conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=upstream 2015-10-02T06:43:42+00:00 2015-10-02T06:43:42+00:00 Alex Harpin development@landsofshadow.co.uk 2015-10-02T06:43:42+00:00 urn:sha1:ef5ae91676c8ada2a12ea72f889a54452dd94981 2015-09-29T18:39:42+00:00 Daniel Borkmann daniel@iogearbox.net 2015-08-25T13:33:51+00:00 urn:sha1:8845f3db20c951fcf1db3229a818cfd185f17f2e This patch adds support for zone directions. Since all options have the orig/reply as a prefix, I named it --orig-zone and --reply-zone to stay consistent with the rest of the cmdline options. As for the option chars, there was no unallocated reasonable combination, thus only long options are officially exposed in the help, similarly as in other cases. Test suite results, after patch: OK: 79 BAD: 0 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-26T18:43:55+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-21T17:18:38+00:00 urn:sha1:dd73ceecdbe87b6ecf9e96643cd5326e520d7a1c This patch gets the nfct syntax in sync with nft so it looks like this: nfct <add|delete|...> object ... instead of: nfct object <add|delete|...> ... This patch retains backward compatibility so you can still use the old syntax. The manpage and tests have been also updated to promote the adoption of this syntax. We should have little existing clients of this tool as we can only use this to configure the cttimeout and cthelper infrastructures. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-26T18:43:55+00:00 Arturo Borrero arturo.borrero.glez@gmail.com 2015-08-20T11:38:42+00:00 urn:sha1:6ea080984022c6ece3e465d81b7b0b0f9709d356 The nfct program uses none of the symbols of libnetfilter_conntrack. Linking against it means that distributors have to maintain an useless depedency. This was spotted by the dpkg-shlibdeps tool. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-18T17:22:07+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-18T17:16:26+00:00 urn:sha1:4134f1dafcc981757c40177bb3c5a3a7a144ff30 Fortunately, the TLVs come in order in the message, however, if the order is changed we'll incorrectly set up the expectation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-18T17:22:07+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-18T17:11:42+00:00 urn:sha1:09d14955e436b144bc69b998c172b3ea47683195 This is not exposed, but use the strncpy() variant to calm down static code validators. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-18T17:22:07+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-18T17:08:37+00:00 urn:sha1:743e4948eb3bdbdb3a7751c54f2c715ba829afd2 The same code is executed regardless the reason why accept() has failed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-18T17:22:06+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-18T17:05:23+00:00 urn:sha1:097bb594e6844fe3edc1b01768a8ced37433378b Make sure we have a clean exit on error, everything needs to be properly released. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-18T17:22:06+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-18T16:59:18+00:00 urn:sha1:99dc0ba1e12c40a1c69c6f831a78a06248b3e2a4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-18T17:22:06+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-08-18T16:56:51+00:00 urn:sha1:be691dc236610ab349c3bffb9a891613f75c6ebe Release the child_process structure in case that fork() fails. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>