conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-0.9.8 2008-10-21T18:32:05+00:00 2008-10-21T18:32:05+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T18:32:05+00:00 urn:sha1:51bba395e55c839ee680ccc2ed69f3ba11597424 This patch bumps the version to 0.9.8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T18:14:10+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T18:14:10+00:00 urn:sha1:bcb482d23f95c130faa54f7831ea661ad120a89c This patch adds missing information on -t when conntrackd is invoked with -h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T18:13:07+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T18:13:07+00:00 urn:sha1:0b5f55747b9009e6d1877a1d1a00081d8c468e6b This patch updates the conntrackd manpage some re-writes, missing options and new dependencies. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T17:53:23+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T17:53:23+00:00 urn:sha1:05c78bc9b5c198a3bd9211aabe467acbbb672b8b This patch removes the documentation about the CacheWriteTrhough clause. This feature is scheduled for removal since the asynchronous nature of conntrackd does not allow multi-path routing support. I'm lying, actually there's a chance to support it, but we have to guarantee that the RTT in the message synchronization between the firewall is smaller than the RTT between the peer and the firewalls. Moreover, this option has made more bad than good since people enable it when things don't work. Making the whole troubleshooting more complicated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T17:11:42+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T17:11:42+00:00 urn:sha1:50162d3c19e38a491d95ec26767438ec25bab0dc This patch avoids a double filtering in user-space and kernel-space if the kernel support BSF. Since we do not use BSF for dumps and resyncs, we add a new parameter to ignore_conntrack to indicate if we have to perform the filtering in user-space or not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T17:05:02+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T17:05:02+00:00 urn:sha1:6d6ebd1247076c88ceeb8d9528d62cd38a5e909a Currently, oprofile reports ~17% of sample in the hashing. With this patch, that uses jhash2 instead of a double call to jhash and one to jhash_2words, it goes down to ~11%. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T16:50:51+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T16:50:51+00:00 urn:sha1:705435f574e45348f5613672588b453d6285ef20 This patch fixes a segfault when conntrackd -k is invoked for an instance of conntrackd with no use of the Filter clause. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T16:25:12+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T16:25:12+00:00 urn:sha1:5fa52f81764d078d0a719a8902ad00a0d3acd511 This patch adds a log message to tell that conntrackd are using kernel-space filtering. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-20T14:52:04+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-20T14:52:04+00:00 urn:sha1:5936f6852a919a84b89dcdcced182ecc07a21be5 This patch rises the default value of the hashtables in terms of buckets and entries to the default value in nf_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-20T12:17:13+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-20T12:17:13+00:00 urn:sha1:5000afe7e1a3ae4a14995e051d3ee716d8a6c784 This patch fixes double insertion in the tx_list if we receive two (or more) consecutive resync request in short time. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>