| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
Since Linux kernel 2.6.29, ctnetlink reports the changes that have
been done using ctnetlink. With this patch, conntrackd can recognize
who is the origin of the event messages. For example, this is
interesting to avoid a messy implicit bulk send during the commit
of entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a simple infrastructure that allows to account
the child processes that have been forked. This also includes
a callback handler that can be registered that is called once
the child process finishes.
We can extended this later to include an alarm to limit the
maximum lifetime of a forked child process. This is good to
ensure that child processes behave timely.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds initial support for DCCP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds initial support for SCTP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds GRE support for the command line tool conntrack.
With this patch, we support all protocols available in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
|
| |
|
|
|
|
| |
This patch fixes an English typo in an output message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
With this patch, you can change the scheduler policy and priority
for conntrackd. Using a RT scheduler policy reduces the chances to
hit ENOBUFS in Netlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds DCCP support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds SCTP support to the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds UDPlite support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the generic_opt_check() function to add
extra information on the possible option combinations. Under
some specific situations, like the creation and getting of
a conntrack, you may specify the original or the reply tuple
but at least one MUST be present. This handling has been
always tricky, it still remains but we're more user friendly
at least.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch cleans up the error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch removes the broken command checking. This is better
handled by the option checkings which comes just after this one.
This patch also fixes some inconsistencies in the command
parameter checking when long names are used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds `-S' command to display kernel statistics. Using
raw `cat' on /proc and the hexadecimal output is not very handy.
This option parses the /proc entry and display the information
is a more human friendly way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes some missing bits for the `-C' conntrack command
like the manpage information, the usage help, the `--counters'
synonymous and the commands vs. options checking.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch fixes a problem that was introduced while adding the
multichannel support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch obsoletes the `ListenTo' clause which is a reminiscent
of the intial event filtering code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch removes several structure fields that are unused.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch fixes an EINVAL error returned by bind() when opening
an UDP server socket to propagate state-changes over the dedicated
link. This patch also includes the change of the example
configuration files in case that you want to use UDP over IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes a bug in the message parser which leads to treat
a destination PAT as a source PAT.
Reported-by: Habib Sahnoun <sahnounhab@yahoo.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch obsoletes `-s multicast' by `-s link' to display the
dedicated link statistics, as the current dedicated link protocol
use can be unicast UDP or multicast. The term "link" is more
generic.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch removes a compilation warning. The buffer passed to
be sent must be const.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch is a cleanup, it removes a couple of reminiscent
references to multicast (as now conntrackd is independent of
the protocol used to replicate state-changes, currently supports
unicast UDP and multicast).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch saves one tab in the code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes a misleading output that shows the number of lost
and malformed packets. Instead, those numbers show the number of
the number of lost and malformed messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support for unicast UDP to the channel
infrastructure. With this patch, you can select UDP unicast to
propagate state-changes instead of multicast.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch is a cleanup. It renames the mcast_track_*() functions
by nethdr_track_*() because this functions are related to message
sequence tracking. They are not stick to multicast at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch reworks conntrackd to make it independent of the protocol
used to propagate state-changes. This patch adds the channel layer
abstraction, this layer allows you to add support for different
protocols like unicast UDP or TIPC.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch renames the mcast_iface to interface since this nlif
handler is not related with multicast itself, but to monitor the
link interface used to propagate state-changes. This patch is a
cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch is a cleanup. It renames the function mcast_send_sync()
to sync_send() since the function itself is not related to multicast
anymore (it enqueues state-changes to the upper layer).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds include limits.h to mcast.c and sync-mode.c. Why Gentoo
maintainers did not report me the problem? :(
http://bugs.gentoo.org/show_bug.cgi?id=256497
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch replace nfct_get_attr_u32 by nfct_get_attr_u8 which is
the correct size of a TCP state. Set also the CLOSE_INIT flag for
CLOSE TCP state (as nf_conntrack_proto_tcp allows).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds two alias that removes an inconsistency in the
configuration file names. Now, the clauses that refers to Netlink
starts by the prefix "Netlink".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch includes libnfnetlink.h header in mcast.c to remove
a compilation warning due to missing prototype declaration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch removes debug() and debug_ct(), I haven't use the
debugging information that these functions provide in years.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch makes conntrackd change the current dedicated link if
the message is correct, ie. neither malformed nor out-of-sync.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch removes the use of NFCT_DIR_MAX. This constant is part of
the old libnetfilter_conntrack API which has been removed from the
git tree. It was introduced in the early days of conntrackd, thus,
the use of this constant. Unfortunately, I did not notice until now.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch removes the logging initialization for client requests
which is of any use for them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch also adds missing `-v' information to the manpage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch allows flushing the internal and/or the external cache.
The `-f' with no extra parameters still works to flush both the
internal and the external cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch fixes statistics logging based on polling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch moves the polling logic into the resync handler. The
dump handler action depended on the daemon working mode (polling
or event-driven) resulting in an inconsistent behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch uses the appropriate printf format to display the
commit time taken (it was using %llu instead of %lu).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Currently, the daemon sends a flush request to the kernel-space.
With lots of entries and NetlinkOverrunResync disabled, the daemon
remains in an inconsistent state due to an overrun produced by the
flush report to userspace. With this patch, the daemon also flush
its internal cache after the kernel flush request.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds NetlinkOverrunResync. This option can be used to
set the amount of time after which the daemon resynchronizes itself
with the kernel state-table if it detects a Netlink overrun.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch improves the polling support included in 0.9.10. The
polling now consists of getting the state table, wait for PollSecs,
then purge obsolete entries, and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch removes:
* nl_init_dump_handler()
* nl_init_request_handler()
* nl_init_resync_handler()
since they all look very similar.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP
TIME_WAIT state. This patch is a workaround, the daemon should
propagate the internal TCP flags to make it fully independent of
possible changes in the TCP tracking code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
