conntrack-tools.git/src, branch conntrack-tools-0.9.10

netlink: set IP_CT_TCP_FLAG_CLOSE_INIT for TIME_WAIT states

2009-01-25T16:53:21+00:00

This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP TIME_WAIT state. This patch is a workaround, the daemon should propagate the internal TCP flags to make it fully independent of possible changes in the TCP tracking code. Signed-off-by: Pablo Neira Ayuso

src: increase default PurgeTimeout value

2009-01-25T16:53:14+00:00

This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds provides good real-time reaction in terms of user-side expected behaviour, but it is too small if you trigger random failure in a firewall cluster. Signed-off-by: Pablo Neira Ayuso

src: add support for approximate timeout calculation during commit

2009-01-25T16:53:05+00:00

During the commit phase, the entries in the external cache entries are inserted in the kernel conntrack table. Currently, we use a fixed timeout that is specified in the config file. With this patch, if you don't specify the fixed timeout value via CommitTimeout, the daemon calculates the real timeout value during the commit phase. Signed-off-by: Pablo Neira Ayuso

cache: move lifetime feature to main cache code

2009-01-25T16:53:02+00:00

The lifetime feature is used by all working modes, it is useful to know how long it has been an entry living in the cache. This patch moves the lifetime feature to the main caching code. Signed-off-by: Pablo Neira Ayuso

src: change behaviour of `-t' option

2009-01-25T16:52:56+00:00

With this patch, the `-t' option adds an alarm that will flush the cache after CONFIG(purge_timeout) seconds specified in the config file. This looks much cleaner and more performance that looping on the entire conntrack table to set the new timeout of every single entry. Signed-off-by: Pablo Neira Ayuso

src: don't clone when calling nl_*_conntrack functions

2009-01-25T16:51:23+00:00

This patch removes the clone conntrack objects created before calling nl_*_conntrack functions since they are not required anymore (the previous patch guarantees that objects passed as parameter are not modified). Signed-off-by: Pablo Neira Ayuso

cache: mangle timeout inside nl_*_conntrack() functions

2009-01-25T16:51:18+00:00

This patch moves the timeout mangling inside nl_*_conntrack(). Signed-off-by: Pablo Neira Ayuso

cache: remove nl_exist_conntrack() function

2009-01-25T16:51:09+00:00

This function is a synonimous of nl_get_conntrack(), use the get function instead. Signed-off-by: Pablo Neira Ayuso

cache_iterators: start a clean session if commit finds an entry

2009-01-25T12:44:22+00:00

The current commit code updates an entry it still exists in the kernel. With this patch, we delete the entry and create a new one to make sure that we start a clean session. Signed-off-by: Pablo Neira Ayuso

conntrack: fix use of -u which is optional with -I

2009-01-21T13:59:48+00:00

The option --status can be used with -I. Currently, this behaviour is broken. conntrack v0.9.9 (conntrack-tools): Illegal option `--status' with this command Try `conntrack -h' or 'conntrack --help' for more information. Signed-off-by: Pablo Neira Ayuso