| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the specific ctnetlink code to ctnl.c to prepare
the introduction of the cthelper infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch generalizes the select-based file descriptor infrastructure
by allowing you to register file descriptors and its callbacks. Instead
of hardcoding the descriptors that needs to be checked.
Now, struct fds_item contains a callback and pointer to data that is
passed to it:
struct fds_item {
struct list_head head;
int fd;
+ void (*cb)(void *data);
+ void *data;
};
Then, we check which ones are active in the select_main_step() function:
list_for_each_entry(cur, &STATE(fds)->list, head) {
if (FD_ISSET(cur->fd, &readfds))
cur->cb(cur->data);
}
And it invoked the corresponding callback.
I had to slightly modify the channel infrastructure to fit it into
the changes.
This modularity is required for the upcoming cthelper support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Before this patch, we called accept() to likely return EAGAIN.
This is not required as select() will tell us that we're ready
to accept. Therefore, that early accept() invocation complicates
the whole handling just to get the connection accepted a bit
before.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
this release fixes a compilation issue in 1.2.0, sorry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
nfct-extensions/timeout.c: In function ‘nfct_timeout_cb’:
nfct-extensions/timeout.c:99:2: warning: passing argument 4 of ‘nfct_timeout_snprintf’ makes integer from pointer without a cast [enabled by default]
/usr/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h:114:5: note: expected ‘unsigned int’ but argument is of type ‘struct nfct_timeout *’
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This files includes some short description on `nfct'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
For automated testing of the conntrack utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
All automated testing for the conntrack-tools will now reside under
the test directory.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
libnetfilter_conntrack 1.0.1 includes important updates for the
expectation side, which is used in this major milestone release.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
CC nfct-extensions/timeout.o
../../src/nfct-extensions/timeout.c: In function ‘nfct_cmd_timeout_parse_params’:
../../src/nfct-extensions/timeout.c:40:27: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Major milestone including the new `nfct' utility and the expectation
support for conntrackd.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the automated tests for the cttimeout infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
I'll need for the upcoming cthelper infrastructure. Moreover, we avoid
more fragmentation in the netfilter user-space utilities. And the plan
is that `nfct' will replace `conntrack' at some point.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
else, piping "conntrack -E expect" output will be buffered/delayed,
which is not what users expect. Normal conntrack events are already
flushed.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds missing information regarding several conntrackd
options to the manpage and the help info that is displayed in the
command line.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
You have to use this:
iptables -I PREROUTING -t raw -j CT --ctevents assured,destroy
instead of:
iptables -I PREROUTING -t raw -j CT --ctevents assured
Otherwise, conntrackd cache gets full since no destroy events
are delivered.
Reported-by: Kerin Millar <kerframil@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
Now it includes:
ExpectationSync {
...
ras
q.931
h.245
}
Which are the set of helpers for h.323.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
You can use:
ExpectationSync {
ftp
ras
q.931
sip
}
or:
ExpectationSync {
FTP
RAS
Q.931
SIP
}
no matter lower/upper case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch uses the new infrastructure that allows us to filter
by mark from kernel-space.
This change ensures backward compatibility with kernels with
no support for filtering by mark (Linux kernel <= 3.4.x).
This requires lastest libnetfilter_conntrack library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
I forgot to modify the body of msg2exp to include the recently
committed support for the expectation class, helper name and NAT.
This patch fixes the problem.
Now in node-1 (primary), it shows:
proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 31s]
And it node-2 (secondary), it shows:
proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 180s]
This has been tested with the SIP conntrack helper.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
For both conntrack and expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing bits to support NAT expectation support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for synchronizing the expectation class.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
expectations in XML format."
Generated files got committed by git commit -a, thus reverting the commit.
This reverts commit d8def099fed622b42f7b66468981d6d5c7aac74c.
|
|
expectations in XML format.
|
|
|
|
% conntrack -U -u FIXED_TIMEOUT
conntrack v1.0.1 (conntrack-tools): Operation failed: Device or resource busy
With this patch, you can make indeed make it:
% conntrack -U -u FIXED_TIMEOUT
[...]
conntrack v1.0.1 (conntrack-tools): 8 flow entries have been updated.
This patch also adds the corresponding simple QA tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch allows you to dump the internal and external expectation
cache in XML.
% conntrackd -i exp -x
<flow><layer3 protonum="2" protoname="ipv4"><expected><src>192.168.1.135</src><dst>130.89.148.12</dst></expected><mask><src>255.255.255.255</src><dst>255.255.255.255</dst></mask><master><src>192.168.1.135</src><dst>130.89.148.12</dst></master></layer3><layer4 protonum="6" protoname="tcp"><expected><sport>0</sport><dport>9082</dport></expected><mask><sport>0</sport><dport>65535</dport></mask><master><sport>50518</sport><dport>21</dport></master></layer4><meta><helper-name>ftp</helper-name></meta></flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Now you can dump expectations in XML format and display the timestamp.
conntrack -L exp -o xml,timestamp
<?xml version="1.0" encoding="utf-8"?>
<expect>
<flow><layer3 protonum="2" protoname="ipv4"><expected><src>192.168.1.135</src><dst>130.89.148.12</dst></expected><mask><src>255.255.255.255</src><dst>255.255.255.255</dst></mask><master><src>192.168.1.135</src><dst>130.89.148.12</dst></master></layer3><layer4 protonum="6" protoname="tcp"><expected><sport>0</sport><dport>32877</dport></expected><mask><sport>0</sport><dport>65535</dport></mask><master><sport>49881</sport><dport>21</dport></master></layer4><meta><helper-name>ftp</helper-name><timeout>294</timeout><when><hour>21</hour><min>22</min><sec>09</sec><wday>1</wday><day>22</day><month>1</month><year>2012</year></when></meta></flow>
</expect>
You have to upgrade libnetfilter_conntrack to access this feature.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
