Commit message | Author | Age | Files | Lines

Reliability comes at the cost of dropping new flows if the
destroy event that ctnetlink delivers to us is lost. Under
heavy stress this may imply dropping packets; you've been
warned.
If you do not want to lose a single piece of flow-logging
information, enable this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

nfct_sizeof() allows memcpy() of ct objects, which violates the
library design (that aims to hide binary layout).
We use nfct_copy() with the override flag instead as added by
libnetfilter_conntrack 0.9.1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This closes the following bug:
http://bugzilla.netfilter.org/show_bug.cgi?id=684
This problem was introduced with the XML output plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, we copy the conntrack object that we propagate
to the output plugin instances *only once*.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a problem in configurations that use the NFCT
plugin as input in several stacks. The first plugin loaded contains
the hashtable and other important NFCT private data. Other plugin
instances of NFCT are dummies that are only used to store the
output keys.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds XML support that allows logging information in XML
for ulogd2. It supports packet and flow-based accounting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a feature that allows forcing the logging of
the existing entries and resetting the counters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes the number of options in NFCT, which is
actually 8, not 7.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch splits event_handler into two functions:
event_handler_hashtable and event_handler_no_hashtable.
Thus, we register the appropriate handler during the
initialization time. This patch is a cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch replaces the existing hashtable implementation with
a newer one that provides better performance since it reduces the
number of hash computations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for poll-based logging. Basically,
ulogd polls from the kernel periodically to log entries. You
can use the `pollinterval' option in the configuration file to
set the polling period.
This patch changes the current behaviour of `pollinterval'
that allowed mixing event-driven logging with polling
periodically from the kernel. I have tried to look for
anyone on Google (and asking Eric Leblond) using this
feature but I found no one.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch cleans up the destructor and the destructor functions
in the NFCT plugin. I know, this patch isn't easy to review
because it includes too many changes in one.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch reduces the verbosity of the log messages that report
netlink overruns.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds `netlink_resync_timeout' that allows you to set
the number of seconds that we wait to perform a resynchronization
due to a netlink overrun. This patch changes the default timeout
from 2 to 60 seconds (less aggressive).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, we schedule one resynchronization against the
kernel conntrack table that will occur in two seconds (still
we need a patch to make this configurable). Before this, we
scheduled a resynchronization for every overrun, which is very
bad in a scenario in which overruns occur very frequently.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a NULL dereference to the timestamp structure when
hashtable_add() fails, for example, because the hashtable is full.
Reported-by: Bernhard Schmidt <berni@birkenwald.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch deletes the overrun timer in the destructor function.

ulogd_inpflow_NFCT.c: In function 'propagate_ct':
ulogd_inpflow_NFCT.c:483: error: 'IPPROTO_UDPLITE' undeclared (first use in this function)
(and more for IPPROTO_SCTP)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

This patch fixes a memory leak in the destructor function which was not
releasing the memory allocated for each connection tracking entry.

This patch fixes some crashes in NFCT plugin that were triggered
by the call of the destructor_nfct function (during stop).

This patch cleans up the current key assignment by introducing a
set of functions ukey_* to set the key value, as Eric Leblond and
I discussed during the latest Netfilter Workshop. This patch is
based on an idea from Holger Eitzenberger.
Signed-off-by: Eric Leblond <eric@inl.fr>

This patch fixes some messages in the NFCT and NFLOG input
plugins (end of line before quote). It also fixes indenting by
suppressing some spaces on empty lines and replacing spaces by tabs.
Signed-off-by: Eric Leblond <eric@inl.fr>

This patch fixes NFCT when hash_enable is 0. Limitation of treatment to
the NFCT_DESTROY message type causes usage of the hashtable function and
hence a crash because it is not initialized.
Signed-off-by: regit <regit@ghlodit.inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>

is used (hash_enable=1 which is the default)

STOP timestamp for DESTROY packet

This patch cleans up the key building by breaking lines at 80 columns and
it fixes the IPv6 support (use of a pointer after free) by introducing a new
128 bit type.

This patch improves the overrun handling. The logic behind this patch
consists of two steps:
1) duplicate the netlink buffer size if the size does not go beyond the
upper boundary.
2) schedule a resynchronization (in two seconds) with the kernel conntrack
table if we hit ENOBUFS. During the resynchronization, the NFCT plugin dumps
the current table and purges the objects that do not exist anymore.
This patch also introduces two new clauses, netlink_socket_buffer_size
and netlink_socket_buffer_maxsize, that set the size of the netlink socket
buffer.

This patch introduces a generic hashtable to store the nf_conntrack objects.
The objects are identified by the original and reply tuples instead of the
conntrack ID, which is not dumped in the event message of Linux kernel < 2.6.25.
This patch also replaces NFCT_MSG_* with NFCT_T_*, which is the appropriate
message type tag.

plugin. To be able to send IP addresses to the IP2STR and IP2BIN module
oob.family and oob.protocol keys have been added.
Signed-off-by: Eric Leblond <eric@inl.fr>

- event mask is now configurable through the event_mask configuration variable
- event type is now stored in the ct.event output key. This can be used to
display the information or to implement some tracking algorithm in
userspace.
Signed-off-by: Eric Leblond <eric@inl.fr>

able to use multiple times the same instance of NFCT.
Signed-off-by: Eric Leblond <eric@inl.fr>

- fix crash when enabling pollinterval clause in flow-based accounting

Signed-off-by: Eric Leblond <eric@inl.fr>

The following patch fixes some indenting and typos in various ulogd2
files.
Eric Leblond <eric@inl.fr>

output is compatible with the SYSLOG and LOGEMU plugins. (Philip Craig)

1) correctly name flow.end.usec
2) initialize 'idle' list_head
3) don't allocate hash table in case hash_use=0
4) fix invalid pointer arithmetic

original patch by Christian Hentschel, amended as follows:
1) the hash table has to be per-instance, since [at least in the future]
we can have nfnetlink messages routed from other machines over the
network, thus every NFCT instance has to have its own hash table.
2) Whether or not to use a preallocated table is now a configuration
value, as is the number of buckets and max_entries
3) configure_nfct was not used in the struct ulogd_plugin.configure
4) don't put the hashtable buckets in BSS, but rather allocate them
dynamically
5) allocate all ct_timestamps (in the preallocated case) at once, rather
than malloc()ing each on its own.
6) use official IPFIX fields for flow start and flow end instead of
private numbers
7) use llist instead of list (linuxlist.h adds an additional 'l')
8) add lots of TODO items
9) add IPFIX_NF_conntrack_id to header file

- Rename "tcp.[sd]port" into "l4.[sd]port" (Christian Hentschel)

version

- fix segfault due to missing priv_size