summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* cache iterators: rework cache_reset_timersPablo Neira Ayuso2008-08-074-20/+25
| | | | | | | | | | | This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add getter and check existence functionsPablo Neira Ayuso2008-08-072-2/+31
| | | | | | | | | | This patch adds nl_get_conntrack and it changes the behaviour of nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for a conntrack and updates the cached entry. On the other hand, nl_exist_conntrack only inquiries for the existence of the entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache_iterators: do not report ENOENT in cache_reset_timersPablo Neira Ayuso2008-08-021-1/+0
| | | | | | | | | | Do not report ENOENT to log files, this may confuse users. There's a race condition when shortening the timers and handling the destroy messages. However, this problem is not serious as the point of the shortening is to reduce the lifetime of the conntracks. If the conntrack is dying, there's no point to shorten their lifetime anymore :) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add -t option to shorten conntrack timeoutsPablo Neira Ayuso2008-08-023-0/+46
| | | | | | | | | | | | | | | | | This patch adds the new option `-t' for conntrackd. This option shortens the value of the timeout for the cached entries that lives in the kernel. This option is particularly useful to remove the zombie established entries that remain in kernel if the user tests the platform by forcing the takeover from one to another node several times. We currently use the value of CommitTimeout which is sane for it. Adding a new option does not seem to add more flexibility IMO. Once we get the patches to notify user changes via ctnetlink and the netlink flag NLM_F_ECHO works, we may directly invoke a massive purge of the entries, however, such solution would still need evaluation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: show consistent information to users for problem diagnosingPablo Neira Ayuso2008-08-013-9/+26
| | | | | | | | | | This patch hides information that may confuse users while they are diagnosing problems in their setup. For example, we hide entries that are schedule to expire - from the user side, they are already destroyed entries; and we show in the counters the real active entries, not all that are stored in the caches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix broken normal deletion in cachesPablo Neira Ayuso2008-08-012-41/+40
| | | | | | | | | | | | This patch fixes the non-timer-based cache deletion. This bug affects the alarm-based approach since the backup replicas did not get the deletion event, thus, delaying the deletion. This patch introduces cache_find() to look up for a conntrack object and __cache_del_timer() to perform direct deletions by means of the pointer obtained with cache_find(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix: wrong use of timersub in cache_timerPablo Neira Ayuso2008-08-011-1/+1
| | | | | | Fix wrong output in the dump of the expire timer which was negative. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix: use %zu instead of %u for size_tPablo Neira Ayuso2008-08-011-1/+1
| | | | | | Use %zu instead of %u for size_t to remove compilation warning. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* commit: retry at least once if we hit ETIME or ENOMEMEric Leblond2008-08-011-1/+18
| | | | | | | | | Some users are reporting ETIME errors in the update. This happens when you try to update a conntrack that is expiring. To avoid this problem, we retry once at least. We do similar for ENOMEM errors, although only users in virtual machines have reported this AFAIK. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add more sanity checks in the input pathPablo Neira Ayuso2008-08-012-8/+38
| | | | | | | Some users have reported crashes when nf_conntrack_ipv6 was not present. This patch performs more robust sanity checks in the input path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* CLI: add new option --buffer-size for -EPablo Neira Ayuso2008-07-291-18/+43
| | | | | | | Add new option --buffer-size for -E to set the netlink socket buffer size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: skip protocol state filtering if state not presentPablo Neira Ayuso2008-07-291-0/+3
| | | | | | | Skip user-space the protocol state filter if the protocol state is not present in the event message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: syslog displays the entry that triggers the errorPablo Neira Ayuso2008-07-241-2/+9
| | | | | | | | This patch fixes an inconsistency in the output. If syslog was chosen as logger, the conntrack entries that triggered an error were not displayed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add support for kernel-space filtering via BSFPablo Neira Ayuso2008-07-232-0/+104
| | | | | | | This patch adds support for kernel-space filtering via BSF by means of the libnetfilter_conntrack's BSF high-level API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-2210-323/+457
| | | | | | | | | | This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix xml output: wrap output with one root elementPablo Neira Ayuso2008-06-221-4/+44
|
* use only the original tuple to check if a conntrack is presentPablo Neira Ayuso2008-06-161-1/+9
|
* fix unsecure usage of printf and include limits.h (PATH_MAX and INT_MAX)Albin Tonerre2008-06-153-1/+3
|
* check if entries already exist in kernel before injectionPablo Neira Ayuso2008-06-151-15/+24
|
* delay the closure of the dump descriptor to fix assertion with cache_wtconntrack-tools-0.9.7Pablo Neira Ayuso2008-05-311-1/+3
|
* increase deletion stats when the timer is scheduled in cache_del_timeout()Pablo Neira Ayuso2008-05-311-2/+7
|
* define SO_[RCV|SND]BUFFORCE if not setPablo Neira Ayuso2008-05-271-0/+8
|
* remove secmark support for conntrackdPablo Neira Ayuso2008-05-272-3/+0
|
* fix leak in cache_destroy(): release objects before destroying the cachePablo Neira Ayuso2008-05-261-0/+1
|
* rework the HELLO logic inside FT-FWPablo Neira Ayuso2008-05-262-7/+47
|
* add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso2008-05-255-2/+203
|
* add eventfd emulation to communicate receiver -> senderPablo Neira Ayuso2008-05-254-8/+100
|
* only allow the use of --secmark for listing (filtering)Pablo Neira Ayuso2008-05-222-3/+5
| | | | add missing string.h required by strdup in config parsing
* check for missing IPv6 address before hashingPablo Neira Ayuso2008-05-211-0/+8
|
* Updates (-U) show the effect of the operation in the conntrack entryPablo Neira Ayuso2008-05-201-11/+36
|
* add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffersPablo Neira Ayuso2008-05-204-1/+50
|
* improve network message sanity checkingsPablo Neira Ayuso2008-05-183-38/+57
|
* - remove (misleading) counters and use information from the statistics modePablo Neira Ayuso2008-05-162-73/+7
| | | | | - use generic nfct_copy() from libnetfilter_conntrack to update objects - use generic nfct_cmp() to compare objects
* Fix reorder possible reordering of destroy messages under message omission. ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-297-47/+100
| | | | This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
* rework of the FT-FW approach/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-264-95/+233
|
* add more verbose error notification when the injection of a conntrack fails/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-164-12/+33
|
* o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-161-40/+52
| | | | | | o recover the ID support o show display counters to stderr o enable filtering by status and ID
* fix conntrack -U -p tcp [...]/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-131-10/+7
|
* This is a major improvement of the conntrack command line tool:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-131-69/+220
| | | | | | | | o check for missing source/address IP/ports in creation and get operations o way more flexible conntrack updates and deletions o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki) o show display counters to stderr o minor cleanups
* o simplify parameter-handling code/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-121-217/+138
| | | | | o check for missing source/address IP/ports o minor cleanups
* improve netlink overrun handling/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-094-74/+99
|
* fix asymmetric path support (still some open concerns)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-082-4/+63
|
* fix compilation in ARM (reported by Thiemo Seufer via Max Kellermann)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-081-0/+1
|
* fix minor compilation issue in amd64 with gcc4.3 (reported by Daniel Schepler/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-261-1/+1
| | | | via M.Kellermann)
* Krzysztof Oledzki <ole@ans.pl>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-252-2/+6
| | | | | o add ICMPv6 (-p icmpv6) support o add possibility to distinguish between invalid (unknown) and empty proto
* revert relicensing... still we use linux_list.h code which seems to be GPLv2 ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-0830-30/+30
| | | | only which is incompatible AFAIK
* relicense conntrack-tools as GPLv3+, so far the most significant contributor ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-0830-30/+30
| | | | has been Max Kellermann and has no issues with relicensing their contributions.
* cleanup: remove config_set from main(), use config_file variable instead/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-221-4/+3
|
* compose the file descriptor set at initialization stage to save some cycles/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-195-19/+99
|
* From: Max Kellermann <max@duempel.org>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-144-18/+18
| | | | whitespace cleanups