Age | Commit message | Author
2015-11-26 | conntrack-tools: drop unrequired build-depends from debian packaging | Alex Harpin
Drop the unrequired build-depends from the nfct package in debian/control.
2015-11-26 | 1:1.4.2-1+vyos2+lithium12 [debian/1.4.2-1+vyos2+lithium12] | Alex Harpin
2015-11-26 | conntrack-tools: bump build requirements for 1.4.2 | Alex Harpin
Bump the build requirements of conntrack-tools 1.4.2 to the versions needed for a build.
2015-11-25 | Merge tag 'conntrack-tools-1.4.2' into lithium | Alex Harpin
conntrack-tools 1.4.2 release
2015-11-25 | 1:1.4.1-1+vyos2+lithium11 [debian/1.4.1-1+vyos2+lithium11] | Alex Harpin
2015-11-24 | conntrack-tools: bump build requirements for 1.4.1 | Alex Harpin
Bump the build requirements of conntrack-tools 1.4.1 to the versions needed for a build.
2015-11-24 | Merge tag 'conntrack-tools-1.4.1' into lithium | Alex Harpin
conntrack-tools 1.4.1 release
2015-11-24 | 1:1.4.0-1+vyos2+lithium10 [debian/1.4.0-1+vyos2+lithium10] | Alex Harpin
2015-11-24 | conntrack-tools: bump build requirements to actual level | Alex Harpin
Bump the build requirements of conntrack-tools 1.4.0 to the actual level needed for a build.
2015-11-22 | 1:1.4.0-1+vyos2+lithium9 [debian/1.4.0-1+vyos2+lithium9] | Alex Harpin
2015-11-22 | Update debian packaging | Alex Harpin
2015-11-21 | 1:1.4.0-1+vyos2+lithium8 | Alex Harpin
2015-11-21 | Merge tag 'conntrack-tools-1.4.0' into lithium | Alex Harpin
conntrack-tools 1.4.0 release
2015-10-11 | 1:1.2.1-1+vyos2+lithium7 [debian/1.2.1-1+vyos2+lithium7] | Alex Harpin
2015-10-02 | 1:1.0.1-3+vyos2+lithium6 [debian/1.0.1-3+vyos2+lithium6] | Alex Harpin
2015-10-02 | conntrackd: build: fix crash when optional kernel modules are not loaded | Pablo Neira Ayuso
Fix a possible crash if conntrackd sees DCCP, SCTP and ICMPv6 traffic and the corresponding kernel modules that track this traffic are not available.
Fixes: http://bugzilla.netfilter.org/show_bug.cgi?id=910
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-06-14 | 1:1.0.1-3+vyos2+lithium5 [debian/1.0.1-3+vyos2+lithium5] | Alex Harpin
2015-06-14 | conntrack: update dh_gencontrol with new development build flag | Alex Harpin
2014-12-23 | 1:1.0.1-3+vyos2+lithium4 [debian/1.0.1-3+vyos2+lithium4] | Alex Harpin
2014-12-23 | Update maintainer address | Alex Harpin
2014-12-13 | Force release | Alex Harpin
2014-12-13 | 1:1.0.1-3+vyos2+lithium3 [debian/1.0.1-3+vyos2+lithium3] | Alex Harpin
2014-10-25 | 1:1.0.1-3+vyos2+lithium2 [debian/1.0.1-3+vyos2+lithium2] | Daniil Baturin
2014-10-25 | Force release | Daniil Baturin
2014-01-09 | 1:1.0.1-3+vyos1+helium4 [vyos/1.1.0-beta1] [debian/1.0.1-3+vyos1+helium4] [helium] | Daniil Baturin
2014-01-09 | Fix version format | Daniil Baturin
2014-01-08 | 1:1.0.1-3+vyos+helium2 [debian/1.0.1-3+vyos+helium2] | Daniil Baturin
2014-01-08 | 1:1.0.1-3+vyos+helium1 | Daniil Baturin
2014-01-08 | New branch | Daniil Baturin
2013-11-16 | 1:1.0.1-2+vyatta35+hydrogen1 [debian/1.0.1-2+vyatta35+hydrogen1] | Daniil Baturin
2013-11-16 | New branch | Daniil Baturin
2013-08-06 | conntrack-tools 1.4.2 release | Pablo Neira Ayuso
bump dependency with libnetfilter_conntrack to 1.0.4, otherwise we don't get the connlabel support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-08-06 | cthelper: fix IPv6 address and mask in newly created expectations | Pablo Neira Ayuso
Set to zero the entire address if needed, not just 4 bytes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-07-24 | conntrack: fix reporting of unknown arguments | Clemence Faure
short options were always reported as "unknown argument".
getopt(3) says: if [it] finds an option character in argv that was not included in optstring, or if it detects a missing option argument, it returns '?' and sets the external variable optopt to the actual option character. If the first character [...] of optstring is a colon (':'), then getopt() returns ':' instead of '?' to indicate a missing option argument.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
2013-07-24 | conntrack: fix -L format output | Florian Westphal
commit d343b8c (conntrack: add connlabel format attribute) erroneously removed _UNKNOWN format, i.e. conntrack -L displayed
[UPDATE] tcp 6 114 TIME_WAIT src=..
^^^^^
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
2013-07-23 | conntrackd: support replication of connlabels | Florian Westphal
- check if ct has label attribute, and at least one label (bit) is set
- serialize bitmap into array-of-u32, in network byte order
- add code to build new nfct_bitmask object from array-of-u32
Current parse functions don't have length information, this adds optional parse2() which gets struct netattr pointer. Attributes that want to use parse2 need to set .maxsize to nonzero value.
Signed-off-by: Florian Westphal <fw@strlen.de>
2013-07-23 | conntrack: introduce -l option to filter by labels | Clemence Faure
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
2013-07-11 | conntrackd: simplify expectation filtering | Pablo Neira Ayuso
This patch simplifies the expectation filtering by looking up for the master conntrack. If it does not exist, then we assume that we don't want this expectation either. This simplification also fixes the current broken expectation filtering, since the master conntrack from expectations has neither reply tuple nor state, however, the filtering code assumes the opposite. This partially reverts (479a37a conntrackd: fix crash with IPv6 expectation in the filtering code) since it was incorrectly setting the reply tuple of the master conntrack. Thanks to Bill Fink for providing feedback to resolve this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-07-06 | conntrackd: fix crash with IPv6 expectation in the filtering code | Pablo Neira Ayuso
Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
> a = 2654435769 b = 2654435769 c = 0 len = 4
> #1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> #2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> #3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
The master conntrack of the expectation has no reply tuple. However, the filtering routine needs it. To avoid this issue, emulate the source address in the reply tuple. While at it, fix incorrect sanity checking that should have caught this issue. Thanks to Florian Westphal for initial diagnosing of this bug.
Reported-by: Bill Fink <billfink@mindspring.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-07-06 | conntrackd: deprecate `Family' in configuration file | Pablo Neira Ayuso
This patch deprecates the `Family' tweak in the configuration file. Several reasons for this:
* If not specified, this was default to IPv4 only in table dumps from the kernel. However, non-IPv4 events were still received. This is inconsistent.
* It's an early tweak that was not documented (not included in any of the example files).
If we want to support any sort of consistent filtering based on the family, this should happen in the filtering code. After this patch, conntrackd uses AF_UNSPEC to dump the conntrack and expectation tables from the kernel.
Reported-by: Bill Fink <billfink@mindspring.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-07-06 | conntrackd: cache: fix hashing based on IPv6 address | Pablo Neira Ayuso
Use source and destination address, not only source address for hashing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-07-05 | conntrack: add connlabel format attribute | Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
2013-06-07 | cthelper: helpers may not use private information area | Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-06-07 | cthelper: add IPv6 support | Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-06-07 | tests: cthelper: remove test infrastructure from this tree | Pablo Neira Ayuso
I decided to move it to: http://git.netfilter.org/conntrackd-helper-tests to reduce the bloat of this tree, most people are not interested in this stuff when they grab it via git clone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-06-05 | include: kill unused PLD_* macros | Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-06-05 | conntrackd: fix compiler warnings | Florian Westphal
main.c:359:6: warning: ignoring return value of 'nice' [..]
main.c:395:7: warning: ignoring return value of 'chdir' [..]
run.c:43:17: warning: declaration of 'signal' shadows a global declaration
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-05-15 | conntrack: fix timestamps when microseconds are less than 100000 | Pablo Neira Ayuso
The fractional portion of timestamps reported by conntrack is printed as a left-justified integer instead of fixed-width and zero-padded.
Closes netfilter's bugzilla 817: https://bugzilla.netfilter.org/show_bug.cgi?id=817
Reported-by: hoffman@stanford.edu
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-03-20 | conntrackd: fix parsing of non-abbreviated IPv6 address in config file | James Guthrie
Both representations of this example IPv6 address should be accepted:
fe80::1
fe80:0:0:0:0:0:0:1
This patch fixes the lexical parser for non-abbreviated version, which was not working.
Signed-off-by: James Guthrie <jag@open.ch>
Signed-off-by: Roman Hoog Antink <rha@open.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-03-04 | build: requires libnetfilter_conntrack >= 1.0.3 | Pablo Neira Ayuso
Reported-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>