| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
This patch adds two alias that removes an inconsistency in the
configuration file names. Now, the clauses that refers to Netlink
starts by the prefix "Netlink".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch includes libnfnetlink.h header in mcast.c to remove
a compilation warning due to missing prototype declaration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch reverts primary-backup-2.6.29-and-higher.sh. This script
is not safe for production enviroments until the commit phase
guarantees that the state-change propagation over netlink is
reliable. This script should be ready for 2.6.30 if the appropriate
kernel patches go into mainline in time.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch removes debug() and debug_ct(), I haven't use the
debugging information that these functions provide in years.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch makes conntrackd change the current dedicated link if
the message is correct, ie. neither malformed nor out-of-sync.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch fixes an endianess issue in the acknowledgment network
header. This breaks backward compatibility if different conntrackd
versions are used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch fixes an endianess issue in the synchronization network
header. This breaks backward compatibility if different conntrackd
versions are used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch removes the use of NFCT_DIR_MAX. This constant is part of
the old libnetfilter_conntrack API which has been removed from the
git tree. It was introduced in the early days of conntrackd, thus,
the use of this constant. Unfortunately, I did not notice until now.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch updates the script to remark the fact that it should be
used with Linux kernel < 2.6.29. Moreover, it adds a bulk-update
command after the commit in the primary path to avoid any race
condition (the backup may request a resync while this primary
is still committing the entries with an empty internal cache).
This is hackish, but I think that this is the best way to do this
for systems running a Linux kernel < 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds a new primary-backup.sh script for Linux kernels
>= 2.6.29. This script takes advantage of the user-space event
reporting that ctnetlink does since this kernel version.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch unset ACKWindowSize since it already sets the clause
to its default value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch removes the logging initialization for client requests
which is of any use for them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch also adds missing `-v' information to the manpage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch allows flushing the internal and/or the external cache.
The `-f' with no extra parameters still works to flush both the
internal and the external cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch fixes statistics logging based on polling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch moves the polling logic into the resync handler. The
dump handler action depended on the daemon working mode (polling
or event-driven) resulting in an inconsistent behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch uses the appropriate printf format to display the
commit time taken (it was using %llu instead of %lu).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch fixes the disabling on NetlinkOverrunResync, which
was broken.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
With this patch, you can use -p tcp --state to delete based on the
protocol state.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Currently, the daemon sends a flush request to the kernel-space.
With lots of entries and NetlinkOverrunResync disabled, the daemon
remains in an inconsistent state due to an overrun produced by the
flush report to userspace. With this patch, the daemon also flush
its internal cache after the kernel flush request.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds NetlinkOverrunResync. This option can be used to
set the amount of time after which the daemon resynchronizes itself
with the kernel state-table if it detects a Netlink overrun.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch improves the polling support included in 0.9.10. The
polling now consists of getting the state table, wait for PollSecs,
then purge obsolete entries, and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch removes:
* nl_init_dump_handler()
* nl_init_request_handler()
* nl_init_resync_handler()
since they all look very similar.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch fixes a compilation breakage when compiling the
conntrack-tools against a libnfnetlink library < 0.0.40.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch replaces INCLUDES by AM_CPPFLAGS according to a
suggestion from autoreconf.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add .gitignore files
- replace outdated autoconf macros by new constructs, including autogen.sh
- and use AC_CONFIG_MACRO_DIR as suggested by libtool2:
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.in and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch details a bit more the hashtable parameters. Moreover,
it increases the default size of the hashtable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch fixes a wrong use of 'from' instead of 'From' in the
example configuration files.
Reported-by: Yoann Juet <yoann.juet@univ-nantes.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch disables CommitTimeout by default. The daemon now uses
the approximate timeout calculation by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP
TIME_WAIT state. This patch is a workaround, the daemon should
propagate the internal TCP flags to make it fully independent of
possible changes in the TCP tracking code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch increases the default PurgeTimeout value to 60 seconds.
The former 15 seconds provides good real-time reaction in terms of
user-side expected behaviour, but it is too small if you trigger
random failure in a firewall cluster.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
During the commit phase, the entries in the external cache entries
are inserted in the kernel conntrack table. Currently, we use a
fixed timeout that is specified in the config file. With this patch,
if you don't specify the fixed timeout value via CommitTimeout, the
daemon calculates the real timeout value during the commit phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The lifetime feature is used by all working modes, it is useful to
know how long it has been an entry living in the cache. This patch
moves the lifetime feature to the main caching code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
With this patch, the `-t' option adds an alarm that will flush the
cache after CONFIG(purge_timeout) seconds specified in the config
file. This looks much cleaner and more performance that looping
on the entire conntrack table to set the new timeout of every single
entry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch removes the clone conntrack objects created before
calling nl_*_conntrack functions since they are not required
anymore (the previous patch guarantees that objects passed as
parameter are not modified).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch moves the timeout mangling inside nl_*_conntrack().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This function is a synonimous of nl_get_conntrack(), use the get
function instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The current commit code updates an entry it still exists in the
kernel. With this patch, we delete the entry and create a new one
to make sure that we start a clean session.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The option --status can be used with -I. Currently, this behaviour
is broken.
conntrack v0.9.9 (conntrack-tools): Illegal option `--status' with this command
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch obsoletes `DestroyTimeout' which has no clients anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectation, it loops on the table to count the number of entries
(as there is not proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch moves the existing `-v' behaviour to `-s queue' where it
really belongs. The `-v' option is now left to display the version
which is the common use of it.
# conntrackd -v
Connection tracking userspace daemon v0.9.9. Licensed under GPLv2.
(C) 2006-2009 Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds ResendQueueSize, which sets the number of objects
that can be stored in the resend queue waiting to be confirmed.
The ResendBufferSize clause has been deprecated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch adds the object counter to `conntrackd -s cache'. This
is useful to detect object leaks in runtime. This patch also changes
the layout of the output to fit the display in less than 24 lines
(assuming 24x80 terminal).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the clause PollSecs that changes the normal
behaviour of conntrackd. With PollSecs set to > 0, conntrackd
polls every N seconds the entries.
This is the opposed behaviour of an event-driven behaviour but may
be useful for those that have really strong limitations in terms of
CPU consumption and want to perform a relaxed replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch moves the file descriptor registration after the
initialization instead of having a specific hook for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch is a cleanup. The overrun handler is actually a way to
resynchronize against the conntrack kernel table. The name overrun
was used because it was initially its purpose. The new naming shows
its genericity.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds support for redundant dedicated links. You can add
a pool of dedicated links that can be used if the current active
fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|