| Age | Commit message (Collapse) | Author |
|---|
|
Error: UNUSED_VALUE:
conntrack-tools-1.0.0/src/conntrack.c:1297: returned_pointer: Pointer "nl" returned by "strchr(buf, 10)" is never used.
Reported-by: Jiri Popelka <jpopelka@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This speeds up operation when a lot of conntracks exist, but only
a few of them have to be altered.
This change is user-visible because the exit message
("%d flow entries have been updated") will now print the number of entries
that have been altered instead of the total number of conntracks seen.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Extend --mark option to optionally take a mask, seperated
by '/', e.g. --mark 0x80/0xf0.
When used with -L, only test those bits of the mark that
are in the mask range (behaves like iptables like -m mark).
When used with -U, zero out those bits indicated by the mask and
XOR the new mark into the result (behaves like iptables -j MARK
--set-xmark).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
[...]
CC external_inject.o
CC internal_cache.o
CC internal_bypass.o
CC read_config_yy.o
CC read_config_lex.o
CCLD conntrackd
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Remove reference which states that this is still under development
and refer to version 1.0.0.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The existing code requires new features that went into the
current library version.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Now that we have fixed several aspects of the event filtering in
2.6.38, I reintroduce the documentation for this feature.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since Linux kernel 2.6.31, the LISTEN state is SYN_SENT2. With this
patch, we allow to use -p tcp --state SYN_SENT2 which was not possible
so far.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we display the following message after:
# conntrack -F expect
conntrack v0.9.15 (conntrack-tools): expectation table has been emptied.
To make it consistent with the message displayed with conntrack -F.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the use of nfct_maxsize() and several abusive
stack-based allocations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we don't abuse the stack anymore, instead we allocate
the template objects that are used in the heap.
We stop using nfct_maxsize() which is now deprecated in
libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Using memcpy() is not safe, it breaks secctx and it may break
more things in the future. Moreover, nfct_size*() functions will
be deprecated soon, they are evil since they open the window
to memcpy().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This option requires Linux kernel >= 2.6.38, you have to enable conntrack
timestamping with:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
# conntrack -L -o ktimestamp
udp 17 59 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=121 [start=Thu Feb 17 17:41:18 2011] use=1
# conntrack -L
conntrack v0.9.15 (conntrack-tools): 20 flow entries have been shown.
udp 17 31 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=149 use=1
# conntrack -E -o ktimestamp
...
[DESTROY] udp 17 src=192.168.1.128 dst=192.168.1.1 sport=40162 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=40162 [ASSURED] delta-time=3 [start=Thu Feb 17 17:44:57 2011] [stop=Thu Feb 17 17:45:00 2011]
# conntrack -E
[DESTROY] udp 17 src=192.168.1.128 dst=77.226.252.14 sport=123 dport=123 src=77.226.252.14 dst=192.168.1.128 sport=123 dport=123 delta-time=8
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch rises the number of committed entries per step from
64 to 8192. Experimental results in active-active setups here
show that we reduce the commit time with this value significantly.
This deserves some more study, it can be a good idea to remove
this commit per step completely. I leave this for the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes an unnecessary reset of the event iteration limiter
that is already done in the main select loop.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch improves the case in which we receive a commit request
but we are already performing one. This behaviour is suspicious
since the HA manager should not trigger a double master transition.
Otherwise, something probably is not configured appropriately.
This improves 98756c2608f0879a2322919c7441973216565272
"cache: close commit request if we already have one in progress".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We close a commit request if there's already one in progress. This
patch fixes a problem that may be triggered if two consecutive commit
requests are received.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The return initial value is overriden after the initial read. Don't
override this value, instead we check the return value of the read()
operation.
This patch also changes the error statistics accounting since we
consider that a request with no data is an error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Sorry, the iptables CT target is not yet ready for use until some
patches are pushed to the Linux kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This update adds to the documentation the following information:
* add reference to "Demystifying cluster-based fault-tolerant firewalls"
* add how-to disable the external cache
* add how-to disable the internal cache
* add how-to set the synchronization transport protocol
* document iptables CT target
* ask for sponsors to finish H323 and SIP support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
AC_PROG_{LEX,YACC} already searches for the programs, so no need to do
it again with AC_CHECK_PROGS.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
src/Makefile.am:24: whitespace following trailing backslash
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
PKG_CHECK_MODULES already produces its own (and more verbose)
messsage when a module cannot be found.
Mucking around with CFLAGS and LIBS is also not needed since
pkgconfig takes care of providing variables, so let's use them in
Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
automake options also need to definitely go into configure.ac,
otherwise they only apply to a single directory.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
So far, conntrack only allows to listen to events of new expectations.
With this patch, we can listen to events of destroyed expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
This patch includes a minor documentation update with two new
questions in the FAQ.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes wrong Linux kernel requirements in the example
configuration files. We require a Linux kernel >= 2.6.36 instead
of >= 2.6.35 as the files suggest.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We require the latest libnetfilter_conntrack version to fix several
bugs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a comment on the TCPWindowTracking option to warn
that this will be supported since the Linux kernel 2.6.35.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
