summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* automake: add missing cidr.hconntrack-tools-0.9.9Pablo Neira Ayuso2008-12-181-1/+1
| | | | | | This patch adds cidr.h to Makefile.am in include/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: cleanup, rename hashtable_test() by hashtable_find()Pablo Neira Ayuso2008-12-171-1/+1
| | | | | | | | This patch renames the function hashtable_test() by hashtable_find() which is a better name IMO to describe this function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: shrink alive message sizePablo Neira Ayuso2008-12-131-3/+3
| | | | | | | | | | This patch reduces the size of alive messages by removing the "from" and "to" fields which are not of any help. This patch also removes the IS_CTL() macro since it does not return true for the control messages anymore but only for IS_ACK(), IS_NACK() and IS_RESYNC(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: do more strict message type checkingPablo Neira Ayuso2008-12-131-5/+7
| | | | | | | This patch adds more strict checking in the message type. We add a new message type NET_T_CTL for control messages. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: use NET_T_* instead of NFCT_Q_*Pablo Neira Ayuso2008-12-131-0/+7
| | | | | | | | This patch replaces the use of NFCT_Q_* in the message type by specific network message type NET_T_*. The query types are reserved for libnetfilter_conntrack operations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix EILSEQ error messages due to process race conditionPablo Neira Ayuso2008-12-111-8/+8
| | | | | | | | | | | | | | | | | | | | | This patch fixes a race condition that triggers EILSEQ errors (wrong sequence message). The problems is triggered when the child process resets the timers at the same time that the parent process requests a resync. Since both the child and the parent process use the same descriptors, the sequence tracking code in libnfnetlink gets confused as it considers that it is receiving out of sequence netlink messages. This patch introduces internal handlers to commit and reset timers so that the parent and the child do not use the same descriptors to operate with the kernel. This patch changes the prototype of all nf_*_conntrack() functions. Now, the nfct handler is passed as first parameter, this change is required to fix this problem. The rest of the changes on the API is done for consistency. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: recover conntrackd -F operationPablo Neira Ayuso2008-12-091-0/+1
| | | | | | | | | This patch recovers the option -F for conntrackd. This will be particularly useful to flush the kernel conntrack table without getting the event notification of the conntrack deletions (that will happen with Linux kernel >= 2.6.29). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: strict attribute size checkingPablo Neira Ayuso2008-12-081-0/+2
| | | | | | | This patch adds strict attribute size checking. This is good to detect corrupted or malformed messages. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: fix data offset alignment returned by NTA_DATA macroPablo Neira Ayuso2008-12-081-1/+1
| | | | | | | This patch aligns the data offset that is returned by the NTA_DATA macro. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: remove the netpld header from the messagesPablo Neira Ayuso2008-12-081-25/+22
| | | | | | | | | This patch simplifies the message format of the replication messages. As a result, we save four bytes. The netpld header was introduced in the early protocol design. Today, it does not have any reason to exist. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: remove length parameter of mcast_buffered_send_netmsg()Pablo Neira Ayuso2008-12-081-1/+1
| | | | | | | | This patch simplifies mcast_buffered_send_netmsg() by removing the length parameter. Instead, we use the length field in the nethdr to know the message size to be sent. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: remove unused function mcast_send_netmsg()Pablo Neira Ayuso2008-12-081-1/+0
| | | | | | This patch removes the unused function mcast_send_netmsg(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parse: fix missing master layer 4 protocol number assignationPablo Neira Ayuso2008-12-081-0/+1
| | | | | | | | | | | This patch fixes NTA_MASTER_L4PROTO parsing which was missing. This problem was introduced in "network: rework TLV-based protocol", commit id 76ac8ebe5e49385585c8e29fe530ed4baef390bf, ie. somewhere in the development of 0.9.9. This patch also fixes the size of parsing callback array that is NTA_MAX, not ATTR_MAX. This problem does not affect conntrack-tools <= 0.9.8. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove unnecessary whitespace lines in netlink.hPablo Neira Ayuso2008-12-071-10/+0
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: constify conntrack object parameter of nl_*_conntrack()Pablo Neira Ayuso2008-12-071-3/+3
| | | | | | | This patch constifies the first parameter, which is a conntrack object, in all nl_*_conntrack() functions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: clone conntrack object while creation/updatePablo Neira Ayuso2008-12-061-2/+2
| | | | | | | | | | | | | | | | | This patch changes the behaviour of nl_create_conntrack() and nl_update_conntrack() which now clone the conntrack object received as parameter. This was not required as these functions were called inside fork(), thus, they modified a copy of the real conntrack objects in the child process. However, this behaviour is broken following the try-again logic in __do_commit_step. For example, if we try to update an expected conntrack object that has vanished for whatever reason, since nl_update_conntrack() modifies the object (unset the master conntrack information), nl_create_conntrak() will create an entry without the master conntrack information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: do not include NTA_TIMEOUT in the replication messagesPablo Neira Ayuso2008-12-061-1/+1
| | | | | | | | | With this patch, NTA_TIMEOUT is not included in the replication messages anymore. During the fail-over, we set a small timeout to purge the entries that were not recovered successfully (however, unsuccessful recovery should not happen ever). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: make tx buffer initialization independent of mcast configPablo Neira Ayuso2008-11-301-1/+1
| | | | | | | | | | This patch changes the prototype of mcast_buffered_init() to receive as argument the MTU size instead of the multicast configuration. This decouples the initialization of the tx buffer from the multicast configuration. This patch is needed by the multi-dedicated link support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: move callbacks to run.c for better readabilityPablo Neira Ayuso2008-11-272-7/+5
| | | | | | | | | This patch is a cleanup. It moves the callbacks from netlink.c to run.c where they are actually invoked. This is better for code readability as I usually have to switch from run.c to netlink.c to remember what the callbacks actually do. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fds: remove unused array of file descriptorsPablo Neira Ayuso2008-11-261-3/+0
| | | | | | | This patch removes an unused array of file descriptors inside the fds structure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: CIDR-based filtering supportPablo Neira Ayuso2008-11-254-2/+36
| | | | | | | | | | This patch adds CIDR-based filtering support. The current implementation is O(n). This patch also introduces the vector data type which is used to store the IP address and the network mask. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add attribute header size to total attribute lengthPablo Neira Ayuso2008-11-251-3/+3
| | | | | | | | | | | | | | This patch adds the size of the attribute header (4 bytes) to the length field of netattr. This fixes a possible invalid memory access in malformed messages. This change is included in the set of scheduled changes for 0.9.9 that break backward compatibility. This patch also removes a memset of 4096 by one to initialize the headers and the netattr paddings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: choose the filtering method via configuration filePablo Neira Ayuso2008-11-181-1/+1
| | | | | | | | | | | | | | | | This patch changes the current behaviour of the filtering selection. Up to now, conntrackd has used the kernel version to select the filtering method based on the following logic: If kernel is >= 2.6.26 we use BSF-based filtering from kernel-space, otherwise, default to userspace. However, this filtering method still lacks of IPv6 support and it requires a patch that got into 2.6.29 to filter IPv6 addresses from kernel-space. To fix this issue, we default to user-space filtering and let the user choose the method via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: use jhash2 instead of jhash for IPv6 addressesPablo Neira Ayuso2008-11-151-1/+1
| | | | | | | Since an IPv6 address can be seen as an array of uint32_t. Use the optimized jhash2() function instead of the generic jhash(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: rework TLV-based protocolPablo Neira Ayuso2008-11-021-0/+29
| | | | | | | | | | | | | | | This patch reworks the TLV-based protocol to reduce the overhead in the message building. The idea is to group some attributes that must be present in a consistent configuration. Putting them together help us to save some cycles in the message building. Now, oprofile reports ~15% of samples in the build path instead of ~25%. CPU consumption for 3000 HTTP GET requests per second (1000 concurrent with apache benchmark tool) is ~45% in my testbed, that is ~19% more consumption than with no replication at all. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: add protocol version field (breaks backward compatibility)Pablo Neira Ayuso2008-11-021-4/+6
| | | | | | | | | | | | | This patch adds the version field (8-bits long) to the nethdr structure. This fields can be used to indicate the protocol version in case that we detect an incompatibility between two conntrackd daemons working with different protocol versions. Unfortunately, this patch breaks backward compatibility, ie. conntrackd <= 0.9.8 protocol is not compatible with the upcoming conntrackd >= 0.9.9. Better do this now than later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: add option `-v' to output debugging information (if any)Pablo Neira Ayuso2008-10-261-0/+1
| | | | | | | | | | | | | | | | This patch introduces the option `-v' to show useful debugging information, if any. As for now, only sync-ftfw.c make use of it to display the content and the length of the resent list/queue. This is useful to check for message leaks. Other working modes or synchronization approaches may use it to display debugging information in the future. This patch removes _SIGNAL_DEBUG in sync-ftfw.c that was used for for the same purpose. However, it could only be enabled at compilation time and it uses signalling instead of the standard UNIX socket interface that conntrackd provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: do not filter in user-space if kernel supports BSFPablo Neira Ayuso2008-10-211-1/+1
| | | | | | | | | This patch avoids a double filtering in user-space and kernel-space if the kernel support BSF. Since we do not use BSF for dumps and resyncs, we add a new parameter to ignore_conntrack to indicate if we have to perform the filtering in user-space or not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix filtering for unsupported protocolPablo Neira Ayuso2008-10-041-0/+1
| | | | | | | | | This patch fixes filtering for unsupported protocol. Thus, you can use -L -p 47 or -L -p gre to filter `gre' traffic. Based on an initial patch from Bryan Duff <bduff@astrocorp.com>. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: cleanup XML header handlingPablo Neira Ayuso2008-09-281-6/+0
| | | | | | | This patch removes the use of snprintf and directly print the XML header to the standard output. This simplifies the handling. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: fix race condition in the helloing routinePablo Neira Ayuso2008-09-251-6/+0
| | | | | | | | | | | | | | | | | | | | This patch fixes a race condition that can prevent one node from sending the initial hello message required to reset the sequence tracking. node A node B | | start | | hello msg |----------------------->| stop | | start | | |<-----------------------| hello-back msg In the picture above, the node A never sends the hello messages. Thus, the node B drops the next messages as they are in the before boundary. This patch adds a new state to the the helloing state-machine to fix this problem. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: check if kernel-space filtering is availablePablo Neira Ayuso2008-09-171-0/+1
| | | | | | | | Check if the Linux kernel is >= 2.6.26, otherwise it does not support kernel-space filtering. This is not clean but we have no choice, the BSF infrastructure does not return ENOTSUPP for unsupported operations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache iterators: commit master entries before related onesPablo Neira Ayuso2008-08-071-0/+14
| | | | | | Commit master entries before related ones to avoid ENOENT errors. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache iterators: rework cache_reset_timersPablo Neira Ayuso2008-08-071-0/+1
| | | | | | | | | | | This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add getter and check existence functionsPablo Neira Ayuso2008-08-072-0/+5
| | | | | | | | | | This patch adds nl_get_conntrack and it changes the behaviour of nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for a conntrack and updates the cached entry. On the other hand, nl_exist_conntrack only inquiries for the existence of the entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add -t option to shorten conntrack timeoutsPablo Neira Ayuso2008-08-022-0/+2
| | | | | | | | | | | | | | | | | This patch adds the new option `-t' for conntrackd. This option shortens the value of the timeout for the cached entries that lives in the kernel. This option is particularly useful to remove the zombie established entries that remain in kernel if the user tests the platform by forcing the takeover from one to another node several times. We currently use the value of CommitTimeout which is sane for it. Adding a new option does not seem to add more flexibility IMO. Once we get the patches to notify user changes via ctnetlink and the netlink flag NLM_F_ECHO works, we may directly invoke a massive purge of the entries, however, such solution would still need evaluation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: show consistent information to users for problem diagnosingPablo Neira Ayuso2008-08-011-0/+2
| | | | | | | | | | This patch hides information that may confuse users while they are diagnosing problems in their setup. For example, we hide entries that are schedule to expire - from the user side, they are already destroyed entries; and we show in the counters the real active entries, not all that are stored in the caches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix broken normal deletion in cachesPablo Neira Ayuso2008-08-011-1/+2
| | | | | | | | | | | | This patch fixes the non-timer-based cache deletion. This bug affects the alarm-based approach since the backup replicas did not get the deletion event, thus, delaying the deletion. This patch introduces cache_find() to look up for a conntrack object and __cache_del_timer() to perform direct deletions by means of the pointer obtained with cache_find(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* CLI: add new option --buffer-size for -EPablo Neira Ayuso2008-07-291-1/+4
| | | | | | | Add new option --buffer-size for -E to set the netlink socket buffer size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add support for kernel-space filtering via BSFPablo Neira Ayuso2008-07-231-0/+2
| | | | | | | This patch adds support for kernel-space filtering via BSF by means of the libnetfilter_conntrack's BSF high-level API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-226-44/+71
| | | | | | | | | | This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix xml output: wrap output with one root elementPablo Neira Ayuso2008-06-221-0/+6
|
* fix make distcheckPablo Neira Ayuso2008-05-271-1/+1
|
* rework the HELLO logic inside FT-FWPablo Neira Ayuso2008-05-261-1/+11
|
* add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso2008-05-251-0/+1
|
* add eventfd emulation to communicate receiver -> senderPablo Neira Ayuso2008-05-253-1/+16
|
* add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffersPablo Neira Ayuso2008-05-201-0/+2
|
* improve network message sanity checkingsPablo Neira Ayuso2008-05-182-2/+2
|
* Fix reorder possible reordering of destroy messages under message omission. ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-293-2/+5
| | | | This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
* rework of the FT-FW approach/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-261-15/+23
|