conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-0.9.14 2009-12-19T14:24:20+00:00 2009-12-19T14:24:20+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-10-06T09:19:28+00:00 urn:sha1:65645763ebe870fa01b5c1a5dbe810feb9397ff2 This patch adds state-synchronization for ICMP. You SHOULD use a Linux kernel >= 2.6.31, otherwise this patch can result in tons of state-updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-10-20T23:43:07+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-10-20T23:43:07+00:00 urn:sha1:8ad5df6121c46753a6d12fafa5ab9da309ddb721 This patch adds the clause `DisableInternalCache' that allows you to bypass the internal cache. This clause can only be used with the notrack synchronization mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-09-23T16:12:37+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-09-23T16:12:37+00:00 urn:sha1:6360f319362fd13c86c3387a4bac57665d5ecd73 Under stress, the TCP stack may return EAGAIN if there is not space left in the sender buffer. We also enqueue any other error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-09-23T13:18:30+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-09-23T13:18:30+00:00 urn:sha1:da1160ad2c6e05c9e5594e17e5e35cbb461871e4 This patch fixes a bug in the TCP support that breaks re-connections of the client side if several TCP channels are used in the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-09-11T14:19:41+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-09-11T14:19:41+00:00 urn:sha1:189dbc5853ce73448ca0d2423bbac3aa23712478 Use the TCP header size (20 bytes) instead of the UDP header size (8 bytes) to calculate the maximum packet size. Reported-by: Samuel Gauthier <samuel.gauthier@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-09-03T10:18:43+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-09-03T10:18:43+00:00 urn:sha1:9d2c667b951fa67f70bebc863f005dd1d10de91c We cannot assume that we will not write in the net message before we send it, because the memory allocated for the net message (__net) is only reserved in BUILD_NETMSG (because of the { } block in it). This patch marks the buffer as static to avoid this problem. Based on a patch from Samuel Gauthier <samuel.gauthier@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-08-23T10:11:20+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-08-23T10:11:20+00:00 urn:sha1:cf3be894fcb95adb360425c8482954522e9110d2 This patch adds support for TCP as protocol to replicate state-changes between two daemons. Note that this only makes sense with the notrack mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-08-21T14:06:11+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-08-21T14:06:11+00:00 urn:sha1:9d99a7699d7021a1c219d6553e037ac7ba4a5a37 With this patch, we can remove file descriptors dinamically from our own file descriptor pool. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-08-21T14:06:08+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-08-21T14:06:08+00:00 urn:sha1:58411110894c0a9e6a1a1ec9dbdf2fbe2ef3da00 This patch reduces the number of gettimeofday syscalls by caching the current time in a variable at the beginning of the main loop. Based on a suggestion from Vincent Jardin. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2009-08-19T14:59:38+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-08-19T14:59:38+00:00 urn:sha1:3e6852f806c4368eda451b39f12b2ac2f2b5d33b This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>