From fb17dccd91ba9448c2adaca2dcf0f9d665e1e8a4 Mon Sep 17 00:00:00 2001
From: "Ayuso/emailAddress=pablo@netfilter.org"
Date: Fri, 21 Dec 2007 18:35:10 +0000
Subject: o add support for related conntracks (requires Linux kernel >= 2.6.22) o update leftover references to `persistent' and `nack' modes

---
 ChangeLog | 1 +
 INSTALL | 8 ++++----
 TODO | 8 ++++----
 src/build.c | 14 ++++++++++++++
 src/parse.c | 6 ++++++
 src/read_config_yy.y | 20 ++++++++++----------
 6 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e893439..2a3a112 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@ o Use more appropriate names for the existing synchronization modes:
 o rename `nack' mode to `ftfw'
 o Now default synchronization mode is ftfw instead of alarm
 o rename `examples' directory to `doc'
+o add support for related conntracks (requires Linux kernel >= 2.6.22)
 
 version 0.9.5 (2007/07/29)
 ------------------------------
diff --git a/INSTALL b/INSTALL
index f619c1e..cfb642e 100644
--- a/INSTALL
+++ b/INSTALL
@@ -115,9 +115,9 @@ Copyright (C) 2005-2007 Pablo Neira Ayuso
 # cp examples/sync/_type_/node1/conntrackd.conf /etc/conntrackd.conf
 
 Where _type_ is the synchronization type selected, currently there are
- two: the persistent mode and the NACK mode. The persistent mode consumes
- more resources than the NACK mode but resolves synchronization issues
- better. On the other the NACK mode reduces resource consumption. I'll
+ two: the alarm mode and the FTFW mode. The alarm mode consumes
+ more resources than the FTFW mode but resolves synchronization issues
+ better. On the other the FTFW mode reduces resource consumption. I'll
 provide more information on both approaches soon.
 
 Do not forget to edit the files in order to adapt them to the
@@ -171,7 +171,7 @@ Copyright (C) 2005-2007 Pablo Neira Ayuso
 
 Therefore, on failure event, the candidate node takes over the virtual IPs
 and the connections that the failing active was processing. Observe
- that this file differs for the NACK mode.
+ that this file differs for the FTFW mode.
 
 6) Disable TCP window tracking
 
diff --git a/TODO b/TODO
index 7f5b949..61f7e69 100644
--- a/TODO
+++ b/TODO
@@ -3,12 +3,12 @@ by dificulty levels:
 
 = Relatively easy =
 [ ] improve shell scripts for keepalived/heartbeat: *really* important
-[ ] NACK as default protocol
-[ ] rename persistent to alarm
+[X] NACK as default protocol
+[X] rename persistent to alarm, rename nack to ftfw
 [X] manpage for conntrackd(8)
 [ ] add scripts to use the floating priority feature in keepalived to
 avoid premature take over.
-[ ] ignorepool with unlimited size and ignore networks
+[X] ignorepool with unlimited size and ignore networks
 [ ] selective conntracks removal
 [ ] debian/rpm packages
 [ ] improve website
@@ -18,7 +18,7 @@ by dificulty levels:
 = Requires some work =
 [ ] study better keepalived transitions
 [ ] test/fix ipv6 support
-[ ] add support setup related conntracks
+[X] add support setup related conntracks
 [ ] NAT sequence adjustment support
 
 = Open issues that won't be ever resolved =
diff --git a/src/build.c b/src/build.c
index 109b26e..5fdc83f 100644
--- a/src/build.c
+++ b/src/build.c
@@ -102,6 +102,20 @@ void build_netpld(struct nf_conntrack *ct, struct netpld *pld, int query)
 if (nfct_attr_is_set(ct, ATTR_STATUS))
 __build_u32(ct, pld, ATTR_STATUS);
 
+ /* setup the master conntrack */
+ if (nfct_attr_is_set(ct, ATTR_MASTER_IPV4_SRC))
+ __build_u32(ct, pld, ATTR_MASTER_IPV4_SRC);
+ if (nfct_attr_is_set(ct, ATTR_MASTER_IPV4_DST))
+ __build_u32(ct, pld, ATTR_MASTER_IPV4_DST);
+ if (nfct_attr_is_set(ct, ATTR_MASTER_L3PROTO))
+ __build_u8(ct, pld, ATTR_MASTER_L3PROTO);
+ if (nfct_attr_is_set(ct, ATTR_MASTER_PORT_SRC))
+ __build_u16(ct, pld, ATTR_MASTER_PORT_SRC);
+ if (nfct_attr_is_set(ct, ATTR_MASTER_PORT_DST))
+ __build_u16(ct, pld, ATTR_MASTER_PORT_DST);
+ if (nfct_attr_is_set(ct, ATTR_MASTER_L4PROTO))
+ __build_u8(ct, pld, ATTR_MASTER_L4PROTO);
+
 /* NAT */
 if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
 u_int32_t data = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST);
diff --git a/src/parse.c b/src/parse.c
index 8816e7a..0650995 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -56,6 +56,12 @@ parse h[ATTR_MAX] = {
 [ATTR_MARK] = parse_u32,
 [ATTR_STATUS] = parse_u32,
 [ATTR_SECMARK] = parse_u32,
+ [ATTR_MASTER_IPV4_SRC] = parse_u32,
+ [ATTR_MASTER_IPV4_DST] = parse_u32,
+ [ATTR_MASTER_L3PROTO] = parse_u8,
+ [ATTR_MASTER_PORT_SRC] = parse_u16,
+ [ATTR_MASTER_PORT_DST] = parse_u16,
+ [ATTR_MASTER_L4PROTO] = parse_u8
 };
 
 void parse_netpld(struct nf_conntrack *ct, struct netpld *pld, int *query)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 795aae9..6201923 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
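Review bot: The master tuple in the added block is emitted field by field, each behind its own `nfct_attr_is_set` test, so a conntrack object with only some ATTR_MASTER_* fields populated goes on the wire as a partial master and the receiving node cannot distinguish that from a complete one. Whether the peer's kernel then refuses the create or matches a wrong master is not visible from this hunk, so I would gate the whole block on the fields a lookup needs, e.g. `if (nfct_attr_is_set(ct, ATTR_MASTER_L3PROTO) && nfct_attr_is_set(ct, ATTR_MASTER_L4PROTO) && nfct_attr_is_set(ct, ATTR_MASTER_IPV4_SRC) && nfct_attr_is_set(ct, ATTR_MASTER_IPV4_DST)) {`, keeping the two port lines optional inside it. Only the IPv4 master addresses are serialized, and the TODO hunk in this same commit still lists ipv6 support as open, so a related conntrack whose master is IPv6 would presumably be sent with no master addresses at all; that deserves at least a comment. The comment `/* setup the master conntrack */` could also record the dependency stated in the commit message, e.g. `/* master tuple of a related conntrack: needs a >= 2.6.22 kernel on the receiver, which is expected to hold the master already */`. build_netpld starts before the hunk and continues past it.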
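Review bot: The six new table entries let a sync peer set the master tuple on a conntrack the receiver will create, so they are only as safe as the checks in parse_netpld: that the attribute id read from the payload is bounded by ATTR_MAX before it indexes h[], and that a gap in the table (designated initializers leave unlisted slots NULL) is never called. parse_netpld begins on the hunk's last line and its body is outside the hunk, so I could not confirm either here; if the id check is missing, add `if (attr >= ATTR_MAX || h[attr] == NULL) continue;` (with the names that loop actually uses) before the call. Minor: `[ATTR_MASTER_L4PROTO] = parse_u8` drops the trailing comma that `[ATTR_SECMARK] = parse_u32,` had, so the next addition will touch this line again; keep it as `[ATTR_MASTER_L4PROTO] = parse_u8,`.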
@@ -362,37 +362,37 @@ sync_line: refreshtime
 | multicast_line
 | relax_transitions
 | delay_destroy_msgs
- | sync_mode_persistent
- | sync_mode_nack
+ | sync_mode_alarm
+ | sync_mode_ftfw
 | listen_to
 | state_replication
 | cache_writethrough
 ;
 
-sync_mode_persistent: T_SYNC_MODE T_ALARM '{' sync_mode_persistent_list '}'
+sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
 {
 conf.flags |= SYNC_MODE_ALARM;
 };
 
-sync_mode_nack: T_SYNC_MODE T_FTFW '{' sync_mode_nack_list '}'
+sync_mode_ftfw: T_SYNC_MODE T_FTFW '{' sync_mode_ftfw_list '}'
 {
 conf.flags |= SYNC_MODE_FTFW;
 };
 
-sync_mode_persistent_list:
- | sync_mode_persistent_list sync_mode_persistent_line;
+sync_mode_alarm_list:
+ | sync_mode_alarm_list sync_mode_alarm_line;
 
-sync_mode_persistent_line: refreshtime
+sync_mode_alarm_line: refreshtime
 | expiretime
 | timeout
 | relax_transitions
 | delay_destroy_msgs
 ;
 
-sync_mode_nack_list:
- | sync_mode_nack_list sync_mode_nack_line;
+sync_mode_ftfw_list:
+ | sync_mode_ftfw_list sync_mode_ftfw_line;
 
-sync_mode_nack_line: resend_buffer_size
+sync_mode_ftfw_line: resend_buffer_size
 | timeout
 | window_size
 ;
-- 
cgit v1.2.3