path: root/src/build.c
Log (each entry: commit message, author, date, files changed, lines -removed/+added)
* conntrackd: fix ICMPv6 support
  Author: Pablo Neira Ayuso | Date: 2010-07-01 | Files: 1 | Lines: -0/+1

  This patch fixes several minor nitpicks to support IPv6 failover:
  * ICMPv6 type/code/id were missing in synchronization messages.
  * The use of '-' as string in the configuration file was not allowed.
  * Include example in configuration file under doc/.

  Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cleanup port addition in the message building path
  Author: Pablo Neira Ayuso | Date: 2010-02-16 | Files: 1 | Lines: -6/+17

  This patch moves the ports addition to the layer 4 functions, instead of
  checking for the port attribute. It also adds a function for UDP, otherwise
  we break support for this protocol.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for TCP window scale factor synchronization
  Author: Pablo Neira Ayuso | Date: 2010-02-11 | Files: 1 | Lines: -0/+4

  This patch adds a new option TCPWindowTracking that allows not to disable
  TCP window tracking as it occurs by default.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add ICMP support for state-synchronization
  Author: Pablo Neira Ayuso | Date: 2009-12-19 | Files: 1 | Lines: -1/+8

  This patch adds state-synchronization for ICMP. You SHOULD use a Linux
  kernel >= 2.6.31, otherwise this patch can result in tons of state-updates.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: use indirect call to build layer 4 protocol information
  Author: Pablo Neira Ayuso | Date: 2009-12-19 | Files: 1 | Lines: -10/+43

  With this patch, we use an indirect call to build the layer 4 information
  into the synchronization message.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use TLV format for SCTP/DCCP protocol information
  Author: Pablo Neira Ayuso | Date: 2009-06-12 | Files: 1 | Lines: -26/+9

  In 400ae54438c4b85126f9fab0ae1dc067823b70f7, we added the SCTP support by
  means of a structure that was encapsulated in a TLV attribute. However,
  this structure didn't handle alignment and endianness issues appropriately.
  A similar problem was introduced in b808645ec71b7cc22cf5106b3d79625d07e6077c
  along with the DCCP support.

  This patch moves every field of this structure to independent attributes.
  I decided not to use nesting to make building and parsing simpler. Using
  TLV is a good idea, especially for DCCP and SCTP that are under development
  and that may include new fields and obsolete them in the future.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use uint16_t instead of uint32_t for uint16_t attributes
  Author: Samuel Gauthier | Date: 2009-05-12 | Files: 1 | Lines: -1/+1

  Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for DCCP state replication
  Author: Pablo Neira Ayuso | Date: 2009-04-24 | Files: 1 | Lines: -0/+12

  This patch adds initial support for DCCP state replication.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add support for SCTP state replication
  Author: Pablo Neira Ayuso | Date: 2009-04-18 | Files: 1 | Lines: -1/+15

  This patch adds initial support for SCTP state replication.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for approximate timeout calculation during commit
  Author: Pablo Neira Ayuso | Date: 2009-01-25 | Files: 1 | Lines: -0/+3

  During the commit phase, the entries in the external cache are inserted in
  the kernel conntrack table. Currently, we use a fixed timeout that is
  specified in the config file. With this patch, if you don't specify the
  fixed timeout value via CommitTimeout, the daemon calculates the real
  timeout value during the commit phase.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: remove the netpld header from the messages
  Author: Pablo Neira Ayuso | Date: 2008-12-08 | Files: 1 | Lines: -38/+34

  This patch simplifies the message format of the replication messages. As a
  result, we save four bytes. The netpld header was introduced in the early
  protocol design. Today, it does not have any reason to exist.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: do not include NTA_TIMEOUT in the replication messages
  Author: Pablo Neira Ayuso | Date: 2008-12-06 | Files: 1 | Lines: -2/+0

  With this patch, NTA_TIMEOUT is not included in the replication messages
  anymore. During the fail-over, we set a small timeout to purge the entries
  that were not recovered successfully (however, unsuccessful recovery should
  not happen ever).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add attribute header size to total attribute length
  Author: Pablo Neira Ayuso | Date: 2008-11-25 | Files: 1 | Lines: -2/+5

  This patch adds the size of the attribute header (4 bytes) to the length
  field of netattr. This fixes a possible invalid memory access in malformed
  messages. This change is included in the set of scheduled changes for 0.9.9
  that break backward compatibility.

  This patch also removes a memset of 4096 by one to initialize the headers
  and the netattr paddings.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: rework TLV-based protocol
  Author: Pablo Neira Ayuso | Date: 2008-11-02 | Files: 1 | Lines: -103/+99

  This patch reworks the TLV-based protocol to reduce the overhead in the
  message building. The idea is to group some attributes that must be present
  in a consistent configuration. Putting them together helps us to save some
  cycles in the message building.

  Now, oprofile reports ~15% of samples in the build path instead of ~25%.
  CPU consumption for 3000 HTTP GET requests per second (1000 concurrent with
  apache benchmark tool) is ~45% in my testbed, that is ~19% more consumption
  than with no replication at all.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* remove secmark support for conntrackd
  Author: Pablo Neira Ayuso | Date: 2008-05-27 | Files: 1 | Lines: -2/+0
* revert relicensing... still we use linux_list.h code which seems to be GPLv2 only which is incompatible AFAIK
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-03-08 | Files: 1 | Lines: -1/+1
* relicense conntrack-tools as GPLv3+, so far the most significant contributor has been Max Kellermann and has no issues with relicensing their contributions.
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-03-08 | Files: 1 | Lines: -1/+1
* add missing bits for NAT sequence adjustment support
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-02-09 | Files: 1 | Lines: -0/+14
* o add IPv6 information to synchronization messages
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-02-09 | Files: 1 | Lines: -3/+15

  o add support for NAT sequence adjustment (requires Linux kernel >= 2.6.25)
  o remove TODO file from release tarballs
* Max Kellermann <max@duempel.org>:
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-01-23 | Files: 1 | Lines: -1/+1

  use size_t
* Max Kellermann <max@duempel.org>:
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2008-01-17 | Files: 1 | Lines: -15/+15

  use C99 integers (uint32_t instead of u_int32_t)
* o add support for related conntracks (requires Linux kernel >= 2.6.22)
  Author: Ayuso/emailAddress=pablo@netfilter.org | Date: 2007-12-23 | Files: 1 | Lines: -0/+14

  o update leftover references to `persistent' and `nack' modes
* = conntrack =
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2007-12-21 | Files: 1 | Lines: -0/+2

  o fix missing `-g' and `-n' options in getopt_long control string
  o add support for secmark (requires Linux kernel >= 2.6.25)
  o add mark and secmark information to the manpage
  o cleanup error message

  = conntrackd =
  o add support for secmark (requires Linux kernel >= 2.6.25)
  o add conntrackd (8) manpage
* fix NAT in changes committed in r6904
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2007-07-19 | Files: 1 | Lines: -19/+30
* - conntrack-tools requires libnetfilter_conntrack >= 0.0.81
  Author: /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | Date: 2007-07-09 | Files: 1 | Lines: -0/+113

  - add len field to nethdr
  - implement buffered send/recv to batch messages
  - stop using netlink format for network messages: use similar TLV-based format
  - reduce synchronization messages size up to 60%
  - introduce periodic alive messages for sync-nack protocol
  - timeslice alarm implementation: remove alarm pthread, remove locking
  - simplify debugging functions: use nfct_snprintf instead
  - remove major use of libnfnetlink functions: use libnetfilter_conntrack API
  - deprecate conntrackd -F, use conntrack -F instead
  - major rework of the network infrastructure: much simpler, less messy