| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
UDP filtering was broken during the addition of the UDP-based
synchronization protocol that was introduced in 0.9.14. This
patch fixes the problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch fixes the clause `State' in `Filter' that allows
you to filter by protocol state. This bug was introduced during
the implementation of the TCP-based synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds the clause `DisableInternalCache' that allows you
to bypass the internal cache. This clause can only be used with
the notrack synchronization mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Under stress, the TCP stack may return EAGAIN if there is not
space left in the sender buffer. We also enqueue any other
error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds support for TCP as protocol to replicate
state-changes between two daemons. Note that this only
makes sense with the notrack mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the clause `DisableExternalCache' that allows you
to disable the external cache and to directly inject the entries
into the kernel conntrack table. As a result, the CPU consumption
of conntrackd increases. This clause can only be used with the
FT-FW and the notrack synchronization modes, but not with the
alarm mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds the missing support to filter IPv6 from kernel-space
by means of the BSF API that libnetfilter_conntrack provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds the NetlinkEventsReliable clause, this is useful
to turn on reliable Netlink event delivery. This features
requires a Linux kernel >= 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reworks the commit phase to avoid the forking. This is
particularly useful in active-active setups in which one node
has to commit the external cache while it is receiving new entries
to be added in the external cache. This results in really high
commit times due to the penalty of the copy-on-write that fork
performs.
The default number of steps in one run loop is limited to 64 by now.
No option to tune this parameter is still available via the
configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the cache write-through clause. This feature
remained undocumented although some has found it looking at the
source code. This feature has remained in the tree for quite
some time although it has several limitations. Moreover, it
is specifically broken and dangerous for Linux kernels >= 2.6.29
since it generates loops in the synchronization.
We do this removal first to prepare the introduction of a feature
to bypass the external cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
With this patch, you can change the scheduler policy and priority
for conntrackd. Using a RT scheduler policy reduces the chances to
hit ENOBUFS in Netlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch cleans up the error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch obsoletes the `ListenTo' clause which is a reminiscent
of the intial event filtering code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch removes several structure fields that are unused.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch fixes an EINVAL error returned by bind() when opening
an UDP server socket to propagate state-changes over the dedicated
link. This patch also includes the change of the example
configuration files in case that you want to use UDP over IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds support for unicast UDP to the channel
infrastructure. With this patch, you can select UDP unicast to
propagate state-changes instead of multicast.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch reworks conntrackd to make it independent of the protocol
used to propagate state-changes. This patch adds the channel layer
abstraction, this layer allows you to add support for different
protocols like unicast UDP or TIPC.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds NetlinkOverrunResync. This option can be used to
set the amount of time after which the daemon resynchronizes itself
with the kernel state-table if it detects a Netlink overrun.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch increases the default PurgeTimeout value to 60 seconds.
The former 15 seconds provides good real-time reaction in terms of
user-side expected behaviour, but it is too small if you trigger
random failure in a firewall cluster.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
During the commit phase, the entries in the external cache entries
are inserted in the kernel conntrack table. Currently, we use a
fixed timeout that is specified in the config file. With this patch,
if you don't specify the fixed timeout value via CommitTimeout, the
daemon calculates the real timeout value during the commit phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch obsoletes `DestroyTimeout' which has no clients anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds ResendQueueSize, which sets the number of objects
that can be stored in the resend queue waiting to be confirmed.
The ResendBufferSize clause has been deprecated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the clause PollSecs that changes the normal
behaviour of conntrackd. With PollSecs set to > 0, conntrackd
polls every N seconds the entries.
This is the opposed behaviour of an event-driven behaviour but may
be useful for those that have really strong limitations in terms of
CPU consumption and want to perform a relaxed replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds support for redundant dedicated links. You can add
a pool of dedicated links that can be used if the current active
fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch moves `Checksum' into the `Multicast' clause. This
property is dependent of the multicast configuration. This patch
is required to introduce the redundant dedicated link support
that is on the way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds CIDR-based filtering support. The current
implementation is O(n).
This patch also introduces the vector data type which is
used to store the IP address and the network mask.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks of IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch increases the size of the acknowledgment window based on
some experiments in my testbed with oprofile. The previous default value
was too small. This resulted in too many cycles to empty the resend
queue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch fixes a problem that is reported by conntrackd while
trying to parse the example configuration file. We fix this
instead of the example file to make it consistent with other
replication approaches.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the clause PurgeTimeout that sets the new timer
when conntrackd -t is called. This command is particularly useful
when the sysadmin triggers hand-overs between several nodes without
rebooting as it reduces the timers of the remaining entries in
the kernel. Thus, avoiding clashes between new and old entries that
may trigger INVALID packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for kernel-space filtering via BSF by means of
the libnetfilter_conntrack's BSF high-level API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch reworks the user-space filtering. Although we have
kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace
filtering to ensure backward compatibility. Moreover, this patch
prepares the implementation of the kernel-space filtering via
libnetfilter_conntrack's high-level berkeley socket filter API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
| |
|
|
|
|
| |
This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
|
|
|
|
| |
only which is incompatible AFAIK
|
|
|
|
| |
has been Max Kellermann and has no issues with relicensing their contributions.
|
| |
|
|
|
|
| |
Simplify logging infrastructure
|
|
|
|
| |
import only required C headers and put local headers on top to check
|
|
|
|
| |
Fix tons of gcc warnings
|
|
|
|
| |
add missing printf arguments
|
|
|
|
| |
import tcp_state_helper only once
|
|
|
|
|
|
| |
yacc generates a function with a return value, and the conntrackd code
uses "return;" to ignore a value. this is not legal. convert all of
these to "break;" which might be what the author intended to do.
|
| |
|
| |
|
| |
|