| Age | Commit message (Collapse) | Author |
|---|
|
- NetlinkBufferSize value passed to the kernel gets doubled [see SO_RCVBUF
in net/core/sock.c]; it's halved now before it gets sent to the kernel.
This ensures that daemon starts up with a netlink socket buffer size
equal to the value set for NetlinkBufferSize in configuration file.
- Previously, netlink socket buffer size would only stop increasing after
it had increased beyond NetlinkBufferSizeMaxGrowth value. With this commit
netlink socket buffer size increases as long as it is less than or
equal to NetlinkBufferSizeMaxGrowth value.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick's McHardy iptables
CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
* NetlinkBufferSize value passed to the kernel gets doubled [see SO_RCVBUF
in net/core/sock.c]; it's halved now before it gets sent to the kernel.
This ensures that daemon starts up with a netlink socket buffer size
equal to the value set for NetlinkBufferSize in configuration file
* Previously, netlink socket buffer size would only stop increasing after
it had increased beyond NetlinkBufferSizeMaxGrowth value. With this commit
netlink socket buffer size increases as long as it is less than or
equal to NetlinkBufferSizeMaxGrowth value
|
|
|
|
This patch fixes several minor nitpicks to support IPv6 failover:
* ICMPv6 type/code/id were missing in synchronization messages.
* The use of '-' as string in the configuration file was not allowed.
* Include example in configuration file under doc/.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
It must refer to NetlinkBufferSize[*] instead of "SocketBufferSize[*].
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up nat_parse() and it also displays nicer
error message for malformed arguments.
% conntrack -L --src-nat :80
conntrack v0.9.14 (conntrack-tools): No IP specified
Try `conntrack -h' or 'conntrack --help' for more information.
% conntrack -L --src-nat 1.1.1.1:
conntrack v0.9.14 (conntrack-tools): No port specified after `:'
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering if the IP matches an entry but the PORT
does not matches. Without this patch, the entry is shown when it
should be not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch restricts the behaviour that we previously introduced
in 142606c60808b3ab0496155ac3d086765e6baef3.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing bits to allow to filter with --any-nat
based on the IP address.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes another scenario in which the flow has some
PAT mangling and we passed the src-nat address that we want
to use to perform the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, conntrack does not show bogus entries that have no NAT
applied due to a relaxed checking.
conntrack -L --src-nat :80
tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the
inconsistent behaviour that I described in
85f94171a71880c744f265268f33ad58819caa74. Great.
This patch fixes this again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the testsuite for the NAT filtering options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the --any-nat option that allows to display src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
This patch allows the following command to filter port-based NAT:
$ conntrack -L --dst-nat :9999
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
This patch is a cleanup, it puts all the commands and options code
together. This makes easier and less error-prone the task to add
new commands and options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it expands an array that contains the
correspondence between the option-flags and the option-names.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
This reverts commit b4d4591734726a7b38a579acf272022caf5a0534.
|
|
In commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d, I added the
TCP window scale factor support but it was incomplete. We have to
set the IP_CT_TCP_FLAG_WINDOW_SCALE flag to update the td_scale
field via ctnetlink. Check nlattr_to_tcp(...) function in
nf_conntrack_proto_tcp.c for more details.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e
was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted
OR destination-natted flows. This patch changes the behaviour to
show source-natted AND destination-natted flows.
This is the consistent behaviour that we expect from conntrack
(this is how it works for other options indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering with --src-nat and --dst-nat options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since
it breaks conntrack listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
of checking for the port attribute. It also adds a function for UDP
otherwise we break support for this protocol.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
`conntrackd -i -x' does not display internal cache in XML, this
patch fixes the problem.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch completes the documentation with the following discussion
that took place in the mailing list.
http://marc.info/?l=netfilter&m=127335152521674&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch splits the __run() routine into two functions, run_polling()
and run_events() that are selected once in run-time. We save one branch
in a loop that intensively executed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the configuration file that includes an example of
the PollSecs clause in Stats. This is wrong since it should go in
the General clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
From Richard Lucassen:
> Btw: if you search the "-m --mask" option in the manpage, you'll see a
> cosmetic typo: this option is on the same line as "-t --timeout"
Reported-by: Richard Lucassen <reply5@xaq.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a hung that occurs if you invoke `conntrackd -c'
and you have disabled the external cache.
Note that `conntrackd -c' does nothing since there is no entries
in the external cache to be committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch move the ports addition to the layer 4 functions, instead
of checking for the port attribute. It also add a function for UDP
otherwise we break support for this protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
