Updating upstream with merged content from netfilter conntrack-tools version 1.0.1

1 files changed, 105 insertions, 1 deletions

diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6dfca98..d94bd85 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -73,6 +73,7 @@ static void __max_dedicated_links_reached(void);
 %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR
 %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
 %token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
+%token T_OPTIONS T_TCP_WINDOW_TRACKING T_EXPECT_SYNC
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -808,8 +809,65 @@ sync_line: refreshtime
 	 | state_replication
 	 | cache_writethrough
 	 | destroy_timeout
+	 | option_line
 	 ;
 
+option_line: T_OPTIONS '{' options '}';
+
+options:
+       | options option 
+       ;
+
+option: T_TCP_WINDOW_TRACKING T_ON
+{
+	CONFIG(sync).tcp_window_tracking = 1;
+};
+
+option: T_TCP_WINDOW_TRACKING T_OFF
+{
+	CONFIG(sync).tcp_window_tracking = 0;
+};
+
+option: T_EXPECT_SYNC T_ON
+{
+	CONFIG(flags) |= CTD_EXPECT;
+	CONFIG(netlink).subsys_id = NFNL_SUBSYS_NONE;
+	CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+				 NF_NETLINK_CONNTRACK_UPDATE |
+				 NF_NETLINK_CONNTRACK_DESTROY |
+				 NF_NETLINK_CONNTRACK_EXP_NEW |
+				 NF_NETLINK_CONNTRACK_EXP_UPDATE |
+				 NF_NETLINK_CONNTRACK_EXP_DESTROY;
+};
+
+option: T_EXPECT_SYNC T_OFF
+{
+	CONFIG(netlink).subsys_id = NFNL_SUBSYS_CTNETLINK;
+	CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+				 NF_NETLINK_CONNTRACK_UPDATE |
+				 NF_NETLINK_CONNTRACK_DESTROY;
+};
+
+option: T_EXPECT_SYNC '{' expect_list '}'
+{
+	CONFIG(flags) |= CTD_EXPECT;
+	CONFIG(netlink).subsys_id = NFNL_SUBSYS_NONE;
+	CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+				 NF_NETLINK_CONNTRACK_UPDATE |
+				 NF_NETLINK_CONNTRACK_DESTROY |
+				 NF_NETLINK_CONNTRACK_EXP_NEW |
+				 NF_NETLINK_CONNTRACK_EXP_UPDATE |
+				 NF_NETLINK_CONNTRACK_EXP_DESTROY;
+};
+
+expect_list:
+            | expect_list expect_item ;
+
+expect_item: T_STRING
+{
+	exp_filter_add(STATE(exp_filter), $1);
+}
+
 sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
 {
 	conf.flags |= CTD_SYNC_ALARM;
@@ -1221,6 +1279,44 @@ filter_protocol_item : T_TCP
 				 pent->p_proto);
 };
 
+filter_protocol_item : T_UDP
+{
+	struct protoent *pent;
+
+	pent = getprotobyname("udp");
+	if (pent == NULL) {
+		print_err(CTD_CFG_WARN, "getprotobyname() cannot find "
+					"protocol `udp' in /etc/protocols");
+		break;
+	}
+	ct_filter_add_proto(STATE(us_filter), pent->p_proto);
+
+	__kernel_filter_start();
+
+	nfct_filter_add_attr_u32(STATE(filter),
+				 NFCT_FILTER_L4PROTO,
+				 pent->p_proto);
+};
+
+filter_protocol_item : T_UDP
+{
+	struct protoent *pent;
+
+	pent = getprotobyname("udp");
+	if (pent == NULL) {
+		print_err(CTD_CFG_WARN, "getprotobyname() cannot find "
+					"protocol `udp' in /etc/protocols");
+		break;
+	}
+	ct_filter_add_proto(STATE(us_filter), pent->p_proto);
+
+	__kernel_filter_start();
+
+	nfct_filter_add_attr_u32(STATE(filter),
+				 NFCT_FILTER_L4PROTO,
+				 pent->p_proto);
+};
+
 filter_item : T_ADDRESS T_ACCEPT '{' filter_address_list '}'
 {
 	ct_filter_set_logic(STATE(us_filter),
@@ -1561,6 +1657,7 @@ init_config(char *filename)
 	/* Zero may be a valid facility */
 	CONFIG(syslog_facility) = -1;
 	CONFIG(stats).syslog_facility = -1;
+	CONFIG(netlink).subsys_id = -1;
 
 	yyrestart(fp);
 	yyparse();
@@ -1599,7 +1696,7 @@ init_config(char *filename)
 	/* default number of bucket of the hashtable that are committed in
 	   one run loop. XXX: no option available to tune this value yet. */
 	if (CONFIG(general).commit_steps == 0)
-		CONFIG(general).commit_steps = 64;
+		CONFIG(general).commit_steps = 8192;
 
 	/* if overrun, automatically resync with kernel after 30 seconds */
 	if (CONFIG(nl_overrun_resync) == 0)
@@ -1609,5 +1706,12 @@ init_config(char *filename)
 	if (CONFIG(channelc).error_queue_length == 0)
 		CONFIG(channelc).error_queue_length = 128;
 
+	if (CONFIG(netlink).subsys_id == -1) {
+		CONFIG(netlink).subsys_id = NFNL_SUBSYS_CTNETLINK;
+		CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+					 NF_NETLINK_CONNTRACK_UPDATE |
+					 NF_NETLINK_CONNTRACK_DESTROY;
+	}
+
 	return 0;
 }