summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2008-11-25build: add attribute header size to total attribute lengthPablo Neira Ayuso
This patch adds the size of the attribute header (4 bytes) to the length field of netattr. This fixes a possible invalid memory access in malformed messages. This change is included in the set of scheduled changes for 0.9.9 that break backward compatibility. This patch also removes a memset of 4096 by one to initialize the headers and the netattr paddings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-18conntrack: cleanup command line tool protocol extensionsPablo Neira Ayuso
This patch cleans up the protocol extensions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-18filter: choose the filtering method via configuration filePablo Neira Ayuso
This patch changes the current behaviour of the filtering selection. Up to now, conntrackd has used the kernel version to select the filtering method based on the following logic: If kernel is >= 2.6.26 we use BSF-based filtering from kernel-space, otherwise, default to userspace. However, this filtering method still lacks of IPv6 support and it requires a patch that got into 2.6.29 to filter IPv6 addresses from kernel-space. To fix this issue, we default to user-space filtering and let the user choose the method via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-15conntrack: --status should not be mandatory with -IPablo Neira Ayuso
This patch relaxes the parameter checking as now we don't need to pass --status when we create a conntrack via command line interface. In this case, the conntrack entry is created only with the IPS_CONFIRMED flag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-15filter: remove useless branch in the check functionsPablo Neira Ayuso
If the logic is set to -1, this means that we do not perform any filtering for this sort of network address. Therefore, we don't need to re-check if there is any filter later. This patch also inlines the check functions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-15filter: use jhash2 instead of jhash for IPv6 addressesPablo Neira Ayuso
Since an IPv6 address can be seen as an array of uint32_t. Use the optimized jhash2() function instead of the generic jhash(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-09filter: use XOR instead of branchesPablo Neira Ayuso
use XOR instead of branches in ct_filter_check. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-02network: rework TLV-based protocolPablo Neira Ayuso
This patch reworks the TLV-based protocol to reduce the overhead in the message building. The idea is to group some attributes that must be present in a consistent configuration. Putting them together help us to save some cycles in the message building. Now, oprofile reports ~15% of samples in the build path instead of ~25%. CPU consumption for 3000 HTTP GET requests per second (1000 concurrent with apache benchmark tool) is ~45% in my testbed, that is ~19% more consumption than with no replication at all. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-02network: add protocol version field (breaks backward compatibility)Pablo Neira Ayuso
This patch adds the version field (8-bits long) to the nethdr structure. This fields can be used to indicate the protocol version in case that we detect an incompatibility between two conntrackd daemons working with different protocol versions. Unfortunately, this patch breaks backward compatibility, ie. conntrackd <= 0.9.8 protocol is not compatible with the upcoming conntrackd >= 0.9.9. Better do this now than later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-11-02network: remove message omission test-codePablo Neira Ayuso
This patch removes a part of the code that can be used to simulate message loss in the replication. This was useful to test the FT-FW code. However, this code is not useful anymore as long as we have netem: tc qdisc add dev eth0 root netem loss 0.1% Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-26ftfw: remove bottleneck in ack/nack handlingPablo Neira Ayuso
Since the resend list/queue contain elements in order, we can break looping once we find the first element that is after the ack/nack window. This patch fixes a bottleneck in the ack/nack handling reported by oprofile. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-26ftfw: add option `-v' to output debugging information (if any)Pablo Neira Ayuso
This patch introduces the option `-v' to show useful debugging information, if any. As for now, only sync-ftfw.c make use of it to display the content and the length of the resent list/queue. This is useful to check for message leaks. Other working modes or synchronization approaches may use it to display debugging information in the future. This patch removes _SIGNAL_DEBUG in sync-ftfw.c that was used for for the same purpose. However, it could only be enabled at compilation time and it uses signalling instead of the standard UNIX socket interface that conntrackd provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-22conntrack: add missing -U in conntrack(8) manpagePablo Neira Ayuso
This patch adds information about -U which was missing. Reported-by: Karel Rericha <karel@maxtel.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21ftfw: rise the size of the acknowledgment window in the examplePablo Neira Ayuso
This patch increases the size of the acknowledgment window based on some experiments in my testbed with oprofile. The previous default value was too small. This resulted in too many cycles to empty the resend queue. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21conntrackd: bump version to 0.9.8conntrack-tools-0.9.8Pablo Neira Ayuso
This patch bumps the version to 0.9.8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21conntrackd: add missing information on -t to the helpPablo Neira Ayuso
This patch adds missing information on -t when conntrackd is invoked with -h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21doc: update conntrackd manpagePablo Neira Ayuso
This patch updates the conntrackd manpage some re-writes, missing options and new dependencies. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21doc: remove example about CacheWriteTroughPablo Neira Ayuso
This patch removes the documentation about the CacheWriteTrhough clause. This feature is scheduled for removal since the asynchronous nature of conntrackd does not allow multi-path routing support. I'm lying, actually there's a chance to support it, but we have to guarantee that the RTT in the message synchronization between the firewall is smaller than the RTT between the peer and the firewalls. Moreover, this option has made more bad than good since people enable it when things don't work. Making the whole troubleshooting more complicated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21filter: do not filter in user-space if kernel supports BSFPablo Neira Ayuso
This patch avoids a double filtering in user-space and kernel-space if the kernel support BSF. Since we do not use BSF for dumps and resyncs, we add a new parameter to ignore_conntrack to indicate if we have to perform the filtering in user-space or not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21cache: use jhash2 instead of double jhash+jhash_2wordsPablo Neira Ayuso
Currently, oprofile reports ~17% of sample in the hashing. With this patch, that uses jhash2 instead of a double call to jhash and one to jhash_2words, it goes down to ~11%. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21filter: fix segfault if the Filter clause is unusedPablo Neira Ayuso
This patch fixes a segfault when conntrackd -k is invoked for an instance of conntrackd with no use of the Filter clause. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-21netlink: report when kernel-space event filtering is in usePablo Neira Ayuso
This patch adds a log message to tell that conntrackd are using kernel-space filtering. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-20doc: rise default size of the hashtable in the example filePablo Neira Ayuso
This patch rises the default value of the hashtables in terms of buckets and entries to the default value in nf_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-20notrack: fix double receival of resync requestsPablo Neira Ayuso
This patch fixes double insertion in the tx_list if we receive two (or more) consecutive resync request in short time. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-20config: fix usage of 'PurgeTimeout' in Sync NOTRACKPablo Neira Ayuso
This patch fixes a problem that is reported by conntrackd while trying to parse the example configuration file. We fix this instead of the example file to make it consistent with other replication approaches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-20cache-iterators: improve committingPablo Neira Ayuso
This patches fixes two problems: - If we failt to update an entry, we remove it and try again. This happens when we still have an entry in a final state like TIME_WAIT while we see a new connection (SYN_SENT) with the same tuple. In this particular case, we fail to update since some status bits are only settable, but not unsettable. - If we hit ETIME in an update, we have to go over the creation patch, otherwise we hit ENOENT in the next run. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-20cache: fix update of scheduled-to-timeout entriesPablo Neira Ayuso
This patch fixes a problem that allows the update of entries that are scheduled to be removed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-16conntrack: cleanup for NAT filteringPablo Neira Ayuso
This patch cleanups the NAT filtering. The former code had three branches, one if src and dst NAT are set, else one if src NAT is set, else one if dst NAT is set. Now, we check if src NAT is set or if dst NAT is set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-13doc: update INSTALL filePablo Neira Ayuso
This patch updates the INSTALL file. Now it only describes the compilation and installation of the conntrack-tools. For further information, we refer to the user manual that is available under doc/manual. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-13manual: add initial user manualPablo Neira Ayuso
This patch adds the manual in docbook format to the conntrack-tools. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-09conntrack: fix dump counter displayed with -L expectPablo Neira Ayuso
This patch fixes the dump counter displayed with -L expect. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-04conntrack: fix filtering for unsupported protocolPablo Neira Ayuso
This patch fixes filtering for unsupported protocol. Thus, you can use -L -p 47 or -L -p gre to filter `gre' traffic. Based on an initial patch from Bryan Duff <bduff@astrocorp.com>. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-10-02conntrack: fix mark-based filtering for event displayPablo Neira Ayuso
The mark-based filtering for events does not work if the mark is not present in the event message. This happens because nfct_cmp() skips the comparison of the compared objects since it they do not have the same attributes set. This patch make use of the new NFCT_CMP_MASK flag that returns false if the first object passed as parameter is set and the second is not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-28conntrack: cleanup XML header handlingPablo Neira Ayuso
This patch removes the use of snprintf and directly print the XML header to the standard output. This simplifies the handling. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-28conntrack: cleanup for the update pathPablo Neira Ayuso
This patch cleans up the update path for the conntrack utility. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-25ftfw: reset window and flush the resend queue during helloingPablo Neira Ayuso
This fixes two bugs when a hello message is received: * We can create malformed nack messages during the helloing. We have to reset the acknowlegdment window, otherwise we may create malformed nack messages. * We have to empty the resend list/queue when a hello message is received, otherwise the entries get stuck to the resend queue once the sequence number wraps around. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-25ftfw: fix race condition in the helloing routinePablo Neira Ayuso
This patch fixes a race condition that can prevent one node from sending the initial hello message required to reset the sequence tracking. node A node B | | start | | hello msg |----------------------->| stop | | start | | |<-----------------------| hello-back msg In the picture above, the node A never sends the hello messages. Thus, the node B drops the next messages as they are in the before boundary. This patch adds a new state to the the helloing state-machine to fix this problem. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-25ftfw: fix race that triggers a double insertion into tx_listPablo Neira Ayuso
This patch fixes a race condition that can trigger a double insertion to the tx_list. This happens if we receive two resync request very close or resync just after a nack or vice-versa. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-21fix: remove node from tx_list when the state-entry is destroyPablo Neira Ayuso
This patches fixes a race that triggers a read-after-free access to the tx_list. The state-entry is destroyed but it is still in the list. The fix removes the state-entry from the tx_list in the destroy path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-18config: use /var/run to create the UNIX socket filePablo Neira Ayuso
This patch removes the use of /tmp to create the UNIX socket file to communicate with conntrackd in the example configuration files. This was OK in the early alpha days, but not anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-17cleanup: remove some debug messages from sync-ftfw.cPablo Neira Ayuso
Remove useless debug messages, now we have a pluging for tcpdump to debug the FT-FW protocol. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-17filter: check if kernel-space filtering is availablePablo Neira Ayuso
Check if the Linux kernel is >= 2.6.26, otherwise it does not support kernel-space filtering. This is not clean but we have no choice, the BSF infrastructure does not return ENOTSUPP for unsupported operations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-17cleanup: Linux kernel version checkingPablo Neira Ayuso
Minor cleanup to save a couple of lines in the Linux kernel version checking. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-16filter: fix NAT detection tweakPablo Neira Ayuso
With this patch, we rely on the real source and destination of the packet to perform the filter. The current NAT detection tweak is broken for certain situations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-09-16ftfw: check for malformed ack and nack messagesPablo Neira Ayuso
This patch checks that the [from, to] interval of ack and nack messages is OK. In other words, we check that: to >= from Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-15compilation: relax too strict warning checkingPablo Neira Ayuso
This patch removes the -Werror option during the compilation. Some users have reported problems related to the code generated by flex and bison. This results in useless reports and a bad experience for end-users. Ideally, it would be great to have something like 'autoconf prettify' for less verbose output. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: insert `conntrack-tools' string in help and error messagesPablo Neira Ayuso
Insert string `conntrack-tools' in error messages to explicitly print that this version is inside the conntrack-tools package. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: check for missing arguments in getopt_longPablo Neira Ayuso
From: Pablo Neira Ayuso <pablo@netfilter.org> If getopt_long returns '?', show an error telling that some arguments are missing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: remove unrequired \n in error messagePablo Neira Ayuso
Remove extra \n in error message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-12cli: remove duplicated optarg checkingPablo Neira Ayuso
Remove duplicated optarg checkings for options that require mandatory paramaters. This checking is already done by getopt_long(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>