| Age | Commit message (Collapse) | Author |
|---|
|
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks of IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the documentation about the CacheWriteTrhough clause.
This feature is scheduled for removal since the asynchronous nature of
conntrackd does not allow multi-path routing support. I'm lying,
actually there's a chance to support it, but we have to guarantee that
the RTT in the message synchronization between the firewall is smaller
than the RTT between the peer and the firewalls.
Moreover, this option has made more bad than good since people enable it
when things don't work. Making the whole troubleshooting more
complicated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch rises the default value of the hashtables in terms
of buckets and entries to the default value in nf_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the use of /tmp to create the UNIX socket file to
communicate with conntrackd in the example configuration files. This was
OK in the early alpha days, but not anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause PurgeTimeout that sets the new timer
when conntrackd -t is called. This command is particularly useful
when the sysadmin triggers hand-overs between several nodes without
rebooting as it reduces the timers of the remaining entries in
the kernel. Thus, avoiding clashes between new and old entries that
may trigger INVALID packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the documentation section. It removes the replicated
keepalived.conf files and merge all the scripts into one to reduce
confusion and improve maintainability.
It's likely that the documentation directory will suffer more
restructurations in the near future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the directories node1/ and node2/ since the
differences are few small and the user should be able to get it running
if he RTFM.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Logging is set off by default instead of what the example files state.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Remove obsolete clause Replicate in the example configuration files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the user-space filtering. Although we have
kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace
filtering to ensure backward compatibility. Moreover, this patch
prepares the implementation of the kernel-space filtering via
libnetfilter_conntrack's high-level berkeley socket filter API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
