summaryrefslogtreecommitdiffstats
path: root/src/read_config_yy.y
Commit message (Collapse)AuthorAgeFilesLines
* conntrackd: add support for TCP window scale factor synchronizationPablo Neira Ayuso2010-02-111-0/+18
| | | | | | | This patch adds a new option TCPWindowTracking that allows not to disable TCP window tracking as it occurs by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix UDP filtering in configuration filePablo Neira Ayuso2010-02-111-0/+19
| | | | | | | | UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: fix flow-state filtering for TCPPablo Neira Ayuso2009-12-231-1/+4
| | | | | | | | This patch fixes the clause `State' in `Filter' that allows you to filter by protocol state. This bug was introduced during the implementation of the TCP-based synchronization. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add `DisableInternalCache' clausePablo Neira Ayuso2009-10-211-1/+12
| | | | | | | | This patch adds the clause `DisableInternalCache' that allows you to bypass the internal cache. This clause can only be used with the notrack synchronization mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add retention queue for TCP errorsPablo Neira Ayuso2009-09-231-3/+15
| | | | | | | | Under stress, the TCP stack may return EAGAIN if there is not space left in the sender buffer. We also enqueue any other error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support state-replication based on TCPPablo Neira Ayuso2009-08-231-1/+157
| | | | | | | | This patch adds support for TCP as protocol to replicate state-changes between two daemons. Note that this only makes sense with the notrack mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add `DisableExternalCache' clausePablo Neira Ayuso2009-08-191-0/+13
| | | | | | | | | | | This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add support for IPv6 kernel-space filtering via BSFPablo Neira Ayuso2009-07-211-1/+16
| | | | | | | This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add clause to enable ctnetlink reliable event deliveryPablo Neira Ayuso2009-07-211-1/+12
| | | | | | | | This patch adds the NetlinkEventsReliable clause, this is useful to turn on reliable Netlink event delivery. This features requires a Linux kernel >= 2.6.31. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: rework commit not to fork a child processPablo Neira Ayuso2009-07-191-0/+5
| | | | | | | | | | | | | | | This patch reworks the commit phase to avoid the forking. This is particularly useful in active-active setups in which one node has to commit the external cache while it is receiving new entries to be added in the external cache. This results in really high commit times due to the penalty of the copy-on-write that fork performs. The default number of steps in one run loop is limited to 64 by now. No option to tune this parameter is still available via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: remove the cache write-through policyPablo Neira Ayuso2009-05-231-2/+4
| | | | | | | | | | | | | | This patch removes the cache write-through clause. This feature remained undocumented although some has found it looking at the source code. This feature has remained in the tree for quite some time although it has several limitations. Moreover, it is specifically broken and dangerous for Linux kernels >= 2.6.29 since it generates loops in the synchronization. We do this removal first to prepare the introduction of a feature to bypass the external cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: change scheduler and priority via configuration filePablo Neira Ayuso2009-04-141-0/+30
| | | | | | | | With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: cleanup error reporting during config file parsingPablo Neira Ayuso2009-03-311-111/+143
| | | | | | This patch cleans up the error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: obsolete `ListenTo' clausePablo Neira Ayuso2009-03-201-24/+2
| | | | | | | This patch obsoletes the `ListenTo' clause which is a reminiscent of the intial event filtering code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mcast: remove several unused structure fieldsPablo Neira Ayuso2009-03-201-3/+1
| | | | | | This patch removes several structure fields that are unused. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udp: fix missing scope_id in the socket creationPablo Neira Ayuso2009-03-201-2/+11
| | | | | | | | | This patch fixes an EINVAL error returned by bind() when opening an UDP server socket to propagate state-changes over the dedicated link. This patch also includes the change of the example configuration files in case that you want to use UDP over IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add unicast UDP support to propagate state-changesPablo Neira Ayuso2009-03-131-15/+155
| | | | | | | | This patch adds support for unicast UDP to the channel infrastructure. With this patch, you can select UDP unicast to propagate state-changes instead of multicast. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync-mode: add abstract layer to make daemon independent of multicastPablo Neira Ayuso2009-03-121-31/+38
| | | | | | | | | This patch reworks conntrackd to make it independent of the protocol used to propagate state-changes. This patch adds the channel layer abstraction, this layer allows you to add support for different protocols like unicast UDP or TIPC. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add Nice clause to set the nice valuePablo Neira Ayuso2009-02-081-2/+9
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add new option NetlinkOverrunResyncPablo Neira Ayuso2009-02-081-1/+22
| | | | | | | | This patch adds NetlinkOverrunResync. This option can be used to set the amount of time after which the daemon resynchronizes itself with the kernel state-table if it detects a Netlink overrun. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: increase default PurgeTimeout valuePablo Neira Ayuso2009-01-251-2/+2
| | | | | | | | | This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds provides good real-time reaction in terms of user-side expected behaviour, but it is too small if you trigger random failure in a firewall cluster. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for approximate timeout calculation during commitPablo Neira Ayuso2009-01-251-4/+0
| | | | | | | | | | During the commit phase, the entries in the external cache entries are inserted in the kernel conntrack table. Currently, we use a fixed timeout that is specified in the config file. With this patch, if you don't specify the fixed timeout value via CommitTimeout, the daemon calculates the real timeout value during the commit phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: obsolete `DestroyTimeout' clausePablo Neira Ayuso2009-01-211-5/+2
| | | | | | This patch obsoletes `DestroyTimeout' which has no clients anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: add ResendQueueSize and deprecate ResendBufferSize clausesPablo Neira Ayuso2009-01-171-3/+10
| | | | | | | | This patch adds ResendQueueSize, which sets the number of objects that can be stored in the resend queue waiting to be confirmed. The ResendBufferSize clause has been deprecated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add state polling support (oppossed to current event-driven)Pablo Neira Ayuso2009-01-171-1/+12
| | | | | | | | | | | | This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls every N seconds the entries. This is the opposed behaviour of an event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for redundant dedicated linksPablo Neira Ayuso2009-01-171-31/+74
| | | | | | | | This patch adds support for redundant dedicated links. You can add a pool of dedicated links that can be used if the current active fails. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* run: limit the number of iterations over the event handlingPablo Neira Ayuso2009-01-151-1/+10
| | | | | | | | Currently, the event handling can starve other event file descriptors. This patch limits the number of event handling iterations. The parameter is tunable via configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: move `Checksum' inside `Multicast' clausePablo Neira Ayuso2008-11-301-0/+14
| | | | | | | | | This patch moves `Checksum' into the `Multicast' clause. This property is dependent of the multicast configuration. This patch is required to introduce the redundant dedicated link support that is on the way. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: CIDR-based filtering supportPablo Neira Ayuso2008-11-251-16/+70
| | | | | | | | | | This patch adds CIDR-based filtering support. The current implementation is O(n). This patch also introduces the vector data type which is used to store the IP address and the network mask. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: choose the filtering method via configuration filePablo Neira Ayuso2008-11-181-1/+15
| | | | | | | | | | | | | | | | This patch changes the current behaviour of the filtering selection. Up to now, conntrackd has used the kernel version to select the filtering method based on the following logic: If kernel is >= 2.6.26 we use BSF-based filtering from kernel-space, otherwise, default to userspace. However, this filtering method still lacks of IPv6 support and it requires a patch that got into 2.6.29 to filter IPv6 addresses from kernel-space. To fix this issue, we default to user-space filtering and let the user choose the method via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: rise the size of the acknowledgment window in the examplePablo Neira Ayuso2008-10-211-2/+2
| | | | | | | | | This patch increases the size of the acknowledgment window based on some experiments in my testbed with oprofile. The previous default value was too small. This resulted in too many cycles to empty the resend queue. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* config: fix usage of 'PurgeTimeout' in Sync NOTRACKPablo Neira Ayuso2008-10-201-2/+4
| | | | | | | | | This patch fixes a problem that is reported by conntrackd while trying to parse the example configuration file. We fix this instead of the example file to make it consistent with other replication approaches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache iterators: rework cache_reset_timersPablo Neira Ayuso2008-08-071-1/+11
| | | | | | | | | | | This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add support for kernel-space filtering via BSFPablo Neira Ayuso2008-07-231-0/+90
| | | | | | | This patch adds support for kernel-space filtering via BSF by means of the libnetfilter_conntrack's BSF high-level API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-221-61/+194
| | | | | | | | | | This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso2008-05-251-1/+14
|
* add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffersPablo Neira Ayuso2008-05-201-1/+11
|
* Fix reorder possible reordering of destroy messages under message omission. ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-291-1/+11
| | | | This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
* revert relicensing... still we use linux_list.h code which seems to be GPLv2 ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-081-1/+1
| | | | only which is incompatible AFAIK
* relicense conntrack-tools as GPLv3+, so far the most significant contributor ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-081-1/+1
| | | | has been Max Kellermann and has no issues with relicensing their contributions.
* add IPv6 support to conntrackd/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-021-27/+72
|
* Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-181-1/+1
| | | | Simplify logging infrastructure
* Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-171-0/+1
| | | | import only required C headers and put local headers on top to check
* Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-151-1/+1
| | | | Fix tons of gcc warnings
* Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-151-2/+2
| | | | add missing printf arguments
* Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-151-9/+2
| | | | import tcp_state_helper only once
* Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-151-9/+9
| | | | | | yacc generates a function with a return value, and the conntrackd code uses "return;" to ignore a value. this is not legal. convert all of these to "break;" which might be what the author intended to do.
* implement buffered connection logging to improve performance/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-051-1/+7
|
* rename class `buffer' to `queue' which is what it really implements/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-051-5/+5
|
* obsolete `-S' option: Use information provided by the config file/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-051-4/+20
|