<feed xmlns='http://www.w3.org/2005/Atom'>
<title>conntrack-tools.git/src, branch conntrack-tools-0.9.15</title>
<subtitle>conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git)
</subtitle>
<id>https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-0.9.15</id>
<link rel='self' href='https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-0.9.15'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/'/>
<updated>2010-07-13T09:30:08+00:00</updated>
<entry>
<title>conntrackd: fix parsing of NAT sequence adjustment in synchronization messages</title>
<updated>2010-07-13T09:30:08+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2010-07-13T09:30:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=1f3c6df4f8984fce347718cca09dd0e2fa138ce1'/>
<id>urn:sha1:1f3c6df4f8984fce347718cca09dd0e2fa138ce1</id>
<content type='text'>
This patch fixes a bug that results in an incorrect parsing of
the NAT sequence adjustment in synchronization messages.

Spotted by Adam Gundy in the following message that was sent to the
netfilter ML: http://marc.info/?l=netfilter&amp;m=127894708222913&amp;w=2

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: replace cryptic `mfrm' by `malformed' in `-s'</title>
<updated>2010-07-09T14:45:48+00:00</updated>
<author>
<name>Mohit Mehta</name>
<email>mohit.mehta@vyatta.com</email>
</author>
<published>2010-07-09T14:45:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=2e4b408ab7dd76bfaefd6cb5ea69fdff381a4b76'/>
<id>urn:sha1:2e4b408ab7dd76bfaefd6cb5ea69fdff381a4b76</id>
<content type='text'>
Looking at the output of `conntrackd -s`, I didn't know what 'mfrm'
meant under the 'message sequence tracking' section so I had to look
up the code for this. While doing so, I replaced 'mfrm' with
'malformed' in the output since I thought other users might be
confused as well as I was looking at that word.

Signed-off-by: Mohit Mehta &lt;mohit.mehta@vyatta.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: setup event reliability after handler creation</title>
<updated>2010-07-07T12:42:22+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2010-07-07T12:42:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=5bec6c7dbc3bafd5befa60381d2e6b743b7b4b98'/>
<id>urn:sha1:5bec6c7dbc3bafd5befa60381d2e6b743b7b4b98</id>
<content type='text'>
This patch enables the event reliability in an early stage of the
event handler initialization.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: open event handler once cache has been populated</title>
<updated>2010-07-07T12:34:45+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2009-12-31T18:10:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=a5c2a83f907a6a82912165bf2ef67ded13e84bc1'/>
<id>urn:sha1:a5c2a83f907a6a82912165bf2ef67ded13e84bc1</id>
<content type='text'>
With this patch, we open the event handler once the internal
cache (if any) is populated. This reduces the chances of a
possible premature overrun if we launch conntrackd in a busy
firewall. However, we may still start with an internal cache
that may differ a bit from the one in the kernel.

This patch has no impact in setups where conntrackd is started
in a spare firewall.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: enforce strict logic for NetlinkBufferSize[*] clauses</title>
<updated>2010-07-07T10:39:48+00:00</updated>
<author>
<name>Mohit Mehta</name>
<email>mohit.mehta@vyatta.com</email>
</author>
<published>2010-07-07T10:39:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=5fe142121d73e7e261f9da532288f1857d25897b'/>
<id>urn:sha1:5fe142121d73e7e261f9da532288f1857d25897b</id>
<content type='text'>
- NetlinkBufferSize value passed to the kernel gets doubled [see SO_RCVBUF
  in net/core/sock.c]; it's halved now before it gets sent to the kernel.
  This ensures that the daemon starts up with a netlink socket buffer size
  equal to the value set for NetlinkBufferSize in the configuration file.

- Previously, netlink socket buffer size would only stop increasing after
  it had increased beyond NetlinkBufferSizeMaxGrowth value. With this commit,
  netlink socket buffer size increases as long as it is less than or
  equal to NetlinkBufferSizeMaxGrowth value.

Signed-off-by: Mohit Mehta &lt;mohit.mehta@vyatta.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrack: add zone support</title>
<updated>2010-07-05T15:58:45+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2010-07-05T15:58:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=3562ca2e16cac2af2ac6f344ba462b40a05d370f'/>
<id>urn:sha1:3562ca2e16cac2af2ac6f344ba462b40a05d370f</id>
<content type='text'>
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick McHardy's iptables
CT target.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: fix ICMPv6 support</title>
<updated>2010-07-01T15:38:07+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2010-07-01T15:38:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=c93ff79c70e1595af94abbadce685087f702c39b'/>
<id>urn:sha1:c93ff79c70e1595af94abbadce685087f702c39b</id>
<content type='text'>
This patch fixes several minor nitpicks to support IPv6 failover:

* ICMPv6 type/code/id were missing in synchronization messages.
* The use of '-' as string in the configuration file was not allowed.
* Include example in configuration file under doc/.

Reported-by: Mohit Mehta &lt;mohit.mehta@vyatta.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: update error message for max netlink socket size reached</title>
<updated>2010-07-01T15:26:55+00:00</updated>
<author>
<name>Mohit Mehta</name>
<email>mohit.mehta@vyatta.com</email>
</author>
<published>2010-07-01T15:26:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=70018069df0397a738498dfacf3a6130f732f0bc'/>
<id>urn:sha1:70018069df0397a738498dfacf3a6130f732f0bc</id>
<content type='text'>
It must refer to NetlinkBufferSize[*] instead of SocketBufferSize[*].

Signed-off-by: Mohit Mehta &lt;mohit.mehta@vyatta.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrack: cleanup parsing of the NAT arguments</title>
<updated>2010-07-01T15:09:49+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2010-07-01T15:09:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=8ece5d657d98727797f374a248c3c442e0aaa87a'/>
<id>urn:sha1:8ece5d657d98727797f374a248c3c442e0aaa87a</id>
<content type='text'>
This patch cleans up nat_parse() and it also displays nicer
error messages for malformed arguments.

% conntrack -L --src-nat :80
conntrack v0.9.14 (conntrack-tools): No IP specified
Try `conntrack -h' or 'conntrack --help' for more information.

% conntrack -L --src-nat 1.1.1.1:
conntrack v0.9.14 (conntrack-tools): No port specified after `:'
Try `conntrack -h' or 'conntrack --help' for more information.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrack: fix `conntrack --[src|dst|any]-nat IP:PORT' if port mismatches</title>
<updated>2010-07-01T14:52:41+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2010-07-01T14:52:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=0b3f6c9538da47d546a0bc12c8bf5d8dd8fc2fa7'/>
<id>urn:sha1:0b3f6c9538da47d546a0bc12c8bf5d8dd8fc2fa7</id>
<content type='text'>
This patch fixes the filtering if the IP matches an entry but the PORT
does not match. Without this patch, the entry is shown when it
should not be.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
