| Age | Commit message (Collapse) | Author |
|---|
|
This patch adds cache statistics that you can check via
`conntrackd -s cache'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds networks statistics that you can check via
`conntrackd -s network'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch deletes three unused flags SYNC_MODE_ALARM,
SYNC_MODE_FTFW_BIT and DONT_CHECKSUM. They were replaced by
the CTD_* flags at some point of the development.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds cidr.h to Makefile.am in include/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch bumps the version of the conntrack-tools to 0.9.9.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a type in a warning message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a note on the impact of having small values for
the McastSndSocketBuffer and McastRcvSocketBuffer clauses.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
This patch replaces "destroy" by "control" messages. Actually, the
resend queue contains the maximum amount of control messages that
we store to resend them in case of message omission. This patch also
clarifies which is a good size to have.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the SocketBufferSize and SocketBufferSizeGrowth
clause. It also rises the default values which are fairly small for
busy firewalls.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces SocketBufferSizeMaxGrown by
SocketBufferSizeMaxGrowth. Both clauses are still valid but better
to use the one that has no typos in the configuration files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds an initial log message to report the initial netlink
event socket buffer size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch renames __del2() by __del(). The name of this function
is a reminiscent of a removed __del() function time ago.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch renames the function hashtable_test() by
hashtable_find() which is a better name IMO to describe this
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a message-type checking before we parse the message.
Thus, we skip the parsing of messages with bad types.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reduces the size of alive messages by removing the
"from" and "to" fields which are not of any help. This patch also
removes the IS_CTL() macro since it does not return true for
the control messages anymore but only for IS_ACK(), IS_NACK() and
IS_RESYNC().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds more strict checking in the message type. We add a
new message type NET_T_CTL for control messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch includes resync messages in the tx queue. Thus, if a
resync message gets lost, it is resent.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes a IS_DATA(net) in tx_queue_xmit which is not
possible to happen anymore since there are no chances to have
data in the transmission queue (instead it is all in the
transmission list).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces the use of NFCT_Q_* in the message type by
specific network message type NET_T_*. The query types are reserved
for libnetfilter_conntrack operations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch updates the dependency between conntrack-tools and
libnetfilter_conntrack. This is required because of commit
2473a408abdd79fb4b24c5c56f769791203c0cd8 in libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We do not need to include the reply tuple in the update messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch includes the TCP flag/mask attributes in update messages
if this is a TCP connection.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch includes the TCP flag/mask attributes if this is a TCP
connection, otherwise do not include.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch uses a clone object that includes the original tuple and
the new timer to be set. This fixes EINVAL and EBUSY errors reporting
while trying to update the timer of some conntrack entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a race condition that triggers EILSEQ errors
(wrong sequence message). The problems is triggered when the child
process resets the timers at the same time that the parent process
requests a resync. Since both the child and the parent process use
the same descriptors, the sequence tracking code in libnfnetlink
gets confused as it considers that it is receiving out of sequence
netlink messages.
This patch introduces internal handlers to commit and reset timers
so that the parent and the child do not use the same descriptors
to operate with the kernel.
This patch changes the prototype of all nf_*_conntrack() functions.
Now, the nfct handler is passed as first parameter, this change is
required to fix this problem. The rest of the changes on the API
is done for consistency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The current wait() error handling was insufficient. This patch
introduce more verbose error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch recovers the option -F for conntrackd. This will be
particularly useful to flush the kernel conntrack table without
getting the event notification of the conntrack deletions
(that will happen with Linux kernel >= 2.6.29).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds strict attribute size checking. This is good to
detect corrupted or malformed messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch aligns the data offset that is returned by the NTA_DATA
macro.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch simplifies the message format of the replication
messages. As a result, we save four bytes. The netpld header
was introduced in the early protocol design. Today, it does
not have any reason to exist.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes __do_send() and replace it with the mcast_send()
call. The debugging information that provides is not useful anymore
with the tcpdump plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch simplifies mcast_buffered_send_netmsg() by removing the
length parameter. Instead, we use the length field in the nethdr
to know the message size to be sent.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the unused function mcast_send_netmsg().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes NTA_MASTER_L4PROTO parsing which was missing. This
problem was introduced in "network: rework TLV-based protocol", commit
id 76ac8ebe5e49385585c8e29fe530ed4baef390bf, ie. somewhere in the
development of 0.9.9. This patch also fixes the size of parsing
callback array that is NTA_MAX, not ATTR_MAX. This problem does not
affect conntrack-tools <= 0.9.8.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch unsets the ATTR_HELPER_NAME attributes, otherwise we hit
EBUSY for related conntrack entries while resetting the timers.
Signed-off: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch constifies the first parameter, which is a conntrack
object, in all nl_*_conntrack() functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch uses NFCT_Q_CREATE in nl_create_conntrack() and
NFCT_Q_UPDATE in nl_update_conntrack(). The NFCT_Q_CREATE_UPDATE
query does not set the NLM_F_EXCL flag, so that it tries to update
the entry if we fail to create.
Under several scenarios, this may lead to problems. For example,
the creation of related conntracks contain the master information.
This is fine to create an entry, but an update will hit
EOPNOTSUPP as ctnetlink considers that you are trying to change
the master of an existing conntrack - and this is not a supported
operation, of course.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the behaviour of nl_create_conntrack() and
nl_update_conntrack() which now clone the conntrack object
received as parameter. This was not required as these functions
were called inside fork(), thus, they modified a copy of the
real conntrack objects in the child process.
However, this behaviour is broken following the try-again
logic in __do_commit_step. For example, if we try to update
an expected conntrack object that has vanished for whatever
reason, since nl_update_conntrack() modifies the object (unset
the master conntrack information), nl_create_conntrak() will
create an entry without the master conntrack information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, NTA_TIMEOUT is not included in the replication
messages anymore. During the fail-over, we set a small timeout
to purge the entries that were not recovered successfully
(however, unsuccessful recovery should not happen ever).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds FIXED_TIMEOUT and EXPECTED to the conntrack(8)
manpage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can filter expected connections:
# conntrack -L --status EXPECTED
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the incompatibilities introduced by the recent
changes in the message format. I don't like breaking backward, but
we are still in development stage, and those changes result in more
efficient message building according to oprofile (see previous
commits in conntrack-tools' git tree).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the prototype of mcast_buffered_init() to receive
as argument the MTU size instead of the multicast configuration. This
decouples the initialization of the tx buffer from the multicast
configuration. This patch is needed by the multi-dedicated link
support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves `Checksum' into the `Multicast' clause. This
property is dependent of the multicast configuration. This patch
is required to introduce the redundant dedicated link support
that is on the way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch move the options release to free_options(). It also
move the free_options call after the error checking because
exit_error already free the option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can specify the following command to dump the
expectation table, instead of writing 'expect'.
# conntrack -L e
also, it is valid the following command:
# conntrack -L ex
# conntrack -L exp
and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces a couple of hardcoded buffer sizes by sizeof()
calls. This sort of code is error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
