conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=lithium 2015-09-08T18:10:13+00:00 2015-09-08T18:10:13+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-21T17:18:38+00:00 urn:sha1:882bb111285a3a4465995b4af03040a291145d7b Since dd73ceecdbe8 ("nfct: Update syntax to specify command before subsystem") the command comes before the object type. Update documentation accordingly. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-03-12T12:34:57+00:00 Ash Hughes ashley.hughes@blueyonder.co.uk 2014-03-08T21:13:34+00:00 urn:sha1:92246dcc1fdcf222302a42926e0e95af2c30463e Here is a patch which adds a userspace conntrack helper for the SSDP protocol. This is based on the code found at: http://marc.info/?t=132945775100001&r=1&w=2 I'm not sure how to get my laptop to play at IPv6, so I've not tested this part, but I've tested the IPv4 section and it works. Signed-off-by: Ash Hughes <ashley.hughes@blueyonder.co.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-09-26T16:52:26+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-08-06T12:21:04+00:00 urn:sha1:36118bfc4901b0978d2c8f17912fe91ec66f35e8 This patch adds support for the DHCPv6 helper. 1) nfct helper add dhcpv6 inet6 udp 2) ip6tables -I OUTPUT -t raw -p udp --sport 546 -j CT --helper dhcpv6 3) run conntrackd You should see: % conntrack -L exp -f ipv6 279 proto=17 src=:: dst=ff02::1:2 sport=0 dport=546 mask-src=:: mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=fe80::221:ccff:fe4a:7f9c master-dst=ff02::1:2 sport=546 dport=547 PERMANENT class=0 helper=dhcpv6 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-10T11:24:59+00:00 Pablo Neira Ayuso pablo@netfilter.org 2012-09-10T11:17:24+00:00 urn:sha1:febb3cceac1889fb6558b8ef40ac733072fdcd47 This patch adds the QueueLen option, that allows you to increase the maximum number of packets waiting in the nfnetlink_queue to receive a verdict from userspace. Rising the default value (1024) is useful to avoid hitting the following error message: "nf_queue: full at X entries, dropping packets(s)". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-01T17:20:17+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-05-15T12:43:20+00:00 urn:sha1:40f4330e6b50ed2b198549b1006c6fcb349f5a3b Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-01T17:20:12+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-05-15T12:31:35+00:00 urn:sha1:969d93f14fffadb5cae67a7662484c1e064bbff1 How to use this helper in a few steps: 1) You can enable this helper via: nfct helper add rpc inet tcp nfct helper add rpc inet udp 2) Configure /etc/conntrackd/conntrackd.conf and launch it. 3) You can test this helper locally with the following rule-set: iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -P OUTPUT DROP 4) Configure NFS and export some local directory. Then, mount it with version 3. mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/ You should see permanent expectations created for this. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-01T17:20:06+00:00 Pablo Neira Ayuso pablo@netfilter.org 2012-05-14T23:51:29+00:00 urn:sha1:5e8f64f46cb1dd71b0a94cb7dad87da00b8c5e32 This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space. There's one example file that you can use to configure conntrackd as user-space connection tracking helper under: doc/helper/conntrackd.conf Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>