| Age | Commit message (Collapse) | Author |
|---|
|
This patch adds a note on the impact of having small values for
the McastSndSocketBuffer and McastRcvSocketBuffer clauses.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
This patch replaces "destroy" by "control" messages. Actually, the
resend queue contains the maximum amount of control messages that
we store to resend them in case of message omission. This patch also
clarifies which is a good size to have.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the SocketBufferSize and SocketBufferSizeGrowth
clause. It also rises the default values which are fairly small for
busy firewalls.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces SocketBufferSizeMaxGrown by
SocketBufferSizeMaxGrowth. Both clauses are still valid but better
to use the one that has no typos in the configuration files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves `Checksum' into the `Multicast' clause. This
property is dependent of the multicast configuration. This patch
is required to introduce the redundant dedicated link support
that is on the way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds CIDR-based filtering support. The current
implementation is O(n).
This patch also introduces the vector data type which is
used to store the IP address and the network mask.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks of IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch increases the size of the acknowledgment window based on
some experiments in my testbed with oprofile. The previous default value
was too small. This resulted in too many cycles to empty the resend
queue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the documentation about the CacheWriteTrhough clause.
This feature is scheduled for removal since the asynchronous nature of
conntrackd does not allow multi-path routing support. I'm lying,
actually there's a chance to support it, but we have to guarantee that
the RTT in the message synchronization between the firewall is smaller
than the RTT between the peer and the firewalls.
Moreover, this option has made more bad than good since people enable it
when things don't work. Making the whole troubleshooting more
complicated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch rises the default value of the hashtables in terms
of buckets and entries to the default value in nf_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the manual in docbook format to the conntrack-tools.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the use of /tmp to create the UNIX socket file to
communicate with conntrackd in the example configuration files. This was
OK in the early alpha days, but not anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause PurgeTimeout that sets the new timer
when conntrackd -t is called. This command is particularly useful
when the sysadmin triggers hand-overs between several nodes without
rebooting as it reduces the timers of the remaining entries in
the kernel. Thus, avoiding clashes between new and old entries that
may trigger INVALID packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Minor fix for the primary-backup.sh script
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Fix missing updates in keepalived.conf and primary-backup.sh
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the documentation section. It removes the replicated
keepalived.conf files and merge all the scripts into one to reduce
confusion and improve maintainability.
It's likely that the documentation directory will suffer more
restructurations in the near future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the directories node1/ and node2/ since the
differences are few small and the user should be able to get it running
if he RTFM.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Logging is set off by default instead of what the example files state.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Remove obsolete clause Replicate in the example configuration files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the user-space filtering. Although we have
kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace
filtering to ensure backward compatibility. Moreover, this patch
prepares the implementation of the kernel-space filtering via
libnetfilter_conntrack's high-level berkeley socket filter API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
Simplify logging infrastructure
|
|
|
|
stats mode
|
|
o minor irrelevant fixes for uncommon error paths and fix several typos
o use LOG_INFO for connection logging, use LOG_NOTICE for other information
o minor error handling updates
|
|
|
