summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2008-09-25ftfw: reset window and flush the resend queue during helloingPablo Neira Ayuso
This fixes two bugs when a hello message is received: * We can create malformed nack messages during the helloing. We have to reset the acknowlegdment window, otherwise we may create malformed nack messages. * We have to empty the resend list/queue when a hello message is received, otherwise the entries get stuck to the resend queue once the sequence number wraps around. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-25ftfw: fix race condition in the helloing routinePablo Neira Ayuso
This patch fixes a race condition that can prevent one node from sending the initial hello message required to reset the sequence tracking. node A node B | | start | | hello msg |----------------------->| stop | | start | | |<-----------------------| hello-back msg In the picture above, the node A never sends the hello messages. Thus, the node B drops the next messages as they are in the before boundary. This patch adds a new state to the the helloing state-machine to fix this problem. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-25ftfw: fix race that triggers a double insertion into tx_listPablo Neira Ayuso
This patch fixes a race condition that can trigger a double insertion to the tx_list. This happens if we receive two resync request very close or resync just after a nack or vice-versa. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-21fix: remove node from tx_list when the state-entry is destroyPablo Neira Ayuso
This patches fixes a race that triggers a read-after-free access to the tx_list. The state-entry is destroyed but it is still in the list. The fix removes the state-entry from the tx_list in the destroy path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-18config: use /var/run to create the UNIX socket filePablo Neira Ayuso
This patch removes the use of /tmp to create the UNIX socket file to communicate with conntrackd in the example configuration files. This was OK in the early alpha days, but not anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-17cleanup: remove some debug messages from sync-ftfw.cPablo Neira Ayuso
Remove useless debug messages, now we have a pluging for tcpdump to debug the FT-FW protocol. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-17filter: check if kernel-space filtering is availablePablo Neira Ayuso
Check if the Linux kernel is >= 2.6.26, otherwise it does not support kernel-space filtering. This is not clean but we have no choice, the BSF infrastructure does not return ENOTSUPP for unsupported operations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-17cleanup: Linux kernel version checkingPablo Neira Ayuso
Minor cleanup to save a couple of lines in the Linux kernel version checking. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-16filter: fix NAT detection tweakPablo Neira Ayuso
With this patch, we rely on the real source and destination of the packet to perform the filter. The current NAT detection tweak is broken for certain situations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-16ftfw: check for malformed ack and nack messagesPablo Neira Ayuso
This patch checks that the [from, to] interval of ack and nack messages is OK. In other words, we check that: to >= from Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-15compilation: relax too strict warning checkingPablo Neira Ayuso
This patch removes the -Werror option during the compilation. Some users have reported problems related to the code generated by flex and bison. This results in useless reports and a bad experience for end-users. Ideally, it would be great to have something like 'autoconf prettify' for less verbose output. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: insert `conntrack-tools' string in help and error messagesPablo Neira Ayuso
Insert string `conntrack-tools' in error messages to explicitly print that this version is inside the conntrack-tools package. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: check for missing arguments in getopt_longPablo Neira Ayuso
From: Pablo Neira Ayuso <pablo@netfilter.org> If getopt_long returns '?', show an error telling that some arguments are missing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: remove unrequired \n in error messagePablo Neira Ayuso
Remove extra \n in error message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: remove duplicated optarg checkingPablo Neira Ayuso
Remove duplicated optarg checkings for options that require mandatory paramaters. This checking is already done by getopt_long(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-07netlink: avoid errors related to the expected bit handlingPablo Neira Ayuso
We hit error if we try to change the expected bit for already existing conntracks. On the other hand, if the conntrack does not exist, do not change the expected bit, otherwise we also hit error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-07cache iterators: commit master entries before related onesPablo Neira Ayuso
Commit master entries before related ones to avoid ENOENT errors. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-07cache iterators: rework cache_reset_timersPablo Neira Ayuso
This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-07netlink: add getter and check existence functionsPablo Neira Ayuso
This patch adds nl_get_conntrack and it changes the behaviour of nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for a conntrack and updates the cached entry. On the other hand, nl_exist_conntrack only inquiries for the existence of the entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-04script: yet another minor fixPablo Neira Ayuso
Minor fix for the primary-backup.sh script Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-02cache_iterators: do not report ENOENT in cache_reset_timersPablo Neira Ayuso
Do not report ENOENT to log files, this may confuse users. There's a race condition when shortening the timers and handling the destroy messages. However, this problem is not serious as the point of the shortening is to reduce the lifetime of the conntracks. If the conntrack is dying, there's no point to shorten their lifetime anymore :) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-02script: fix broken if branchesPablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-02fix missing updates in the example filesPablo Neira Ayuso
Fix missing updates in keepalived.conf and primary-backup.sh Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-02conntrackd: add -t option to shorten conntrack timeoutsPablo Neira Ayuso
This patch adds the new option `-t' for conntrackd. This option shortens the value of the timeout for the cached entries that lives in the kernel. This option is particularly useful to remove the zombie established entries that remain in kernel if the user tests the platform by forcing the takeover from one to another node several times. We currently use the value of CommitTimeout which is sane for it. Adding a new option does not seem to add more flexibility IMO. Once we get the patches to notify user changes via ctnetlink and the netlink flag NLM_F_ECHO works, we may directly invoke a massive purge of the entries, however, such solution would still need evaluation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-02script: rework scripts that enable interaction with keepalivedPablo Neira Ayuso
This patch reworks the documentation section. It removes the replicated keepalived.conf files and merge all the scripts into one to reduce confusion and improve maintainability. It's likely that the documentation directory will suffer more restructurations in the near future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01doc: remove duplicated example filesPablo Neira Ayuso
This patch removes the directories node1/ and node2/ since the differences are few small and the user should be able to get it running if he RTFM. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01ftfw: show consistent information to users for problem diagnosingPablo Neira Ayuso
This patch hides information that may confuse users while they are diagnosing problems in their setup. For example, we hide entries that are schedule to expire - from the user side, they are already destroyed entries; and we show in the counters the real active entries, not all that are stored in the caches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix broken normal deletion in cachesPablo Neira Ayuso
This patch fixes the non-timer-based cache deletion. This bug affects the alarm-based approach since the backup replicas did not get the deletion event, thus, delaying the deletion. This patch introduces cache_find() to look up for a conntrack object and __cache_del_timer() to perform direct deletions by means of the pointer obtained with cache_find(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix: wrong use of timersub in cache_timerPablo Neira Ayuso
Fix wrong output in the dump of the expire timer which was negative. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix: wrong information related to default logging actionPablo Neira Ayuso
Logging is set off by default instead of what the example files state. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01cleanup: remove obsolete clause Replicate in the example conffilesPablo Neira Ayuso
Remove obsolete clause Replicate in the example configuration files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix: use %zu instead of %u for size_tPablo Neira Ayuso
Use %zu instead of %u for size_t to remove compilation warning. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01commit: retry at least once if we hit ETIME or ENOMEMEric Leblond
Some users are reporting ETIME errors in the update. This happens when you try to update a conntrack that is expiring. To avoid this problem, we retry once at least. We do similar for ENOMEM errors, although only users in virtual machines have reported this AFAIK. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01add more sanity checks in the input pathPablo Neira Ayuso
Some users have reported crashes when nf_conntrack_ipv6 was not present. This patch performs more robust sanity checks in the input path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-29CLI: add new option --buffer-size for -EPablo Neira Ayuso
Add new option --buffer-size for -E to set the netlink socket buffer size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-29filter: skip protocol state filtering if state not presentPablo Neira Ayuso
Skip user-space the protocol state filter if the protocol state is not present in the event message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-24log: syslog displays the entry that triggers the errorPablo Neira Ayuso
This patch fixes an inconsistency in the output. If syslog was chosen as logger, the conntrack entries that triggered an error were not displayed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-23add support for kernel-space filtering via BSFPablo Neira Ayuso
This patch adds support for kernel-space filtering via BSF by means of the libnetfilter_conntrack's BSF high-level API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-22Major rework of the user-space event filteringPablo Neira Ayuso
This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-06-22fix xml output: wrap output with one root elementPablo Neira Ayuso
2008-06-16use only the original tuple to check if a conntrack is presentPablo Neira Ayuso
2008-06-15do not include Changelog in tarballs, user git shortlog for changelog insteadPablo Neira Ayuso
2008-06-15fix unsecure usage of printf and include limits.h (PATH_MAX and INT_MAX)Albin Tonerre
2008-06-15check if entries already exist in kernel before injectionPablo Neira Ayuso
2008-05-31delay the closure of the dump descriptor to fix assertion with cache_wtconntrack-tools-0.9.7Pablo Neira Ayuso
2008-05-31increase deletion stats when the timer is scheduled in cache_del_timeout()Pablo Neira Ayuso
2008-05-27define SO_[RCV|SND]BUFFORCE if not setPablo Neira Ayuso
2008-05-27fix make distcheckPablo Neira Ayuso
2008-05-27remove secmark support for conntrackdPablo Neira Ayuso
2008-05-26fix leak in cache_destroy(): release objects before destroying the cachePablo Neira Ayuso