conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-0.9.8 2008-10-21T18:14:10+00:00 2008-10-21T18:14:10+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T18:14:10+00:00 urn:sha1:bcb482d23f95c130faa54f7831ea661ad120a89c This patch adds missing information on -t when conntrackd is invoked with -h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T17:11:42+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T17:11:42+00:00 urn:sha1:50162d3c19e38a491d95ec26767438ec25bab0dc This patch avoids a double filtering in user-space and kernel-space if the kernel support BSF. Since we do not use BSF for dumps and resyncs, we add a new parameter to ignore_conntrack to indicate if we have to perform the filtering in user-space or not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T17:05:02+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T17:05:02+00:00 urn:sha1:6d6ebd1247076c88ceeb8d9528d62cd38a5e909a Currently, oprofile reports ~17% of sample in the hashing. With this patch, that uses jhash2 instead of a double call to jhash and one to jhash_2words, it goes down to ~11%. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T16:50:51+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T16:50:51+00:00 urn:sha1:705435f574e45348f5613672588b453d6285ef20 This patch fixes a segfault when conntrackd -k is invoked for an instance of conntrackd with no use of the Filter clause. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21T16:25:12+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-21T16:25:12+00:00 urn:sha1:5fa52f81764d078d0a719a8902ad00a0d3acd511 This patch adds a log message to tell that conntrackd are using kernel-space filtering. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-20T12:17:13+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-20T12:17:13+00:00 urn:sha1:5000afe7e1a3ae4a14995e051d3ee716d8a6c784 This patch fixes double insertion in the tx_list if we receive two (or more) consecutive resync request in short time. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-20T12:15:46+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-20T12:15:46+00:00 urn:sha1:9c2fd73489f516eb56f8fe216913ea70e3b4a76a This patch fixes a problem that is reported by conntrackd while trying to parse the example configuration file. We fix this instead of the example file to make it consistent with other replication approaches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-20T12:13:51+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-20T12:13:51+00:00 urn:sha1:a7c245bafd98a04414903787448ac17bb0922b70 This patches fixes two problems: - If we failt to update an entry, we remove it and try again. This happens when we still have an entry in a final state like TIME_WAIT while we see a new connection (SYN_SENT) with the same tuple. In this particular case, we fail to update since some status bits are only settable, but not unsettable. - If we hit ETIME in an update, we have to go over the creation patch, otherwise we hit ENOENT in the next run. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-20T12:09:04+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-20T12:09:04+00:00 urn:sha1:8509a878c0df580b7496c7fd0afd961c4c3c771d This patch fixes a problem that allows the update of entries that are scheduled to be removed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-16T13:40:49+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-10-16T13:40:49+00:00 urn:sha1:b8ed29727d24862523d57066ede86635d8dbacbf This patch cleanups the NAT filtering. The former code had three branches, one if src and dst NAT are set, else one if src NAT is set, else one if dst NAT is set. Now, we check if src NAT is set or if dst NAT is set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>