summaryrefslogtreecommitdiff
path: root/include
AgeCommit message (Collapse)Author
2008-09-17filter: check if kernel-space filtering is availablePablo Neira Ayuso
Check if the Linux kernel is >= 2.6.26, otherwise it does not support kernel-space filtering. This is not clean but we have no choice, the BSF infrastructure does not return ENOTSUPP for unsupported operations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-07cache iterators: commit master entries before related onesPablo Neira Ayuso
Commit master entries before related ones to avoid ENOENT errors. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-07cache iterators: rework cache_reset_timersPablo Neira Ayuso
This patch adds the clause PurgeTimeout that sets the new timer when conntrackd -t is called. This command is particularly useful when the sysadmin triggers hand-overs between several nodes without rebooting as it reduces the timers of the remaining entries in the kernel. Thus, avoiding clashes between new and old entries that may trigger INVALID packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-07netlink: add getter and check existence functionsPablo Neira Ayuso
This patch adds nl_get_conntrack and it changes the behaviour of nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for a conntrack and updates the cached entry. On the other hand, nl_exist_conntrack only inquiries for the existence of the entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-02conntrackd: add -t option to shorten conntrack timeoutsPablo Neira Ayuso
This patch adds the new option `-t' for conntrackd. This option shortens the value of the timeout for the cached entries that lives in the kernel. This option is particularly useful to remove the zombie established entries that remain in kernel if the user tests the platform by forcing the takeover from one to another node several times. We currently use the value of CommitTimeout which is sane for it. Adding a new option does not seem to add more flexibility IMO. Once we get the patches to notify user changes via ctnetlink and the netlink flag NLM_F_ECHO works, we may directly invoke a massive purge of the entries, however, such solution would still need evaluation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01ftfw: show consistent information to users for problem diagnosingPablo Neira Ayuso
This patch hides information that may confuse users while they are diagnosing problems in their setup. For example, we hide entries that are schedule to expire - from the user side, they are already destroyed entries; and we show in the counters the real active entries, not all that are stored in the caches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix broken normal deletion in cachesPablo Neira Ayuso
This patch fixes the non-timer-based cache deletion. This bug affects the alarm-based approach since the backup replicas did not get the deletion event, thus, delaying the deletion. This patch introduces cache_find() to look up for a conntrack object and __cache_del_timer() to perform direct deletions by means of the pointer obtained with cache_find(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-29CLI: add new option --buffer-size for -EPablo Neira Ayuso
Add new option --buffer-size for -E to set the netlink socket buffer size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-23add support for kernel-space filtering via BSFPablo Neira Ayuso
This patch adds support for kernel-space filtering via BSF by means of the libnetfilter_conntrack's BSF high-level API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-22Major rework of the user-space event filteringPablo Neira Ayuso
This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-06-22fix xml output: wrap output with one root elementPablo Neira Ayuso
2008-05-27fix make distcheckPablo Neira Ayuso
2008-05-26rework the HELLO logic inside FT-FWPablo Neira Ayuso
2008-05-25add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso
2008-05-25add eventfd emulation to communicate receiver -> senderPablo Neira Ayuso
2008-05-20add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffersPablo Neira Ayuso
2008-05-18improve network message sanity checkingsPablo Neira Ayuso
2008-04-29Fix reorder possible reordering of destroy messages under message omission. ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
2008-04-26rework of the FT-FW approach/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-16add more verbose error notification when the injection of a conntrack fails/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-16o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
o recover the ID support o show display counters to stderr o enable filtering by status and ID
2008-04-13fix conntrack -U -p tcp [...]/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-09improve netlink overrun handling/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-08fix asymmetric path support (still some open concerns)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-03-25Krzysztof Oledzki <ole@ans.pl>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
o add ICMPv6 (-p icmpv6) support o add possibility to distinguish between invalid (unknown) and empty proto
2008-03-25Pablo Neira Ayuso <pablo@netfilter.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
o remove .svn directory from make distcheck tarballs (reported by B.Benjamini) + Krzysztof Oledzki <ole@ans.pl>: o fix minor compilation warning
2008-02-19compose the file descriptor set at initialization stage to save some cycles/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-02-14From: Max Kellermann <max@duempel.org>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
whitespace cleanups
2008-02-02add IPv6 support to conntrackd/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-29implement a rb-tree based alarm framework/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-23Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
use size_t
2008-01-23Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
introduce alarm_pending()
2008-01-23Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
remove unused prototype in network.h
2008-01-23Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
added struct local_server, several cleanups in local socket infrastructure This patch include minor changes by the comitter
2008-01-22remove alarm counter/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-22Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
- Pass next_alarm to __run() only if there is an alarm - Eliminate the "timeout" parameter - the alarm functions get_next_alarm_run() and do_alarm_run() return an timeval pointer instead of a boolean
2008-01-20Based on patch from Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
merge mod_alarm() into add_alarm(), remove alarm_set_expiration()
2008-01-18yet another rework of the alarm scheduler/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-18Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
Simplify logging infrastructure
2008-01-17Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
import only required C headers and put local headers on top to check
2008-01-17Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
use size_t for buffer sizes
2008-01-17Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
add buffer_destroy() to buffer.c
2008-01-17Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
use C99 integers (uint32_t instead of u_int32_t)
2008-01-15remove unix socket file on exit/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-15minor constification fixes/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
update libnfnetlink dependencies
2008-01-15Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
Fix tons of gcc warnings
2008-01-15merge several *_alarm() functions into init_alarm()/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-15add traffic_stats.h and netlink.h to include/Makefile.am/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-15Add include/netlink.h and include/traffic_stats.h/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-01-15Max Kellermann <max@duempel.org>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
add missing function prototypes
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-22 02:15:18 +0000