| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
This patch obsoletes `-s multicast' by `-s link' to display the
dedicated link statistics, as the current dedicated link protocol
use can be unicast UDP or multicast. The term "link" is more
generic.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch removes the logging initialization for client requests
which is of any use for them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch also adds missing `-v' information to the manpage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch allows flushing the internal and/or the external cache.
The `-f' with no extra parameters still works to flush both the
internal and the external cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch moves the existing `-v' behaviour to `-s queue' where it
really belongs. The `-v' option is now left to display the version
which is the common use of it.
# conntrackd -v
Connection tracking userspace daemon v0.9.9. Licensed under GPLv2.
(C) 2006-2009 Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support for redundant dedicated links. You can add
a pool of dedicated links that can be used if the current active
fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch fixes a missing \n in the help message displayed with
conntrackd -h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds run-time statistics that you can check via
`conntrackd -s runtime'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds cache statistics that you can check via
`conntrackd -s cache'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds networks statistics that you can check via
`conntrackd -s network'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks of IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces the option `-v' to show useful debugging
information, if any. As for now, only sync-ftfw.c make use of it to
display the content and the length of the resent list/queue. This
is useful to check for message leaks. Other working modes or
synchronization approaches may use it to display debugging
information in the future.
This patch removes _SIGNAL_DEBUG in sync-ftfw.c that was used for
for the same purpose. However, it could only be enabled at compilation
time and it uses signalling instead of the standard UNIX socket
interface that conntrackd provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds missing information on -t when conntrackd is invoked
with -h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Check if the Linux kernel is >= 2.6.26, otherwise it does not support
kernel-space filtering. This is not clean but we have no choice, the BSF
infrastructure does not return ENOTSUPP for unsupported operations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Minor cleanup to save a couple of lines in the Linux kernel version
checking.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the new option `-t' for conntrackd. This option shortens
the value of the timeout for the cached entries that lives in the
kernel. This option is particularly useful to remove the zombie
established entries that remain in kernel if the user tests the platform
by forcing the takeover from one to another node several times.
We currently use the value of CommitTimeout which is sane for it. Adding
a new option does not seem to add more flexibility IMO.
Once we get the patches to notify user changes via ctnetlink and the
netlink flag NLM_F_ECHO works, we may directly invoke a massive purge of
the entries, however, such solution would still need evaluation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
|
| |
|
|
| |
only which is incompatible AFAIK
|
| |
|
|
| |
has been Max Kellermann and has no issues with relicensing their contributions.
|
| | |
|
| |
|
|
| |
whitespace cleanups
|
| |
|
|
| |
Simplify logging infrastructure
|
| |
|
|
|
| |
there is no need to check capabilities - the socket() call will fail a
few lines later anyway, producing an error message which is good enough.
|
| |
|
|
| |
import only required C headers and put local headers on top to check
|
| |
|
|
|
|
|
| |
o always close stdin - even in non-daemon mode, it is of no use
o chdir("/") to release the cwd inode
o ignore setsid() failure, because there is only one possible and
o fix harmless error condition
|
| | |
|
| |
|
|
| |
Fix tons of gcc warnings
|
| |
|
|
| |
add missing function prototypes
|
| |
|
|
| |
(Based on comments from Max Kellerman)
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Detach daemon from its terminal
|
| |
|
|
|
|
| |
o minor irrelevant fixes for uncommon error paths and fix several typos
o use LOG_INFO for connection logging, use LOG_NOTICE for other information
o minor error handling updates
|
| | |
|
| |
|
|
|
|
| |
o rename `persistent' mode to `alarm'
o rename `nack' mode to `ftfw'
o Now default synchronization mode is ftfw instead of alarm
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- add len field to nethdr
- implement buffered send/recv to batch messages
- stop using netlink format for network messages: use similar TLV-based format
- reduce synchronization messages size up to 60%
- introduce periodic alive messages for sync-nack protocol
- timeslice alarm implementation: remove alarm pthread, remove locking
- simplify debugging functions: use nfct_snprintf instead
- remove major use of libnfnetlink functions: use libnetfilter_conntrack API
- deprecate conntrackd -F, use conntrack -F instead
- major rework of the network infrastructure: much simple, less messy
|
| |
|
|
| |
- several cleanups
|
|
|
chain
|
