summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* conntrackd: CommitTimeout breaks DisableExternalCache set OnPablo Neira Ayuso2017-03-101-0/+1
| | | | | | | | | | | This patch introduces a new evaluate() function that can be used to spot inconsistent configurations. Don't allow CommitTimeout with DisableExternalCache On since this results in EINVAL errors. CommitTimeout makes no sense with no external cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* helper: remove copy and paste from uapi kernel headerPablo Neira Ayuso2016-11-243-25/+135
| | | | | | | | | Copy and paste of headers is not good, include kernel header that provide the necessary definitions. Cache a copy of nf_conntrack_common.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: introduce a mechanism to know if log was initializedArturo Borrero Gonzalez2016-11-091-0/+1
| | | | | | | | | | | | | | | This will allow to call dlog() function from all the points in the execution at runtime. If the log was not initialized, then we just fprintf and return. By now, we can't init the log engine earlier because we require config from the user, so there is a egg-chicken problem. This means that we can't log parsing messages to logfiles but only to stderr/stdout. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: print messages to stdout/sderr if running in console modeArturo Borrero Gonzalez2016-10-281-0/+1
| | | | | | | | | | | | | | | | | | | | | If conntrackd is running in console mode (i.e. in foreground) then we can print the log messages to stdout/stderr. This eases the workflow for admins, since we condensate more info into the same terminal output. Example: % sudo conntrackd -C /etc/conntrackd.conf WARNING: XXXX is an invalid interface [Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling internal cache [Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling external cache [Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] can't open channel socket: No such device [Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] initialization failed ERROR: conntrackd cannot start, please check the logfile for more info Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include/network.h: fix erroneus comment in NTA_(S|D)NAT_IPV6Arturo Borrero2016-06-061-2/+2
| | | | | | | We don't use 'struct nfct_attr_grp_ipv6', actually 'uint32_t * 4'. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for NTA_(S|D)NAT_IPV6Arturo Borrero2016-05-201-0/+2
| | | | | | | | | | So we can properly sync NATed IPv6 connections. Thanks to Florian Westphal for originally ponting me to this lack of support in conntrackd, which saved me a lot of time. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add systemd supportArturo Borrero2015-11-173-1/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds basic systemd support. The feature can be enabled/disabled at configure time: ./configure --disable-systemd Also, at runtime in conntrackd.conf General { Systemd on|off } (by default it's enabled both at runtime and at configure time) * tell systemd about conntrackd readiness: When conntrackd starts, it will send systemd the data "READY=1". At the point the data is sent, conntrackd is fully ready to work (configuration was OK, sockets OK, et all), so other actions depending on conntrackd can be safely chained in the machine boot process. * tell systemd about conntrackd shutting down: If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1" will be send to systemd so it learns about the daemon shutting down. Same for manual signals. * watchdog support: The admin can configure systemd to watch the conntrackd daemon and perform some actions if conntrackd dies: restart it, reboot the machine, etc... Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add zone direction supportDaniel Borkmann2015-09-291-1/+1
| | | | | | | | | | | | | | | | This patch adds support for zone directions. Since all options have the orig/reply as a prefix, I named it --orig-zone and --reply-zone to stay consistent with the rest of the cmdline options. As for the option chars, there was no unallocated reasonable combination, thus only long options are officially exposed in the help, similarly as in other cases. Test suite results, after patch: OK: 79 BAD: 0 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: Update syntax to specify command before subsystemPablo Neira Ayuso2015-08-261-1/+3
| | | | | | | | | | | | | | | | | This patch gets the nfct syntax in sync with nft so it looks like this: nfct <add|delete|...> object ... instead of: nfct object <add|delete|...> ... This patch retains backward compatibility so you can still use the old syntax. The manpage and tests have been also updated to promote the adoption of this syntax. We should have little existing clients of this tool as we can only use this to configure the cttimeout and cthelper infrastructures. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* list: fix prefetch dummyArturo Borrero Gonzalez2015-08-261-1/+1
| | | | | | | | | | | | | | | | | [...] CC conntrack.o In file included from ../include/conntrack.h:4:0, from conntrack.c:41: conntrack.c: In function ‘findproto’: ../include/linux_list.h:385:59: warning: right-hand operand of comma expression has no effect [-Wunused-value] for (pos = list_entry((head)->next, typeof(*pos), member), \ ^ [...] The original patch is from Patrick McHardy <kaber@trash.net>. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Include <sys/select.h> for fd_setFelix Janda2015-05-213-0/+3
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use stdint typesFelix Janda2015-05-212-8/+8
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Sync with kernel headersFelix Janda2015-05-212-42/+17
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: timeout: add support for default protocol timeout tuningPablo Neira Ayuso2014-05-132-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new interface supersedes the /proc interface: /proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout to tune default conntrack timeout helpers. # nfct timeout default-get inet tcp .l3proto = 2, .l4proto = 6, .policy = { .SYN_SENT = 120, .SYN_RECV = 60, .ESTABLISHED = 432000, .FIN_WAIT = 120, .CLOSE_WAIT = 60, .LAST_ACK = 30, .TIME_WAIT = 120, .CLOSE = 10, .SYN_SENT2 = 120, .RETRANS = 300, .UNACKNOWLEDGED = 300, }, }; # nfct timeout default-set inet tcp ESTABLISHED 100 As replacement for the existing /proc interfaces for timeout tweaking. This feature requires a Linux kernel >= 3.13. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: add TFTP helperPablo Neira Ayuso2013-10-031-0/+3
| | | | | | | | This patch adds an userspace port of the TFTP helper that is currently implemented in the kernel. This includes NAT support. It requires a Linux kernel 3.12. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: src: consolidate netlink socket creationPablo Neira Ayuso2013-10-011-1/+2
| | | | | | | Open the socket from the main function, then pass it as parameter to the corresponding interpreter. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: src: add nfct_mnl_talk and use itPablo Neira Ayuso2013-10-011-0/+5
| | | | | | Add helper function nfct_mnl_talk and use it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: modularize extensionsPablo Neira Ayuso2013-09-261-14/+11
| | | | | | Modularize timeout and helper extensions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: allow to attach expectations via nfqueuePablo Neira Ayuso2013-09-262-0/+14
| | | | | | This requires the Linux kernel 3.12. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: support add/delete of conntrack labelsClemence Faure2013-09-151-1/+1
| | | | | | | | new options "--label-add" and "--label-delete" to alter connlabels assigned to a connection. Signed-off-by: Clemence Faure <clemence.faure@sophos.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrackd: support replication of connlabelsFlorian Westphal2013-07-231-0/+4
| | | | | | | | | | | | | | | - check if ct has label attribute, and at least one label (bit) is set - serialize bitmap into array-of-u32, in network byte order - add code to build new nfct_bitmask object from array-of-u32 Current parse functions don't have length information, this adds optional parse2() which gets struct netattr pointer. Attributes that want to use parse2 need to set .maxsize to nonzero value. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: introduce -l option to filter by labelsClemence Faure2013-07-231-1/+1
| | | | | Signed-off-by: Clemence Faure <clemence.faure@sophos.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrackd: simplify expectation filteringPablo Neira Ayuso2013-07-112-0/+2
| | | | | | | | | | | | | | | | | | This patch simplifies the expectation filtering by looking up for the master conntrack. If it does not exists, then we assume that we don't want this expectation either. This simplification also fixes the current broken expectation filtering, since the master conntrack from expectations has neither reply tuple nor state, however, the filtering code assumes the opposite. This partially reverts (479a37a conntrackd: fix crash with IPv6 expectation in the filtering code) since it was incorrectly setting the reply tuple of the master conntrack. Thanks to Bill Fink for providing feedback to resolve this issue. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: deprecate `Family' in configuration filePablo Neira Ayuso2013-07-061-1/+0
| | | | | | | | | | | | | | | | | | | | | | This patch deprecates the `Family' tweak in the configuration file. Several reasons for this: * If not specified, this was default to IPv4 only in table dumps from the kernel. However, non-IPv4 events were still received. This is inconsistent. * It's an early tweak that was not documented (not included in any of the example files). If we want to support any sort of consistent filtering based on the family, this should happen in the filtering code. After this patch, conntrackd uses AF_UNSPEC to dump the conntrack and expectation tables from the kernel. Reported-by: Bill Fink <billfink@mindspring.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: kill unused PLD_* macrosFlorian Westphal2013-06-051-12/+0
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: add QueueLen optionPablo Neira Ayuso2012-09-101-0/+1
| | | | | | | | | | | This patch adds the QueueLen option, that allows you to increase the maximum number of packets waiting in the nfnetlink_queue to receive a verdict from userspace. Rising the default value (1024) is useful to avoid hitting the following error message: "nf_queue: full at X entries, dropping packets(s)". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cthelper: disable debugging information by defaultPablo Neira Ayuso2012-08-211-1/+7
| | | | | | | | | The pr_debug call should be converted to use dlog instead. I'll try to add some some configuration parameter to enable/disable debugging in runtime. This is not very flexible. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add cthelper infrastructure (+ example FTP helper)Pablo Neira Ayuso2012-08-019-4/+361
| | | | | | | | | | | | This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space. There's one example file that you can use to configure conntrackd as user-space connection tracking helper under: doc/helper/conntrackd.conf Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: move ctnetlink code to ctnl.c (removed from run.c)Pablo Neira Ayuso2012-08-011-1/+6
| | | | | | | This patch moves the specific ctnetlink code to ctnl.c to prepare the introduction of the cthelper infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: generalize file descriptor infrastructurePablo Neira Ayuso2012-08-013-5/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch generalizes the select-based file descriptor infrastructure by allowing you to register file descriptors and its callbacks. Instead of hardcoding the descriptors that needs to be checked. Now, struct fds_item contains a callback and pointer to data that is passed to it: struct fds_item { struct list_head head; int fd; + void (*cb)(void *data); + void *data; }; Then, we check which ones are active in the select_main_step() function: list_for_each_entry(cur, &STATE(fds)->list, head) { if (FD_ISSET(cur->fd, &readfds)) cur->cb(cur->data); } And it invoked the corresponding callback. I had to slightly modify the channel infrastructure to fit it into the changes. This modularity is required for the upcoming cthelper support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for stats dumping via ctnetlinkPablo Neira Ayuso2012-08-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Since Linux kernel >= 3.6.x, we can dump the conntrack statistics via ctnetlink instead of using the /proc interface: conntrack -S cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 conntrack -S exp cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141 cpu=1 expect_new=390 expect_create=37496 expect_delete=1531 cpu=2 expect_new=333 expect_create=68117 expect_delete=1895 cpu=3 expect_new=71 expect_create=13366 expect_delete=1255 Note that the output is not backward-compatible, but we fail back to previous output in case that ctnetlink stats dumping is not available. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: implement selective flushing for `-t' and `-F' commandsPablo Neira Ayuso2012-07-301-1/+1
| | | | | | | | | | | | | | | | | | | This patch changes the current behaviour of `-t' and `-F' commands, that results in flushing the kernel conntrack table. With this patch, the entries that match the Filter clauses in conntrackd.conf are ignored. This fixes the situation in which some local ssh connection to the firewall is lost during the failover (since `-t' is invoked from the primary-backup.sh script). Note that the Filter clause tells what entries have to be ignored, ie. the entries that do not need to be replicated. It makes sense not to flush entries that are not replicated (usually traffic to the local firewall). Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: integrate nfct into the conntrack-tools treePablo Neira Ayuso2012-05-266-1/+241
| | | | | | | | I'll need for the upcoming cthelper infrastructure. Moreover, we avoid more fragmentation in the netfilter user-space utilities. And the plan is that `nfct' will replace `conntrack' at some point. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: support expectfn synchronization for expectationsPablo Neira Ayuso2012-02-071-0/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support to synchronize helper namePablo Neira Ayuso2012-02-071-0/+2
| | | | | | For both conntrack and expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add NAT expectation supportPablo Neira Ayuso2012-02-071-0/+4
| | | | | | This patch adds the missing bits to support NAT expectation support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support expectation class synchronizationPablo Neira Ayuso2012-02-071-0/+1
| | | | | | This patch adds support for synchronizing the expectation class. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: support `-i exp -x' and `-e exp -x' optionsPablo Neira Ayuso2012-01-221-0/+2
| | | | | | | | | | This patch allows you to dump the internal and external expectation cache in XML. % conntrackd -i exp -x <flow><layer3 protonum="2" protoname="ipv4"><expected><src>192.168.1.135</src><dst>130.89.148.12</dst></expected><mask><src>255.255.255.255</src><dst>255.255.255.255</dst></mask><master><src>192.168.1.135</src><dst>130.89.148.12</dst></master></layer3><layer4 protonum="6" protoname="tcp"><expected><sport>0</sport><dport>9082</dport></expected><mask><sport>0</sport><dport>65535</dport></mask><master><sport>50518</sport><dport>21</dport></master></layer4><meta><helper-name>ftp</helper-name></meta></flow> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: support for expectation synchronizationPablo Neira Ayuso2012-01-108-2/+105
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support to synchronize expectations between firewalls. This addition aims to re-use as much as possible of the existing infrastructure for stability reasons. The expectation support has been tested with the FTP helper. This extension requires libnetfilter_conntrack 1.0.0. If this is the first time you're playing with conntrackd, I *strongly* recommend you to get working setup of conntrackd without expectation support before as described in the documentation. Then, enabling expectation support is rather easy. To know more about expectations, if you're not familiar with them, I suggest you to read: "Netfilter's Connection Tracking System" http://people.netfilter.org/pablo/docs/login.pdf Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3 (Berkeley, CA: USENIX Association, 2006, pp40-45.) In short, expectations allow one Linux firewall to filter multi-flow traffic like FTP, SIP and H.323. In my testbed, there are two firewalls in a primary-backup configuration running keepalived. The use a couple of floating cluster IP address (192.168.0.100 and 192.168.1.100) that are used by the client. These firewalls protect one FTP server (192.168.1.2) that will be accessed by one client. In ASCII art, it looks like this: 192.168.0.100 192.168.1.100 eth1 eth2 fw-1 / \ FTP -- client ------ ------ server -- 192.168.0.2 \ / 192.168.1.2 fw-2 This is the rule-set for the firewalls: -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A FORWARD -m state --state RELATED -j ACCEPT -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: " The following steps detail how to check that the expectation support works fine for conntrackd: 1) You have to enable the expectation support in the configuration file with the following option: Sync { ... Options { ExpectationSync { ftp sip h323 } } } This enables expectation synchronization for the FTP, SIP and H.323 helpers. You can alternatively use: Sync { ... Options { ExpectationSync On } } To enable expectation synchronization for all helpers. 2) Make sure you have loaded the FTP helper in both firewalls. root@fw1# modprobe nf_conntrack_ftp root@fw2# modprobe nf_conntrack_ftp 3) Switch to the client. Start one FTP control connection to one server that is protected by the firewalls, enter passive mode: (term-1) user@client$ nc 192.168.1.2 21 220 dummy FTP server USER anonymous 331 Please specify the password. PASS nothing 230 Login successful. PASV 227 Entering Passive Mode (192,168,1,2,163,11). This means that port 163*256+11=41739 will be used for the data traffic. Read this if you are not familiar with the FTP protocol: http://www.freefire.org/articles/ftpexample.php 3) Switch to fw-1 (primary) to check that the expectation is in the internal cache. root@fw1# conntrackd -i exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s] 4) Switch to fw-2 (backup) to check that the expectation has been successfully replicated. root@fw2# conntrackd -e exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s] 5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary. 6) Switch to fw-2 (primary) to commit the external cache into the kernel. root@fw2# conntrackd -c exp The logs should display that the commit was successful: root@fw2# tail -100f /var/log/conntrackd.log [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds 7) Switch to the client. Open a new terminal and connect to the port that has been announced by the server: (term-2) user@client$ nc -vvv 192.168.1.2 41739 (UNKNOWN) [192.168.1.2] 41739 (?) open 8) Switch to term-1 and ask for the file listing: [...] 227 Entering Passive Mode (192,168,1,2,163,11). LIST 9) Switch to term-2, it should display the listing. That means everything has worked fine. You may want to try disabling the expectation support and repeating the steps to check that *it does not work* without the state-synchronization. You can also display expectation statistics by means of: root@fwX# conntrackd -s exp This update requires no changes in the primary-backup.sh script that is used by the HA manager to interact with conntrackd. Thus, we provide a backward compatible command line interface. Regarding the Filter clause and expectations, we use the master conntrack to filter expectation events. The filtering is performed in user-space. No kernel-space filtering support for expectations yet (this support should go in libnetfilter_conntrack at some point). This patch also includes support to disable caching and to allow direct injection of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: constify ct parameter of ct_filter_* functionsPablo Neira Ayuso2012-01-101-1/+1
| | | | | | | The ct object that is passed as parameter is not modified, make it constant. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: remove cache_data_get_object and replace by direct pointerPablo Neira Ayuso2012-01-101-1/+0
| | | | | | | We now include one pointer to the object in the extra section. This is required to generalize this code for the expectation support. We consume 4-8 bytes extra, but we will not need more changes to support expectations which is a good idea.
* conntrackd: simplify cache_get_extra functionPablo Neira Ayuso2012-01-101-1/+1
| | | | | | | | This patch simplifies cache_get_extra which now takes only one parameter that is the cache_object. With it, the extra area can be calculated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: generalize local handler actionsPablo Neira Ayuso2012-01-101-23/+23
| | | | | | | This patch prepares the introduction of actions with the expectation table. Mostly renamings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: generalize/cleanup network message building/parsingPablo Neira Ayuso2012-01-102-11/+13
| | | | | | | | | | | | | | | | | | This patch generalizes the network message building and parsing to prepare the upcoming expectation support. Basically, it renames: - NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_* - BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg. I plan to add exp2msg. - parse_payload by msg2ct, since I plan to add msg2exp. - modify object_status_to_network_type to prepare the support of expectations. - add prefix ct_ to all parsing functions in parse.c, as we will have similar functions to convert messages to expectation objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: generalize external handlers to prepare expectation supportPablo Neira Ayuso2012-01-101-8/+10
| | | | | | | | | | This patch contains cleanups to prepare the expectation support for external handlers. Mostly renamings. I have also updated the file headers to include Vyatta in the copyright statement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: generalize caching infrastructurePablo Neira Ayuso2012-01-102-18/+66
| | | | | | | | This patch generalizes the caching infrastructure to store different object types. This patch is the first in the series to prepare support for the synchronization of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: log if we received a commit request while already one in progressPablo Neira Ayuso2011-02-151-1/+1
| | | | | | | | | | | | This patch improves the case in which we receive a commit request but we are already performing one. This behaviour is suspicious since the HA manager should not trigger a double master transition. Otherwise, something probably is not configured appropriately. This improves 98756c2608f0879a2322919c7441973216565272 "cache: close commit request if we already have one in progress". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add zone supportPablo Neira Ayuso2010-07-051-1/+1
| | | | | | | | This patch adds `--zone' to the command line tool. This adds the missing user-space support for Patrick's McHardy iptables CT target. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add `--any-nat' to filter any NATted flowPablo Neira Ayuso2010-07-011-1/+1
| | | | | | | This patch adds the --any-nat option that allows to display src-NATted OR dst-NATted flows. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: put all the commands and options code togetherPablo Neira Ayuso2010-06-221-142/+1
| | | | | | | | This patch is a cleanup, it puts all the commands and options code together. This makes easier and less error-prone the task to add new commands and options. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>