<feed xmlns='http://www.w3.org/2005/Atom'>
<title>conntrack-tools.git/src, branch conntrack-tools-1.0.0</title>
<subtitle>conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git)
</subtitle>
<id>https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-1.0.0</id>
<link rel='self' href='https://git.amelek.net/vyos/conntrack-tools.git/atom?h=conntrack-tools-1.0.0'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/'/>
<updated>2011-02-22T14:34:59+00:00</updated>
<entry>
<title>conntrack: display informative message if expectation table is flushed</title>
<updated>2011-02-22T14:34:59+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-22T14:34:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=88fd3dc90716e9d252cedcd668371743730acdcb'/>
<id>urn:sha1:88fd3dc90716e9d252cedcd668371743730acdcb</id>
<content type='text'>
With this patch, we display the following message after:

# conntrack -F expect
conntrack v0.9.15 (conntrack-tools): expectation table has been emptied.

To make it consistent with the message displayed with conntrack -F.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: remove use of deprecated nfct_maxsize()</title>
<updated>2011-02-18T11:15:52+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-18T11:15:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=4dd7a3c15830aa21548716798171e67cb14bca49'/>
<id>urn:sha1:4dd7a3c15830aa21548716798171e67cb14bca49</id>
<content type='text'>
This patch removes the use of nfct_maxsize() and several abusive
stack-based allocations.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrack: allocate template objects in the heap</title>
<updated>2011-02-17T18:05:32+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-17T18:05:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=3bb13acbff0983960e06eb33e0daa98c3dab472c'/>
<id>urn:sha1:3bb13acbff0983960e06eb33e0daa98c3dab472c</id>
<content type='text'>
With this patch, we don't abuse the stack anymore, instead we allocate
the template objects that are used in the heap.

We stop using nfct_maxsize() which is now deprecated in
libnetfilter_conntrack.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: use nfct_copy() with override flag in cache_object_new()</title>
<updated>2011-02-17T17:29:26+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-17T17:29:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=6c4ec15505b9fe878ade0b3e7cdbc8f0a26861cd'/>
<id>urn:sha1:6c4ec15505b9fe878ade0b3e7cdbc8f0a26861cd</id>
<content type='text'>
Using memcpy() is not safe, it breaks secctx and it may break
more things in the future. Moreover, nfct_size*() functions will
be deprecated soon, they are evil since they open the window
to memcpy().

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrack: add -o ktimestamp option (it requires linux &gt;= 2.6.38)</title>
<updated>2011-02-17T15:46:05+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-17T15:46:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=2bbb1655e38646d9a9a6f839d6ca22e4e554d2f2'/>
<id>urn:sha1:2bbb1655e38646d9a9a6f839d6ca22e4e554d2f2</id>
<content type='text'>
This option requires Linux kernel &gt;= 2.6.38, you have to enable conntrack
timestamping with:

echo 1 &gt; /proc/sys/net/netfilter/nf_conntrack_timestamp

# conntrack -L -o ktimestamp
udp      17 59 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=121 [start=Thu Feb 17 17:41:18 2011] use=1

# conntrack -L
conntrack v0.9.15 (conntrack-tools): 20 flow entries have been shown.
udp      17 31 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=149 use=1

# conntrack -E -o ktimestamp
...
[DESTROY] udp      17 src=192.168.1.128 dst=192.168.1.1 sport=40162 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=40162 [ASSURED] delta-time=3 [start=Thu Feb 17 17:44:57 2011] [stop=Thu Feb 17 17:45:00 2011]

# conntrack -E
[DESTROY] udp      17 src=192.168.1.128 dst=77.226.252.14 sport=123 dport=123 src=77.226.252.14 dst=192.168.1.128 sport=123 dport=123 delta-time=8

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: raise number of committed entries per step</title>
<updated>2011-02-16T16:33:54+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-16T16:28:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=016bfd317d0984331e53fa71d042af39d3049162'/>
<id>urn:sha1:016bfd317d0984331e53fa71d042af39d3049162</id>
<content type='text'>
This patch raises the number of committed entries per step from
64 to 8192. Experimental results in active-active setups here
show that we reduce the commit time with this value significantly.

This deserves some more study, it can be a good idea to remove
this commit per step completely. I leave this for the future.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: event iteration limiter is already reset in main select loop</title>
<updated>2011-02-16T13:25:18+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-16T13:25:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=dd24e2da2feaacc63e10a375e1909f035ea02543'/>
<id>urn:sha1:dd24e2da2feaacc63e10a375e1909f035ea02543</id>
<content type='text'>
This patch removes an unnecessary reset of the event iteration limiter
that is already done in the main select loop.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>cache: log if we received a commit request while already one in progress</title>
<updated>2011-02-15T00:51:11+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-15T00:51:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=c2acb11453fc75519862240298e106ac79274780'/>
<id>urn:sha1:c2acb11453fc75519862240298e106ac79274780</id>
<content type='text'>
This patch improves the case in which we receive a commit request
but we are already performing one. This behaviour is suspicious
since the HA manager should not trigger a double master transition.
Otherwise, something probably is not configured appropriately.

This improves 98756c2608f0879a2322919c7441973216565272
"cache: close commit request if we already have one in progress".

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>cache: close commit request if we already have one in progress</title>
<updated>2011-02-13T21:38:01+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-13T21:38:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=98756c2608f0879a2322919c7441973216565272'/>
<id>urn:sha1:98756c2608f0879a2322919c7441973216565272</id>
<content type='text'>
We close a commit request if there's already one in progress. This
patch fixes a problem that may be triggered if two consecutive commit
requests are received.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>sync: don't override initial return value of local handler</title>
<updated>2011-02-13T20:52:56+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2011-02-13T20:40:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=9173be30c4716ce6c1a4c9b73a3657bb8fc3327a'/>
<id>urn:sha1:9173be30c4716ce6c1a4c9b73a3657bb8fc3327a</id>
<content type='text'>
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
