path: root/doc
Commit message   [Author, Date, Files changed, Lines -removed/+added]
* doc: primary-backup.sh: clarify licensing terms (GPLv2+)   [Pablo Neira Ayuso, 2011-12-30, 1 file, -4/+6]
    This script is released under GPLv2+. Update copyright notice as well.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: prepare 1.0.0 release in conntrack-tools manual   [Pablo Neira Ayuso, 2011-02-27, 1 file, -2/+1]
    Remove reference which states that this is still under development and refer to version 1.0.0.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add missing conntrackd -s invocation with options   [Pablo Neira Ayuso, 2011-02-22, 1 file, -1/+5]
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add reference to the CT target again   [Pablo Neira Ayuso, 2011-02-22, 1 file, -0/+27]
    Now that we have fixed several aspects of the event filtering in 2.6.38, I reintroduce the documentation for this feature.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document redundant link support for conntrackd   [Pablo Neira Ayuso, 2011-02-18, 1 file, -0/+39]
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document -s option of conntrackd in the manual   [Pablo Neira Ayuso, 2011-02-18, 1 file, -0/+115]
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: remove reference to the CT target   [Pablo Neira Ayuso, 2011-02-01, 1 file, -23/+0]
    Sorry, the iptables CT target is not yet ready for use until some patches are pushed to the Linux kernel.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: update conntrack-tools manual   [Pablo Neira Ayuso, 2011-01-16, 1 file, -6/+112]
    This update adds to the documentation the following information:
      * add reference to "Demystifying cluster-based fault-tolerant firewalls"
      * add how-to disable the external cache
      * add how-to disable the internal cache
      * add how-to set the synchronization transport protocol
      * document iptables CT target
      * ask for sponsors to finish H323 and SIP support.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: minor documentation update (two new questions in the FAQ)   [Pablo Neira Ayuso, 2010-08-04, 1 file, -1/+27]
    This patch includes a minor documentation update with two new questions in the FAQ.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix wrong kernel requirements for TCPWindowTracking in example files   [Pablo Neira Ayuso, 2010-08-04, 3 files, -3/+3]
    This patch fixes wrong Linux kernel requirements in the example configuration files. We require a Linux kernel >= 2.6.36 instead of >= 2.6.35 as the files suggest.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: warn on TCPWindowTracking option (it requires kernel >= 2.6.35)   [Pablo Neira Ayuso, 2010-07-15, 3 files, -0/+3]
    This patch adds a comment on the TCPWindowTracking option to warn that this is supported as of Linux kernel 2.6.35.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix ICMPv6 support   [Pablo Neira Ayuso, 2010-07-01, 3 files, -0/+3]
    This patch fixes several minor nitpicks to support IPv6 failover:
      * ICMPv6 type/code/id were missing in synchronization messages.
      * The use of '-' as string in the configuration file was not allowed.
      * Include example in configuration file under doc/.
    Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: description on how to block traffic with conntrack was incomplete   [Pablo Neira Ayuso, 2010-05-10, 1 file, -2/+7]
    This patch completes the documentation with the following discussion that took place in the mailing list.
    http://marc.info/?l=netfilter&m=127335152521674&w=2
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: PollSecs goes in the General clause for statistics   [Pablo Neira Ayuso, 2010-02-28, 1 file, -12/+12]
    This patch fixes the configuration file that includes an example of the PollSecs clause in Stats. This is wrong since it should go in the General clause.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for TCP window scale factor synchronization   [Pablo Neira Ayuso, 2010-02-11, 3 files, -0/+32]
    This patch adds a new option, TCPWindowTracking, that allows you not to disable TCP window tracking, as happens by default.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix UDP filtering in configuration file   [Pablo Neira Ayuso, 2010-02-11, 4 files, -0/+4]
    UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: document internal cache disabling and TCP-based synchronization   [Pablo Neira Ayuso, 2009-12-23, 2 files, -4/+61]
    This patch documents the internal cache disabling feature that is available for the NOTRACK mode. I have also added an example on how to set up a TCP-based state-synchronization.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add ICMP support for state-synchronization   [Pablo Neira Ayuso, 2009-12-19, 3 files, -0/+3]
    This patch adds state-synchronization for ICMP. You SHOULD use a Linux kernel >= 2.6.31, otherwise this patch can result in tons of state-updates.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: break lines at 80 characters in example config files   [Pablo Neira Ayuso, 2009-09-23, 2 files, -16/+18]
    In 49540362b2a25aadbaf25fd087414776aa5a67a8, we forgot to break lines at 80 characters. This patch cleans up this issue.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix bad configuration file for DisableExternalCache statement   [Samuel Gauthier, 2009-09-03, 2 files, -24/+26]
    DisableExternalCache is supposed to be put in the Mode NOTRACK {} or Mode FTFW {} statement.
    Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for state-replication based on TCP   [Pablo Neira Ayuso, 2009-08-23, 1 file, -1/+2]
    This patch adds support for TCP as protocol to replicate state-changes between two daemons. Note that this only makes sense with the notrack mode.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add `DisableExternalCache' clause   [Pablo Neira Ayuso, 2009-08-19, 2 files, -0/+26]
    This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
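The two placement rules recorded in this log (PollSecs belongs in General {}, not Stats {}; DisableExternalCache belongs inside Mode FTFW {} or Mode NOTRACK {}, never in Mode ALARM {}) are easiest to see in one fragment. The following is an added illustration, not one of the project's doc/ example files: the addresses, interface name, port and buffer sizes are assumed values, and the General-clause knobs shown (Nice, Scheduler, NetlinkOverrunResync, NetlinkEventsReliable, TCPWindowTracking, EventIterationLimit) are the ones that other entries in this log introduce.

```conf
# Added example of clause placement for conntrackd.conf (not a project file).
# Addresses, interface, port and buffer sizes below are assumptions.
Sync {
	Mode FTFW {
		# Correct place for DisableExternalCache: inside Mode FTFW {} or
		# Mode NOTRACK {}. Setting it On injects entries straight into the
		# kernel table at the cost of more CPU; it is not valid in Mode ALARM {}.
		DisableExternalCache Off
		ResendQueueSize 131072
		PurgeTimeout 60
		# CommitTimeout left unset: the daemon then uses its approximate
		# timeout calculation.
	}
	UDP {
		IPv4_address 192.168.100.100
		IPv4_Destination_Address 192.168.100.101
		Port 3780
		Interface eth2
		SndSocketBuffer 1249280
		RcvSocketBuffer 1249280
		Checksum on
	}
}

General {
	# PollSecs goes here, not in Stats {}. Leave it commented out (or 0)
	# to keep event-driven replication; a value > 0 polls every N seconds.
	# PollSecs 15

	# Lower the odds of ENOBUFS on the Netlink socket.
	Nice -20
	Scheduler {
		Type FIFO
		Priority 99
	}
	NetlinkBufferSize 2097152
	NetlinkBufferSizeMaxGrowth 8388608
	# Resync against the kernel table after an overrun (On = default delay).
	NetlinkOverrunResync On
	# Reliable ctnetlink event delivery: Linux >= 2.6.31.
	NetlinkEventsReliable On
	# Window-scale synchronization: Linux >= 2.6.36.
	TCPWindowTracking Off
	# Bound event-handling iterations so other descriptors are not starved.
	EventIterationLimit 100

	HashSize 32768
	HashLimit 131072
	LockFile /var/lock/conntrack.lock
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}
}
```

A misplaced DisableExternalCache under General {} or PollSecs under Stats {} is a parse-time failure when conntrackd loads the file, so run `conntrackd -C <file> -d` once after editing and check that the daemon actually comes up.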
* conntrackd: add support for IPv6 kernel-space filtering via BSF   [Pablo Neira Ayuso, 2009-07-21, 4 files, -0/+10]
    This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add clause to enable ctnetlink reliable event delivery   [Pablo Neira Ayuso, 2009-07-21, 4 files, -0/+29]
    This patch adds the NetlinkEventsReliable clause, which is useful to turn on reliable Netlink event delivery. This feature requires a Linux kernel >= 2.6.31.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix English typo in documentation   [Pablo Neira Ayuso, 2009-07-17, 1 file, -2/+2]
    This is an update to commit 575fc906a302599cb9afeb136096dfd96bb57b17.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for DCCP state replication   [Pablo Neira Ayuso, 2009-04-24, 3 files, -0/+3]
    This patch adds initial support for DCCP state replication.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for SCTP state replication   [Pablo Neira Ayuso, 2009-04-18, 3 files, -0/+3]
    This patch adds initial support for SCTP state replication.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: change scheduler and priority via configuration file   [Pablo Neira Ayuso, 2009-04-14, 4 files, -0/+44]
    With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: set nice to -20 in example config files   [Pablo Neira Ayuso, 2009-03-31, 3 files, -9/+15]
    This patch sets the most favourable nice value for conntrackd in the default configuration files. This is generally a good idea to reduce the chances to hit ENOBUFS.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udp: fix missing scope_id in the socket creation   [Pablo Neira Ayuso, 2009-03-20, 3 files, -0/+24]
    This patch fixes an EINVAL error returned by bind() when opening a UDP server socket to propagate state-changes over the dedicated link. This patch also includes the change of the example configuration files in case that you want to use UDP over IPv6.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add unicast UDP support to propagate state-changes   [Pablo Neira Ayuso, 2009-03-13, 3 files, -12/+144]
    This patch adds support for unicast UDP to the channel infrastructure. With this patch, you can select UDP unicast to propagate state-changes instead of multicast.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix broken link to ulogd2 in the manual   [Pablo Neira Ayuso, 2009-02-23, 1 file, -1/+1]
    Reported-by: Ralf <rm@amitrader.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: add NetlinkBufferSize and NetlinkBufferSizeMaxGrowth   [Pablo Neira Ayuso, 2009-02-21, 4 files, -8/+8]
    This patch adds two aliases that remove an inconsistency in the configuration file names. Now, the clauses that refer to Netlink start with the prefix "Netlink".
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revert primary-backup-2.6.29-and-higher.sh script   [Pablo Neira Ayuso, 2009-02-21, 2 files, -111/+0]
    This patch reverts primary-backup-2.6.29-and-higher.sh. This script is not safe for production environments until the commit phase guarantees that the state-change propagation over netlink is reliable. This script should be ready for 2.6.30 if the appropriate kernel patches go into mainline in time.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add bulk update to primary-script.sh script   [Pablo Neira Ayuso, 2009-02-15, 1 file, -0/+11]
    This patch updates the script to remark the fact that it should be used with Linux kernel < 2.6.29. Moreover, it adds a bulk-update command after the commit in the primary path to avoid any race condition (the backup may request a resync while this primary is still committing the entries with an empty internal cache). This is hackish, but I think that this is the best way to do this for systems running a Linux kernel < 2.6.29.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
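The failover sequence that the primary-backup.sh entries in this log describe (commit the external cache, flush, resync with the kernel, then the bulk update that papers over the race with a backup asking for a resync too early; on the backup side, shorten kernel timers and request a resync) is shown below as an added example. It is not the project's own primary-backup.sh: the `ctd` wrapper, the `RUN` dry-run hook and the error handling are this example's assumptions, while the `-c`, `-f`, `-R`, `-B`, `-t` and `-n` switches are conntrackd's real control commands.

```shell
#!/bin/sh
# Added example of a conntrackd failover hook, modelled on the
# primary-backup.sh workflow described in the log; not the project's script.
# Intended to be called from the cluster manager as "$0 primary" or "$0 backup".

CONNTRACKD_BIN="${CONNTRACKD_BIN:-conntrackd}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"
# Assumed dry-run hook: RUN=echo prints the commands instead of executing them.
RUN="${RUN:-}"

log() { echo "failover: $*" >&2; }

# Run one conntrackd control command against the configured daemon.
ctd() { $RUN "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"; }

failover() {
	case "$1" in
	primary)
		# Commit the external cache (peer's entries) into the kernel table.
		ctd -c || { log "commit of external cache failed"; return 1; }
		# Flush both caches so no stale entries survive the role change.
		ctd -f || { log "cache flush failed"; return 1; }
		# Rebuild the internal cache from the kernel table we just populated.
		ctd -R || { log "resync with kernel table failed"; return 1; }
		# Bulk-send the internal cache: covers a backup that requested a
		# resync while we were still committing (the race the log mentions,
		# relevant to kernels < 2.6.29).
		ctd -B || { log "bulk update failed"; return 1; }
		;;
	backup)
		# Shorten the kernel timers so entries left from the primary role
		# expire quickly instead of lingering in the kernel table.
		ctd -t || { log "timer reset failed"; return 1; }
		# Ask the new primary for a full copy of its internal cache.
		ctd -n || { log "resync request failed"; return 1; }
		;;
	*)
		echo "usage: $0 {primary|backup}" >&2
		return 1
		;;
	esac
}

if [ $# -gt 0 ]; then
	failover "$1"
fi
```

Each step aborts the sequence on failure rather than continuing, because a failed commit followed by a flush would silently drop the peer's state; `RUN=echo ./failover.sh primary` shows the exact commands without touching the kernel table.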
* doc: add new primary-backup.sh script for >= 2.6.29   [Pablo Neira Ayuso, 2009-02-15, 1 file, -0/+109]
    This patch adds a new primary-backup.sh script for Linux kernels >= 2.6.29. This script takes advantage of the user-space event reporting that ctnetlink does since this kernel version.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: unset ACKWindowSize in example configuration files   [Pablo Neira Ayuso, 2009-02-15, 1 file, -2/+2]
    This patch unsets ACKWindowSize since it already sets the clause to its default value.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add Nice clause to set the nice value   [Pablo Neira Ayuso, 2009-02-08, 4 files, -0/+32]
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add new option NetlinkOverrunResync   [Pablo Neira Ayuso, 2009-02-08, 3 files, -0/+39]
    This patch adds NetlinkOverrunResync. This option can be used to set the amount of time after which the daemon resynchronizes itself with the kernel state-table if it detects a Netlink overrun.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: increase hashtable bucket size and limits in example files   [Pablo Neira Ayuso, 2009-01-25, 3 files, -15/+27]
    This patch details a bit more the hashtable parameters. Moreover, it increases the default size of the hashtable.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: use 'From' instead of 'from' in the example config files   [Pablo Neira Ayuso, 2009-01-25, 3 files, -3/+3]
    This patch fixes a wrong use of 'from' instead of 'From' in the example configuration files.
    Reported-by: Yoann Juet <yoann.juet@univ-nantes.fr>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: unset CommitTimeout by default   [Pablo Neira Ayuso, 2009-01-25, 3 files, -12/+30]
    This patch disables CommitTimeout by default. The daemon now uses the approximate timeout calculation by default.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: increase default PurgeTimeout value   [Pablo Neira Ayuso, 2009-01-25, 3 files, -18/+15]
    This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds provided good real-time reaction in terms of user-side expected behaviour, but it is too small if you trigger random failures in a firewall cluster.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: add ResendQueueSize and deprecate ResendBufferSize clauses   [Pablo Neira Ayuso, 2009-01-17, 1 file, -7/+8]
    This patch adds ResendQueueSize, which sets the number of objects that can be stored in the resend queue waiting to be confirmed. The ResendBufferSize clause has been deprecated.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add state polling support (opposed to current event-driven)   [Pablo Neira Ayuso, 2009-01-17, 4 files, -0/+48]
    This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls the entries every N seconds. This is the opposite of event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for redundant dedicated links   [Pablo Neira Ayuso, 2009-01-17, 3 files, -0/+57]
    This patch adds support for redundant dedicated links. You can add a pool of dedicated links that can be used if the currently active one fails.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* run: limit the number of iterations over the event handling   [Pablo Neira Ayuso, 2009-01-15, 3 files, -0/+33]
    Currently, the event handling can starve other event file descriptors. This patch limits the number of event handling iterations. The parameter is tunable via configuration file.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add note on McastSndSocketBuffer and McastRcvSocketBuffer   [Pablo Neira Ayuso, 2008-12-17, 3 files, -15/+23]
    This patch adds a note on the impact of having small values for the McastSndSocketBuffer and McastRcvSocketBuffer clauses.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revert commit 9bc7d7f8f333e79323495a193f92c9d4f1708da9   [Pablo Neira Ayuso, 2008-12-17, 3 files, -23/+15]
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* x   [Pablo Neira Ayuso, 2008-12-17, 3 files, -15/+23]