | | | | In 49540362b2a25aadbaf25fd087414776aa5a67a8, we forgot to break lines at 80 characters. This patch cleans up this issue. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix bad configuration file for DisableExternalCache statementSamuel Gauthier2009-09-031-12/+13
| | | | | | | | DisableExternalCache is supposed to be put in mode NOTRACK{} or Mode FTFW{} statement. Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support state-replication based on TCPPablo Neira Ayuso2009-08-231-1/+2
| | | | | | | | This patch adds support for TCP as protocol to replicate state-changes between two daemons. Note that this only makes sense with the notrack mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add `DisableExternalCache' clausePablo Neira Ayuso2009-08-191-0/+13
| | | | | | | | | | | This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for IPv6 kernel-space filtering via BSFPablo Neira Ayuso2009-07-211-0/+3
| | | | | | | This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add clause to enable ctnetlink reliable event deliveryPablo Neira Ayuso2009-07-211-0/+7
| | | | | | | | This patch adds the NetlinkEventsReliable clause, this is useful to turn on reliable Netlink event delivery. This features requires a Linux kernel >= 2.6.31. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for DCCP state replicationPablo Neira Ayuso2009-04-241-0/+1
| | | | | | This patch adds initial support for DCCP state replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for SCTP state replicationPablo Neira Ayuso2009-04-181-0/+1
| | | | | | This patch adds initial support for SCTP state replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: change scheduler and priority via configuration filePablo Neira Ayuso2009-04-141-0/+11
| | | | | | | | With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: set nice to -20 in example config filesPablo Neira Ayuso2009-03-311-3/+5
| | | | | | | | This patch sets the most favourable nice value for conntrackd in the default configuration files. This is generally a good idea to reduce the chances to hit ENOBUFS. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udp: fix missing scope_id in the socket creationPablo Neira Ayuso2009-03-201-0/+8
| | | | | | | | | This patch fixes an EINVAL error returned by bind() when opening an UDP server socket to propagate state-changes over the dedicated link. This patch also includes the change of the example configuration files in case that you want to use UDP over IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add unicast UDP support to propagate state-changesPablo Neira Ayuso2009-03-131-4/+48
| | | | | | | | This patch adds support for unicast UDP to the channel infrastructure. With this patch, you can select UDP unicast to propagate state-changes instead of multicast. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: add NetlinkBufferSize and NetlinkBufferSizeMaxGrowthPablo Neira Ayuso2009-02-211-2/+2
| | | | | | | | This patch adds two alias that removes an inconsistency in the configuration file names. Now, the clauses that refers to Netlink starts by the prefix "Netlink". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add Nice clause to set the nice valuePablo Neira Ayuso2009-02-081-0/+8
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add new option NetlinkOverrunResyncPablo Neira Ayuso2009-02-081-0/+13
| | | | | | | | This patch adds NetlinkOverrunResync. This option can be used to set the amount of time after which the daemon resynchronizes itself with the kernel state-table if it detects a Netlink overrun. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: increase hashtable bucket size and limits in example filesPablo Neira Ayuso2009-01-251-5/+9
| | | | | | | This patch details a bit more the hashtable parameters. Moreover, it increases the default size of the hashtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: use 'From' instead of 'from' in the example configfilesPablo Neira Ayuso2009-01-251-1/+1
| | | | | | | | This patch fixes a wrong use of 'from' instead of 'From' in the example configuration files. Reported-by: Yoann Juet <yoann.juet@univ-nantes.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: unset CommitTimeout by defaultPablo Neira Ayuso2009-01-251-4/+10
| | | | | | | This patch disables CommitTimeout by default. The daemon now uses the approximate timeout calculation by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: increase default PurgeTimeout valuePablo Neira Ayuso2009-01-251-6/+5
| | | | | | | | | This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds provides good real-time reaction in terms of user-side expected behaviour, but it is too small if you trigger random failure in a firewall cluster. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add state polling support (oppossed to current event-driven)Pablo Neira Ayuso2009-01-171-0/+12
| | | | | | | | | | | | This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls every N seconds the entries. This is the opposed behaviour of an event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for redundant dedicated linksPablo Neira Ayuso2009-01-171-0/+19
| | | | | | | | This patch adds support for redundant dedicated links. You can add a pool of dedicated links that can be used if the current active fails. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* run: limit the number of iterations over the event handlingPablo Neira Ayuso2009-01-151-0/+11
| | | | | | | | Currently, the event handling can starve other event file descriptors. This patch limits the number of event handling iterations. The parameter is tunable via configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add note on McastSndSocketBuffer and McastRcvSocketBufferPablo Neira Ayuso2008-12-171-6/+10
| | | | | | | This patch adds a note on the impact of having small values for the McastSndSocketBuffer and McastRcvSocketBuffer clauses. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revert commit 9bc7d7f8f333e79323495a193f92c9d4f1708da9Pablo Neira Ayuso2008-12-171-10/+6
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xPablo Neira Ayuso2008-12-171-6/+10
|
* doc: document the netlink buffer size clausesPablo Neira Ayuso2008-12-171-4/+12
| | | | | | | | This patch documents the SocketBufferSize and SocketBufferSizeGrowth clause. It also rises the default values which are fairly small for busy firewalls. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix typo SocketBufferSizeMaxGrowth in example conffilesPablo Neira Ayuso2008-12-171-1/+1
| | | | | | | | This patch replaces SocketBufferSizeMaxGrown by SocketBufferSizeMaxGrowth. Both clauses are still valid but better to use the one that has no typos in the configuration files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: move `Checksum' inside `Multicast' clausePablo Neira Ayuso2008-11-301-6/+7
| | | | | | | | | This patch moves `Checksum' into the `Multicast' clause. This property is dependent of the multicast configuration. This patch is required to introduce the redundant dedicated link support that is on the way. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: CIDR-based filtering supportPablo Neira Ayuso2008-11-251-0/+3
| | | | | | | | | | This patch adds CIDR-based filtering support. The current implementation is O(n). This patch also introduces the vector data type which is used to store the IP address and the network mask. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: choose the filtering method via configuration filePablo Neira Ayuso2008-11-181-2/+10
| | | | | | | | | | | | | | | | This patch changes the current behaviour of the filtering selection. Up to now, conntrackd has used the kernel version to select the filtering method based on the following logic: If kernel is >= 2.6.26 we use BSF-based filtering from kernel-space, otherwise, default to userspace. However, this filtering method still lacks of IPv6 support and it requires a patch that got into 2.6.29 to filter IPv6 addresses from kernel-space. To fix this issue, we default to user-space filtering and let the user choose the method via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: remove example about CacheWriteTroughPablo Neira Ayuso2008-10-211-9/+0
| | | | | | | | | | | | | | | This patch removes the documentation about the CacheWriteTrhough clause. This feature is scheduled for removal since the asynchronous nature of conntrackd does not allow multi-path routing support. I'm lying, actually there's a chance to support it, but we have to guarantee that the RTT in the message synchronization between the firewall is smaller than the RTT between the peer and the firewalls. Moreover, this option has made more bad than good since people enable it when things don't work. Making the whole troubleshooting more complicated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: rise default size of the hashtable in the example filePablo Neira Ayuso2008-10-201-2/+2
| | | | | | | This patch rises the default value of the hashtables in terms of buckets and entries to the default value in nf_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: use /var/run to create the UNIX socket filePablo Neira Ayuso2008-09-181-1/+1
| | | | | | | | This patch removes the use of /tmp to create the UNIX socket file to communicate with conntrackd in the example configuration files. This was OK in the early alpha days, but not anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache iterators: rework cache_reset_timersPablo Neira Ayuso2008-08-071-0/+11
| | | | | | | | | | | This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>