| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Currently, oprofile reports ~17% of sample in the hashing. With
this patch, that uses jhash2 instead of a double call to jhash
and one to jhash_2words, it goes down to ~11%.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch fixes a problem that allows the update of entries that
are scheduled to be removed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch hides information that may confuse users while they are
diagnosing problems in their setup. For example, we hide entries
that are schedule to expire - from the user side, they are already
destroyed entries; and we show in the counters the real active entries,
not all that are stored in the caches.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the non-timer-based cache deletion. This bug affects
the alarm-based approach since the backup replicas did not get the
deletion event, thus, delaying the deletion.
This patch introduces cache_find() to look up for a conntrack object
and __cache_del_timer() to perform direct deletions by means of the
pointer obtained with cache_find().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Some users have reported crashes when nf_conntrack_ipv6 was not present.
This patch performs more robust sanity checks in the input path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
- use generic nfct_copy() from libnetfilter_conntrack to update objects
- use generic nfct_cmp() to compare objects
|
| |
|
|
| |
This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
|
| |
|
|
| |
only which is incompatible AFAIK
|
| |
|
|
| |
has been Max Kellermann and has no issues with relicensing their contributions.
|
| | |
|
| |
|
|
| |
import only required C headers and put local headers on top to check
|
| |
|
|
| |
use C99 integers (uint32_t instead of u_int32_t)
|
| |
|
|
| |
Fix tons of gcc warnings
|
| |
|
|
| |
use const when possible
|
| |
|
|
|
| |
- minor fix for hash6 in cache.c (however, ipv6 support is still broken
- several updates in the TODO file
|
| |
|
|
| |
feature is particularly useful for active-active setup without connection persistency, ie. you cannot know which firewall would filter a packet that belongs to a connection.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- add len field to nethdr
- implement buffered send/recv to batch messages
- stop using netlink format for network messages: use similar TLV-based format
- reduce synchronization messages size up to 60%
- introduce periodic alive messages for sync-nack protocol
- timeslice alarm implementation: remove alarm pthread, remove locking
- simplify debugging functions: use nfct_snprintf instead
- remove major use of libnfnetlink functions: use libnetfilter_conntrack API
- deprecate conntrackd -F, use conntrack -F instead
- major rework of the network infrastructure: much simple, less messy
|
| |
|
|
|
|
| |
- remove several debug calls
- create a child to dispatch dump requests: this will help to simplify the
current locking schema. Later.
|
| |
|
|
|
|
|
|
| |
- empty debug_ct function if DEBUG_CT is not set
- revisit overrun handler: this is a hard battle, just try to do our best here, call Patrick :)
- explicit warning message when netlink_buffer_max_growth is reached
- fix silly bug in stats-mode when dumping in XML format
- fix UDP handler for conntrack
|
| |
|
|
|
|
|
| |
- flush nack queue in the conntrackd -f path
- do not increase add_fail counter for EEXIST errors
- cleanup sync-nack code
- improve mcast_recv_netmsg: sanity check before checksumming!
|
|
|
chain
|
