| Age | Commit message (Collapse) | Author |
|---|
|
This patch re-introduces `-s queue' but now it displays generic
queue statistics.
# conntrackd -s queue
active queue objects: 0
queue txqueue:
current elements: 0
maximum elements: 2147483647
not enough space errors: 0
queue rsqueue:
current elements: 72
maximum elements: 128
not enough space errors: 0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the name field to identify the queue by means of
a string. This patch is used by the next one that introduces
per-queue statistics.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch renames the statistics option that displays the content
of the resend queue which is used by the ftfw mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 400ae54438c4b85126f9fab0ae1dc067823b70f7, we added the SCTP
support by means of a structure that was encapsulated in an
TLV attribute. However, this structure didn't handle alignment
and endianess issues appropriately. Similar problem was
introduced in b808645ec71b7cc22cf5106b3d79625d07e6077c along
with the DCCP support.
This patch moves every field of this structure to independent
attributes. I decided not to use nesting to make building and
parsing more simple.
Using TLV is a good idea, specially for DCCP and SCTP that are
under development and that may include new fields and obsolete
them in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the ability to dump the list of existing child
processes. In general, it would be hard to display one since
child processes are generally forked for very specific tasks,
like commit and flush operations, and they have very limited
lifetime. However, this can be handy for debugging problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a dedicated commit handler since there is a possible
race condition that can happen if the child process ends before we
have received all the event messages that the commit request has
triggered.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 6f5666a29cb7cbff08ce926ee1edb84a311ff6ee, I moved the flush
operation into a child process and to use a disposable handler
to perform flush requests. This patch adds a dedicated flush
handler since there is a possible race condition that can
happen if the child process ends before we have received all
the event messages that the flush request has triggered.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch allows to limit the number of simultaneous child processes.
This is required by the next patch that replaces disposable handlers
to commit and flush with permanent handlers.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it removes an unused nfct handler. This
removal is due to recent commits that has obsolete it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes a reminiscent of the lifetime cache feature.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the cache write-through clause. This feature
remained undocumented although some has found it looking at the
source code. This feature has remained in the tree for quite
some time although it has several limitations. Moreover, it
is specifically broken and dangerous for Linux kernels >= 2.6.29
since it generates loops in the synchronization.
We do this removal first to prepare the introduction of a feature
to bypass the external cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, the flush operation is performed by a child process.
Thus, the parent process digests destroy events that ctnetlink reports
back and, thanks to the origin infrastructure, we skip the messy
implicit synchronization that are triggered by such events.
This patch requires a Linux kernel >= 2.6.29 to benefit from this
change, otherwise it has no effect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since Linux kernel 2.6.29, ctnetlink reports the changes that have
been done using ctnetlink. With this patch, conntrackd can recognize
who is the origin of the event messages. For example, this is
interesting to avoid a messy implicit bulk send during the commit
of entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a simple infrastructure that allows to account
the child processes that have been forked. This also includes
a callback handler that can be registered that is called once
the child process finishes.
We can extended this later to include an alarm to limit the
maximum lifetime of a forked child process. This is good to
ensure that child processes behave timely.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds initial support for DCCP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds initial support for SCTP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds GRE support for the command line tool conntrack.
With this patch, we support all protocols available in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
|
|
With this patch, you can change the scheduler policy and priority
for conntrackd. Using a RT scheduler policy reduces the chances to
hit ENOBUFS in Netlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds DCCP support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds SCTP support to the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds UDPlite support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch extends the generic_opt_check() function to add
extra information on the possible option combinations. Under
some specific situations, like the creation and getting of
a conntrack, you may specify the original or the reply tuple
but at least one MUST be present. This handling has been
always tricky, it still remains but we're more user friendly
at least.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes a couple of constants that have no clients in
the conntrackd code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds `-S' command to display kernel statistics. Using
raw `cat' on /proc and the hexadecimal output is not very handy.
This option parses the /proc entry and display the information
is a more human friendly way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a problem that was introduced while adding the
multichannel support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch obsoletes the `ListenTo' clause which is a reminiscent
of the intial event filtering code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes several structure fields that are unused.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes an EINVAL error returned by bind() when opening
an UDP server socket to propagate state-changes over the dedicated
link. This patch also includes the change of the example
configuration files in case that you want to use UDP over IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch obsoletes `-s multicast' by `-s link' to display the
dedicated link statistics, as the current dedicated link protocol
use can be unicast UDP or multicast. The term "link" is more
generic.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes a compilation warning. The buffer passed to
be sent must be const.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for unicast UDP to the channel
infrastructure. With this patch, you can select UDP unicast to
propagate state-changes instead of multicast.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup. It renames the mcast_track_*() functions
by nethdr_track_*() because this functions are related to message
sequence tracking. They are not stick to multicast at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks conntrackd to make it independent of the protocol
used to propagate state-changes. This patch adds the channel layer
abstraction, this layer allows you to add support for different
protocols like unicast UDP or TIPC.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch renames the mcast_iface to interface since this nlif
handler is not related with multicast itself, but to monitor the
link interface used to propagate state-changes. This patch is a
cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes an endianess issue in the acknowledgment network
header. This breaks backward compatibility if different conntrackd
versions are used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes an endianess issue in the synchronization network
header. This breaks backward compatibility if different conntrackd
versions are used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the use of NFCT_DIR_MAX. This constant is part of
the old libnetfilter_conntrack API which has been removed from the
git tree. It was introduced in the early days of conntrackd, thus,
the use of this constant. Unfortunately, I did not notice until now.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch allows flushing the internal and/or the external cache.
The `-f' with no extra parameters still works to flush both the
internal and the external cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the disabling on NetlinkOverrunResync, which
was broken.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds NetlinkOverrunResync. This option can be used to
set the amount of time after which the daemon resynchronizes itself
with the kernel state-table if it detects a Netlink overrun.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch improves the polling support included in 0.9.10. The
polling now consists of getting the state table, wait for PollSecs,
then purge obsolete entries, and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes:
* nl_init_dump_handler()
* nl_init_request_handler()
* nl_init_resync_handler()
since they all look very similar.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
During the commit phase, the entries in the external cache entries
are inserted in the kernel conntrack table. Currently, we use a
fixed timeout that is specified in the config file. With this patch,
if you don't specify the fixed timeout value via CommitTimeout, the
daemon calculates the real timeout value during the commit phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The lifetime feature is used by all working modes, it is useful to
know how long it has been an entry living in the cache. This patch
moves the lifetime feature to the main caching code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, the `-t' option adds an alarm that will flush the
cache after CONFIG(purge_timeout) seconds specified in the config
file. This looks much cleaner and more performance that looping
on the entire conntrack table to set the new timeout of every single
entry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the timeout mangling inside nl_*_conntrack().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This function is a synonimous of nl_get_conntrack(), use the get
function instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The current commit code updates an entry it still exists in the
kernel. With this patch, we delete the entry and create a new one
to make sure that we start a clean session.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch obsoletes `DestroyTimeout' which has no clients anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
