| Age | Commit message (Collapse) | Author |
|---|
|
This patch recovers the option -F for conntrackd. This will be
particularly useful to flush the kernel conntrack table without
getting the event notification of the conntrack deletions
(that will happen with Linux kernel >= 2.6.29).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds strict attribute size checking. This is good to
detect corrupted or malformed messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch aligns the data offset that is returned by the NTA_DATA
macro.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch simplifies the message format of the replication
messages. As a result, we save four bytes. The netpld header
was introduced in the early protocol design. Today, it does
not have any reason to exist.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes __do_send() and replace it with the mcast_send()
call. The debugging information that provides is not useful anymore
with the tcpdump plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch simplifies mcast_buffered_send_netmsg() by removing the
length parameter. Instead, we use the length field in the nethdr
to know the message size to be sent.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the unused function mcast_send_netmsg().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes NTA_MASTER_L4PROTO parsing which was missing. This
problem was introduced in "network: rework TLV-based protocol", commit
id 76ac8ebe5e49385585c8e29fe530ed4baef390bf, ie. somewhere in the
development of 0.9.9. This patch also fixes the size of parsing
callback array that is NTA_MAX, not ATTR_MAX. This problem does not
affect conntrack-tools <= 0.9.8.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch unsets the ATTR_HELPER_NAME attributes, otherwise we hit
EBUSY for related conntrack entries while resetting the timers.
Signed-off: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch constifies the first parameter, which is a conntrack
object, in all nl_*_conntrack() functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch uses NFCT_Q_CREATE in nl_create_conntrack() and
NFCT_Q_UPDATE in nl_update_conntrack(). The NFCT_Q_CREATE_UPDATE
query does not set the NLM_F_EXCL flag, so that it tries to update
the entry if we fail to create.
Under several scenarios, this may lead to problems. For example,
the creation of related conntracks contain the master information.
This is fine to create an entry, but an update will hit
EOPNOTSUPP as ctnetlink considers that you are trying to change
the master of an existing conntrack - and this is not a supported
operation, of course.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the behaviour of nl_create_conntrack() and
nl_update_conntrack() which now clone the conntrack object
received as parameter. This was not required as these functions
were called inside fork(), thus, they modified a copy of the
real conntrack objects in the child process.
However, this behaviour is broken following the try-again
logic in __do_commit_step. For example, if we try to update
an expected conntrack object that has vanished for whatever
reason, since nl_update_conntrack() modifies the object (unset
the master conntrack information), nl_create_conntrak() will
create an entry without the master conntrack information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, NTA_TIMEOUT is not included in the replication
messages anymore. During the fail-over, we set a small timeout
to purge the entries that were not recovered successfully
(however, unsuccessful recovery should not happen ever).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds FIXED_TIMEOUT and EXPECTED to the conntrack(8)
manpage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can filter expected connections:
# conntrack -L --status EXPECTED
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the incompatibilities introduced by the recent
changes in the message format. I don't like breaking backward, but
we are still in development stage, and those changes result in more
efficient message building according to oprofile (see previous
commits in conntrack-tools' git tree).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the prototype of mcast_buffered_init() to receive
as argument the MTU size instead of the multicast configuration. This
decouples the initialization of the tx buffer from the multicast
configuration. This patch is needed by the multi-dedicated link
support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves `Checksum' into the `Multicast' clause. This
property is dependent of the multicast configuration. This patch
is required to introduce the redundant dedicated link support
that is on the way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch move the options release to free_options(). It also
move the free_options call after the error checking because
exit_error already free the option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, you can specify the following command to dump the
expectation table, instead of writing 'expect'.
# conntrack -L e
also, it is valid the following command:
# conntrack -L ex
# conntrack -L exp
and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces a couple of hardcoded buffer sizes by sizeof()
calls. This sort of code is error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a wrong warning display to stdout instead of stderr.
Make the warning message homogeneous to others.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup. It moves the callbacks from netlink.c to
run.c where they are actually invoked. This is better for code
readability as I usually have to switch from run.c to netlink.c
to remember what the callbacks actually do.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes a forced run of the transmission queue.
This is not required since we currently have an event descriptor
that indicates when to give a queue run to push pending messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes an unused array of file descriptors inside the
fds structure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing destroy_fds() in the exit path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds CIDR-based filtering support. The current
implementation is O(n).
This patch also introduces the vector data type which is
used to store the IP address and the network mask.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the size of the attribute header (4 bytes) to the
length field of netattr. This fixes a possible invalid memory
access in malformed messages.
This change is included in the set of scheduled changes for 0.9.9
that break backward compatibility.
This patch also removes a memset of 4096 by one to initialize
the headers and the netattr paddings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up the protocol extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks of IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch relaxes the parameter checking as now we don't need to
pass --status when we create a conntrack via command line interface.
In this case, the conntrack entry is created only with the
IPS_CONFIRMED flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
If the logic is set to -1, this means that we do not perform any
filtering for this sort of network address. Therefore, we don't
need to re-check if there is any filter later. This patch also
inlines the check functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since an IPv6 address can be seen as an array of uint32_t. Use
the optimized jhash2() function instead of the generic jhash().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
use XOR instead of branches in ct_filter_check.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the TLV-based protocol to reduce the overhead
in the message building. The idea is to group some attributes
that must be present in a consistent configuration. Putting them
together help us to save some cycles in the message building.
Now, oprofile reports ~15% of samples in the build path instead
of ~25%. CPU consumption for 3000 HTTP GET requests per second
(1000 concurrent with apache benchmark tool) is ~45% in my
testbed, that is ~19% more consumption than with no replication
at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the version field (8-bits long) to the nethdr
structure. This fields can be used to indicate the protocol version
in case that we detect an incompatibility between two conntrackd
daemons working with different protocol versions.
Unfortunately, this patch breaks backward compatibility, ie.
conntrackd <= 0.9.8 protocol is not compatible with the upcoming
conntrackd >= 0.9.9. Better do this now than later.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes a part of the code that can be used to
simulate message loss in the replication. This was useful to test the
FT-FW code. However, this code is not useful anymore as long as we
have netem: tc qdisc add dev eth0 root netem loss 0.1%
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since the resend list/queue contain elements in order, we can break
looping once we find the first element that is after the ack/nack
window. This patch fixes a bottleneck in the ack/nack handling
reported by oprofile.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch introduces the option `-v' to show useful debugging
information, if any. As for now, only sync-ftfw.c make use of it to
display the content and the length of the resent list/queue. This
is useful to check for message leaks. Other working modes or
synchronization approaches may use it to display debugging
information in the future.
This patch removes _SIGNAL_DEBUG in sync-ftfw.c that was used for
for the same purpose. However, it could only be enabled at compilation
time and it uses signalling instead of the standard UNIX socket
interface that conntrackd provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds information about -U which was missing.
Reported-by: Karel Rericha <karel@maxtel.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch increases the size of the acknowledgment window based on
some experiments in my testbed with oprofile. The previous default value
was too small. This resulted in too many cycles to empty the resend
queue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch bumps the version to 0.9.8
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds missing information on -t when conntrackd is invoked
with -h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch updates the conntrackd manpage some re-writes, missing
options and new dependencies.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the documentation about the CacheWriteTrhough clause.
This feature is scheduled for removal since the asynchronous nature of
conntrackd does not allow multi-path routing support. I'm lying,
actually there's a chance to support it, but we have to guarantee that
the RTT in the message synchronization between the firewall is smaller
than the RTT between the peer and the firewalls.
Moreover, this option has made more bad than good since people enable it
when things don't work. Making the whole troubleshooting more
complicated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch avoids a double filtering in user-space and kernel-space if
the kernel support BSF. Since we do not use BSF for dumps and resyncs,
we add a new parameter to ignore_conntrack to indicate if we have to
perform the filtering in user-space or not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Currently, oprofile reports ~17% of sample in the hashing. With
this patch, that uses jhash2 instead of a double call to jhash
and one to jhash_2words, it goes down to ~11%.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a segfault when conntrackd -k is invoked for an
instance of conntrackd with no use of the Filter clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a log message to tell that conntrackd are using
kernel-space filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
