| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We require the latest libnetfilter_conntrack version to fix several
bugs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a comment on the TCPWindowTracking option to warn
that this will be supported since the Linux kernel 2.6.35.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a bug that results in an incorrect parsing of
the NAT sequence adjustment in synchronization messages.
Spotted by Adam Gundy in the following message that was sent to the
netfilter ML: http://marc.info/?l=netfilter&m=127894708222913&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
Looking at the output of `conntrackd -s`; I didn't know what 'mfrm'
meant under the 'message sequence tracking' section so I had to look
up the code for this. While doing so, I replaced 'mfrm' with
'malformed' in the output since I thought other users might be
confused as well as I was looking at that word.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
This patch enables the event reliability in an early stage of the
event handler initialization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we open the event handler once the internal
cache (if any) is populated. This reduces the chances of a
possible premature overrun if we lauch conntrackd in a busy
firewall. However, we may still start with an internal cache
that may differ a bit from the once in the kernel.
This patch has no impact in setups where conntrackd is started
in a spare firewall.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
- NetlinkBufferSize value passed to the kernel gets doubled [see SO_RCVBUF
in net/core/sock.c]; it's halved now before it gets sent to the kernel.
This ensures that daemon starts up with a netlink socket buffer size
equal to the value set for NetlinkBufferSize in configuration file.
- Previously, netlink socket buffer size would only stop increasing after
it had increased beyond NetlinkBufferSizeMaxGrowth value. With this commit
netlink socket buffer size increases as long as it is less than or
equal to NetlinkBufferSizeMaxGrowth value.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick's McHardy iptables
CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
* NetlinkBufferSize value passed to the kernel gets doubled [see SO_RCVBUF
in net/core/sock.c]; it's halved now before it gets sent to the kernel.
This ensures that daemon starts up with a netlink socket buffer size
equal to the value set for NetlinkBufferSize in configuration file
* Previously, netlink socket buffer size would only stop increasing after
it had increased beyond NetlinkBufferSizeMaxGrowth value. With this commit
netlink socket buffer size increases as long as it is less than or
equal to NetlinkBufferSizeMaxGrowth value
|
|
|
|
This patch fixes several minor nitpicks to support IPv6 failover:
* ICMPv6 type/code/id were missing in synchronization messages.
* The use of '-' as string in the configuration file was not allowed.
* Include example in configuration file under doc/.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
It must refer to NetlinkBufferSize[*] instead of "SocketBufferSize[*].
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up nat_parse() and it also displays nicer
error message for malformed arguments.
% conntrack -L --src-nat :80
conntrack v0.9.14 (conntrack-tools): No IP specified
Try `conntrack -h' or 'conntrack --help' for more information.
% conntrack -L --src-nat 1.1.1.1:
conntrack v0.9.14 (conntrack-tools): No port specified after `:'
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering if the IP matches an entry but the PORT
does not matches. Without this patch, the entry is shown when it
should be not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch restricts the behaviour that we previously introduced
in 142606c60808b3ab0496155ac3d086765e6baef3.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing bits to allow to filter with --any-nat
based on the IP address.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes another scenario in which the flow has some
PAT mangling and we passed the src-nat address that we want
to use to perform the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, conntrack does not show bogus entries that have no NAT
applied due to a relaxed checking.
conntrack -L --src-nat :80
tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the
inconsistent behaviour that I described in
85f94171a71880c744f265268f33ad58819caa74. Great.
This patch fixes this again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the testsuite for the NAT filtering options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the --any-nat option that allows to display src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
This patch allows the following command to filter port-based NAT:
$ conntrack -L --dst-nat :9999
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
This patch is a cleanup, it puts all the commands and options code
together. This makes easier and less error-prone the task to add
new commands and options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it expands an array that contains the
correspondence between the option-flags and the option-names.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
This reverts commit b4d4591734726a7b38a579acf272022caf5a0534.
|
|
In commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d, I added the
TCP window scale factor support but it was incomplete. We have to
set the IP_CT_TCP_FLAG_WINDOW_SCALE flag to update the td_scale
field via ctnetlink. Check nlattr_to_tcp(...) function in
nf_conntrack_proto_tcp.c for more details.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e
was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted
OR destination-natted flows. This patch changes the behaviour to
show source-natted AND destination-natted flows.
This is the consistent behaviour that we expect from conntrack
(this is how it works for other options indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering with --src-nat and --dst-nat options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since
it breaks conntrack listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
of checking for the port attribute. It also adds a function for UDP
otherwise we break support for this protocol.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
`conntrackd -i -x' does not display internal cache in XML, this
patch fixes the problem.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
