conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-0.9.9 2008-12-17T18:34:16+00:00 2008-12-17T18:34:16+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-12-17T18:34:16+00:00 urn:sha1:f9f184dbd989248a3eb4c68a7e950780902fb196 This patch adds a note on the impact of having small values for the McastSndSocketBuffer and McastRcvSocketBuffer clauses. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-12-17T18:31:42+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-12-17T18:31:42+00:00 urn:sha1:8be4e1c72909d7003735d92f2b3c2175ff84d2d9 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-12-17T18:19:21+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-12-17T18:19:21+00:00 urn:sha1:9bc7d7f8f333e79323495a193f92c9d4f1708da9 2008-12-17T18:08:59+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-12-17T18:08:59+00:00 urn:sha1:a3c63cd051503207459ba01cddb7e468d6ac10e3 This patch replaces "destroy" by "control" messages. Actually, the resend queue contains the maximum amount of control messages that we store to resend them in case of message omission. This patch also clarifies which is a good size to have. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-12-17T17:54:27+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-12-17T17:54:27+00:00 urn:sha1:789cfad661f4fbaa97384efa5843a60027b1ec91 This patch documents the SocketBufferSize and SocketBufferSizeGrowth clause. It also rises the default values which are fairly small for busy firewalls. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-12-17T17:38:38+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-12-17T17:38:38+00:00 urn:sha1:02486b7c22beee4ac8af694a1073d33775d0d388 This patch replaces SocketBufferSizeMaxGrown by SocketBufferSizeMaxGrowth. Both clauses are still valid but better to use the one that has no typos in the configuration files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-11-30T10:40:36+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-11-30T10:40:36+00:00 urn:sha1:1fadc34c80a17e291f5ae86ecb84efbdb2aab265 This patch moves `Checksum' into the `Multicast' clause. This property is dependent of the multicast configuration. This patch is required to introduce the redundant dedicated link support that is on the way. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-11-25T22:34:48+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-11-25T22:34:48+00:00 urn:sha1:b2edf895af82914ab09a842641a45b7a806e9b1e This patch adds CIDR-based filtering support. The current implementation is O(n). This patch also introduces the vector data type which is used to store the IP address and the network mask. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-11-18T09:33:33+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-11-18T09:33:33+00:00 urn:sha1:6d8903cbf33ac10e8e03f884a58e374adc366887 This patch changes the current behaviour of the filtering selection. Up to now, conntrackd has used the kernel version to select the filtering method based on the following logic: If kernel is >= 2.6.26 we use BSF-based filtering from kernel-space, otherwise, default to userspace. However, this filtering method still lacks of IPv6 support and it requires a patch that got into 2.6.29 to filter IPv6 addresses from kernel-space. To fix this issue, we default to user-space filtering and let the user choose the method via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T20:48:31+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T20:48:31+00:00 urn:sha1:61a1120a6bf28e9206e012f6c327b67d50edc1c8 This patch increases the size of the acknowledgment window based on some experiments in my testbed with oprofile. The previous default value was too small. This resulted in too many cycles to empty the resend queue. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>