Diffstat (limited to 'debian')
-rw-r--r-- | debian/README.source | 2 | ||||
-rw-r--r-- | debian/changelog | 1259 | ||||
-rw-r--r-- | debian/compat | 1 | ||||
-rw-r--r-- | debian/conntrack.install | 2 | ||||
-rw-r--r-- | debian/conntrackd.README.Debian | 8 | ||||
-rw-r--r-- | debian/conntrackd.conf | 101 | ||||
-rw-r--r-- | debian/conntrackd.default | 5 | ||||
-rw-r--r-- | debian/conntrackd.init | 61 | ||||
-rw-r--r-- | debian/conntrackd.install | 4 | ||||
-rw-r--r-- | debian/conntrackd.logrotate | 9 | ||||
-rw-r--r-- | debian/conntrackd.postinst | 17 | ||||
-rw-r--r-- | debian/conntrackd.postrm | 19 | ||||
-rw-r--r-- | debian/conntrackd.preinst | 25 | ||||
-rw-r--r-- | debian/control | 24 | ||||
-rw-r--r-- | debian/copyright | 21 | ||||
-rwxr-xr-x | debian/rules | 88 | ||||
-rw-r--r-- | debian/watch | 4 |
17 files changed, 1650 insertions, 0 deletions
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..b9e490d
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,2 @@
+We use dpatch for patch handling inside our nagios packages. Please see
+/usr/share/doc/dpatch/README.source.gz (if you have installed dpatch) for documentation about dpatch.
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..6c39ed9
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1259 @@
+conntrack (1:1.0.1-2+vyatta27) unstable; urgency=low
+
+ * forced release
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 30 May 2012 14:48:09 -0700
+
+conntrack (1:1.0.1-2+vyatta26) unstable; urgency=low
+
+ * forced release
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 30 May 2012 13:03:49 -0700
+
+conntrack (1:1.0.1-2+vyatta25) unstable; urgency=low
+
+ * force release:dependency fix on build machine
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 30 May 2012 10:55:48 -0700
+
+conntrack (1:1.0.1-2+vyatta24) unstable; urgency=low
+
+ * force release:post build dependency fix on build machine
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 30 May 2012 09:47:46 -0700
+
+conntrack (1:1.0.1-2+vyatta23) unstable; urgency=low
+
+ [ Pablo Neira Ayuso ]
+ * conntrack: allow to filter by mark from kernel-space
+ * conntrackd: allow using lower/upper case in ExpectationSync
+ * doc: add ras, q.931 and h.245 to examples configuration file
+ * doc: fix example on how to filter events via iptables CT target
+
+ [ Adrian Bridgett ]
+ * src: manpage and help display improvements
+
+ [ Pablo Neira Ayuso ]
+ * icmp[v6]: --icmp[v6]-[type|code] are optional for updates and
+ deletes
+
+ [ Florian Westphal ]
+ * conntrack: flush stdout for each expectation event, too
+
+ [ Pablo Neira Ayuso ]
+ * src: integrate nfct into the conntrack-tools tree
+ * tests: add nfct tests for cttimeout
+ * build: bump version to 1.2.0
+ * nfct: fix compilation warning in cttimeout support
+ * build: update dependencies with libnetfilter_conntrack (>= 1.0.1)
+ * move qa directory to tests/conntrack/
+ * tests: conntrack: add run-test.sh script
+ * add nfct(8) manpage
+ * add README.nfct
+ * nfct: fix compilation of timeout extension
+ * bump version to 1.2.1
+
+ [ Jan Engelhardt ]
+ * update .gitignore
+
+ [ Pablo Neira Ayuso ]
+ * conntrackd: simplify TCP connection handling logic
+ * conntrackd: generalize file descriptor infrastructure
+ * conntrackd: move ctnetlink code to ctnl.c (removed from run.c)
+ * conntrackd: add cthelper infrastructure (+ example FTP helper)
+
+ [ Jozsef Kadlecsik ]
+ * conntrackd: RPC helper added to cthelper
+ * conntrackd: TNS helper added to cthelper
+
+ [ Pablo Neira Ayuso ]
+ * tests: conntrackd: add cthelper-test infrastructure
+
+ [ Gaurav Sinha ]
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 30 May 2012 07:59:05 -0700
+
+conntrack (1:1.0.1-2+vyatta22) unstable; urgency=low
+
+ * force release:i386 vm build environ fixed
+
+ -- Gaurav <gaurav.sinha@vyatta.com> Mon, 09 Apr 2012 17:05:19 -0700
+
+conntrack (1:1.0.1-2+vyatta21) unstable; urgency=low
+
+ * new branch
+
+ -- Deepti Kulkarni <deepti@vyatta.com> Sat, 03 Mar 2012 02:24:17 -0800
+
+conntrack (1:1.0.1-2+vyatta20) unstable; urgency=low
+
+ [ Pablo Neira Ayuso ]
+ * conntrackd: add support expectation class synchronization
+ * conntrackd: add NAT expectation support
+ * conntrackd: add support to synchronize helper name
+ * conntrackd: support expectfn synchronization for expectations
+ * conntrackd: fix parsing of expectation class, helper name and NAT
+
+ [ Gaurav Sinha ]
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 08 Feb 2012 11:53:16 -0800
+
+conntrack (1:1.0.1-2+vyatta19) unstable; urgency=low
+
+ * reset epoch
+ * 1:1.0.1-2+vyatta18
+
+ -- Stephen Hemminger <stephen.hemminger@vyatta.com> Fri, 03 Feb 2012 09:01:41 -0800
+
+conntrack (1:1.0.1-2+vyatta18) unstable; urgency=low
+
+ * add epoch to version number to match Debian numbering
+
+ -- Stephen Hemminger <shemminger@vyatta.com> Tue, 31 Jan 2012 11:15:50 -0800
+
+conntrack (1.0.1-2+vyatta18) unstable; urgency=low
+
+ [ Pablo Neira Ayuso ]
+ * conntrackd: fix expectation filtering if ExpectationSync On is used
+ * conntrack: add expectation support for `-o' option
+ * conntrackd: support `-i exp -x' and `-e exp -x' options
+ * conntrack: fix setting fixed-timeout status flag
+
+ [ Gaurav Sinha ]
+ * Merge of conntrack-tools from netfilter.org with support for dumping
+ expectations in XML format.
+ * Revert "Merge of conntrack-tools from netfilter.org with support for
+ dumping expectations in XML format."
+ * updating version string for conntrack-tools to 1.0.1
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Mon, 23 Jan 2012 15:23:34 -0800
+
+conntrack (1.0.1-2+vyatta17) unstable; urgency=low
+
+ * Bumping version to 1.0.1
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Fri, 20 Jan 2012 16:09:58 -0800
+
+conntrack (0.9.14-2+vyatta16) unstable; urgency=low
+
+ * Fixing build issue in debian/rules
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Fri, 20 Jan 2012 16:09:58 -0800
+
+conntrack (0.9.14-2+vyatta15) unstable; urgency=low
+
+ [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ]
+ * add pablo's conntrack tool
+ * - add support for new list-conntrack-and-zero-counters flag (-z)
+ * add GPL
+
+ [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ]
+ * Major resync
+ * o Created changelog file
+ * Kill hardcoded CONNTRACK_LIB_DIR=/usr/local/lib, now it uses $prefix
+ value
+ * Simplify event_handler
+ * Completed some stuff related to protocol helpers:
+ * o Added descriptive error messages.
+ * Fix wrong handler number in expectation dumping + * Added missing libct_proto_icmp file + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * o Fixed syntax error (tab/space issue) in help message + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * o Use conntrack netlink attributes: Major change + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * major re-sync with current names/definitions in libctnetlink and + kernel + * libctnetlink now called libnfnetlink_conntrack + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * More re-sync to work fine with current ip_conntrack_netlink + implementation + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * use new header file + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * Resync to current libnfnetlink_conntrack and 2.6.14 tree + * Resync to 2.6.14 and libnfnetlink_conntrack + * Bumped version to 0.80 + * kill TODO file + * o Fix packet and bytes counters (use __be64_to_cpu) + * Fix ip_conntrack_netlink load-on-demand + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * make sure we build against KERELDIR! 
+ * get rid of old "-A" stuff + * get rid of c++ style comments + * major update (See ChangeLog) + * fix "dist-bzip2" for firt reelase + * make sure manpage is included in dist + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * o Fix up counters + * See Changelog + * See ChangeLog + * See ChangeLog + * See ChangeLog + * See ChangeLog + * See ChangeLog + * See ChangeLog + * See ChangeLog + * See ChangeLog + * See ChangeLog + * See ChangeLog. This fixes an indentation problem in conntrack.c, + I've separated + * See ChangeLog + * See ChangeLog + * o Add --id to the conntrack manpage + * o Fix --id parameter parsing + * See ChangeLog + * See ChangeLog + * See ChangeLog + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * add extra argument to nfct_register_callback() to accomodate change + in libnetfilter_conntrack + * update changelog + * we don't use libnfnetlink directly, so we don't link it explicitly + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * See ChangeLog + * See ChangeLog + * See ChangeLog + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * - rename plugisn to remove 'lib' prefix + * don't use library versioning for extensions + * we don't use libnfnetlink directly, so there is no need for having + configure script checking for it + * - don't install the header files when 'make install' is run. 
they're + private + * update changelog to reflect recent changes + * - get rid of KERNELDIR + * use AM_CFLAGS, not CFLAGS + * update revision to 0.99 + * linke with libnetfilter_conntrack + * some libc's don't have IPPROTO_SCTP yet + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * Fixed oversized number of options (Marcus Sundberg) + * o Add support to filter events. ie: -p tcp --orig-port-dst 80 in + * o Restore include "conntrack.h" in ICMP handler + * We only support ipv4 at the moment, set l3protonum to AF_INET + * More changes to prepare upcoming ipv4 support + * <pablo@netfilter.org> + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * add debian package support (Max Kellermann) + * use '1.00' instead of '1.0' as version number + * make 'rules' executable, remove 'tarball' from cdbs + * add 'debian' to EXTRA_DIST + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * o Added missing parameters to set the ports of an expectation tuple + * o Add support to filter dumped entries. 
ie: + * fix ICMP protocol extension parse callback + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org ] + * [PATCH] conntrack: Fix option parsing for ARM (Philip Craig + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org ] + * [PATCH] fix conntrack compilation (Eric Leblond <eric@inl.fr>) + * [PATCH]: Userspace code related to fixed timeout patch (Eric Leblond + <eric@inl.fr>) + * [PATCH 5/6] conntrack pkt-config changes (KOVACS Krisztian + <hidden@balabit.hu>) + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org ] + * comment `autoheader' invocation from autogen.sh, we don't need any + config.h file to compile the conntrack tool + + [ /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org ] + * [patch] conntrack compile fix (Thomas Jarosch + <thomas.jarosch@intra2net.com>) + * [patch] conntrack tool: Fix loading of protocol helpers (Thomas + Jarosch <thomas.jarosch@intra2net.com>) + + [ /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org ] + * initial import of the conntrack daemon to Netfilter SVN + * first step forward to merge conntrackd and conntrack into the same + building chain + * del initial daemon and cli directories + * - Merge conntrack and conntrackd changelogs, even if it will be + dropped from SVN soon. + * introduce conntrack(8) manpage + * - bump version to 0.9.3 + * - remove overkill recursive Makefile.am definition in examples/ (use + EXTRA_DIST) + * move test.sh into examples/ + * fix MODULE_DIR enviroment variable + * - add warning note to ctnl_test.c: old API is deprecated + * - update changelog + * o introduce '--output xml,extended,timestamp' option for '-L', '-G' + and '-E' + * add script for keepalived fault state (eg. 
unplugged cable/link + down) + * - remove dead code sync-mode.c + * - introduce cache_iterate + * add missing ignore_conntrack in the overrun handler + * - update TODO list + * simplify checksum code: use UDP/multicast checksum facilities + * conntrack --output requires one parameter (Krzysztof Oledzki) + * fix silly bug in build_network_message: out of bound memset + * fix error message in configure.in (Eric Leblond) + * o remove useless backlog parameter in multicast sockets + * o use NFCT_SOPT_SETUP_* facilities: nfct_setobjopt + * add aliases --sport and --dport to make it more iptables-like + * commit phase: if conntrack exists, update it + * - add support for `-L --src-nat' and `-L --dst-nat' to show natted + connections + * add library dependency checking + * remove dlopen infrastructure: simplification, it was too much for it + * - local requests return EXIT_FAILURE if it can't connect to the + daemon + * - more cleanups and code refactorization + * fork when internal/external dump and commit requests are received + * fix dyslexia bug in Changelog (Pablo... we live in 2007, not in + 2006) and + * do not include .svn directories in tarballs + * - conntrack-tools requires libnetfilter_conntrack >= 0.0.81 + * conntrackd: + * include protocol filter parameters in the manpage + * minor fix in the last commit: check conf->mtu instead of mtu that is + < 0 + * - simplify cache_flush function: use cache_del() + * fix NAT in changes committed in r6904 + * prepare 0.9.5 release + * remove script_fault.sh script + * conntrackd requires the connection tracking event API: insist more + in INSTALL + * conntrack-tools compilation problem (K.Kovacs) + * improve INSTALL file + * Remove window tracking disabling limitation (requires Linux kernel + >= 2.6.22) + * bump libnetfilter_conntrack version dependency + * add syslog support and bump version + * Add CacheWriteThrough clause: external cache write through policy. 
+ This feature is particularly useful for active-active setup without + connection persistency, ie. you cannot know which firewall would + filter a packet that belongs to a connection. + * = conntrack = + * raise ignorepoll limit from 1024 to INT_MAX + * o Use more appropriate names for the existing synchronization modes: + * fix minor typo in warning message + + [ Ayuso/emailAddress=pablo@netfilter.org ] + * rename `examples' directory to `doc' + * o add support for related conntracks (requires Linux kernel >= + 2.6.22) + + [ /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org ] + * show error and warning messages to stderr + * - hash lookup speedups based on comments from netdev's discussions + * o add support for connection logging to the statistics mode via + Logfile + * add more descriptive information to the conntrackd.conf example file + for the stats mode + * update TODO file: logging for the statistics has been implemented + * Ben Lentz <BLentz@channing-bete.com>: + * Ben Lentz <BLentz@channing-bete.com>: + * obsolete `-S' option: Use information provided by the config file + * update conntrackd(8) manpage last update reference + * daemonize conntrackd after initialization + * rename class `buffer' to `queue' which is what it really implements + * implement buffered connection logging to improve performance + * fix logfiles permissions, do not default to umask + * fix make distcheck + * fix segfaul in the exit path for the statistics mode (introduced in + r7175) + * wake up the daemon iff there are real events to handle instead of + polling (Based on comments from Max Kellerman) + * fix statistics mode CPU sucks up (broken with 7178) + * fix buffer flush before exiting + * add support for tagged vlan interfaces in the config file, e.g. 
+ eth0.1 + * o remove -lpthread during compilation + * add support for `conntrack -E -o xml,timestamp' + * set up the configuration flags when defaulting + * improve alarm framework based on suggestions from Max Duempel + * make sure add_alarm() and mod_alarm() insert sorted by due time + * fix overflow in usecs in mod_alarm() + * fix broken next alarm calculation in the run loop + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org> + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * constify queue_iterate() + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Add include/netlink.h and include/traffic_stats.h + * add traffic_stats.h and netlink.h to include/Makefile.am + * merge several *_alarm() functions into init_alarm() + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * minor constification fixes + * use list_del_init() and list_empty() to check if a node is in the + list + * more list_empty() use instead of directly check the header + * Max Kellermann <max@duempel.org>: + * fix missing bracket + * remove unrequired list_del_init in alarm.c + * remove unix socket file on exit + * use umask() to set up file permissions + * fix missing command initialization (breakage introduced in r7208) + * Max Kellermann <max@duempel.org>: + * enable C99 mode + * Max Kellermann <max@duempel.org>: + * Max Kellerman <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann 
<max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Fix wrong dlog call + * yet another rework of the alarm scheduler + * Based on patch from Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * remove alarm counter + * minor cleanups + * fix inconsistent alarm update in cache_alarm_update + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * add comment to clarify handle_msg() + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * missing casting to keep -Werror happy + * Max Kellermann <max@duempel.org>: + * Max Kellermann <max@duempel.org>: + * remain is size_t instead of ssize_t to remove the cast + * implement a rb-tree based alarm framework + * add IPv6 support to conntrackd + * remove leftover line referring old -S option + * o add IPv6 information to synchronization messages + * add missing bits for NAT sequence adjusment support + * From: Max Kellermann <max@duempel.org> + * From: Max Kellermann <max@duempel.org> + * From: Max Kellermann <max@duempel.org> + * From: Max Kellermann <max@duempel.org> + * 
From: Max Kellermann <max@duempel.org> + * compose the file descriptor set at initialization stage to save some + cycles + * cleanup: remove config_set from main(), use config_file variable + instead + * relicense conntrack-tools as GPLv3+, so far the most significant + contributor has been Max Kellermann and has no issues with + relicensing their contributions. + * revert relicensing... still we use linux_list.h code which seems to + be GPLv2 only which is incompatible AFAIK + * update changelog with 0.9.6 release date + * remove .svn from doc/ in tarballs (reported by Gilad Benjamini) + * Pablo Neira Ayuso <pablo@netfilter.org>: + * Krzysztof Oledzki <ole@ans.pl>: + * add missing libct_proto_icmpv6.c + * fix minor compilation issue in amd64 with gcc4.3 (reported by Daniel + Schepler + * fix compilation in ARM (reported by Thiemo Seufer via Max + Kellermann) + * fix asymmetric path support (still some open concerns) + * improve netlink overrun handling + * update manpages with the new URL + * o simplify parameter-handling code + * This is a major improvement of the conntrack command line tool: + * add initial automated qa testing for the conntrack cli + * check for pkg-config before anything (fix bogus missing libraries + failure) + * relax parameter checking for UDP and TCP + * fix conntrack -U -p tcp [...] + * o fix NAT filtering via --src-nat and --dst-nat (reported by + K.Oledzki) + * minor update of the manpages + * add more verbose error notification when the injection of a + conntrack fails + * rework of the FT-FW approach + * Fix reorder possible reordering of destroy messages under message + omission. This patch introduces the TimeoutDestroy clause to + determine how long a conntrack remains in the internal cache once it + has been destroy from the kernel table. 
+ * minor fix of the manpage (Max Wilhelm) + + [ Pablo Neira Ayuso ] + * - remove (misleading) counters and use information from the + statistics mode + * improve network message sanity checkings + * add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket + buffers + * Updates (-U) show the effect of the operation in the conntrack entry + * check for missing IPv6 address before hashing + * only allow the use of --secmark for listing (filtering) + * add flex version warning (better with >= 2.5.33) + * add eventfd emulation to communicate receiver -> sender + * add best effort replication protocol (aka NOTRACK) + * rework the HELLO logic inside FT-FW + * fix leak in cache_destroy(): release objects before destroying the + cache + * remove secmark support for conntrackd + * fix make distcheck + * define SO_[RCV|SND]BUFFORCE if not set + * increase deletion stats when the timer is scheduled in + cache_del_timeout() + * delay the closure of the dump descriptor to fix assertion with + cache_wt + * check if entries already exist in kernel before injection + + [ Albin Tonerre ] + * fix unsecure usage of printf and include limits.h (PATH_MAX and + INT_MAX) + + [ Pablo Neira Ayuso ] + * do not include Changelog in tarballs, user git shortlog for + changelog instead + * use only the original tuple to check if a conntrack is present + * fix xml output: wrap output with one root element + * Major rework of the user-space event filtering + * add support for kernel-space filtering via BSF + * log: syslog displays the entry that triggers the error + * filter: skip protocol state filtering if state not present + * CLI: add new option --buffer-size for -E + * add more sanity checks in the input path + + [ Eric Leblond ] + * commit: retry at least once if we hit ETIME or ENOMEM + + [ Pablo Neira Ayuso ] + * fix: use %zu instead of %u for size_t + * cleanup: remove obsolete clause Replicate in the example conffiles + * fix: wrong information related to default logging action + 
* fix: wrong use of timersub in cache_timer + * fix broken normal deletion in caches + * ftfw: show consistent information to users for problem diagnosing + * doc: remove duplicated example files + * script: rework scripts that enable interaction with keepalived + * conntrackd: add -t option to shorten conntrack timeouts + * fix missing updates in the example files + * script: fix broken if branches + * cache_iterators: do not report ENOENT in cache_reset_timers + * script: yet another minor fix + * netlink: add getter and check existence functions + * cache iterators: rework cache_reset_timers + * cache iterators: commit master entries before related ones + * netlink: avoid errors related to the expected bit handling + * cli: remove duplicated optarg checking + * cli: remove unrequired \n in error message + * cli: check for missing arguments in getopt_long + * cli: insert `conntrack-tools' string in help and error messages + * compilation: relax too strict warning checking + * ftfw: check for malformed ack and nack messages + * filter: fix NAT detection tweak + * cleanup: Linux kernel version checking + * filter: check if kernel-space filtering is available + * cleanup: remove some debug messages from sync-ftfw.c + * config: use /var/run to create the UNIX socket file + * fix: remove node from tx_list when the state-entry is destroy + * ftfw: fix race that triggers a double insertion into tx_list + * ftfw: fix race condition in the helloing routine + * ftfw: reset window and flush the resend queue during helloing + * conntrack: cleanup for the update path + * conntrack: cleanup XML header handling + * conntrack: fix mark-based filtering for event display + * conntrack: fix filtering for unsupported protocol + * conntrack: fix dump counter displayed with -L expect + * manual: add initial user manual + * doc: update INSTALL file + * conntrack: cleanup for NAT filtering + * cache: fix update of scheduled-to-timeout entries + * cache-iterators: improve committing + * 
config: fix usage of 'PurgeTimeout' in Sync NOTRACK + * notrack: fix double receival of resync requests + * doc: rise default size of the hashtable in the example file + * netlink: report when kernel-space event filtering is in use + * filter: fix segfault if the Filter clause is unused + * cache: use jhash2 instead of double jhash+jhash_2words + * filter: do not filter in user-space if kernel supports BSF + * doc: remove example about CacheWriteTrough + * doc: update conntrackd manpage + * conntrackd: add missing information on -t to the help + * conntrackd: bump version to 0.9.8 + * ftfw: rise the size of the acknowledgment window in the example + * conntrack: add missing -U in conntrack(8) manpage + * ftfw: add option `-v' to output debugging information (if any) + * ftfw: remove bottleneck in ack/nack handling + * network: remove message omission test-code + * network: add protocol version field (breaks backward compatibility) + * network: rework TLV-based protocol + * filter: use XOR instead of branches + * filter: use jhash2 instead of jhash for IPv6 addresses + * filter: remove useless branch in the check functions + * conntrack: --status should not be mandatory with -I + * filter: choose the filtering method via configuration file + * conntrack: cleanup command line tool protocol extensions + * build: add attribute header size to total attribute length + * filter: CIDR-based filtering support + * run: release fds structure in the exit path + * fds: remove unused array of file descriptors + * ftfw: remove useless ftfw_run invocation in the alive alarm handler + * src: move callbacks to run.c for better readability + * conntrack: do_parse_parameter show warning to stderr (not to stdout) + * conntrack: remove hardcoded buffer size, use sizeof instead + * conntrack: support diminutives for -L + * conntrack: move release options code to free_options() + * config: move `Checksum' inside `Multicast' clause + * network: make tx buffer initialization independent of 
mcast config + * manpage: add notice about conntrackd version incompatibilities + * conntrack: add new --status EXPECTED to filter expected connections + * manpage: add --status FIXED_TIMEOUT and EXPECTED + * build: do not include NTA_TIMEOUT in the replication messages + * netlink: clone conntrack object while creation/update + * netlink: use NFCT_Q_[CREATE|UPDATE] instead of NFCT_Q_CREATE_UPDATE + * netlink: constify conntrack object parameter of nl_*_conntrack() + * netlink: remove unnecessary whitespace lines in netlink.h + * netlink: unset ATTR_HELPER_NAME to avoid EBUSY in + nl_update_conntrack() + * parse: fix missing master layer 4 protocol number assignation + * network: remove unused function mcast_send_netmsg() + * network: remove length parameter of mcast_buffered_send_netmsg() + * network: remove __do_send() function + * network: remove the netpld header from the messages + * network: fix data offset alignment returned by NTA_DATA macro + * parse: strict attribute size checking + * src: recover conntrackd -F operation + * run: better wait() error handling + * netlink: fix EILSEQ error messages due to process race condition + * cache_iterators: use a cloned object while resetting timers + * netlink: build TCP flags/mask only if this is a TCP connection + * netlink: conditional build of TCP flags/mask for updates + * netlink: do not build the reply tuple in update messages + * configure: conntrack-tools requires libnetfilter_conntrack 0.0.99 + * network: use NET_T_* instead of NFCT_Q_* + * ftfw: do not check for data messages in tx_queue_xmit + * ftfw: resync messages can be retransmitted + * network: do more strict message type checking + * ftfw: shrink alive message size + * sync-mode: check if message type is >= NET_T_STATE_MAX before + parsing + * src: cleanup, rename hashtable_test() by hashtable_find() + * cache: cleanup, rename __del2() by __del() + * netlink: log report initial netlink event socket buffer size + * doc: fix typo 
SocketBufferSizeMaxGrowth in example conffiles + * doc: document the netlink buffer size clauses + * doc: better documentation about ResendBufferSize + * x + * doc: revert commit 9bc7d7f8f333e79323495a193f92c9d4f1708da9 + * doc: add note on McastSndSocketBuffer and McastRcvSocketBuffer + * netlink: fix type in warning message on SocketBufferSizeMaxGrowth + * configure: bump version to 0.9.9 + * automake: add missing cidr.h + * headers: delete unused flags in conntrackd.h + * src: add network statistics via `-s network' + * src: add cache statistics via `-s cache' + * src: add run-time statistics via `-s runtime' + * sync-mode: remove unnecessary split lines + * conntrackd: fix missing \n in conntrackd -h + * cache_iterators: display the commit time taken in the logs + * cache_iterators: add total entries available in the cache to stats + * cache: fix ENOSPC errors due to over-population of inactive entries + * filter: skip filtering by state if the event has no state info + * run: show current netlink buffer size in `-s runtime' + * netlink: don't double the netlink buffer twice during resize + * src: constify hashtable parameter in hash() callbacks + * hashtable: use calloc instead of malloc + memset + * hashtable: check NULL instead of ! 
for pointers + * filter: add prefix ct_filter_ to hash and compare functions + * run: limit the number of iterations over the event handling + * src: rework of the hash-cache infrastructure + * cache: add status field to store the object status + * run: relax resynchronization algorithm when netlink overruns + * sync: unify tx_list and tx_queue into one single tx_queue + * ftfw: move helloing to ftfw_xmit() + * sync: add generic tx_queue for all synchronization modes + * sync: enqueue state updates to tx_queue + * network: do not re-set the message type in nethdr_set* functions + * src: support for redundant dedicated links + * src: rename overrun handler to resync handler + * src: remove register_fds hooks + * src: add state polling support (oppossed to current event-driven) + * cache: add objects statistics + * ftfw: add ResendQueueSize and deprecate ResendBufferSize clauses + * src: add `-s queue' and change `-v' behaviour + * conntrack: add -C command to display the counter + * src: obsolete `DestroyTimeout' clause + * conntrack: fix use of -u which is optional with -I + * cache_iterators: start a clean session if commit finds an entry + * cache: remove nl_exist_conntrack() function + * cache: mangle timeout inside nl_*_conntrack() functions + * src: don't clone when calling nl_*_conntrack functions + * src: change behaviour of `-t' option + * cache: move lifetime feature to main cache code + * src: add support for approximate timeout calculation during commit + * src: increase default PurgeTimeout value + * netlink: set IP_CT_TCP_FLAG_CLOSE_INIT for TIME_WAIT states + * doc: unset CommitTimeout by default + * doc: use 'From' instead of 'from' in the example configfiles + * doc: increase hashtable bucket size and limits in example files + * configure: bump version to 0.9.10 + + [ Jan Engelhardt ] + * build: upgrade build system + + [ Pablo Neira Ayuso ] + * build: replace INCLUDES by AM_CPPFLAGS according to autoreconf + * configure: conntrack-tools >= 0.9.10 
requires libnfnetlink >= 0.0.40 + * netlink: refactorize several nl_init_*_handler() functions + * src: re-work polling strategy + * netlink: add new option NetlinkOverrunResync + * sync-mode: flush also internal cache after reset PurgeTimeout + * conntrack: allow use of --state with -D + * src: add Nice clause to set the nice value + * config: nl_overrun must be signed int instead of unsigned + * cache_iterators: fix wrong printf format in commit-time message + * src: use resync handler for polling instead of dump handler + * stats-mode: fix polling based logging + * conntrackd: add `-f internal' and `-f external' options + * conntrackd: display help information with `-h' + * conntrackd: don't initialize logging for client request + * doc: unset ACKWindowSize in example configuration files + * doc: add new primary-backup.sh script for >= 2.6.29 + * doc: add bulk update to primary-script.sh script + * headers: don't use NFCT_DIR_MAX in statistics structure + * network: fix endianess issue in synchronization network header + * network: fix endianess issue in acknowledgment network header + * sync-mode: change current link if message is correct + * src: remove obsolete debug() and debug_ct() calls + * doc: revert primary-backup-2.6.29-and-higher.sh script + * mcast: fix compilation warning due missing header + * config: add NetlinkBufferSize and NetlinkBufferSizeMaxGrowth + * netlink: use u8 getter for TCP states + * build: bump version to 0.9.11 + * src: fix compilation issue in gentoo due to missing include limits.h + + [ Jan Engelhardt ] + * build: add m4 directory + + [ Pablo Neira Ayuso ] + * doc: fix broken link to ulogd2 in the manual + * extensions: remove use of old libnetfilter API flags + * src: remove debian/ directory + * sync-mode: rename mcast_send_sync() to sync_send() + * sync-mode: rename mcast_iface structure to interface + * sync-mode: add abstract layer to make daemon independent of + multicast + * sync-mode: rename mcast_track_*() by 
nethdr_track_*() + * sync-mode: add unicast UDP support to propagate state-changes + * sync-mode: fix wrong output stats refering lost/malformed packets + * sync-mode: save one tab inside switch, cleanup + * sync-mode: cleanup reminiscent of multicast dependency + * mcast: mcast_send() takes a const pointer to buffer + * sync-mode: change `multicast' by `link' for `-s' option + * parse: fix broken destination port address translation + * udp: fix missing scope_id in the socket creation + * mcast: remove several unused structure fields + * config: obsolete `ListenTo' clause + * sync-mode: fix broken dedicated-link change in multichannel layer + * conntrack: fix missing bits in `-C' command + * conntrack: add `-S' command to display kernel statistics + * conntrack: remove broken command checking code + * doc: set nice to -20 in example config files + * config: cleanup error reporting during config file parsing + * build: bump version to 0.9.12 + * daemon: remove unused constants in header file + * conntrack: remove hardcoded iteration in TCP support + * conntrack: cleanup error output with `-p tcp --state' + * conntrack: save one indent in the TCP support + * conntrack: fix coupled-options sanity checkings + * conntrack: add UDPlite support + * conntrack: add SCTP support + * conntrack: add DCCP support + * conntrackd: change scheduler and priority via configuration file + * conntrack: fix English typo in output message + * conntrack: add GRE support + * sync: add support for SCTP state replication + * conntrack: add DCCP role parameter for conntrack creation + * sync: add support for DCCP state replication + + [ Samuel Gauthier ] + * build: use uint16_t instead of uint32_t for uint16_t attributes + + [ Pablo Neira Ayuso ] + * conntrackd: add child process infrastructure + * conntrackd: detect where the events comes from + * conntrackd: flush operation use the child process and origin + infrastructure + * conntrackd: remove the cache write-through policy + * 
conntrackd: remove redudant declaration of Port in the parser + * conntrackd: remove an unused extern declaration in cache.h + + [ Thomas Jarosch ] + * build: Added "m4" directory to make dist + + [ Pablo Neira Ayuso ] + * src: remove obsolete changelog file + * conntrackd: remove unused request nfct handler + * conntrackd: add missing initialization of PID in process + infrastructure + * conntrackd: block signals during the access to the process list + * conntrackd: allow to limit the number of simultaneous child + processes + * conntrackd: use a permanent handler for flush operations + * conntrackd: use a permanent handler for commit operations + * conntrackd: add support to display statistics on existing child + processes + * build: use TLV format for SCTP/DCCP protocol information + * conntrackd: rename `-s queue' option by `-s rsqueue' + * conntrackd: add the name field to queues + * conntrackd: add `-s queue' to display queue statistics + * conntrackd: add statistics about queue node objects + * conntrackd: add statistics for enospc errors in queues + * conntrackd: fix memory leak in cache_update_force() + * conntrackd: fix wrong TCP handling in unused nl_update_conntrack() + * conntrack: fix English typo in documentation + * build: bump version to 0.9.13 + * build: update library version requirements + + [ Jan Engelhardt ] + * doc: spell fix in conntrack(8) manpage + + [ Pablo Neira Ayuso ] + * local: add LOCAL_RET_* return values for UNIX sockets callbacks + * conntrackd: add iterators with limited steps in hash and cache types + * conntrackd: rework commit not to fork a child process + * conntrackd: improve handling of external messages + * conntrackd: reset event limit iteration counter + * conntrackd: add clause to enable ctnetlink reliable event delivery + * conntrackd: add support for IPv6 kernel-space filtering via BSF + * conntrackd: use conntrack ID in the cache lookup + * conntrackd: fix crash for unubuffered channel on exit path + * conntrackd: 
more robust sanity checking on synchronization messages + * conntrackd: add `DisableExternalCache' clause + * conntrackd: reduce the number of gettimeofday() syscalls + * conntrackd: allow to remove file descriptors from set + * conntrackd: add support state-replication based on TCP + * conntrackd: net message memory allocation is unsafe + + [ Samuel Gauthier ] + * conntrackd: better parse_payload protection against corrupted + packets + * conntrackd: fix bad configuration file for DisableExternalCache + statement + + [ Pablo Neira Ayuso ] + * conntrackd: fix MTU for TCP channels + * conntrackd: fix return value in notrack_local() + * conntrackd: improve error handling in tcp_send + * conntrackd: fix `conf' local variable in channel.c that shadows + global + * conntrackd: fix re-connect with multiple TCP channels + * conntrackd: break lines at 80 characters in example config files + * conntrackd: rate-limit the amount of connect() calls + * conntrackd: add retention queue for TCP errors + * conntrackd: add alive control messages to notrack mode + * conntrackd: fix wrong calculation of new maxfd on unregister_fds() + + [ Hannes Eder ] + * conntrack: fix output when no arguments are passed + * conntrack: avoid error with expectations when using 'conntrack -E -e + ALL ...' 
+ * conntrack: use fscanf() instead of read() for showing counter + + [ Pablo Neira Ayuso ] + * conntrackd: add statistics when the external cache is disabled + * conntrackd: add missing external statistics + * conntrackd: add `DisableInternalCache' clause + * conntrackd: use indirect call to build layer 4 protocol information + * conntrackd: add ICMP support for state-synchronization + * conntrackd: fix flow-state filtering for TCP + * conntrackd: document internal cache disabling and TCP-based + synchronization + * conntrack: fix manually created TCP entries with window tracking + enabled + * conntrackd: document `-B' command + * build: bump version to 0.9.14 + * conntrackd: fix UDP filtering in configuration file + * conntrackd: add support for TCP window scale factor synchronization + * conntrackd: cleanup port addition in the message building path + * conntrackd: fix `conntrackd -c' if external cache is disabled + * conntrack: option `-t' in on the same line as `-m' in manpage + * conntrackd: PollSecs goes in the General clause for statistics + * conntrackd: split __run() routine for poll and event-driven modes + * doc: description on how to block traffic with conntrack was + incomplete + * conntrack: fix `-L --src-nat --dst-nat' + + [ Mohit Mehta ] + * conntrackd: `-i -x' does not display internal cache in XML + + [ Pablo Neira Ayuso ] + * conntrack: revert fix `-L --src-nat --dst-nat' + * conntrack: fix `conntrack -L --src-nat --dst-nat' (second try) + * conntrack: `-L --src-nat --dst-nat' filter using AND, not OR logic + * conntrackd: complete TCP window scale support + * conntrack: expand array that maps option-flags to option-names + * conntrack: put all the commands and options code together + * conntrack: fix port filter with `--src-nat' and `--dst-nat' + * conntrack: add `--any-nat' to filter any NATted flow + * conntrack: add testsuite for NAT filtering options + * conntrack: re-fix inconsistent display with `--src-nat' and `--dst- + nat' + * 
conntrack: fix bogus NATted flows in filtering + * conntrack: fix `conntrack --src-nat 3.3.3.3' and similar + * conntrack: fix `conntrack --src-nat 1.1.1.1' if PAT applied + * conntrack: fix `conntrack --any-nat 1.1.1.1' filtering + * conntrack: --[src|dst|any]-nat requires IP:PORT as argument + * conntrack: fix `conntrack --[src|dst|any]-nat IP:PORT' if port + mismatches + * conntrack: cleanup parsing of the NAT arguments + + [ Mohit Mehta ] + * conntrackd: update error message for max netlink socket size reached + + [ Pablo Neira Ayuso ] + * conntrackd: fix ICMPv6 support + * conntrack: add zone support + + [ Mohit Mehta ] + * conntrackd: enforce strict logic for NetlinkBufferSize[*] clauses + + [ Pablo Neira Ayuso ] + * conntrackd: open event handler once cache has been populated + * conntrackd: setup event reliability after handler creation + + [ Mohit Mehta ] + * conntrackd: replace cryptic `mfrm' by `malformed' in `-s' + + [ Pablo Neira Ayuso ] + * conntrackd: fix parsing of NAT sequence adjustment in + synchronization messages + * conntrackd: warn on TCPWindowTracking option (it requires kernel >= + 2.6.35) + * build: update libnetfilter_conntrack dependency (>= 0.0.102) + * build: bump version to 0.9.15 + * conntrackd: fix wrong kernel requirements for TCPWindowTracking in + example files + * conntrackd: minor documentation update (two new questions in the + FAQ) + * conntrack: fix missing line break in conntrack(8) manpage + * conntrack: allow to listen to all kind of expectation events + + [ Jan Engelhardt ] + * build: use autoconf-suggested naming of files + * build: use modern call syntax for AM_INIT_AUTOMAKE + * build: drop unused $(all_includes) + * build: remove statements without effect + * build: remove unused $(all_libraries) + * build: no need for error message in PKG_CHECK_MODULES + * Add .gitignore files + * build: resolve automake warning + * build: default to not building static libraries + * build: run autoupdate to replace obsolete 
constructs + * build: use AM_YFLAGS instead of overriding YACC + * build: remove redundant bison/lex tests + + [ Pablo Neira Ayuso ] + * doc: update conntrack-tools manual + * doc: remove reference to the CT target + * local: don't override initial return value + * sync: don't override initial return value of local handler + * cache: close commit request if we already have one in progress + * cache: log if we received a commit request while already one in + progress + * conntrackd: event iteration limiter is already reset in main select + loop + * conntrackd: rise number of committed entries per step + * conntrack: add -o ktimestamp option (it requires linux >= 2.6.38) + * conntrackd: use nfct_copy() with override flag in cache_object_new() + * conntrack: allocate template objects in the heap + * conntrackd: remove use of deprecated nfct_maxsize() + * doc: document -s option of conntrackd in the manual + * doc: document redundant link support for conntrackd + * conntrack: display informative message if expectation table is + flushed + * conntrack: support SYN_SENT2 TCP state as --state parameter + * doc: add reference to the CT target again + * doc: add missing conntrackd -s invocation with options + * build: conntrack-tools now requires libnetfilter_conntrack >= 0.9.1 + * doc: prepare 1.0.0 release in conntrack-tools manual + * build: bump version to 1.0.0 + * build: Linux kernel-style for compilation messages + + [ Florian Westphal ] + * conntrack: add support for mark mask + * conntrack: skip sending update message to kernel if conntrack is + unchanged + + [ Pablo Neira Ayuso ] + * conntrack: remove unused variable with -S + + [ Florian Westphal ] + * testsuite: add tests for --mark option + * conntrack: add missing break when parsing --id/--secmark options + + [ Pablo Neira Ayuso ] + * conntrackd: add missing initial caching of gettimeofday() + + [ Jan Engelhardt ] + * Update .gitignore + * build: use AC_CONFIG_AUX_DIR and stash away tools + * build: disable 
implicit .tar.gz archive generation and use POSIX + mode + + [ Pablo Neira Ayuso ] + * conntrackd: fix filtering of dump output if internal cache is + disabled + * doc: primary-backup.sh: clarify licensing terms (GPLv2+) + * conntrackd: fix checking of return value of queue_add() + * build: bump version to 1.0.1 + * conntrackd: generalize caching infrastructure + * conntrackd: generalize external handlers to prepare expectation + support + * conntrackd: generalize/cleanup network message building/parsing + * conntrackd: generalize local handler actions + * conntrackd: simplify cache_get_extra function + * conntrackd: remove cache_data_get_object and replace by direct + pointer + * conntrackd: constify ct parameter of ct_filter_* functions + * conntrackd: relax checkings in ct_filter_sanity_check + * conntrackd: minor cleanup for commit + * conntrackd: support for expectation synchronization + * doc: update conntrack-tools manual to detail expectation support + + [ Gaurav Sinha ] + * updating changelog for merge of expect-sync and oxnard + + -- Gaurav Sinha <gaurav.sinha@vyatta.com> Fri, 20 Jan 2012 15:55:05 -0800 + +conntrack (0.9.14-2+vyatta14) unstable; urgency=low + + * Collapse of expect-sync branch to oxnard. Brings in support for expect table sync. 
+ + -- Gaurav Sinha <gaurav.sinha@vyatta.com> Thu, 07 Jul 2011 20:52:06 -0700 + +conntrack (0.9.14-2+vyatta13) unstable; urgency=low + + * new branch + + -- Deepti Kulkarni <deepti@vyatta.com> Thu, 07 Jul 2011 20:52:06 -0700 + +conntrack (0.9.14-2+vyatta12) unstable; urgency=low + + * new branch + + -- An-Cheng Huang <ancheng@vyatta.com> Tue, 28 Dec 2010 20:41:51 +0000 + +conntrack (0.9.14-2+vyatta11) unstable; urgency=low + + * UNRELEASED + + -- An-Cheng Huang <ancheng@vyatta.com> Thu, 02 Sep 2010 18:25:52 -0700 + +conntrack (0.9.14-2+vyatta10) unstable; urgency=low + + * remove debian patching from build + + -- An-Cheng Huang <ancheng@vyatta.com> Tue, 31 Aug 2010 15:58:54 -0700 + +conntrack (0.9.14-2+vyatta9) unstable; urgency=low + + * UNRELEASED + + -- An-Cheng Huang <ancheng@vyatta.com> Thu, 22 Jul 2010 17:20:32 -0700 + +conntrack (0.9.14-2+vyatta8) unstable; urgency=low + + * conntrackd: replace cyptic 'mfrm' with 'malformed' in '-s' + + -- Mohit Mehta <mohit.mehta@vyatta.com> Fri, 09 Jul 2010 10:35:04 -0700 + +conntrack (0.9.14-2+vyatta7) unstable; urgency=low + + * Enforce strict logic for NetlinkBufferSize, + NetlinkBufferSizeMaxGrowth clauses + + -- Mohit Mehta <mohit.mehta@vyatta.com> Wed, 07 Jul 2010 12:01:52 -0700 + +conntrack (0.9.14-2+vyatta6) unstable; urgency=low + + * update error message for max netlink socket size reached + + -- Mohit Mehta <mohit.mehta@vyatta.com> Thu, 01 Jul 2010 10:40:06 -0700 + +conntrack (0.9.14-2+vyatta5) unstable; urgency=low + + [ Mohit Mehta ] + * Revert "fix `conntrack -L --src-nat --dst-nat`" + + [ Pablo Neira Ayuso ] + * conntrack: fix `conntrack -L -n -g` (second try) + * conntrack: fix `conntrack -L -n -g` filter using AND, not OR logic + + [ Mohit Mehta ] + * update dh_gencontrol for dev build + + -- Mohit Mehta <mohit.mehta@vyatta.com> Tue, 22 Jun 2010 11:53:55 -0700 + +conntrack (0.9.14-2+vyatta4) unstable; urgency=low + + [ Pablo Neira Ayuso ] + * fix `conntrack -L --src-nat --dst-nat` + + [ Mohit Mehta ] + * 
fix `conntrackd -i -x` + + [ Pablo Neira Ayuso ] + * This patch move the ports addition to the layer 4 functions, instead + + [ Mohit Mehta ] + + -- Mohit Mehta <mohit.mehta@vyatta.com> Tue, 15 Jun 2010 12:23:35 -0700 + +conntrack (0.9.14-2+vyatta3) unstable; urgency=low + + * add missing m4 files + * update .gitignore + * remove generated files, apply debian patch 10-fix_udp_support.dpatch + * remove files for applied patch + + -- Mohit Mehta <mohit.mehta@vyatta.com> Mon, 14 Jun 2010 20:34:06 -0700 + +conntrack (0.9.14-2+vyatta2) unstable; urgency=low + + * UNRELEASED + + -- Mohit Mehta <mohit.mehta@vyatta.com> Mon, 14 Jun 2010 16:07:51 -0700 + +conntrack (0.9.14-2+vyatta1) unstable; urgency=low + + * vyatta conntrack-tools + + -- Mohit Mehta <mohit.mehta@vyatta.com> Mon, 14 Jun 2010 16:05:05 -0700 + +conntrack (1:0.9.14-2) unstable; urgency=low + + * Integrate lost NMU from Stefan Fritsch. Thanks Stefan + * Prevent dpkg conffile prompt for unmodified conntrackd.conf when upgrading + from pre 1:0.9.12-1 (closes: #542662). + + -- Alexander Wirt <formorer@debian.org> Sat, 13 Feb 2010 11:17:59 +0100 + +conntrack (1:0.9.14-1) unstable; urgency=low + + * New upstream version + * Add ${misc:Depends} to all binary packages + * Add dpatch support + * Bump standards version (no changes) + * Remove Max from Uploaders. Thanks for your work! + * Backport patch from HEAD to fix UDP filtering. 
+ Thanks tino for the hint + + -- Alexander Wirt <formorer@debian.org> Sat, 30 Jan 2010 18:34:09 +0100 + +conntrack (1:0.9.13-1) unstable; urgency=low + + [ Max Kellermann ] + * new upstream release (Closes: #537896, #545918) + - require libnfnetlink 1.0.0, libnetfilter_conntrack 0.0.100 + - ChangeLog was removed by upstream + * updated home page in the copyright file (Closes: #533583) + * correct LSB dependencies in init script, patch by Petter Reinholdtsen + (Closes: #541079) + + [ Alexander Wirt ] + * Bump standards version + + -- Alexander Wirt <formorer@debian.org> Thu, 17 Sep 2009 12:32:19 +0200 + +conntrack (1:0.9.12-1) unstable; urgency=low + + [ Max Kellermann ] + * new upstream release + - build-depend on libnfnetlink 0.0.40, libnetfilter-conntrack 0.0.99 + - fixes FTBS (undeclared variable) + (Closes: #522181, #518891) + * moved conntrackd.conf to /etc/conntrackd/conntrackd.conf (Closes: #477679) + * updated sample configuration file + * updated home page to http://conntrack-tools.netfilter.org/ + * restart conntrackd after logrotate (Closes: #513079) + + [ Alexander Wirt ] + * Bump standards version + + -- Alexander Wirt <formorer@debian.org> Thu, 02 Apr 2009 11:37:25 +0200 + +conntrack (1:0.9.7-1) unstable; urgency=low + + [ Max Kellermann ] + * new upstream release + - dropped all patches because they have been merged by upstream + - depend on libnfnetlink 0.0.33, libnetfilter-conntrack 0.0.94 + + [ Alexander Wirt ] + * Bump standards version (No changes) + + -- Alexander Wirt <formorer@debian.org> Tue, 22 Jul 2008 23:33:30 +0200 + +conntrack (1:0.9.6-4) unstable; urgency=low + + [ Max Kellermann ] + * fix compilation on SPARC (printf argument mismatch) + + -- Alexander Wirt <formorer@debian.org> Mon, 14 Apr 2008 23:09:22 +0200 + +conntrack (1:0.9.6-3) unstable; urgency=low + + [ Max Kellermann ] + * fix gcc 4.3 compilation errors: + - "large integer implicitly truncated to unsigned type" (Closes: #472812) + - "'input' defined but not used" (Closes: 
#474768) + + -- Alexander Wirt <formorer@debian.org> Tue, 08 Apr 2008 22:08:10 +0200 + +conntrack (1:0.9.6-2) unstable; urgency=low + + * Build depend on bison (Closes: #472442) + + -- Alexander Wirt <formorer@debian.org> Mon, 24 Mar 2008 12:35:44 +0100 + +conntrack (1:0.9.6-1) unstable; urgency=low + + [ Max Kellermann ] + * new upstream release + * added package "conntrackd" + * updated watchfile for new upstream name "conntrack-tools" (Closes: + #449899) + * removed "-Wall" from CFLAGS override + * moved DH_COMPAT to debian/compat + * don't ignore "make distclean" errors + * bumped Standards-Version to 3.7.3 + * install upstream changelog + * added Homepage header to debian/control + * call dh_install with -X.svn because upstream accidently distributed + the .svn directories + + -- Alexander Wirt <formorer@debian.org> Fri, 21 Mar 2008 22:46:22 +0100 + +conntrack (1.00~beta2-1) unstable; urgency=low + + * initial debian release (Closes: #388615) + + -- Max Kellermann <max@duempel.org> Thu, 21 Sep 2006 18:04:51 +0200 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7ed6ff8 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +5 diff --git a/debian/conntrack.install b/debian/conntrack.install new file mode 100644 index 0000000..ab442d1 --- /dev/null +++ b/debian/conntrack.install @@ -0,0 +1,2 @@ +debian/tmp/usr/sbin/conntrack +debian/tmp/usr/share/man/man8/conntrack.8 diff --git a/debian/conntrackd.README.Debian b/debian/conntrackd.README.Debian new file mode 100644 index 0000000..8964ec4 --- /dev/null +++ b/debian/conntrackd.README.Debian @@ -0,0 +1,8 @@ +conntrackd can run in two modes: +- statistics mode +- synchronization mode + +This package comes with a sample configuration file for the statistics +mode in (/etc/conntrackd/conntrackd.conf). There are also sample +configuration files for the synchronization mode in +/usr/share/doc/conntrackd/examples. 
diff --git a/debian/conntrackd.conf b/debian/conntrackd.conf
new file mode 100644
index 0000000..6d76261
--- /dev/null
+++ b/debian/conntrackd.conf
@@ -0,0 +1,101 @@
+#
+# General settings
+#
+General {
+ #
+ # Number of buckets in the caches: hash table
+ #
+ HashSize 8192
+
+ #
+ # Maximum number of conntracks:
+ # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
+ #
+ HashLimit 65535
+
+ #
+ # Logfile: on (/var/log/conntrackd.log), off, or a filename
+ # Default: off
+ #
+ #LogFile on
+
+ #
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # Default: off
+ #
+ Syslog on
+
+ #
+ # Lockfile
+ #
+ LockFile /var/lock/conntrackd.lock
+
+ #
+ # Unix socket configuration
+ #
+ UNIX {
+ Path /var/run/conntrackd.sock
+ Backlog 20
+ }
+
+ #
+ # Netlink socket buffer size
+ #
+ SocketBufferSize 262142
+
+ #
+ # Increase the socket buffer up to maximun if required
+ #
+ SocketBufferSizeMaxGrown 655355
+
+ #
+ # Event filtering: This clause allows you to filter certain traffic,
+ # There are currently three filter-sets: Protocol, Address and
+ # State. The filter is attached to an action that can be: Accept or
+ # Ignore. Thus, you can define the event filtering policy of the
+ # filter-sets in positive or negative logic depending on your needs.
+ #
+ Filter {
+ #
+ # Accept only certain protocols: You may want to log the
+ # state of flows depending on their layer 4 protocol.
+ #
+ Protocol Accept {
+ TCP
+ }
+
+ #
+ # Ignore traffic for a certain set of IP's.
+ #
+ Address Ignore {
+ IPv4_address 127.0.0.1 # loopback
+ }
+
+ #
+ # Uncomment this line below if you want to filter by flow state.
+ # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
+ # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
+ #
+ # State Accept {
+ # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+ # }
+ }
+}
+
+Stats {
+ #
+ # If you enable this option, the daemon writes the information about
+ # destroyed connections to a logfile. Default is off.
+ # Logfile: on, off, or a filename
+ # Default file: (/var/log/conntrackd-stats.log)
+ #
+ LogFile on
+
+ #
+ # Enable connection logging via Syslog. Default is off.
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # If you set the facility, use the same as in the General clause,
+ # otherwise you'll get a warning message.
+ #
+ #Syslog on
+}
diff --git a/debian/conntrackd.default b/debian/conntrackd.default
new file mode 100644
index 0000000..9926d79
--- /dev/null
+++ b/debian/conntrackd.default
@@ -0,0 +1,5 @@
+# Which configuration file?
+#CONFIG=/etc/conntrackd/conntrackd.conf
+
+# Additional options for daemon startup.
+#OPTIONS=""
diff --git a/debian/conntrackd.init b/debian/conntrackd.init
new file mode 100644
index 0000000..0c5ccb9
--- /dev/null
+++ b/debian/conntrackd.init
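Review bot: In debian/conntrackd.conf the clause `SocketBufferSizeMaxGrown 655355` does not match the spelling `SocketBufferSizeMaxGrowth` used for this clause in the changelog of the same commit, and the value looks like a slip rather than a chosen limit. Whether the parser in this tree still accepts the older spelling is not visible here; if it does not, or treats it as deprecated, the netlink buffer would stay at `SocketBufferSize 262142` and events, and with them the connection records the Stats section logs, could be lost under load. The changelog also lists `NetlinkBufferSize` and `NetlinkBufferSizeMaxGrowth` as added clauses, so the shipped default should probably use the current clause names with a deliberately chosen maximum, and the comment's `maximun` should read `maximum`.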
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# conntrackd Start conntrackd using /etc/conntrackd.conf
+#
+# Written by Max Kellermann <max@duempel.org>
+#
+### BEGIN INIT INFO
+# Provides: conntrackd
+# Required-Start: $network $syslog $remote_fs
+# Required-Stop: $network $syslog $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Description: Starts conntrackd
+# short-description: Starts conntrackd
+### END INIT INFO
+
+#includes lsb functions
+source /lib/lsb/init-functions
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/conntrackd
+
+test -x $DAEMON || exit 0
+
+CONFIG=/etc/conntrackd/conntrackd.conf
+OPTIONS=""
+
+test -f /etc/default/conntrackd && source /etc/default/conntrackd
+
+test -f $CONFIG || exit 0
+
+case "$1" in
+ start)
+ log_begin_msg "Starting conntrackd"
+ start-stop-daemon --start --quiet \
+ --exec $DAEMON \
+ -- \
+ -d \
+ -C "$CONFIG" \
+ $OPTIONS
+ log_end_msg $?
+ ;;
+ stop)
+ log_begin_msg "Stopping conntrackd"
+ $DAEMON \
+ -C "$CONFIG" \
+ -k
+ log_end_msg $?
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ log_action_msg "Usage: /etc/init.d/conntrackd {start|stop|restart|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/debian/conntrackd.install b/debian/conntrackd.install
new file mode 100644
index 0000000..c1e634d
--- /dev/null
+++ b/debian/conntrackd.install
@@ -0,0 +1,4 @@
+debian/tmp/usr/sbin/conntrackd
+debian/tmp/usr/share/man/man8/conntrackd.8
+debian/conntrackd.conf etc/conntrackd
+doc/stats doc/sync usr/share/doc/conntrackd/examples
diff --git a/debian/conntrackd.logrotate b/debian/conntrackd.logrotate
new file mode 100644
index 0000000..f8b88fd
--- /dev/null
+++ b/debian/conntrackd.logrotate
@@ -0,0 +1,9 @@
+/var/log/conntrackd-stats.log {
+ weekly
+ rotate 2
+ missingok
+
+ postrotate
+ /etc/init.d/conntrackd restart
+ endscript
+}
diff --git a/debian/conntrackd.postinst b/debian/conntrackd.postinst
new file mode 100644
index 0000000..847932b
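Review bot: debian/conntrackd.init ends in an unconditional `exit 0`, so a failed `start` or `stop` is reported as success to the caller. The script does not set `-e`, and the status handed to `log_end_msg $?` is only displayed before control falls through to that exit. The `restart` branch likewise ignores the result of `$0 stop`. Package scripts, monitoring and the logrotate hook added in this same commit therefore cannot tell that the daemon is down. I would keep the status in both branches, for example `rc=$?; log_end_msg $rc; [ $rc -eq 0 ] || exit $rc`, and add `--oknodo` to the `start-stop-daemon --start` call so that starting an already running daemon still counts as success.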
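Review bot: The `postrotate` script in debian/conntrackd.logrotate runs `/etc/init.d/conntrackd restart` unconditionally, so the weekly rotation starts conntrackd even on a host where the administrator has stopped it. The `restart` action of the init script in this commit is `stop`, `sleep 1`, `start`, which also means destroyed-connection events during that window are not written to the stats log. I would only restart a running daemon and go through the policy layer, for example `if pidof conntrackd >/dev/null; then invoke-rc.d conntrackd restart >/dev/null; fi`. A short comment in the file should state that the restart exists to make the daemon reopen its log file.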
--- /dev/null
+++ b/debian/conntrackd.postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+action=$1
+version=$2
+
+# package versions < 0.9.8-1 had the configuration file in a
+# non-standard location
+if [ "$action" = configure -a -n "$version" ] &&
+ dpkg --compare-versions "$version" lt "1:0.9.8-1" &&
+ test -f /etc/conntrackd.conf.dpkg-updating
+then
+ # unmodified version, delete without prompting
+ rm /etc/conntrackd.conf.dpkg-updating
+fi
+
+#DEBHELPER#
diff --git a/debian/conntrackd.postrm b/debian/conntrackd.postrm
new file mode 100644
index 0000000..4c29446
--- /dev/null
+++ b/debian/conntrackd.postrm
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+action=$1
+
+# package versions < 0.9.8-1 had the configuration file in a
+# non-standard location
+if [ "$action" = "abort-upgrade" ] &&
+ [ -f /etc/conntrackd.conf.dpkg-updating ]
+then
+ # unmodified version, restore
+ mv /etc/conntrackd.conf.dpkg-updating /etc/conntrackd.conf
+fi
+
+if [ "$action" = "purge" ] ; then
+ rm -f /etc/conntrackd.conf.dpkg-updating
+fi
+
+#DEBHELPER#
diff --git a/debian/conntrackd.preinst b/debian/conntrackd.preinst
new file mode 100644
index 0000000..2bb65ef
--- /dev/null
+++ b/debian/conntrackd.preinst
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -e
+
+action=$1
+version=$2
+
+if [ "$action" = upgrade -a -n "$version" ] &&
+ dpkg --compare-versions "$version" lt "1:0.9.8-1" &&
+ test -f /etc/conntrackd.conf &&
+ ! test -e /etc/conntrackd/conntrackd.conf; then
+ # package versions < 0.9.8-1 had the configuration file in a
+ # non-standard location
+ mkdir -p /etc/conntrackd
+ if md5sum /etc/conntrackd.conf 2> /dev/null |
+ grep -q 9e463d9bb7902e513da1b90b326bd43d
+ then
+ # unmodified version, dpkg should not prompt, delete in postinst
+ mv /etc/conntrackd.conf /etc/conntrackd.conf.dpkg-updating
+ else
+ # move to new location to make dpkg prompt
+ mv /etc/conntrackd.conf /etc/conntrackd/conntrackd.conf
+ fi
+fi
+
+#DEBHELPER#
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..6b78fea
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,24 @@
+Source: conntrack
+Section: net
+Priority: optional
+Maintainer: Alexander Wirt <formorer@debian.org>
+Homepage: http://conntrack-tools.netfilter.org/
+Build-Depends: debhelper (>= 5), libnfnetlink-dev (>= 1.0.0),
+ libnetfilter-conntrack-dev (>= 0.0.101), bison, flex
+Standards-Version: 3.8.4
+
+Package: conntrack
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Program to modify the conntrack tables
+ conntrack is a userspace command line program targeted at system
+ administrators. It enables them to view and manage the in-kernel
+ connection tracking state table.
+
+Package: conntrackd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Connection tracking daemon
+ Conntrackd can replicate the status of the connections that are
+ currently being processed by your stateful firewall based on Linux.
+ Conntrackd can also run as statistics daemon.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..5ab105b
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,21 @@
+This package was debianized by Max Kellermann <max@duempel.org> on
+Thu Sep 21 00:09:44 CEST 2006
+
+It was downloaded from http://conntrack-tools.netfilter.org/downloads.html
+
+Upstream Authors:
+Pablo Neira Ayuso <pablo@netfilter.org>
+Harald Welte <laforge@netfilter.org>
+
+Copyright:
+
+(C) 2005 by Pablo Neira Ayuso <pablo@netfilter.org>
+<laforge@netfilter.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or (at
+ your option) any later version.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
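Review bot: `Build-Depends` in debian/control does not list the autotools, yet the `debian/stamp-build` rule added in debian/rules runs `autoreconf -i`. The build therefore only works on a machine that happens to have them installed and fails in a clean chroot, so the package depends on the state of the build host. I would declare them, for example `Build-Depends: debhelper (>= 5), autoconf, automake, libtool, libnfnetlink-dev (>= 1.0.0),`, dropping `libtool` if configure.ac does not use it. The changelog in this commit also mentions a libnetfilter_conntrack (>= 1.0.1) requirement, so the `(>= 0.0.101)` bound on `libnetfilter-conntrack-dev` looks stale and should be checked against configure.ac.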
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..fb498be
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,88 @@
+#!/usr/bin/make -f
+# -*- mode: makefile; coding: utf-8 -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+CFLAGS = -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2 -fno-strict-aliasing
+endif
+
+# fix "read_config_lex.c:4451: error: 'input' defined but not used"
+CFLAGS += -DYY_NO_INPUT
+
+build: debian/stamp-build
+debian/stamp-build:
+ dh_testdir
+ autoreconf -i
+ # ./configure
+ CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
+ --disable-dependency-tracking \
+ --prefix=/usr
+
+ # Build libnetfilter-conntrack
+ $(MAKE)
+
+ touch $@
+
+clean: clean1
+clean1:
+ dh_testdir
+ dh_testroot
+ rm -f debian/stamp-*
+
+ [ ! -f Makefile ] || $(MAKE) distclean
+
+ dh_clean
+
+install: debian/stamp-install
+debian/stamp-install: debian/stamp-build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ $(MAKE) DESTDIR=`pwd`/debian/tmp install
+
+ touch $@
+
+
+# Build architecture-independent files here.
+binary-indep:
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir -a
+ dh_testroot -a
+ dh_installdocs -a -A AUTHORS
+ dh_installchangelogs -a
+ dh_installlogrotate -a
+ dh_installinit -a
+ dh_install -a -X.svn
+ dh_link -a
+ dh_strip -a
+ dh_compress -a
+ dh_fixperms -a
+ dh_installdeb -a
+ dh_shlibdeps -a
+ if [ -f "../.VYATTA_DEV_BUILD" ]; then \
+ dh_gencontrol -- -v999.dev; \
+ else \
+ dh_gencontrol; \
+ fi
+ dh_md5sums -a
+ dh_builddeb -a
+
+source diff:
+ @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install \
+ clean1
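Review bot: debian/rules hard-codes the compiler flags, starting from `CFLAGS = -g`, and passes only `CFLAGS` to `./configure`, so any flags the build environment supplies are discarded and `CPPFLAGS`/`LDFLAGS` never reach the build. This package ships a network daemon, so I would take the flags from `dpkg-buildflags`, which honours `DEB_BUILD_OPTIONS=noopt`. On dpkg releases that enable hardening by default it also adds the stack-protector, fortify and relro options. The project-specific `-fno-strict-aliasing` and `-DYY_NO_INPUT` stay appended. The sketch below replaces the `CFLAGS = -g` assignment, the `ifneq` block and the first line of the configure call.

```make
# flags come from dpkg-buildflags (honours DEB_BUILD_OPTIONS=noopt); project-specific ones are appended
CFLAGS   := $(shell dpkg-buildflags --get CFLAGS) -fno-strict-aliasing -DYY_NO_INPUT
CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
LDFLAGS  := $(shell dpkg-buildflags --get LDFLAGS)

# … unchanged: build / debian/stamp-build rule header, dh_testdir, autoreconf -i …
	CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" \
		./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
		--disable-dependency-tracking \
		--prefix=/usr
```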
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..e684794
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,4 @@
+version=3
+
+opts="uversionmangle=s/beta/~beta/" \
+http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-(\S+)\.tar\.bz2 |
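Review bot: debian/watch fetches the upstream tarball over plain `http://` and asks uscan for no signature check, so a new upstream release is imported with nothing tying it to the upstream authors. If upstream publishes detached signatures next to the tarballs, I would extend the options line to `opts="uversionmangle=s/beta/~beta/,pgpsigurlmangle=s/$/.sig/" \` and ship the upstream key as `debian/upstream/signing-key.asc`; the `.sig` suffix is an assumption to confirm against the download directory. Switching the URL to `https://` is worth doing as well if the host serves it.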