| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new interface supersedes the /proc interface:
/proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout
to tune default conntrack timeout helpers.
# nfct timeout default-get inet tcp
.l3proto = 2,
.l4proto = 6,
.policy = {
.SYN_SENT = 120,
.SYN_RECV = 60,
.ESTABLISHED = 432000,
.FIN_WAIT = 120,
.CLOSE_WAIT = 60,
.LAST_ACK = 30,
.TIME_WAIT = 120,
.CLOSE = 10,
.SYN_SENT2 = 120,
.RETRANS = 300,
.UNACKNOWLEDGED = 300,
},
};
# nfct timeout default-set inet tcp ESTABLISHED 100
As replacement for the existing /proc interfaces for timeout tweaking.
This feature requires a Linux kernel >= 3.13.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
helper's list and flush commands handlers shouldn't call
mnl_socket_close on the passed netlink socket as it is done in the
main function after parse_params call.
Bug introduced in (3c78a45 nfct: src: consolidate netlink
socket creation).
Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Open the socket from the main function, then pass it as parameter
to the corresponding interpreter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add helper function nfct_mnl_talk and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch is a cleanup to split this function in smaller chunks.
It is required to prepare default protocol timeout tuning via
netlink.
|
| |
|
|
|
|
|
| |
The kernel bails out for unsupported protocols. Moreover, we
don't need to upgrade to support new protocols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Modularize timeout and helper extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Instead of hardcoded path to /usr/lib/conntrack-tools/ which might
not be true if options like --prefix with different location is
passed to conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
nfct-extensions/timeout.c: In function ‘nfct_timeout_cb’:
nfct-extensions/timeout.c:99:2: warning: passing argument 4 of ‘nfct_timeout_snprintf’ makes integer from pointer without a cast [enabled by default]
/usr/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h:114:5: note: expected ‘unsigned int’ but argument is of type ‘struct nfct_timeout *’
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
CC nfct-extensions/timeout.o
../../src/nfct-extensions/timeout.c: In function ‘nfct_cmd_timeout_parse_params’:
../../src/nfct-extensions/timeout.c:40:27: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
I'll need for the upcoming cthelper infrastructure. Moreover, we avoid
more fragmentation in the netfilter user-space utilities. And the plan
is that `nfct' will replace `conntrack' at some point.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
