conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-0.9.10 2009-01-25T20:00:03+00:00 2009-01-25T20:00:03+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T20:00:03+00:00 urn:sha1:9532b922795943b0ea24e18cc878b28b7833b92e Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T18:15:01+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T18:15:01+00:00 urn:sha1:8b7937e8a3864d84992e931ace69172ba171d875 This patch details a bit more the hashtable parameters. Moreover, it increases the default size of the hashtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T17:50:43+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T17:50:43+00:00 urn:sha1:afb9b7f9ee21df97754648d832fcee2b778b277a This patch fixes a wrong use of 'from' instead of 'From' in the example configuration files. Reported-by: Yoann Juet <yoann.juet@univ-nantes.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T17:21:26+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T17:21:26+00:00 urn:sha1:2aeebebf6d6a48d57023e3c7953ddd9088284f99 This patch disables CommitTimeout by default. The daemon now uses the approximate timeout calculation by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T16:53:21+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T16:53:21+00:00 urn:sha1:30ab4eae6a196102285fd649119fa2d9afe35a32 This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP TIME_WAIT state. This patch is a workaround, the daemon should propagate the internal TCP flags to make it fully independent of possible changes in the TCP tracking code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T16:53:14+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T16:53:14+00:00 urn:sha1:cced587d766b9194b698a156d241766d5bad8a9d This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds provides good real-time reaction in terms of user-side expected behaviour, but it is too small if you trigger random failure in a firewall cluster. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T16:53:05+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T16:53:05+00:00 urn:sha1:50c09dec9ad0261d8fcc18d69b2c9ec74052955c During the commit phase, the entries in the external cache entries are inserted in the kernel conntrack table. Currently, we use a fixed timeout that is specified in the config file. With this patch, if you don't specify the fixed timeout value via CommitTimeout, the daemon calculates the real timeout value during the commit phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T16:53:02+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T16:53:02+00:00 urn:sha1:1c9faf8c218bc7ff4617557383e4116f1adb11e5 The lifetime feature is used by all working modes, it is useful to know how long it has been an entry living in the cache. This patch moves the lifetime feature to the main caching code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T16:52:56+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T16:52:56+00:00 urn:sha1:eec8fdf57f34fe0d80b884ad0e376ed24c63ffcc With this patch, the `-t' option adds an alarm that will flush the cache after CONFIG(purge_timeout) seconds specified in the config file. This looks much cleaner and more performance that looping on the entire conntrack table to set the new timeout of every single entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-01-25T16:51:23+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-01-25T16:51:23+00:00 urn:sha1:b9ee88a0fdb20ed847f05efce1b0abdc8afbabaf This patch removes the clone conntrack objects created before calling nl_*_conntrack functions since they are not required anymore (the previous patch guarantees that objects passed as parameter are not modified). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>