Age | Commit message | Author
|
This patch fixes several minor nitpicks to support IPv6 failover:
* ICMPv6 type/code/id were missing in synchronization messages.
* The use of '-' as string in the configuration file was not allowed.
* Include example in configuration file under doc/.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
It must refer to NetlinkBufferSize[*] instead of "SocketBufferSize[*]".
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up nat_parse() and it also displays a nicer
error message for malformed arguments.
% conntrack -L --src-nat :80
conntrack v0.9.14 (conntrack-tools): No IP specified
Try `conntrack -h' or 'conntrack --help' for more information.
% conntrack -L --src-nat 1.1.1.1:
conntrack v0.9.14 (conntrack-tools): No port specified after `:'
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering if the IP matches an entry but the PORT
does not match. Without this patch, the entry is shown when it
should not be.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch restricts the behaviour that we previously introduced
in 142606c60808b3ab0496155ac3d086765e6baef3.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing bits to allow filtering with --any-nat
based on the IP address.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes another scenario in which the flow has some
PAT mangling and we passed the src-nat address that we want
to use to perform the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, conntrack does not show bogus entries that have no NAT
applied due to a relaxed checking.
conntrack -L --src-nat :80
tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the
inconsistent behaviour that I described in
85f94171a71880c744f265268f33ad58819caa74. Great.
This patch fixes this again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the testsuite for the NAT filtering options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the --any-nat option that allows displaying src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch allows the following command to filter port-based NAT:
$ conntrack -L --dst-nat :9999
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it puts all the commands and options code
together. This makes the task of adding new commands and options
easier and less error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it expands an array that contains the
correspondence between the option-flags and the option-names.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d, I added the
TCP window scale factor support but it was incomplete. We have to
set the IP_CT_TCP_FLAG_WINDOW_SCALE flag to update the td_scale
field via ctnetlink. Check nlattr_to_tcp(...) function in
nf_conntrack_proto_tcp.c for more details.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e
was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted
OR destination-natted flows. This patch changes the behaviour to
show source-natted AND destination-natted flows.
This is the consistent behaviour that we expect from conntrack
(this is how it works for other options indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
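The NAT filter semantics spelled out across these commits (the `IP`, `IP:PORT` and `:PORT` argument forms with the two error messages quoted above, the strict IP-and-port check so that an IP match with a port mismatch is not shown, `--any-nat` as OR, `--src-nat --dst-nat` as AND, and no match at all for entries that have no NAT applied) as a Python model added here. It is not conntrack-tools code. It assumes the translated source is read from the reply tuple's destination and the translated destination from the reply tuple's source, treats `:PORT` as the port-only form described by the port-based filtering commits, handles IPv4 only, and uses a constructed table with RFC 5737 addresses.

```python
"""Model of conntrack's --src-nat/--dst-nat/--any-nat filters (added example,
not conntrack-tools code). IPv4 only; sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NatSpec = Tuple[Optional[str], Optional[int]]   # (ip or None, port or None)


class NatParseError(ValueError):
    """Malformed --src-nat/--dst-nat/--any-nat argument."""


def nat_parse(spec: str) -> NatSpec:
    """Parse "IP", "IP:PORT" or ":PORT" (port-only filter) into a NatSpec.
    The two error strings are the ones quoted in the log; the range message
    is this example's own wording."""
    ip, colon, port = spec.partition(":")
    if colon and not port:
        raise NatParseError("No port specified after `:'")
    if not ip and not colon:
        raise NatParseError("No IP specified")
    ip_part = str(ipaddress.IPv4Address(ip)) if ip else None  # ValueError if garbage
    port_part = None
    if port:
        port_part = int(port)                                 # ValueError if not numeric
        if not 1 <= port_part <= 65535:
            raise NatParseError(f"Port `{port}' out of range")
    return ip_part, port_part


def parse_error(spec: str) -> Optional[str]:
    """Error message nat_parse() produces for spec, or None if it parses."""
    try:
        nat_parse(spec)
    except ValueError as err:
        return str(err)
    return None


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Flow:
    """One conntrack entry: original direction plus reply direction."""
    orig: Tuple4
    reply: Tuple4

    # Assumption: with SNAT the reply's destination is the translated source;
    # with DNAT the reply's source is the translated destination.
    def snat_addr(self) -> Tuple[str, int]:
        return self.reply.dst, self.reply.dport

    def dnat_addr(self) -> Tuple[str, int]:
        return self.reply.src, self.reply.sport

    def is_snat(self) -> bool:
        return (self.orig.src, self.orig.sport) != self.snat_addr()

    def is_dnat(self) -> bool:
        return (self.orig.dst, self.orig.dport) != self.dnat_addr()


def _addr_matches(addr: Tuple[str, int], want: NatSpec) -> bool:
    # IP and port are checked independently: an IP match with a port
    # mismatch is rejected, which is the strict check the log asks for.
    ip, port = want
    return (ip is None or ip == addr[0]) and (port is None or port == addr[1])


def nat_filter(flows, src_nat=None, dst_nat=None, any_nat=None) -> List[Flow]:
    """--src-nat and --dst-nat given together must both match (AND);
    --any-nat matches flows that are source- OR destination-NATted.
    A flow with no NAT applied never matches, whatever its ports are."""
    selected = []
    for f in flows:
        keep = True
        if src_nat is not None:
            keep = keep and f.is_snat() and _addr_matches(f.snat_addr(), src_nat)
        if dst_nat is not None:
            keep = keep and f.is_dnat() and _addr_matches(f.dnat_addr(), dst_nat)
        if any_nat is not None:
            keep = keep and ((f.is_snat() and _addr_matches(f.snat_addr(), any_nat))
                             or (f.is_dnat() and _addr_matches(f.dnat_addr(), any_nat)))
        if keep:
            selected.append(f)
    return selected


# Constructed sample table (not captured from a real system).
PLAIN = Flow(Tuple4("192.0.2.10", "198.51.100.5", 40000, 80),
             Tuple4("198.51.100.5", "192.0.2.10", 80, 40000))     # no NAT at all
SNAT = Flow(Tuple4("192.0.2.10", "198.51.100.5", 40001, 80),
            Tuple4("198.51.100.5", "203.0.113.1", 80, 40001))     # SNAT, port kept
SNAT_PAT = Flow(Tuple4("192.0.2.11", "198.51.100.5", 40002, 80),
                Tuple4("198.51.100.5", "203.0.113.1", 80, 1024))  # SNAT + port mangled
DNAT = Flow(Tuple4("203.0.113.50", "203.0.113.1", 50000, 9999),
            Tuple4("192.0.2.20", "203.0.113.50", 8080, 50000))    # DNAT to 192.0.2.20:8080
BOTH = Flow(Tuple4("192.0.2.12", "203.0.113.1", 40003, 9999),
            Tuple4("192.0.2.20", "203.0.113.1", 8080, 40003))     # SNAT and DNAT
FLOWS = [PLAIN, SNAT, SNAT_PAT, DNAT, BOTH]

if __name__ == "__main__":
    # `-L --src-nat :80` selects nothing here: PLAIN is not NATted even though
    # its port-80 tuples match, and the SNATted flows translate to other ports.
    print(nat_filter(FLOWS, src_nat=nat_parse(":80")))
    print(nat_filter(FLOWS, src_nat=nat_parse("203.0.113.1"),
                     dst_nat=nat_parse("192.0.2.20")))
```

The is_snat()/is_dnat() test is the "non-relaxed" check: the `--src-nat :80` query that listed a bogus un-NATted entry in the log returns nothing against this table, while `--src-nat 203.0.113.1:40001` drops the PAT-mangled flow because only its IP matches.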
|
|
This patch fixes the filtering with --src-nat and --dst-nat options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since
it breaks conntrack listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
`conntrackd -i -x' does not display the internal cache in XML; this
patch fixes the problem.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch completes the documentation with the following discussion
that took place in the mailing list.
http://marc.info/?l=netfilter&m=127335152521674&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch splits the __run() routine into two functions, run_polling()
and run_events(), that are selected once at run-time. We save one branch
in a loop that is intensively executed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the configuration file that includes an example of
the PollSecs clause in Stats. This is wrong since it should go in
the General clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
From Richard Lucassen:
> Btw: if you search the "-m --mask" option in the manpage, you'll see a
> cosmetic typo: this option is on the same line as "-t --timeout"
Reported-by: Richard Lucassen <reply5@xaq.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a hang that occurs if you invoke `conntrackd -c'
and you have disabled the external cache.
Note that `conntrackd -c' does nothing since there are no entries
in the external cache to be committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the ports addition to the layer 4 functions, instead
of checking for the port attribute. It also adds a function for UDP,
otherwise we break support for this protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a new option, TCPWindowTracking, that allows you not
to disable TCP window tracking, as occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
UDP filtering was broken during the addition of the UDP-based
synchronization protocol that was introduced in 0.9.14. This
patch fixes the problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch bumps conntrack-tools version to 0.9.14.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the `-B' command in conntrackd that allows you
to force a bulk send to other firewall nodes in the cluster.
Reported-by: Tino Keitel <tkeitel@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we allow manually creating TCP entries in the table.
Basically, we disable TCP window tracking for this entry to avoid
problems.
Reported-by: Roman Fiedler <roman.fiedler@ait.ac.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
on how to set up a TCP-based state-synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the clause `State' in `Filter' that allows
you to filter by protocol state. This bug was introduced during
the implementation of the TCP-based synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we use an indirect call to build the layer 4
information into the synchronization message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause `DisableInternalCache' that allows you
to bypass the internal cache. This clause can only be used with
the notrack synchronization mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 0b03f4b759e439edd2c3da0add08050276d7dc5f, I forgot to increase
the stats for successful cases. This patch fixes this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
# conntrackd -s
external inject:
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Read an integer right away with fscanf() instead of read()-ing into a
buffer, which was actually too small for the terminating '\0', and
atoi()-ing. Furthermore, read() might not read enough, though that is
unlikely here.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Avoid this error:
conntrack v0.9.13 (conntrack-tools): Operation failed: No such file or
directory
when using 'conntrack -E -e ALL ...'.
This is caused by the fact that netfilter expectations also get
delivered, but things are not setup for this, nfnl_catch returns -1
and errno = ENOENT.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
When 'conntrack' is called with no arguments then garbage is printed
after the usage message. This patch fixes this.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a missing calculation of maxfd when a file descriptor
is unregistered.
Reported-by: Jean Mickael Guerin <jean-mickael.guerin@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the alive control message to the notrack mode.
This helps to diagnose problems in the synchronization and
the state of the channel, specifically for TCP-based channels.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Under stress, the TCP stack may return EAGAIN if there is no
space left in the sender buffer. We also enqueue on any other
error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch rate-limits the amount of connect() calls to avoid
syn-floods when the other peer is not connected and we are
generating updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 49540362b2a25aadbaf25fd087414776aa5a67a8, we forgot to break lines
at 80 characters. This patch cleans up this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a bug in the TCP support that breaks
re-connections of the client side if several TCP
channels are used in the configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch avoids the shadowing of the global `conf' variable that
is used to store the configuration information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we increase the error stats if:
* we failed to connect to the other peer.
* some unexpected error made connect() fail.
* sendto returned ECONNRESET or EPIPE.
Moreover, we propagate the sendto() errors to upper layers
under failure as Samuel Gauthier suggested.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|