Age  Commit message  Author
2009-01-25  doc: unset CommitTimeout by default  (Pablo Neira Ayuso)

This patch disables CommitTimeout by default. The daemon now uses the approximate timeout calculation by default.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  netlink: set IP_CT_TCP_FLAG_CLOSE_INIT for TIME_WAIT states  (Pablo Neira Ayuso)

This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP TIME_WAIT state. This patch is a workaround; the daemon should propagate the internal TCP flags to make it fully independent of possible changes in the TCP tracking code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  src: increase default PurgeTimeout value  (Pablo Neira Ayuso)

This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds provide good real-time reaction in terms of user-side expected behaviour, but it is too small if you trigger random failure in a firewall cluster.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  src: add support for approximate timeout calculation during commit  (Pablo Neira Ayuso)

During the commit phase, the entries in the external cache are inserted in the kernel conntrack table. Currently, we use a fixed timeout that is specified in the config file. With this patch, if you don't specify the fixed timeout value via CommitTimeout, the daemon calculates the real timeout value during the commit phase.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  cache: move lifetime feature to main cache code  (Pablo Neira Ayuso)

The lifetime feature is used by all working modes; it is useful to know how long an entry has been living in the cache. This patch moves the lifetime feature to the main caching code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-01-25  src: change behaviour of `-t' option  (Pablo Neira Ayuso)

With this patch, the `-t' option adds an alarm that will flush the cache after CONFIG(purge_timeout) seconds specified in the config file. This looks much cleaner and more performant than looping on the entire conntrack table to set the new timeout of every single entry.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  src: don't clone when calling nl_*_conntrack functions  (Pablo Neira Ayuso)

This patch removes the cloned conntrack objects created before calling nl_*_conntrack functions since they are not required anymore (the previous patch guarantees that objects passed as parameter are not modified).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  cache: mangle timeout inside nl_*_conntrack() functions  (Pablo Neira Ayuso)

This patch moves the timeout mangling inside nl_*_conntrack().

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  cache: remove nl_exist_conntrack() function  (Pablo Neira Ayuso)

This function is a synonym of nl_get_conntrack(); use the get function instead.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-25  cache_iterators: start a clean session if commit finds an entry  (Pablo Neira Ayuso)

The current commit code updates an entry if it still exists in the kernel. With this patch, we delete the entry and create a new one to make sure that we start a clean session.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-01-21  conntrack: fix use of -u which is optional with -I  (Pablo Neira Ayuso)

The option --status can be used with -I. Currently, this behaviour is broken.

conntrack v0.9.9 (conntrack-tools): Illegal option `--status' with this command
Try `conntrack -h' or 'conntrack --help' for more information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-21  src: obsolete `DestroyTimeout' clause  (Pablo Neira Ayuso)

This patch obsoletes `DestroyTimeout', which has no clients anymore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  conntrack: add -C command to display the counter  (Pablo Neira Ayuso)

This patch adds the -C command, to display the table counter. In the case of `-C conntrack' the tool reads the proc interface. For expectations, it loops on the table to count the number of entries (as there is no proc interface to display the number of expectations).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  src: add `-s queue' and change `-v' behaviour  (Pablo Neira Ayuso)

This patch moves the existing `-v' behaviour to `-s queue' where it really belongs. The `-v' option is now left to display the version, which is the common use of it.

# conntrackd -v
Connection tracking userspace daemon v0.9.9. Licensed under GPLv2.
(C) 2006-2009 Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-01-17  ftfw: add ResendQueueSize and deprecate ResendBufferSize clauses  (Pablo Neira Ayuso)

This patch adds ResendQueueSize, which sets the number of objects that can be stored in the resend queue waiting to be confirmed. The ResendBufferSize clause has been deprecated.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  cache: add objects statistics  (Pablo Neira Ayuso)

This patch adds the object counter to `conntrackd -s cache'. This is useful to detect object leaks at runtime. This patch also changes the layout of the output to fit the display in less than 24 lines (assuming a 24x80 terminal).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  src: add state polling support (opposed to current event-driven)  (Pablo Neira Ayuso)

This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls the entries every N seconds. This is the opposite of event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  src: remove register_fds hooks  (Pablo Neira Ayuso)

This patch moves the file descriptor registration after the initialization instead of having a specific hook for this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  src: rename overrun handler to resync handler  (Pablo Neira Ayuso)

This patch is a cleanup. The overrun handler is actually a way to resynchronize against the conntrack kernel table. The name overrun was used because that was initially its purpose. The new naming shows its genericity.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-01-17  src: support for redundant dedicated links  (Pablo Neira Ayuso)

This patch adds support for redundant dedicated links. You can add a pool of dedicated links that can be used if the current active one fails.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  network: do not re-set the message type in nethdr_set* functions  (Pablo Neira Ayuso)

The network headers already contain the message type set. It is not necessary to set it up again.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  sync: enqueue state updates to tx_queue  (Pablo Neira Ayuso)

With this patch, all the state updates are enqueued in the tx_queue. Thus, there's a single output path. This patch adds a simple refcounting mechanism to note when an object is sitting in the txqueue. This patch also removes the alarm that is required by the ftfw approach.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  sync: add generic tx_queue for all synchronization modes  (Pablo Neira Ayuso)

This patch adds a generic tx queue for all synchronization modes.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-17  ftfw: move helloing to ftfw_xmit()  (Pablo Neira Ayuso)

This patch moves the helloing logic into ftfw_xmit. Still, the helloing is kept in ftfw_send as we still have two possible paths for messages. This will be removed in the next patches to make all messages go over a single txqueue.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-01-15  sync: unify tx_list and tx_queue into one single tx_queue  (Pablo Neira Ayuso)

This patch unifies the tx_list and the tx_queue to have only one transmission queue. Since the tx_list holds state objects and the tx_queue control messages, I have introduced a queue node type that can be used to differentiate the kind of information that the node stores: object or control message. This patch also reworks the existing queue class to include a file descriptor that can be used to know if there is new data added to the queue (see QUEUE_F_EVFD flag). In this change, I have also modified the current evfd to make read operations on the file descriptor non-blocking. Moreover, it keeps a counter that is used to know how many messages are inserted in the queue.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-15  run: relax resynchronization algorithm when netlink overruns  (Pablo Neira Ayuso)

This patch relaxes the current approach when netlink reports overruns. There are two situations that can trigger a resynchronization with the kernel conntrack table:

a) Netlink overruns because the receiver buffer is too small: increasing the netlink buffer size and scheduling a resync with the kernel conntrack table resolve the inconsistency. The sysadmin would notice in the logs and will try to set a bigger buffer in the configuration file.

b) The system is under heavy workload (CPU is too busy): we should avoid a resync with the kernel table since this is an expensive operation. We do our best here and keep replicating as many states as possible. If CPU consumption lowers at some point, then we will try to resync ourselves.

This patch reduces the chances to resynchronize with the kernel conntrack table unless two overruns do not happen in an interval of 30 seconds.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-15  cache: add status field to store the object status  (Pablo Neira Ayuso)

This patch adds the status field to the cache object. This avoids the (ab)use of the alarm to check if an entry is active or dead. This is the first step to possibly move the alarm to the cache_extra memory space of the ftfw (which is the only use by now).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-15  src: rework of the hash-cache infrastructure  (Pablo Neira Ayuso)

Currently, the caching system is implemented in a two layer architecture: hashtable (inner layer) and cache (upper layer). This patch reworks the hash-cache infrastructure to solve some initial design problems to make it more flexible. The main strong points of this patch are:

* Memory handling is done in the cache layer, not in the inner hashtable layer. This removes one of the main dependencies between the hashtable and the cache classes.

* Remove excessive encapsulation: the former cache used to hide a lot of details of the inner hashtable implementation.

* Fix over-hashing of some operations: lookup-delete-add required three hash calculations. Similarly, the update-or-add operation required two hash calculations. Now, we calculate the hash once and re-use the value as many times as we need.

This patch simplifies the caching system. As a result, we save ~130 lines of code. Smaller code and less complexity mean less chance to have bugs.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-01-15  run: limit the number of iterations over the event handling  (Pablo Neira Ayuso)

Currently, the event handling can starve other event file descriptors. This patch limits the number of event handling iterations. The parameter is tunable via the configuration file.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-14  filter: add prefix ct_filter_ to hash and compare functions  (Pablo Neira Ayuso)

This patch adds the prefix ct_filter_ to the hash and compare functions. This is useful to disambiguate when interpreting the oprofile reports. Note that without this patch there are two functions called hash and compare in the source tree.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-14  hashtable: check NULL instead of ! for pointers  (Pablo Neira Ayuso)

This patch is a cleanup. Check NULL instead of using ! for null pointers.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-14  hashtable: use calloc instead of malloc + memset  (Pablo Neira Ayuso)

This patch is a cleanup: use calloc instead of malloc + memset.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-14  src: constify hashtable parameter in hash() callbacks  (Pablo Neira Ayuso)

This patch constifies the hashtable parameter that is passed to the hash callbacks registered when the hashtable is created.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-14  netlink: don't double the netlink buffer twice during resize  (Pablo Neira Ayuso)

The Linux kernel doubles the size of the buffer by default. See sock_setsockopt() in net/core/sock.c. We don't need to multiply the current size by two.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-01-14  run: show current netlink buffer size in `-s runtime'  (Pablo Neira Ayuso)

This patch shows the current netlink buffer size via `-s runtime'.

# conntrackd -s ru
...
current buffer size (in bytes): 204800

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2009-01-14  filter: skip filtering by state if the event has no state info  (Pablo Neira Ayuso)

This patch fixes a bug that may result in wrong filtering of destroy events, which usually don't contain the state information. In that case, skip the filtering.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-22  cache: fix ENOSPC errors due to over-population of inactive entries  (Pablo Neira Ayuso)

This patch fixes a problem that can result in cache over-population with inactive entries due to a mismatch in the comparison. This may result in lots of ENOSPC errors while trying to add new entries to the internal cache. We may have entries in the internal cache with the same original tuple, but different reply tuple due to NAT port adjustment. Thus, the comparison that happens during the entry hashtable lookup fails and we add a new entry while keeping the old one.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-22  cache_iterators: add total entries available in the cache to stats  (Pablo Neira Ayuso)

This patch adds the total number of entries currently living in the cache. Currently, we have two types of entries, active and inactive. The inactive ones talk about an ended connection. This is useful for trouble-shooting if we hit ENOSPC when adding new entries.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-21  cache_iterators: display the commit time taken in the logs  (Pablo Neira Ayuso)

This patch reports to the logfile the time taken to commit the entries. The output is expressed in seconds.microseconds.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-12-21  conntrackd: fix missing \n in conntrackd -h  (Pablo Neira Ayuso)

This patch fixes a missing \n in the help message displayed with conntrackd -h.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-21  sync-mode: remove unnecessary split lines  (Pablo Neira Ayuso)

This patch removes unnecessary split lines in several log messages.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-21  src: add run-time statistics via `-s runtime'  (Pablo Neira Ayuso)

This patch adds run-time statistics that you can check via `conntrackd -s runtime'. This information is useful for trouble-shooting. This patch replaces several log messages that can be triggered at runtime. The idea behind this patch is to avoid log message flooding under errors.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-21  src: add cache statistics via `-s cache'  (Pablo Neira Ayuso)

This patch adds cache statistics that you can check via `conntrackd -s cache'. This information is useful for trouble-shooting. This patch replaces several log messages that can be triggered at runtime. The idea behind this patch is to avoid log message flooding under errors.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-21  src: add network statistics via `-s network'  (Pablo Neira Ayuso)

This patch adds network statistics that you can check via `conntrackd -s network'. This information is useful for trouble-shooting. This patch replaces several log messages that can be triggered at runtime. The idea behind this patch is to avoid log message flooding under errors.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-21  headers: delete unused flags in conntrackd.h  (Pablo Neira Ayuso)

This patch deletes three unused flags: SYNC_MODE_ALARM, SYNC_MODE_FTFW_BIT and DONT_CHECKSUM. They were replaced by the CTD_* flags at some point of the development.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-12-18  automake: add missing cidr.h  [tag: conntrack-tools-0.9.9]  (Pablo Neira Ayuso)

This patch adds cidr.h to Makefile.am in include/.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-18  configure: bump version to 0.9.9  (Pablo Neira Ayuso)

This patch bumps the version of the conntrack-tools to 0.9.9.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-17  netlink: fix typo in warning message on SocketBufferSizeMaxGrowth  (Pablo Neira Ayuso)

This patch fixes a typo in a warning message.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-17  doc: add note on McastSndSocketBuffer and McastRcvSocketBuffer  (Pablo Neira Ayuso)

This patch adds a note on the impact of having small values for the McastSndSocketBuffer and McastRcvSocketBuffer clauses.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2008-12-17  doc: revert commit 9bc7d7f8f333e79323495a193f92c9d4f1708da9  (Pablo Neira Ayuso)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>