This patch fixes a hang that occurs if you invoke `conntrackd -c'
and you have disabled the external cache.
Note that `conntrackd -c' does nothing since there are no entries
in the external cache to be committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch moves the ports addition to the layer 4 functions, instead
of checking for the port attribute. It also adds a function for UDP,
otherwise we break support for this protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds a new option TCPWindowTracking that allows you not
to disable TCP window tracking, as occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

UDP filtering was broken during the addition of the UDP-based
synchronization protocol that was introduced in 0.9.14. This
patch fixes the problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch bumps conntrack-tools version to 0.9.14.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch documents the `-B' command in conntrackd that allows you
to force a bulk send to other firewall nodes in the cluster.
Reported-by: Tino Keitel <tkeitel@innominate.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, we allow manually creating TCP entries in the table.
Basically, we disable TCP window tracking for this entry to avoid
problems.
Reported-by: Roman Fiedler <roman.fiedler@ait.ac.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
of how to set up TCP-based state synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes the clause `State' in `Filter' that allows
you to filter by protocol state. This bug was introduced during
the implementation of the TCP-based synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, we use an indirect call to build the layer 4
information into the synchronization message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the clause `DisableInternalCache' that allows you
to bypass the internal cache. This clause can only be used with
the notrack synchronization mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

In 0b03f4b759e439edd2c3da0add08050276d7dc5f, I forgot to increase
the stats for successful cases. This patch fixes this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

# conntrackd -s
external inject:
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Read an integer right away with fscanf() instead of read()-ing to a
buffer, which was actually too small for the terminating '\0', and
atoi()-ing. Furthermore, read() might not read enough, though unlikely
here.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Avoid this error:
conntrack v0.9.13 (conntrack-tools): Operation failed: No such file or
directory
when using 'conntrack -E -e ALL ...'.
This is caused by the fact that netfilter expectations also get
delivered, but things are not set up for this, nfnl_catch returns -1
and errno = ENOENT.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

When 'conntrack' is called with no arguments then garbage is printed
after the usage message. This patch fixes this.
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a missing calculation of maxfd when a file descriptor
is unregistered.
Reported-by: Jean Mickael Guerin <jean-mickael.guerin@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the alive control message to the notrack mode.
This helps to diagnose problems in the synchronization and
the state of the channel, specifically for TCP-based channels.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Under stress, the TCP stack may return EAGAIN if there is no
space left in the sender buffer. We also enqueue any other
error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch rate-limits the amount of connect() calls to avoid
syn-floods when the other peer is not connected and we are
generating updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

In 49540362b2a25aadbaf25fd087414776aa5a67a8, we forgot to break lines
at 80 characters. This patch cleans up this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a bug in the TCP support that breaks
re-connections of the client side if several TCP
channels are used in the configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch avoids the shadowing of the global `conf' variable that
is used to store the configuration information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, we increase the error stats if:
* we failed to connect to the other peer.
* some unexpected error made connect() fail.
* sendto returned ECONNRESET or EPIPE.
Moreover, we propagate the sendto() errors to upper layers
under failure as Samuel Gauthier suggested.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

In 9406f29b89f6727c3db5485d109466701393b4d4, we added different
return values for the UNIX sockets that we use to extract the
daemon statistics. Unfortunately, I forgot to change this
as well. This patch fixes a problem that blocks the client
socket indefinitely.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use the TCP header size (20 bytes) instead of the UDP header size
(8 bytes) to calculate the maximum packet size.
Reported-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

DisableExternalCache is supposed to be put in the Mode NOTRACK{} or
Mode FTFW{} statement.
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

As we get attr->nta_attr directly from the net message, it can be corrupted.
Hence, we must check that the nta_attr value is valid before trying to reach
the h[attr->nta_attr] element.
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

We cannot assume that we will not write in the net message before we
send it, because the memory allocated for the net message (__net) is
only reserved in BUILD_NETMSG (because of the { } block in it).
This patch marks the buffer as static to avoid this problem.
Based on a patch from Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for TCP as protocol to replicate
state-changes between two daemons. Note that this only
makes sense with the notrack mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, we can remove file descriptors dynamically
from our own file descriptor pool.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch reduces the number of gettimeofday syscalls by caching
the current time in a variable at the beginning of the main loop.
Based on a suggestion from Vincent Jardin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the clause `DisableExternalCache' that allows you
to disable the external cache and to directly inject the entries
into the kernel conntrack table. As a result, the CPU consumption
of conntrackd increases. This clause can only be used with the
FT-FW and the notrack synchronization modes, but not with the
alarm mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes an infinite loop that can occur if a message of
zero length is received. Moreover, now we always stop the processing
if the message is malformed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a crash in the exit path for channels that
are not buffered (no CHANNEL_F_BUFFERED flag set). This fix
does not affect any existing channel in the tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the conntrack ID to the comparison that is made in
the lookup of entries that are stored in the cache. For old kernels,
this field is set to zero for all entries so this patch does not
make any difference. For recent kernels, this allows keeping two
entries with the same tuple and different IDs: this is possible if
NetlinkEventsReliable is set on. Moreover, this patch is useful to
test that the reliable ctnetlink event delivery in 2.6.31 works fine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the missing support to filter IPv6 from kernel-space
by means of the BSF API that libnetfilter_conntrack provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the NetlinkEventsReliable clause, which is useful
to turn on reliable Netlink event delivery. This feature
requires a Linux kernel >= 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, we reset the event iteration limit counter after
we have performed an event handling run. Thus, every run loop
always performs a maximum of EventIterationLimit event handling
instead of keeping the old credits for the next run loop.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

With this patch, a) we set the file descriptors for the
synchronization channels as non-blocking, b) we perform more than
one recv() call per select() signal on the socket and c) we limit
the iteration to the value that EventIterationLimit has set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch reworks the commit phase to avoid the forking. This is
particularly useful in active-active setups in which one node
has to commit the external cache while it is receiving new entries
to be added in the external cache. This results in really high
commit times due to the penalty of the copy-on-write that fork
performs.
The default number of steps in one run loop is limited to 64 by now.
No option to tune this parameter is available yet via the
configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds cache_iterate_limit() and hashtable_iterate_limit()
that allow limiting the iteration to a given number of states.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the LOCAL_RET_* return values. The return value
LOCAL_RET_STOLEN allows leaving a client socket open while
waiting for an operation to finish.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch updates the library version requirements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch bumps conntrack-tools version to 0.9.13.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This is an update to commit 575fc906a302599cb9afeb136096dfd96bb57b17.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes an incorrect use of nfct_get_attr_u32() instead of
nfct_get_attr_u8() to obtain the current TCP state. This patch also
sets the IP_CT_TCP_FLAG_CLOSE_INIT for states >= TIME_WAIT.
The function nl_update_conntrack() is currently unused so this fix
does not resolve any pending issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a memory leak in cache_update_force(). The problem
occurs if the object does not exist in the cache and we fail to
add it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>