This script is released under GPLv2+. Update copyright notice
as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove reference which states that this is still under development
and refer to version 1.0.0.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Now that we have fixed several aspects of the event filtering in
2.6.38, I reintroduce the documentation for this feature.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sorry, the iptables CT target is not yet ready for use until some
patches are pushed to the Linux kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This update adds to the documentation the following information:
* add reference to "Demystifying cluster-based fault-tolerant firewalls"
* add how-to disable the external cache
* add how-to disable the internal cache
* add how-to set the synchronization transport protocol
* document iptables CT target
* ask for sponsors to finish H323 and SIP support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch includes a minor documentation update with two new
questions in the FAQ.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes wrong Linux kernel requirements in the example
configuration files. We require a Linux kernel >= 2.6.36 instead
of >= 2.6.35 as the files suggest.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a comment on the TCPWindowTracking option to warn
that this is supported since Linux kernel 2.6.35.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes several minor nitpicks to support IPv6 failover:
* ICMPv6 type/code/id were missing in synchronization messages.
* The use of '-' as string in the configuration file was not allowed.
* Include example in configuration file under doc/.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch completes the documentation with the following discussion
that took place on the mailing list.
http://marc.info/?l=netfilter&m=127335152521674&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the configuration file that includes an example of
the PollSecs clause in Stats. This is wrong since it should go in
the General clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
UDP filtering was broken during the addition of the UDP-based
synchronization protocol that was introduced in 0.9.14. This
patch fixes the problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch documents the internal cache disabling feature that
is available for the NOTRACK mode. I have also added an example
on how to set up a TCP-based state-synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In 49540362b2a25aadbaf25fd087414776aa5a67a8, we forgot to break lines
at 80 characters. This patch cleans up this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
DisableExternalCache is supposed to be put in the Mode NOTRACK{} or
Mode FTFW{} statement.
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for TCP as protocol to replicate
state-changes between two daemons. Note that this only
makes sense with the notrack mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the clause `DisableExternalCache' that allows you
to disable the external cache and to directly inject the entries
into the kernel conntrack table. As a result, the CPU consumption
of conntrackd increases. This clause can only be used with the
FT-FW and the notrack synchronization modes, but not with the
alarm mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the missing support to filter IPv6 from kernel-space
by means of the BSF API that libnetfilter_conntrack provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the NetlinkEventsReliable clause; this is useful
to turn on reliable Netlink event delivery. This feature
requires a Linux kernel >= 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is an update to commit 575fc906a302599cb9afeb136096dfd96bb57b17.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds initial support for DCCP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds initial support for SCTP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, you can change the scheduler policy and priority
for conntrackd. Using an RT scheduler policy reduces the chances of
hitting ENOBUFS in Netlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch sets the most favourable nice value for conntrackd in the
default configuration files. This is generally a good idea to reduce
the chances of hitting ENOBUFS.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes an EINVAL error returned by bind() when opening
a UDP server socket to propagate state-changes over the dedicated
link. This patch also includes the change of the example
configuration files in case you want to use UDP over IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for unicast UDP to the channel
infrastructure. With this patch, you can select UDP unicast to
propagate state-changes instead of multicast.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Reported-by: Ralf <rm@amitrader.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds two aliases that remove an inconsistency in the
configuration file names. Now, the clauses that refer to Netlink
start with the prefix "Netlink".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reverts primary-backup-2.6.29-and-higher.sh. This script
is not safe for production environments until the commit phase
guarantees that the state-change propagation over netlink is
reliable. This script should be ready for 2.6.30 if the appropriate
kernel patches go into mainline in time.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch updates the script to point out that it should be
used with Linux kernel < 2.6.29. Moreover, it adds a bulk-update
command after the commit in the primary path to avoid any race
condition (the backup may request a resync while this primary
is still committing the entries with an empty internal cache).
This is hackish, but I think that this is the best way to do this
for systems running a Linux kernel < 2.6.29.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a new primary-backup.sh script for Linux kernels
>= 2.6.29. This script takes advantage of the user-space event
reporting that ctnetlink does since this kernel version.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch unsets ACKWindowSize since it already sets the clause
to its default value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds NetlinkOverrunResync. This option can be used to
set the amount of time after which the daemon resynchronizes itself
with the kernel state-table if it detects a Netlink overrun.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch details the hashtable parameters a bit more. Moreover,
it increases the default size of the hashtable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a wrong use of 'from' instead of 'From' in the
example configuration files.
Reported-by: Yoann Juet <yoann.juet@univ-nantes.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch disables CommitTimeout by default. The daemon now uses
the approximate timeout calculation by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch increases the default PurgeTimeout value to 60 seconds.
The former 15 seconds provide good real-time reaction in terms of
user-side expected behaviour, but it is too small if you trigger
random failures in a firewall cluster.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds ResendQueueSize, which sets the number of objects
that can be stored in the resend queue waiting to be confirmed.
The ResendBufferSize clause has been deprecated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the clause PollSecs that changes the normal
behaviour of conntrackd. With PollSecs set to > 0, conntrackd
polls the entries every N seconds.
This is the opposite of event-driven behaviour, but it may
be useful for those that have really strong limitations in terms of
CPU consumption and want to perform a relaxed replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for redundant dedicated links. You can add
a pool of dedicated links that can be used if the currently active
one fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a note on the impact of having small values for
the McastSndSocketBuffer and McastRcvSocketBuffer clauses.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>