| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
according to unix(7), it should hold a null-terminated string. So adjust
config reader to reject paths of length UNIX_PATH_MAX and above and
adjust the internal arrays to aid the compiler.
Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
The -A command works exactly the same way as -I except that it
does not fail if the ct entry already exists.
This command is useful for the batched ct loads to not abort if
some entries being applied exist.
The ct entry dump in the "save" format is now switched to use the
-A command as well for the generated output.
Tests are also added to cover the -A command.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The old way of the commands_v_options initialization made it more
difficult and error-prone to add a map for a new command, because one
would have to calculate a proper "index" for the initializer and fill
the gap with zeros.
As a preparation step for adding the new "-A" command support,
switch to C99 initializer syntax for commands_v_options.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions but doesn't provide all symbols the objects
use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add a new setting to allow conntrackd to autoconfigure the userspace
helpers at startup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This commit allows dumping conntrack entries in the format
used by the conntrack parameters, aka "save" output format.
This is useful for saving ct entry data to allow applying
it later on.
To enable the "save" output the "-o save" parameter needs
to be passed to the conntrack tool invocation.
[ pablo@netfilter.org: several updates to the original patch ]
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
In some use cases, zone is used to differentiate different
conntrack state tables, so zone also should be synchronized
if it is set.
Signed-off-by: Yi Yang <yangyi01@inspur.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds support for the IPS_HW_OFFLOAD flag which specifies that
this conntrack entry has been offloaded into the hardware.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
-Wstringop-truncation warning was introduced in GCC-8 as truncation
checker for strncpy and strncat.
Systems using gcc version >= 8 would receive the following warnings:
read_config_yy.c: In function ‘yyparse’:
read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation]
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
main.c: In function ‘main’:
main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
168 | strncpy(config_file, argv[i], PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix the issue by checking the string length first, and use snprintf
instead.
In addition, correct an off-by-one when warning about maximum config
file path length.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
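An added example (not conntrack-tools code) covering both this change and the sockaddr_un/UNIX_PATH_MAX fix above: a bounded copy that rejects, rather than truncates, any string that does not fit together with its terminating NUL, applied to sun_path, next to the strncpy pattern the warning flags. The function names are the example's own, the test paths are constructed, and UNIX_PATH_MAX is derived from the struct because glibc's <sys/un.h> does not export it.

```c
/* Added example (not conntrack-tools code): bounded copies into fixed-size
 * arrays such as sockaddr_un.sun_path that reject oversized input instead of
 * truncating it, next to the strncpy pattern -Wstringop-truncation flags. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* glibc's <sys/un.h> does not define UNIX_PATH_MAX; take the limit from the
 * struct itself so it cannot drift from the real array size (108 on Linux). */
#define SUN_PATH_LEN (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Copy src into dst[dstlen] only if it fits together with its NUL.
 * Returns 0, or -1 with errno = ENAMETOOLONG. Silently truncating would leave
 * an unterminated array that later strlen()/printf() calls read past. */
static int copy_cstring(char *dst, size_t dstlen, const char *src)
{
	size_t n = strlen(src);

	if (n >= dstlen) {		/* n + 1 bytes needed, dstlen available */
		errno = ENAMETOOLONG;
		return -1;
	}
	memcpy(dst, src, n + 1);	/* copies the NUL too */
	return 0;
}

/* Fill sa from a filesystem path. unix(7) wants sun_path NUL-terminated, so
 * the longest path accepted is SUN_PATH_LEN - 1 characters. */
static int unix_addr_init(struct sockaddr_un *sa, const char *path)
{
	memset(sa, 0, sizeof(*sa));
	sa->sun_family = AF_UNIX;
	return copy_cstring(sa->sun_path, sizeof(sa->sun_path), path);
}

/* The flagged pattern: strncpy(dst, src, sizeof(dst)) writes no terminator at
 * all once strlen(src) >= dstlen. Returns 1 if dst ended up terminated. */
static int strncpy_is_terminated(char *dst, size_t dstlen, const char *src)
{
	strncpy(dst, src, dstlen);
	return memchr(dst, '\0', dstlen) != NULL;
}

/* Constructed input: a path of exactly len characters ("/" then 'a's). */
static void make_path(char *buf, size_t len)
{
	memset(buf, 'a', len);
	buf[0] = '/';
	buf[len] = '\0';
}

int main(void)
{
	struct sockaddr_un sa;
	char path[512];

	make_path(path, SUN_PATH_LEN - 1);	/* longest legal path */
	printf("%zu chars: %s\n", SUN_PATH_LEN - 1,
	       unix_addr_init(&sa, path) == 0 ? "accepted" : "rejected");
	make_path(path, SUN_PATH_LEN);		/* one too many */
	printf("%zu chars: %s\n", SUN_PATH_LEN,
	       unix_addr_init(&sa, path) == 0 ? "accepted" : "rejected");
	printf("strncpy of it leaves sun_path terminated: %s\n",
	       strncpy_is_terminated(sa.sun_path, sizeof(sa.sun_path), path)
	       ? "yes" : "no");
	return 0;
}
```

The check is deliberately "reject" rather than "truncate and terminate": a config path silently shortened to 107 characters would bind or connect to a different socket than the one the administrator wrote, which is worse than a clear configuration error at startup.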
| |
# conntrack -L -u OFFLOAD
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Mark fall-through cases as such. Note that the correctness of those
fall-throughs has not been verified.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
In order to prevent netlink buffer overrun, conntrackd is recommended to run
at max priority.
Make conntrackd use an RT (SCHED_RR) scheduler by default at max priority.
This is common among other HA daemons. For example corosync uses SCHED_RR
by default.
The scheduler configuration option is kept in order to allow admins to perform
fine-tuning, but it is deleted from example configuration files.
Note that this default sched priority is so high that it makes the nice value
useless, so deprecate the nice configuration. Anyway the nice value can be set
externally at runtime using nice/renice.
The code is moved to the init() routine. In case of error setting the
scheduler, the system default will be used. Report a message to the user
and continue working.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This configuration option doesn't add any value to users.
Use the magic value of 100 (i.e., the socket will keep 100 pending connections),
which I think is fair enough for what conntrackd can do in the unix socket.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
If a node goes live, ask the other for a resync at startup.
This usually has to be done by hand, but I guess it is an operation common
enough to add some bits to ease people's lives here.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Resync operations factorization. There are two:
* resync_send --> conntrackd -B (send bulk resync)
* resync_req --> conntrackd -n (request resync)
Future patches reuse this factorized code.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
They are shared by both sync-ftfw and sync-notrack.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch introduces a new evaluate() function that can be used to spot
inconsistent configurations.
Don't allow CommitTimeout with DisableExternalCache On since this
results in EINVAL errors. CommitTimeout makes no sense with no external
cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Copying and pasting headers is not good; include the kernel header that
provides the necessary definitions.
Cache a copy of nf_conntrack_common.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This will allow calling the dlog() function from all points in the
execution at runtime.
If the log was not initialized, then we just fprintf and return.
By now, we can't init the log engine earlier because we require config
from the user, so there is a chicken-and-egg problem.
This means that we can't log parsing messages to logfiles but only to
stderr/stdout.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
If conntrackd is running in console mode (i.e. in foreground)
then we can print the log messages to stdout/stderr.
This eases the workflow for admins, since we condense more info into
the same terminal output.
Example:
% sudo conntrackd -C /etc/conntrackd.conf
WARNING: XXXX is an invalid interface
[Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling internal cache
[Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling external cache
[Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] can't open channel socket: No such device
[Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] initialization failed
ERROR: conntrackd cannot start, please check the logfile for more info
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
We don't use 'struct nfct_attr_grp_ipv6', actually 'uint32_t * 4'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
So we can properly sync NATed IPv6 connections.
Thanks to Florian Westphal for originally pointing me to this lack of
support in conntrackd, which saved me a lot of time.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds basic systemd support.
The feature can be enabled/disabled at configure time:
./configure --disable-systemd
Also, at runtime in conntrackd.conf
General {
Systemd on|off
}
(by default it's enabled both at runtime and at configure time)
* tell systemd about conntrackd readiness:
When conntrackd starts, it will send systemd the data "READY=1".
At the point the data is sent, conntrackd is fully ready to work
(configuration was OK, sockets OK, et al.), so other actions depending
on conntrackd can be safely chained in the machine boot process.
* tell systemd about conntrackd shutting down:
If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1"
will be sent to systemd so it learns about the daemon shutting down. Same
for manual signals.
* watchdog support:
The admin can configure systemd to watch the conntrackd daemon and perform
some actions if conntrackd dies: restart it, reboot the machine, etc...
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
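An added example, not the patch's code: the three notifications described above implemented directly over systemd's notify-socket protocol (sd_notify(3) semantics, no libsystemd), with a stand-in receiver so the exchange runs without systemd. The helper names are the example's own; the socket path and WATCHDOG_USEC value are constructed for the demo.

```c
/* Added example, not conntrack-tools code: READY=1, STOPPING=1 and watchdog
 * pings over the sd_notify(3) datagram protocol without libsystemd. systemd
 * passes the socket path in $NOTIFY_SOCKET ('@' prefix = abstract namespace)
 * and the watchdog timeout in $WATCHDOG_USEC; notify_socket_open() plays the
 * systemd side so the exchange can run stand-alone. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build the address; returns its length for bind()/sendto(), 0 if too long. */
static socklen_t notify_addr(struct sockaddr_un *sa, const char *path)
{
	size_t plen = strlen(path);
	if (plen == 0 || plen >= sizeof(sa->sun_path))
		return 0;
	memset(sa, 0, sizeof(*sa));
	sa->sun_family = AF_UNIX;
	memcpy(sa->sun_path, path, plen);
	if (sa->sun_path[0] != '@')
		return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen + 1);
	sa->sun_path[0] = '\0';		/* abstract: leading NUL, no trailing one */
	return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);
}

/* Daemon side. 1 = sent, 0 = $NOTIFY_SOCKET unset (not started by systemd,
 * which a daemon must not treat as failure), -1 = error with errno set. */
static int notify_send(const char *msg)
{
	const char *path = getenv("NOTIFY_SOCKET");
	struct sockaddr_un sa;
	socklen_t alen;
	int fd, ret;
	if (!path || !*path)
		return 0;
	if ((alen = notify_addr(&sa, path)) == 0) {
		errno = ENAMETOOLONG;
		return -1;
	}
	if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
		return -1;
	ret = sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&sa, alen) < 0 ? -1 : 1;
	close(fd);
	return ret;
}

/* WATCHDOG=1 must arrive within $WATCHDOG_USEC; ping at half that. 0 = none. */
static long watchdog_interval_usec(void)
{
	const char *s = getenv("WATCHDOG_USEC");
	long usec = s ? atol(s) : 0;
	return usec > 0 ? usec / 2 : 0;
}

/* "systemd" side for the demo: datagram socket bound at path, or -1. */
static int notify_socket_open(const char *path)
{
	struct sockaddr_un sa;
	socklen_t alen = notify_addr(&sa, path);
	int fd;
	if (alen == 0 || (fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
		return -1;
	if (path[0] != '@')
		unlink(path);		/* stale socket file from a previous run */
	if (bind(fd, (struct sockaddr *)&sa, alen) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Receive one notification into buf, NUL-terminated; its length or -1. */
static ssize_t notify_socket_recv(int fd, char *buf, size_t len)
{
	ssize_t n = recv(fd, buf, len - 1, 0);
	if (n >= 0)
		buf[n] = '\0';
	return n;
}

int main(void)
{
	const char *path = "/tmp/notify-demo.sock";	/* constructed */
	char buf[64];
	int sd = notify_socket_open(path);
	if (sd < 0)
		return 1;
	setenv("NOTIFY_SOCKET", path, 1);
	setenv("WATCHDOG_USEC", "10000000", 1);
	notify_send("READY=1\n");		/* config parsed, sockets open */
	notify_socket_recv(sd, buf, sizeof(buf));
	printf("systemd got: %s", buf);
	printf("WATCHDOG=1 every %ld us\n", watchdog_interval_usec());
	notify_send("STOPPING=1\n");		/* conntrackd -k or a signal */
	notify_socket_recv(sd, buf, sizeof(buf));
	printf("systemd got: %s", buf);
	close(sd);
	unlink(path);
	return 0;
}
```

Two points worth keeping from the design: READY=1 is sent only after every step that can fail has succeeded, otherwise dependants start against a daemon that is about to exit; and a missing $NOTIFY_SOCKET is treated as "not under systemd" rather than as an error, so the same binary still runs from a shell or another init.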
| |
This patch adds support for zone directions.
Since all options have the orig/reply as a prefix, I named it --orig-zone
and --reply-zone to stay consistent with the rest of the cmdline options.
As for the option chars, there was no unallocated reasonable combination,
thus only long options are officially exposed in the help, similarly as in
other cases.
Test suite results, after patch: OK: 79 BAD: 0
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch gets the nfct syntax in sync with nft so it looks like this:
nfct <add|delete|...> object ...
instead of:
nfct object <add|delete|...> ...
This patch retains backward compatibility so you can still use the old syntax.
The manpage and tests have been also updated to promote the adoption of this
syntax. We should have little existing clients of this tool as we can only use
this to configure the cttimeout and cthelper infrastructures.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
[...]
CC conntrack.o
In file included from ../include/conntrack.h:4:0,
from conntrack.c:41:
conntrack.c: In function ‘findproto’:
../include/linux_list.h:385:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
for (pos = list_entry((head)->next, typeof(*pos), member), \
^
[...]
The original patch is from Patrick McHardy <kaber@trash.net>.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This new interface supersedes the /proc interface:
/proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout
to tune default conntrack timeout helpers.
# nfct timeout default-get inet tcp
.l3proto = 2,
.l4proto = 6,
.policy = {
.SYN_SENT = 120,
.SYN_RECV = 60,
.ESTABLISHED = 432000,
.FIN_WAIT = 120,
.CLOSE_WAIT = 60,
.LAST_ACK = 30,
.TIME_WAIT = 120,
.CLOSE = 10,
.SYN_SENT2 = 120,
.RETRANS = 300,
.UNACKNOWLEDGED = 300,
},
};
# nfct timeout default-set inet tcp ESTABLISHED 100
As a replacement for the existing /proc interfaces for timeout tweaking.
This feature requires a Linux kernel >= 3.13.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds a userspace port of the TFTP helper that is currently
implemented in the kernel. This includes NAT support. It requires a
Linux kernel 3.12.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Open the socket from the main function, then pass it as parameter
to the corresponding interpreter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add helper function nfct_mnl_talk and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Modularize timeout and helper extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This requires the Linux kernel 3.12.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
New options "--label-add" and "--label-delete" to alter connlabels
assigned to a connection.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
- check if ct has label attribute, and at least one label
(bit) is set
- serialize bitmap into array-of-u32, in network byte order
- add code to build new nfct_bitmask object from array-of-u32
Current parse functions don't have length information; this adds an
optional parse2() which gets a struct netattr pointer.
Attributes that want to use parse2 need to set .maxsize to nonzero
value.
Signed-off-by: Florian Westphal <fw@strlen.de>
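An added example, not conntrack-tools code, of the serialisation and the length-aware parse described above: the bitmap goes out as an array of u32 in network byte order only when at least one label is set, and the receiver, given the attribute length as parse2() is, rejects lengths that are not whole words or exceed the bitmap before touching the payload. The struct layout, the 128-label width and the function names are assumptions made for the demo.

```c
/* Added example (not conntrack-tools code): connlabel bitmap <-> array of
 * u32 in network byte order, with a length-checked parse. The 128-label
 * width and all names here are assumptions for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LABEL_WORDS 4				/* assumed: 128 labels */
#define LABEL_WIRE_MAX (LABEL_WORDS * 4)	/* the attribute's .maxsize */

struct labels {
	uint32_t bits[LABEL_WORDS];	/* host-order bitmap, bit i = label i */
};

static int labels_test(const struct labels *l, unsigned bit)
{
	return bit < LABEL_WORDS * 32 && ((l->bits[bit / 32] >> (bit % 32)) & 1);
}

static void labels_set(struct labels *l, unsigned bit)
{
	if (bit < LABEL_WORDS * 32)
		l->bits[bit / 32] |= 1u << (bit % 32);
}

/* Sender-side check: emit the attribute only if at least one label is set. */
static int labels_any(const struct labels *l)
{
	unsigned i;
	for (i = 0; i < LABEL_WORDS; i++)
		if (l->bits[i])
			return 1;
	return 0;
}

/* Serialise each u32 in network byte order. Returns bytes written, or 0 when
 * nothing is set (attribute omitted) or buf is too small. */
static size_t labels_to_wire(const struct labels *l, void *buf, size_t len)
{
	unsigned char *out = buf;
	unsigned i;
	if (!labels_any(l) || len < LABEL_WIRE_MAX)
		return 0;
	for (i = 0; i < LABEL_WORDS; i++) {
		uint32_t w = htonl(l->bits[i]);
		memcpy(out + i * 4, &w, 4);	/* memcpy: out may be unaligned */
	}
	return LABEL_WIRE_MAX;
}

/* The parse2() shape: the attribute length is known, so reject anything that
 * is not a whole number of u32s or larger than the bitmap before copying.
 * A parse() without the length would have to trust the peer here. */
static int labels_from_wire(struct labels *l, const void *buf, size_t len)
{
	const unsigned char *in = buf;
	unsigned i;
	if (len == 0 || len % 4 || len > LABEL_WIRE_MAX)
		return -1;
	memset(l, 0, sizeof(*l));	/* words not on the wire read as clear */
	for (i = 0; i < len / 4; i++) {
		uint32_t w;
		memcpy(&w, in + i * 4, 4);
		l->bits[i] = ntohl(w);
	}
	return 0;
}

int main(void)
{
	struct labels in = { { 0 } }, out;
	unsigned char wire[LABEL_WIRE_MAX];
	size_t n;
	labels_set(&in, 0);
	labels_set(&in, 37);
	n = labels_to_wire(&in, wire, sizeof(wire));
	printf("wire: %zu bytes, word 1 = %02x%02x%02x%02x\n", n,
	       wire[4], wire[5], wire[6], wire[7]);
	if (labels_from_wire(&out, wire, n) == 0)
		printf("label 37 set after round trip: %d\n", labels_test(&out, 37));
	printf("oversized attribute rejected: %d\n",
	       labels_from_wire(&out, wire, LABEL_WIRE_MAX + 4) == -1);
	return 0;
}
```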
| |
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
This patch simplifies the expectation filtering by looking up for the
master conntrack. If it does not exist, then we assume that we don't
want this expectation either.
This simplification also fixes the current broken expectation filtering,
since the master conntrack from expectations has neither reply tuple
nor state, however, the filtering code assumes the opposite.
This partially reverts (479a37a conntrackd: fix crash with IPv6 expectation
in the filtering code) since it was incorrectly setting the reply tuple
of the master conntrack.
Thanks to Bill Fink for providing feedback to resolve this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch deprecates the `Family' tweak in the configuration file.
Several reasons for this:
* If not specified, this defaulted to IPv4 only in table dumps from
the kernel. However, non-IPv4 events were still received. This is
inconsistent.
* It's an early tweak that was not documented (not included in any
of the example files).
If we want to support any sort of consistent filtering based on the
family, this should happen in the filtering code.
After this patch, conntrackd uses AF_UNSPEC to dump the conntrack and
expectation tables from the kernel.
Reported-by: Bill Fink <billfink@mindspring.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds the QueueLen option, that allows you to increase
the maximum number of packets waiting in the nfnetlink_queue to
receive a verdict from userspace.
Raising the default value (1024) is useful to avoid hitting the following
error message: "nf_queue: full at X entries, dropping packets(s)".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The pr_debug call should be converted to use dlog instead.
I'll try to add some some configuration parameter to
enable/disable debugging in runtime. This is not very flexible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch moves the specific ctnetlink code to ctnl.c to prepare
the introduction of the cthelper infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch generalizes the select-based file descriptor infrastructure
by allowing you to register file descriptors and their callbacks, instead
of hardcoding the descriptors that need to be checked.
Now, struct fds_item contains a callback and pointer to data that is
passed to it:
struct fds_item {
struct list_head head;
int fd;
+ void (*cb)(void *data);
+ void *data;
};
Then, we check which ones are active in the select_main_step() function:
list_for_each_entry(cur, &STATE(fds)->list, head) {
if (FD_ISSET(cur->fd, &readfds))
cur->cb(cur->data);
}
And invoke the corresponding callback.
I had to slightly modify the channel infrastructure to fit it into
the changes.
This modularity is required for the upcoming cthelper support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
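An added example, not the patch's code: a self-contained version of the registration scheme above, with a singly linked list standing in for list_head and a pipe standing in for a channel socket. It adds the one check a select()-based registry needs that the snippet does not show: a descriptor at or above FD_SETSIZE must be refused, because FD_SET() on it writes outside the fd_set. Names other than the fds_item fields are the example's own.

```c
/* Added example (not conntrack-tools code): register descriptors with a
 * callback and opaque data, then let one select() step dispatch whichever
 * are readable. The pipe-backed "channel" is a constructed stand-in. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <unistd.h>

struct fds_item {
	struct fds_item *next;
	int fd;
	void (*cb)(void *data);
	void *data;
};

struct fds {
	struct fds_item *list;
	int maxfd;		/* highest registered fd, -1 when empty */
};

/* select() only tracks descriptors below FD_SETSIZE; FD_SET() on a larger
 * one writes past the fd_set, so such a registration is refused. */
static int fds_register(struct fds *fds, int fd, void (*cb)(void *), void *data)
{
	struct fds_item *it;
	if (fd < 0 || fd >= FD_SETSIZE)
		return -1;
	it = calloc(1, sizeof(*it));
	if (!it)
		return -1;
	it->fd = fd;
	it->cb = cb;
	it->data = data;
	it->next = fds->list;
	fds->list = it;
	if (fd > fds->maxfd)
		fds->maxfd = fd;
	return 0;
}

/* One main-loop step: wait up to timeout_ms, run the callback of every
 * readable descriptor. Returns the number of callbacks run, -1 on error.
 * Callbacks must not unregister entries while this walk is in progress. */
static int fds_step(struct fds *fds, int timeout_ms)
{
	struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
	struct fds_item *cur;
	fd_set readfds;
	int dispatched = 0;
	FD_ZERO(&readfds);
	for (cur = fds->list; cur; cur = cur->next)
		FD_SET(cur->fd, &readfds);
	if (select(fds->maxfd + 1, &readfds, NULL, NULL, &tv) < 0)
		return -1;
	for (cur = fds->list; cur; cur = cur->next) {
		if (FD_ISSET(cur->fd, &readfds)) {
			cur->cb(cur->data);
			dispatched++;
		}
	}
	return dispatched;
}

static void fds_free(struct fds *fds)
{
	struct fds_item *cur = fds->list, *next;
	for (; cur; cur = next) {
		next = cur->next;
		free(cur);
	}
	fds->list = NULL;
	fds->maxfd = -1;
}

/* Demo channel: drains its descriptor and counts the bytes seen. */
struct channel {
	int fd;
	long bytes;
};

static void channel_read(void *data)
{
	struct channel *ch = data;
	char buf[256];
	ssize_t n = read(ch->fd, buf, sizeof(buf));
	if (n > 0)
		ch->bytes += n;
}

int main(void)
{
	struct fds fds = { .list = NULL, .maxfd = -1 };
	struct channel ch = { .fd = -1, .bytes = 0 };
	int p[2];
	if (pipe(p) < 0)
		return 1;
	ch.fd = p[0];
	fds_register(&fds, p[0], channel_read, &ch);
	printf("idle step ran %d callbacks\n", fds_step(&fds, 0));
	if (write(p[1], "event", 5) != 5)
		return 1;
	printf("after write: %d callbacks, %ld bytes\n", fds_step(&fds, 100), ch.bytes);
	fds_free(&fds);
	close(p[0]);
	close(p[1]);
	return 0;
}
```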
| |
Since Linux kernel >= 3.6.x, we can dump the conntrack statistics
via ctnetlink instead of using the /proc interface:
conntrack -S
cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
conntrack -S exp
cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141
cpu=1 expect_new=390 expect_create=37496 expect_delete=1531
cpu=2 expect_new=333 expect_create=68117 expect_delete=1895
cpu=3 expect_new=71 expect_create=13366 expect_delete=1255
Note that the output is not backward-compatible, but we fall back to the previous
output in case that ctnetlink stats dumping is not available.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch changes the current behaviour of `-t' and `-F' commands,
that results in flushing the kernel conntrack table. With this patch,
the entries that match the Filter clauses in conntrackd.conf are
ignored.
This fixes the situation in which some local ssh connection to the
firewall is lost during the failover (since `-t' is invoked from the
primary-backup.sh script).
Note that the Filter clause tells what entries have to be ignored,
ie. the entries that do not need to be replicated. It makes sense
not to flush entries that are not replicated (usually traffic to
the local firewall).
Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>