summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* conntrack: display informative message if expectation table is flushedPablo Neira Ayuso2011-02-221-0/+2
| | | | | | | | | | | With this patch, we display the following message after: # conntrack -F expect conntrack v0.9.15 (conntrack-tools): expectation table has been emptied. To make it consistent with the message displayed with conntrack -F. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: remove use of deprecated nfct_maxsize()Pablo Neira Ayuso2011-02-182-11/+16
| | | | | | | This patch removes the use of nfct_maxsize() and several abusive stack-based allocations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: allocate template objects in the heapPablo Neira Ayuso2011-02-171-61/+89
| | | | | | | | | | With this patch, we don't abuse the stack anymore, instead we allocate the template objects that are used in the heap. We stop using nfct_maxsize() which is now deprecated in libnetfilter_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: use nfct_copy() with override flag in cache_object_new()Pablo Neira Ayuso2011-02-171-1/+1
| | | | | | | | | Using memcpy() is not safe, it breaks secctx and it may break more things in the future. Moreover, nfct_size*() functions will be deprecated soon, they are evil since they open the window to memcpy(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add -o ktimestamp option (it requires linux >= 2.6.38)Pablo Neira Ayuso2011-02-171-2/+7
| | | | | | | | | | | | | | | | | | | | | | | This option requires Linux kernel >= 2.6.38, you have to enable conntrack timestamping with: echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp # conntrack -L -o ktimestamp udp 17 59 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=121 [start=Thu Feb 17 17:41:18 2011] use=1 # conntrack -L conntrack v0.9.15 (conntrack-tools): 20 flow entries have been shown. udp 17 31 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=149 use=1 # conntrack -E -o ktimestamp ... [DESTROY] udp 17 src=192.168.1.128 dst=192.168.1.1 sport=40162 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=40162 [ASSURED] delta-time=3 [start=Thu Feb 17 17:44:57 2011] [stop=Thu Feb 17 17:45:00 2011] # conntrack -E [DESTROY] udp 17 src=192.168.1.128 dst=77.226.252.14 sport=123 dport=123 src=77.226.252.14 dst=192.168.1.128 sport=123 dport=123 delta-time=8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: rise number of committed entries per stepPablo Neira Ayuso2011-02-161-1/+1
| | | | | | | | | | | This patch rises the number of committed entries per step from 64 to 8192. Experimental results in active-active setups here show that we reduce the commit time with this value significantly. This deserves some more study, it can be a good idea to remove this commit per step completely. I leave this for the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: event iteration limiter is already reset in main select loopPablo Neira Ayuso2011-02-161-3/+3
| | | | | | | This patch removes an unnecessary reset of the event iteration limiter that is already done in the main select loop. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: log if we received a commit request while already one in progressPablo Neira Ayuso2011-02-152-9/+13
| | | | | | | | | | | | This patch improves the case in which we receive a commit request but we are already performing one. This behaviour is suspicious since the HA manager should not trigger a double master transition. Otherwise, something probably is not configured appropriately. This improves 98756c2608f0879a2322919c7441973216565272 "cache: close commit request if we already have one in progress". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: close commit request if we already have one in progressPablo Neira Ayuso2011-02-132-0/+7
| | | | | | | | We close a commit request if there's already one in progress. This patch fixes a problem that may be triggered if two consecutive commit requests are received. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: don't override initial return value of local handlerPablo Neira Ayuso2011-02-131-8/+4
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* local: don't override initial return valuePablo Neira Ayuso2011-02-131-5/+1
| | | | | | | | | | | The return initial value is overriden after the initial read. Don't override this value, instead we check the return value of the read() operation. This patch also changes the error statistics accounting since we consider that a request with no data is an error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use AM_YFLAGS instead of overriding YACCJan Engelhardt2010-11-051-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: resolve automake warningJan Engelhardt2010-11-051-1/+1
| | | | | | src/Makefile.am:24: whitespace following trailing backslash Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Add .gitignore filesJan Engelhardt2010-10-311-0/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: no need for error message in PKG_CHECK_MODULESJan Engelhardt2010-10-311-3/+2
| | | | | | | | | | | PKG_CHECK_MODULES already produces its own (and more verbose) messsage when a module cannot be found. Mucking around with CFLAGS and LIBS is also not needed since pkgconfig takes care of providing variables, so let's use them in Makefile.am. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove unused $(all_libraries)Jan Engelhardt2010-10-311-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* conntrack: allow to listen to all kind of expectation eventsPablo Neira Ayuso2010-10-121-8/+55
| | | | | | | So far, conntrack only allows to listen to events of new expectations. With this patch, we can listen to events of destroyed expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix parsing of NAT sequence adjustment in synchronization messagesPablo Neira Ayuso2010-07-131-5/+5
| | | | | | | | | | This patch fixes a bug that results in an incorrect parsing of the NAT sequence adjustment in synchronization messages. Spotted by Adam Gundy in the following message that was sent to the netfilter ML: http://marc.info/?l=netfilter&m=127894708222913&w=2 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: replace cryptic `mfrm' by `malformed' in `-s'Mohit Mehta2010-07-091-3/+3
| | | | | | | | | | | Looking at the output of `conntrackd -s`; I didn't know what 'mfrm' meant under the 'message sequence tracking' section so I had to look up the code for this. While doing so, I replaced 'mfrm' with 'malformed' in the output since I thought other users might be confused as well as I was looking at that word. Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: setup event reliability after handler creationPablo Neira Ayuso2010-07-071-12/+13
| | | | | | | This patch enables the event reliability in an early stage of the event handler initialization. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: open event handler once cache has been populatedPablo Neira Ayuso2010-07-071-13/+18
| | | | | | | | | | | | | With this patch, we open the event handler once the internal cache (if any) is populated. This reduces the chances of a possible premature overrun if we lauch conntrackd in a busy firewall. However, we may still start with an internal cache that may differ a bit from the once in the kernel. This patch has no impact in setups where conntrackd is started in a spare firewall. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: enforce strict logic for NetlinkBufferSize[*] clausesMohit Mehta2010-07-071-14/+20
| | | | | | | | | | | | | | | - NetlinkBufferSize value passed to the kernel gets doubled [see SO_RCVBUF in net/core/sock.c]; it's halved now before it gets sent to the kernel. This ensures that daemon starts up with a netlink socket buffer size equal to the value set for NetlinkBufferSize in configuration file. - Previously, netlink socket buffer size would only stop increasing after it had increased beyond NetlinkBufferSizeMaxGrowth value. With this commit netlink socket buffer size increases as long as it is less than or equal to NetlinkBufferSizeMaxGrowth value. Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add zone supportPablo Neira Ayuso2010-07-051-22/+37
| | | | | | | | This patch adds `--zone' to the command line tool. This adds the missing user-space support for Patrick's McHardy iptables CT target. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix ICMPv6 supportPablo Neira Ayuso2010-07-012-1/+2
| | | | | | | | | | | This patch fixes several minor nitpicks to support IPv6 failover: * ICMPv6 type/code/id were missing in synchronization messages. * The use of '-' as string in the configuration file was not allowed. * Include example in configuration file under doc/. Reported-by: Mohit Mehta <mohit.mehta@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: update error message for max netlink socket size reachedMohit Mehta2010-07-011-2/+2
| | | | | | | It must refer to NetlinkBufferSize[*] instead of "SocketBufferSize[*]. Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: cleanup parsing of the NAT argumentsPablo Neira Ayuso2010-07-011-12/+19
| | | | | | | | | | | | | | | This patch cleans up nat_parse() and it also displays nicer error message for malformed arguments. % conntrack -L --src-nat :80 conntrack v0.9.14 (conntrack-tools): No IP specified Try `conntrack -h' or 'conntrack --help' for more information. % conntrack -L --src-nat 1.1.1.1: conntrack v0.9.14 (conntrack-tools): No port specified after `:' Try `conntrack -h' or 'conntrack --help' for more information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `conntrack --[src|dst|any]-nat IP:PORT' if port mismatchesPablo Neira Ayuso2010-07-011-0/+16
| | | | | | | | This patch fixes the filtering if the IP matches an entry but the PORT does not matches. Without this patch, the entry is shown when it should be not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: --[src|dst|any]-nat requires IP:PORT as argumentPablo Neira Ayuso2010-07-011-1/+3
| | | | | | | This patch restricts the behaviour that we previously introduced in 142606c60808b3ab0496155ac3d086765e6baef3. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `conntrack --any-nat 1.1.1.1' filteringPablo Neira Ayuso2010-07-011-2/+2
| | | | | | | This patch adds the missing bits to allow to filter with --any-nat based on the IP address. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `conntrack --src-nat 1.1.1.1' if PAT appliedPablo Neira Ayuso2010-07-011-6/+6
| | | | | | | | This patch fixes another scenario in which the flow has some PAT mangling and we passed the src-nat address that we want to use to perform the filtering. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `conntrack --src-nat 3.3.3.3' and similarPablo Neira Ayuso2010-07-011-4/+14
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix bogus NATted flows in filteringPablo Neira Ayuso2010-07-011-4/+8
| | | | | | | | | | | With this patch, conntrack does not show bogus entries that have no NAT applied due to a relaxed checking. conntrack -L --src-nat :80 tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1 conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: re-fix inconsistent display with `--src-nat' and `--dst-nat'Pablo Neira Ayuso2010-07-011-46/+30
| | | | | | | | | | In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the inconsistent behaviour that I described in 85f94171a71880c744f265268f33ad58819caa74. Great. This patch fixes this again. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add `--any-nat' to filter any NATted flowPablo Neira Ayuso2010-07-011-22/+70
| | | | | | | This patch adds the --any-nat option that allows to display src-NATted OR dst-NATted flows. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix port filter with `--src-nat' and `--dst-nat'Pablo Neira Ayuso2010-06-281-31/+39
| | | | | | | | This patch allows the following command to filter port-based NAT: $ conntrack -L --dst-nat :9999 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: put all the commands and options code togetherPablo Neira Ayuso2010-06-221-120/+263
| | | | | | | | This patch is a cleanup, it puts all the commands and options code together. This makes easier and less error-prone the task to add new commands and options. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: expand array that maps option-flags to option-namesPablo Neira Ayuso2010-06-221-3/+23
| | | | | | | This patch is a cleanup, it expands an array that contains the correspondence between the option-flags and the option-names. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: complete TCP window scale supportPablo Neira Ayuso2010-06-171-0/+4
| | | | | | | | | | In commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d, I added the TCP window scale factor support but it was incomplete. We have to set the IP_CT_TCP_FLAG_WINDOW_SCALE flag to update the td_scale field via ctnetlink. Check nlattr_to_tcp(...) function in nf_conntrack_proto_tcp.c for more details. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: `-L --src-nat --dst-nat' filter using AND, not OR logicPablo Neira Ayuso2010-06-171-3/+17
| | | | | | | | | | | | The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted OR destination-natted flows. This patch changes the behaviour to show source-natted AND destination-natted flows. This is the consistent behaviour that we expect from conntrack (this is how it works for other options indeed). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `conntrack -L --src-nat --dst-nat' (second try)Pablo Neira Ayuso2010-06-171-13/+9
| | | | | | This patch fixes the filtering with --src-nat and --dst-nat options. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: revert fix `-L --src-nat --dst-nat'Pablo Neira Ayuso2010-06-171-9/+13
| | | | | | | This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since it breaks conntrack listing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: `-i -x' does not display internal cache in XMLMohit Mehta2010-06-151-1/+1
| | | | | | | | `conntrackd -i -x' does not display internal cache in XML, this patch fixes the problem. Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix `-L --src-nat --dst-nat'Pablo Neira Ayuso2010-06-101-13/+9
| | | | | | | | Since > 0.9.6, the conntrack listing with the options --src-nat and --dst-nat does not work. This patch fixes the problem. Reported-by: Mohit Mehta <mohit.mehta@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: split __run() routine for poll and event-driven modesPablo Neira Ayuso2010-02-281-71/+105
| | | | | | | | This patch splits the __run() routine into two functions, run_polling() and run_events() that are selected once in run-time. We save one branch in a loop that intensively executed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix `conntrackd -c' if external cache is disabledPablo Neira Ayuso2010-02-173-5/+7
| | | | | | | | | | This patch fixes a hung that occurs if you invoke `conntrackd -c' and you have disabled the external cache. Note that `conntrackd -c' does nothing since there is no entries in the external cache to be committed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cleanup port addition in the message building pathPablo Neira Ayuso2010-02-161-6/+17
| | | | | | | | This patch move the ports addition to the layer 4 functions, instead of checking for the port attribute. It also add a function for UDP otherwise we break support for this protocol. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for TCP window scale factor synchronizationPablo Neira Ayuso2010-02-115-10/+44
| | | | | | | This patch adds a new option TCPWindowTracking that allows not to disable TCP window tracking as it occurs by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix UDP filtering in configuration filePablo Neira Ayuso2010-02-111-0/+19
| | | | | | | | UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix flow-state filtering for TCPPablo Neira Ayuso2009-12-231-1/+4
| | | | | | | | This patch fixes the clause `State' in `Filter' that allows you to filter by protocol state. This bug was introduced during the implementation of the TCP-based synchronization. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add ICMP support for state-synchronizationPablo Neira Ayuso2009-12-192-1/+23
| | | | | | | | This patch adds state-synchronization for ICMP. You SHOULD use a Linux kernel >= 2.6.31, otherwise this patch can result in tons of state-updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>