| Age | Commit message (Collapse) | Author |
|---|
|
This patch adds the --any-nat option that allows to display src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch allows the following command to filter port-based NAT:
$ conntrack -L --dst-nat :9999
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it puts all the commands and options code
together. This makes easier and less error-prone the task to add
new commands and options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it expands an array that contains the
correspondence between the option-flags and the option-names.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d, I added the
TCP window scale factor support but it was incomplete. We have to
set the IP_CT_TCP_FLAG_WINDOW_SCALE flag to update the td_scale
field via ctnetlink. Check nlattr_to_tcp(...) function in
nf_conntrack_proto_tcp.c for more details.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e
was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted
OR destination-natted flows. This patch changes the behaviour to
show source-natted AND destination-natted flows.
This is the consistent behaviour that we expect from conntrack
(this is how it works for other options indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering with --src-nat and --dst-nat options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since
it breaks conntrack listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
`conntrackd -i -x' does not display internal cache in XML, this
patch fixes the problem.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch completes the documentation with the following discussion
that took place in the mailing list.
http://marc.info/?l=netfilter&m=127335152521674&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch splits the __run() routine into two functions, run_polling()
and run_events() that are selected once in run-time. We save one branch
in a loop that intensively executed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the configuration file that includes an example of
the PollSecs clause in Stats. This is wrong since it should go in
the General clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
From Richard Lucassen:
> Btw: if you search the "-m --mask" option in the manpage, you'll see a
> cosmetic typo: this option is on the same line as "-t --timeout"
Reported-by: Richard Lucassen <reply5@xaq.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a hung that occurs if you invoke `conntrackd -c'
and you have disabled the external cache.
Note that `conntrackd -c' does nothing since there is no entries
in the external cache to be committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch move the ports addition to the layer 4 functions, instead
of checking for the port attribute. It also add a function for UDP
otherwise we break support for this protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
UDP filtering was broken during the addition of the UDP-based
synchronization protocol that was introduced in 0.9.14. This
patch fixes the problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch bumps conntrack-tools version to 0.9.14.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the `-B' command in conntrackd that allows you
to force a bulk send to other firewall nodes in the cluster.
Reported-by: Tino Keitel <tkeitel@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we allow to manually create TCP entries in the table.
Basically, we disable TCP window tracking for this entry to avoid
problems.
Reported-by: Roman Fiedler <roman.fiedler@ait.ac.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
on how to set up a TCP-based state-synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the clause `State' in `Filter' that allows
you to filter by protocol state. This bug was introduced during
the implementation of the TCP-based synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we use an indirect call to build the layer 4
information into the synchronization message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause `DisableInternalCache' that allows you
to bypass the internal cache. This clause can only be used with
the notrack synchronization mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 0b03f4b759e439edd2c3da0add08050276d7dc5f, I forgot to increase
the stats for successful cases. This patch fixes this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
# conntrackd -s
external inject:
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Read an integer right away with fscanf() instead of read()-ing to a
buffer, which was actually to small for the terminating '\0', and
atoi()-ing. Furthermore read() might not read enough, though unlikely
here.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Avoid this error:
conntrack v0.9.13 (conntrack-tools): Operation failed: No such file or
directory
when using 'conntrack -E -e ALL ...'.
This is caused by the fact that netfilter expectations also get
delivered, but things are not setup for this, nfnl_catch returns -1
and errno = ENOENT.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
When 'conntrack' is called with no arguments then garbage is printed
after the usage message. This patch fixes this.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a missing calculation of maxfd when a file descriptor
is unregistered.
Reported-by: Jean Mickael Guerin <jean-mickael.guerin@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the alive control message to the notrack mode.
This helps to diagnose problems in the synchronization and
the state of the channel, specifically for TCP-based channels.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Under stress, the TCP stack may return EAGAIN if there is not
space left in the sender buffer. We also enqueue any other
error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch rate-limits the amount of connect() calls to avoid
syn-floods when the other peer is not connected and we are
generating updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 49540362b2a25aadbaf25fd087414776aa5a67a8, we forgot to break lines
at 80 characters. This patch cleans up this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a bug in the TCP support that breaks
re-connections of the client side if several TCP
channels are used in the configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch avoids the shadowing of the global `conf' variable that
is used to store the configuration information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we increase the error stats if:
* we failed to connect to the other peer.
* some unexpected error made connect() fail.
* sendto returned ECONNRESET or EPIPE.
Moreover, we propagate the sendto() errors to upper layers
under failure as Samuel Gauthier suggested.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 9406f29b89f6727c3db5485d109466701393b4d4, we added different
return values for the UNIX sockets that we use to extract the
daemon statistics. Unfortunately, I forgot to change this
as well. This patch fixes a problem that blocks the client
socket indefinitely.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Use the TCP header size (20 bytes) instead of the UDP header size
(8 bytes) to calculate the maximum packet size.
Reported-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
DisableExternalCache is supposed to be put in mode NOTRACK{} or
Mode FTFW{} statement.
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
As we get attr->nta_attr directly from net message, it can be corrupted.
Hence, we must check that nta_attr value is valid before trying to reach
h[attr->nta_attr] element.
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We cannot assume that we will not write in the net message before we
send it, because the memory allocated for the net message (__net) is
only reserved in BUILD_NETMSG (because of the { } block in it).
This patch marks the buffer as static to avoid this problem.
Based on a patch from Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for TCP as protocol to replicate
state-changes between two daemons. Note that this only
makes sense with the notrack mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we can remove file descriptors dinamically
from our own file descriptor pool.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reduces the number of gettimeofday syscalls by caching
the current time in a variable at the beginning of the main loop.
Based on a suggestion from Vincent Jardin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause `DisableExternalCache' that allows you
to disable the external cache and to directly inject the entries
into the kernel conntrack table. As a result, the CPU consumption
of conntrackd increases. This clause can only be used with the
FT-FW and the notrack synchronization modes, but not with the
alarm mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes an infinite loop that can occur if a message of
zero length is received. Moreover, now we always stop the processing
if the message is malformed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a crash in the exit path for channels that
are not buffered (no CHANNEL_F_BUFFERED flag set). This fix
does not affect any existing channel in the tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
