conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=upstream 2015-08-26T18:43:55+00:00 2015-08-26T18:43:55+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-21T17:18:38+00:00 urn:sha1:dd73ceecdbe87b6ecf9e96643cd5326e520d7a1c This patch gets the nfct syntax in sync with nft so it looks like this: nfct <add|delete|...> object ... instead of: nfct object <add|delete|...> ... This patch retains backward compatibility so you can still use the old syntax. The manpage and tests have been also updated to promote the adoption of this syntax. We should have little existing clients of this tool as we can only use this to configure the cttimeout and cthelper infrastructures. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-05-13T13:53:28+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-10-01T11:28:11+00:00 urn:sha1:1ecda7339e8678c0b4debe7003b4a42791ad478e This new interface supersedes the /proc interface: /proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout to tune default conntrack timeout helpers. # nfct timeout default-get inet tcp .l3proto = 2, .l4proto = 6, .policy = { .SYN_SENT = 120, .SYN_RECV = 60, .ESTABLISHED = 432000, .FIN_WAIT = 120, .CLOSE_WAIT = 60, .LAST_ACK = 30, .TIME_WAIT = 120, .CLOSE = 10, .SYN_SENT2 = 120, .RETRANS = 300, .UNACKNOWLEDGED = 300, }, }; # nfct timeout default-set inet tcp ESTABLISHED 100 As replacement for the existing /proc interfaces for timeout tweaking. This feature requires a Linux kernel >= 3.13. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-11T20:43:55+00:00 Hani Benhabiles kroosec@gmail.com 2013-10-11T20:05:34+00:00 urn:sha1:f3a760cad83a30524ef40d55d18fa1489252c8fb helper's list and flush commands handlers shouldn't call mnl_socket_close on the passed netlink socket as it is done in the main function after parse_params call. Bug introduced in (3c78a45 nfct: src: consolidate netlink socket creation). Signed-off-by: Hani Benhabiles <kroosec@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-01T11:23:39+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-10-01T11:23:39+00:00 urn:sha1:3c78a4543e12f5e82bdd771971d3534fa452117b Open the socket from the main function, then pass it as parameter to the corresponding interpreter. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-01T11:22:41+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-09-30T18:09:57+00:00 urn:sha1:386968d321d02571b593b3bbbf39891f44397469 Add helper function nfct_mnl_talk and use it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-09-30T16:22:15+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-09-30T14:31:03+00:00 urn:sha1:5c0d2ffd9cc954b94344795deaaadb1a8fd68b59 This patch is a cleanup to split this function in smaller chunks. It is required to prepare default protocol timeout tuning via netlink. 2013-09-30T15:01:04+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-09-30T14:06:58+00:00 urn:sha1:b495e1d22faff636589a9646fbd4bb30902d3542 The kernel bails out for unsupported protocols. Moreover, we don't need to upgrade to support new protocols. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-09-26T16:52:26+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-09-26T16:25:45+00:00 urn:sha1:0cf75aaf19ffd08e7c63fee737423d01343f4cb9 Modularize timeout and helper extensions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-01T17:38:01+00:00 Pablo Neira Ayuso pablo@netfilter.org 2012-08-01T17:36:01+00:00 urn:sha1:f9ad41077c473884f33c6677f81119614d5a8eb2 Instead of hardcoded path to /usr/lib/conntrack-tools/ which might not be true if options like --prefix with different location is passed to conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-01T17:20:06+00:00 Pablo Neira Ayuso pablo@netfilter.org 2012-05-14T23:51:29+00:00 urn:sha1:5e8f64f46cb1dd71b0a94cb7dad87da00b8c5e32 This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space. There's one example file that you can use to configure conntrackd as user-space connection tracking helper under: doc/helper/conntrackd.conf Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>