summaryrefslogtreecommitdiffstats
path: root/src/Makefile.am
Commit message (Collapse)AuthorAgeFilesLines
* build: stop suppressing warnings for generated sourcesJeremy Sowden2023-08-281-3/+0
| | | | | | | | | Contrary to the comment that yacc and lex generate dirty code, none of the warnings being suppressed are in the generated code. Stop suppressing them in order to fix the code. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: reformat and sort `conntrack_LDADD` and `conntrackd_SOURCES`Jeremy Sowden2023-08-281-17/+60
| | | | | | | One per line. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: don't suppress various warningsSam James2022-11-241-1/+1
| | | | | | | | | | | | These will become fatal with Clang 16 and GCC 14 anyway, but let's address the real problem (followup commit). We do have to keep one wrt yyerror() & const char * though, but the issue is contained to the code Bison generates. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637 Signed-off-by: Sam James <sam@gentoo.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: remove lazy bindingPablo Neira Ayuso2022-03-091-2/+0
| | | | | | | | | | | | | | | | | | | | | | | Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when daemon starts"), userspace conntrack helpers do not depend on a previous invocation of nfct to set up the userspace helpers. Move helper definitions to nfct-extensions/helper.c since existing deployments might still invoke nfct, even if not required anymore. This patch was motivated by the removal of the lazy binding. Phil Sutter says: "For security purposes, distributions might want to pass -Wl,-z,now linker flags to all builds, thereby disabling lazy binding globally. In the past, nfct relied upon lazy binding: It uses the helper objects' parsing functions without but doesn't provide all symbols the objects use." Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove MAINTAINERCLEANFILESJeremy Sowden2021-12-171-1/+0
| | | | | | | | | automake generates rules to remove the files generated by bison and flex by default, so there is no need to add them explicitly to MAINTAINERCLEANFILES. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix dependency-tracking of yacc-generated headerJeremy Sowden2021-09-271-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | List it as a built source in order to force make to create it before compilation. Otherwise, a parallel make can end up attempting to compile the output of lex before yacc has finished generating its own output: $ make -j17 [...] YACC read_config_yy.c LEX read_config_lex.c CC stack.o CC resync.o CC cthelper.o CC helpers.o CC utils.o CC expect.o CC systemd.o CC nfct.o CC nfct-extensions/helper.o CC nfct-extensions/timeout.o CC read_config_lex.o read_config_lex.l:25:10: fatal error: read_config_yy.h: No such file or directory 25 | #include "read_config_yy.h" | ^~~~~~~~~~~~~~~~~~ compilation terminated. make[2]: *** [Makefile:701: read_config_lex.o] Error 1 make[2]: *** Waiting for unfinished jobs.... updating read_config_yy.h make[2]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src' make[1]: *** [Makefile:743: all-recursive] Error 1 make[1]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src' make: *** [Makefile:541: all-recursive] Error 1 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: clean yacc- and lex-generated files with maintainer-cleanJeremy Sowden2021-09-271-1/+1
| | | | | | | | | Automake expects to distribute yacc- and lex-generated sources, so that the user doesn't need to regenerate them. Therefore, the appropriate target to clean them is `maintainer-clean`. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: remove yacc-generated header from EXTRA_DISTJeremy Sowden2021-09-271-2/+0
| | | | | | | | Automake generates yacc and lex output files and includes them in distributions as a matter of course. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile.am: Use ${} instead of @...@Phil Sutter2019-11-121-1/+1
| | | | | | | | | | Referencing to variables using @...@ means they will be replaced by configure. This is not needed and may cause problems later. Suggested-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use -Wno-sign-compare with autogenerated flex codePablo Neira Ayuso2018-05-091-1/+1
| | | | | | | | | | | | | CC read_config_lex.o read_config_lex.c: In function ‘yy_get_next_buffer’: read_config_lex.c:2101:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] for ( n = 0; n < max_size && \ ^ read_config_lex.c:3016:3: note: in expansion of macro ‘YY_INPUT’ YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]), ^~~~~~~~ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: factorize resync operationsArturo Borrero Gonzalez2017-05-081-1/+1
| | | | | | | | | | | Resync operations factorization. There are two: * resync_send --> conntrackd -B (send bulk resync) * resync_req --> conntrackd -n (request resync) Future patches reuse this factorized code. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: factorice tx_queue functionsArturo Borrero Gonzalez2017-05-081-1/+1
| | | | | | | They are shared by both sync-ftfw and sync-notrack. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Link nfct and helper modules with `-z lazy`Kevin Cernekee2016-09-201-1/+1
| | | | | | | | | | | | | | | Some distributions, such as Gentoo and Chrome OS, try to link all programs with `-z now` as a security hardening measure. This breaks nfct, because nfct cannot satisfy all of the helper modules' symbols. Therefore nfct implicitly depends on lazy binding. Have autoconf probe the linker to see if `-z lazy` works, and if so, use it to link nfct and the helpers. conntrackd itself is unaffected, and should still work with `-z now`. Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add systemd supportArturo Borrero2015-11-171-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds basic systemd support. The feature can be enabled/disabled at configure time: ./configure --disable-systemd Also, at runtime in conntrackd.conf General { Systemd on|off } (by default it's enabled both at runtime and at configure time) * tell systemd about conntrackd readiness: When conntrackd starts, it will send systemd the data "READY=1". At the point the data is sent, conntrackd is fully ready to work (configuration was OK, sockets OK, et all), so other actions depending on conntrackd can be safely chained in the machine boot process. * tell systemd about conntrackd shutting down: If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1" will be send to systemd so it learns about the daemon shutting down. Same for manual signals. * watchdog support: The admin can configure systemd to watch the conntrackd daemon and perform some actions if conntrackd dies: restart it, reboot the machine, etc... Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfct: don't link against libnetfilter_conntrackArturo Borrero2015-08-261-1/+0
| | | | | | | | | | | | The nfct program uses none of the symbols of libnetfilter_conntrack. Linking against it means that distributors have to maintain an useless depedency. This was spotted by the dpkg-shlibdeps tool. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add --disable-cthelper and --disable-cttimeoutPablo Neira Ayuso2013-09-261-9/+30
| | | | | | | | | | This patch allows you to disable userspace helper support and conntrack timeout tuning at build stage. By default, both features are enabled, to avoid breaking backward compatibility. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix libraries dependencies in MakefilesNicolas Dichtel2012-09-211-2/+2
| | | | | | | | Several includes are missing when netfilter libs are not in the standard path. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add cthelper infrastructure (+ example FTP helper)Pablo Neira Ayuso2012-08-011-5/+19
| | | | | | | | | | | | This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space. There's one example file that you can use to configure conntrackd as user-space connection tracking helper under: doc/helper/conntrackd.conf Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: move ctnetlink code to ctnl.c (removed from run.c)Pablo Neira Ayuso2012-08-011-0/+1
| | | | | | | This patch moves the specific ctnetlink code to ctnl.c to prepare the introduction of the cthelper infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for stats dumping via ctnetlinkPablo Neira Ayuso2012-08-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Since Linux kernel >= 3.6.x, we can dump the conntrack statistics via ctnetlink instead of using the /proc interface: conntrack -S cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 conntrack -S exp cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141 cpu=1 expect_new=390 expect_create=37496 expect_delete=1531 cpu=2 expect_new=333 expect_create=68117 expect_delete=1895 cpu=3 expect_new=71 expect_create=13366 expect_delete=1255 Note that the output is not backward-compatible, but we fail back to previous output in case that ctnetlink stats dumping is not available. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: integrate nfct into the conntrack-tools treePablo Neira Ayuso2012-05-261-1/+7
| | | | | | | | I'll need for the upcoming cthelper infrastructure. Moreover, we avoid more fragmentation in the netfilter user-space utilities. And the plan is that `nfct' will replace `conntrack' at some point. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: support for expectation synchronizationPablo Neira Ayuso2012-01-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support to synchronize expectations between firewalls. This addition aims to re-use as much as possible of the existing infrastructure for stability reasons. The expectation support has been tested with the FTP helper. This extension requires libnetfilter_conntrack 1.0.0. If this is the first time you're playing with conntrackd, I *strongly* recommend you to get working setup of conntrackd without expectation support before as described in the documentation. Then, enabling expectation support is rather easy. To know more about expectations, if you're not familiar with them, I suggest you to read: "Netfilter's Connection Tracking System" http://people.netfilter.org/pablo/docs/login.pdf Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3 (Berkeley, CA: USENIX Association, 2006, pp40-45.) In short, expectations allow one Linux firewall to filter multi-flow traffic like FTP, SIP and H.323. In my testbed, there are two firewalls in a primary-backup configuration running keepalived. The use a couple of floating cluster IP address (192.168.0.100 and 192.168.1.100) that are used by the client. These firewalls protect one FTP server (192.168.1.2) that will be accessed by one client. In ASCII art, it looks like this: 192.168.0.100 192.168.1.100 eth1 eth2 fw-1 / \ FTP -- client ------ ------ server -- 192.168.0.2 \ / 192.168.1.2 fw-2 This is the rule-set for the firewalls: -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A FORWARD -m state --state RELATED -j ACCEPT -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: " The following steps detail how to check that the expectation support works fine for conntrackd: 1) You have to enable the expectation support in the configuration file with the following option: Sync { ... Options { ExpectationSync { ftp sip h323 } } } This enables expectation synchronization for the FTP, SIP and H.323 helpers. You can alternatively use: Sync { ... Options { ExpectationSync On } } To enable expectation synchronization for all helpers. 2) Make sure you have loaded the FTP helper in both firewalls. root@fw1# modprobe nf_conntrack_ftp root@fw2# modprobe nf_conntrack_ftp 3) Switch to the client. Start one FTP control connection to one server that is protected by the firewalls, enter passive mode: (term-1) user@client$ nc 192.168.1.2 21 220 dummy FTP server USER anonymous 331 Please specify the password. PASS nothing 230 Login successful. PASV 227 Entering Passive Mode (192,168,1,2,163,11). This means that port 163*256+11=41739 will be used for the data traffic. Read this if you are not familiar with the FTP protocol: http://www.freefire.org/articles/ftpexample.php 3) Switch to fw-1 (primary) to check that the expectation is in the internal cache. root@fw1# conntrackd -i exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s] 4) Switch to fw-2 (backup) to check that the expectation has been successfully replicated. root@fw2# conntrackd -e exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s] 5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary. 6) Switch to fw-2 (primary) to commit the external cache into the kernel. root@fw2# conntrackd -c exp The logs should display that the commit was successful: root@fw2# tail -100f /var/log/conntrackd.log [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds 7) Switch to the client. Open a new terminal and connect to the port that has been announced by the server: (term-2) user@client$ nc -vvv 192.168.1.2 41739 (UNKNOWN) [192.168.1.2] 41739 (?) open 8) Switch to term-1 and ask for the file listing: [...] 227 Entering Passive Mode (192,168,1,2,163,11). LIST 9) Switch to term-2, it should display the listing. That means everything has worked fine. You may want to try disabling the expectation support and repeating the steps to check that *it does not work* without the state-synchronization. You can also display expectation statistics by means of: root@fwX# conntrackd -s exp This update requires no changes in the primary-backup.sh script that is used by the HA manager to interact with conntrackd. Thus, we provide a backward compatible command line interface. Regarding the Filter clause and expectations, we use the master conntrack to filter expectation events. The filtering is performed in user-space. No kernel-space filtering support for expectations yet (this support should go in libnetfilter_conntrack at some point). This patch also includes support to disable caching and to allow direct injection of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: generalize caching infrastructurePablo Neira Ayuso2012-01-101-1/+1
| | | | | | | | This patch generalizes the caching infrastructure to store different object types. This patch is the first in the series to prepare support for the synchronization of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use AM_YFLAGS instead of overriding YACCJan Engelhardt2010-11-051-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: resolve automake warningJan Engelhardt2010-11-051-1/+1
| | | | | | src/Makefile.am:24: whitespace following trailing backslash Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: no need for error message in PKG_CHECK_MODULESJan Engelhardt2010-10-311-3/+2
| | | | | | | | | | | PKG_CHECK_MODULES already produces its own (and more verbose) messsage when a module cannot be found. Mucking around with CFLAGS and LIBS is also not needed since pkgconfig takes care of providing variables, so let's use them in Makefile.am. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove unused $(all_libraries)Jan Engelhardt2010-10-311-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* conntrackd: add `DisableInternalCache' clausePablo Neira Ayuso2009-10-211-0/+1
| | | | | | | | This patch adds the clause `DisableInternalCache' that allows you to bypass the internal cache. This clause can only be used with the notrack synchronization mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support state-replication based on TCPPablo Neira Ayuso2009-08-231-0/+1
| | | | | | | | This patch adds support for TCP as protocol to replicate state-changes between two daemons. Note that this only makes sense with the notrack mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: reduce the number of gettimeofday() syscallsPablo Neira Ayuso2009-08-211-1/+1
| | | | | | | | This patch reduces the number of gettimeofday syscalls by caching the current time in a variable at the beginning of the main loop. Based on a suggestion from Vincent Jardin. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add `DisableExternalCache' clausePablo Neira Ayuso2009-08-191-0/+1
| | | | | | | | | | | This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: remove the cache write-through policyPablo Neira Ayuso2009-05-231-1/+1
| | | | | | | | | | | | | | This patch removes the cache write-through clause. This feature remained undocumented although some has found it looking at the source code. This feature has remained in the tree for quite some time although it has several limitations. Moreover, it is specifically broken and dangerous for Linux kernels >= 2.6.29 since it generates loops in the synchronization. We do this removal first to prepare the introduction of a feature to bypass the external cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: detect where the events comes fromPablo Neira Ayuso2009-05-231-1/+1
| | | | | | | | | | Since Linux kernel 2.6.29, ctnetlink reports the changes that have been done using ctnetlink. With this patch, conntrackd can recognize who is the origin of the event messages. For example, this is interesting to avoid a messy implicit bulk send during the commit of entries. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add child process infrastructurePablo Neira Ayuso2009-05-231-1/+1
| | | | | | | | | | | | | This patch adds a simple infrastructure that allows to account the child processes that have been forked. This also includes a callback handler that can be registered that is called once the child process finishes. We can extended this later to include an alarm to limit the maximum lifetime of a forked child process. This is good to ensure that child processes behave timely. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add GRE supportPablo Neira Ayuso2009-04-181-1/+1
| | | | | | | This patch adds GRE support for the command line tool conntrack. With this patch, we support all protocols available in the kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
* conntrack: add DCCP supportPablo Neira Ayuso2009-04-111-1/+1
| | | | | | This patch adds DCCP support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add SCTP supportPablo Neira Ayuso2009-04-111-1/+1
| | | | | | This patch adds SCTP support to the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add UDPlite supportPablo Neira Ayuso2009-04-111-1/+1
| | | | | | This patch adds UDPlite support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add unicast UDP support to propagate state-changesPablo Neira Ayuso2009-03-131-2/+2
| | | | | | | | This patch adds support for unicast UDP to the channel infrastructure. With this patch, you can select UDP unicast to propagate state-changes instead of multicast. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add abstract layer to make daemon independent of multicastPablo Neira Ayuso2009-03-121-0/+1
| | | | | | | | | This patch reworks conntrackd to make it independent of the protocol used to propagate state-changes. This patch adds the channel layer abstraction, this layer allows you to add support for different protocols like unicast UDP or TIPC. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: move lifetime feature to main cache codePablo Neira Ayuso2009-01-251-1/+1
| | | | | | | | The lifetime feature is used by all working modes, it is useful to know how long it has been an entry living in the cache. This patch moves the lifetime feature to the main caching code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: CIDR-based filtering supportPablo Neira Ayuso2008-11-251-2/+2
| | | | | | | | | | This patch adds CIDR-based filtering support. The current implementation is O(n). This patch also introduces the vector data type which is used to store the IP address and the network mask. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix filtering for unsupported protocolPablo Neira Ayuso2008-10-041-1/+1
| | | | | | | | | This patch fixes filtering for unsupported protocol. Thus, you can use -L -p 47 or -L -p gre to filter `gre' traffic. Based on an initial patch from Bryan Duff <bduff@astrocorp.com>. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-221-2/+1
| | | | | | | | | | This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso2008-05-251-1/+1
|
* add eventfd emulation to communicate receiver -> senderPablo Neira Ayuso2008-05-251-1/+1
|
* Krzysztof Oledzki <ole@ans.pl>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-251-1/+1
| | | | | o add ICMPv6 (-p icmpv6) support o add possibility to distinguish between invalid (unknown) and empty proto
* compose the file descriptor set at initialization stage to save some cycles/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-191-1/+1
|
* implement a rb-tree based alarm framework/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-291-1/+1
|
* Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-181-1/+1
| | | | Simplify logging infrastructure