| Age | Commit message (Collapse) | Author |
|---|
|
During the commit phase, the entries in the external cache entries
are inserted in the kernel conntrack table. Currently, we use a
fixed timeout that is specified in the config file. With this patch,
if you don't specify the fixed timeout value via CommitTimeout, the
daemon calculates the real timeout value during the commit phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The lifetime feature is used by all working modes, it is useful to
know how long it has been an entry living in the cache. This patch
moves the lifetime feature to the main caching code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, the `-t' option adds an alarm that will flush the
cache after CONFIG(purge_timeout) seconds specified in the config
file. This looks much cleaner and more performance that looping
on the entire conntrack table to set the new timeout of every single
entry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the timeout mangling inside nl_*_conntrack().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This function is a synonimous of nl_get_conntrack(), use the get
function instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The current commit code updates an entry it still exists in the
kernel. With this patch, we delete the entry and create a new one
to make sure that we start a clean session.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch obsoletes `DestroyTimeout' which has no clients anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectation, it loops on the table to count the number of entries
(as there is not proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the existing `-v' behaviour to `-s queue' where it
really belongs. The `-v' option is now left to display the version
which is the common use of it.
# conntrackd -v
Connection tracking userspace daemon v0.9.9. Licensed under GPLv2.
(C) 2006-2009 Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds ResendQueueSize, which sets the number of objects
that can be stored in the resend queue waiting to be confirmed.
The ResendBufferSize clause has been deprecated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the object counter to `conntrackd -s cache'. This
is useful to detect object leaks in runtime. This patch also changes
the layout of the output to fit the display in less than 24 lines
(assuming 24x80 terminal).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause PollSecs that changes the normal
behaviour of conntrackd. With PollSecs set to > 0, conntrackd
polls every N seconds the entries.
This is the opposed behaviour of an event-driven behaviour but may
be useful for those that have really strong limitations in terms of
CPU consumption and want to perform a relaxed replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the file descriptor registration after the
initialization instead of having a specific hook for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup. The overrun handler is actually a way to
resynchronize against the conntrack kernel table. The name overrun
was used because it was initially its purpose. The new naming shows
its genericity.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for redundant dedicated links. You can add
a pool of dedicated links that can be used if the current active
fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, all the states updates are enqueued in the
tx_queue. Thus, there's a single output path. This patch adds a
simple refcounting mechanism to note when an object is sitting in
the txqueue. This patch also removes the alarm that is required by
the ftfw approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a generic tx queue for all synchronization modes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch unifies the tx_list and the tx_queue to have only one
transmission queue. Since the tx_list hold state objects and
tx_queue control messages, I have introduced a queue node type
that can be used to differenciate the kind of information that
the node stores: object or control message.
This patch also reworks the existing queue class to include a
file descriptor that can be used to know if there are new data
added to the queue (see QUEUE_F_EVFD flag).
In this change, I have also modified the current evfd to make the
file descriptor to make read operations non-blocking. Moreover,
it keeps a counter that is used to know how many messages are
inserted in the queue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the status field to the cache object. This avoids
the (ab)use of the alarm to check if an entry is active or dead.
This is the first step to possibly move the alarm to the cache_extra
memory space of the ftfw (which is the only use by now).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Currently, the caching system is implemented in a two layer
architecture: hashtable (inner layer) and cache (upper layer).
This patch reworks the hash-cache infrastructure to solve some
initial design problems to make it more flexible, the main strong
points of this patch are:
* Memory handling is done in the cache layer, not in the inner
hashtable layer. This removes one of the main dependencies between
the hashtable and the cache classes.
* Remove excessive encapsulation: the former cache used to hide a
lot of details of the inner hashtable implementation.
* Fix over-hashing of some operations: lookup-delete-add required
three hash calculations. Similarly, the update-or-add operation
required two hash calculations. Now, we calculate the hash once
and re-use the value how many times as we need.
This patch simplifies the caching system. As a result, we save ~130
lines of code. Small code means and less complexity means less
chance to have bugs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch constifies the hashtable parameter that is passed to the
hash callbacks registered when the hashtable is created.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds run-time statistics that you can check via
`conntrackd -s runtime'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds cache statistics that you can check via
`conntrackd -s cache'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds networks statistics that you can check via
`conntrackd -s network'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch deletes three unused flags SYNC_MODE_ALARM,
SYNC_MODE_FTFW_BIT and DONT_CHECKSUM. They were replaced by
the CTD_* flags at some point of the development.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds cidr.h to Makefile.am in include/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch renames the function hashtable_test() by
hashtable_find() which is a better name IMO to describe this
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reduces the size of alive messages by removing the
"from" and "to" fields which are not of any help. This patch also
removes the IS_CTL() macro since it does not return true for
the control messages anymore but only for IS_ACK(), IS_NACK() and
IS_RESYNC().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds more strict checking in the message type. We add a
new message type NET_T_CTL for control messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces the use of NFCT_Q_* in the message type by
specific network message type NET_T_*. The query types are reserved
for libnetfilter_conntrack operations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a race condition that triggers EILSEQ errors
(wrong sequence message). The problems is triggered when the child
process resets the timers at the same time that the parent process
requests a resync. Since both the child and the parent process use
the same descriptors, the sequence tracking code in libnfnetlink
gets confused as it considers that it is receiving out of sequence
netlink messages.
This patch introduces internal handlers to commit and reset timers
so that the parent and the child do not use the same descriptors
to operate with the kernel.
This patch changes the prototype of all nf_*_conntrack() functions.
Now, the nfct handler is passed as first parameter, this change is
required to fix this problem. The rest of the changes on the API
is done for consistency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch recovers the option -F for conntrackd. This will be
particularly useful to flush the kernel conntrack table without
getting the event notification of the conntrack deletions
(that will happen with Linux kernel >= 2.6.29).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds strict attribute size checking. This is good to
detect corrupted or malformed messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch aligns the data offset that is returned by the NTA_DATA
macro.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch simplifies the message format of the replication
messages. As a result, we save four bytes. The netpld header
was introduced in the early protocol design. Today, it does
not have any reason to exist.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch simplifies mcast_buffered_send_netmsg() by removing the
length parameter. Instead, we use the length field in the nethdr
to know the message size to be sent.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the unused function mcast_send_netmsg().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes NTA_MASTER_L4PROTO parsing which was missing. This
problem was introduced in "network: rework TLV-based protocol", commit
id 76ac8ebe5e49385585c8e29fe530ed4baef390bf, ie. somewhere in the
development of 0.9.9. This patch also fixes the size of parsing
callback array that is NTA_MAX, not ATTR_MAX. This problem does not
affect conntrack-tools <= 0.9.8.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch constifies the first parameter, which is a conntrack
object, in all nl_*_conntrack() functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the behaviour of nl_create_conntrack() and
nl_update_conntrack() which now clone the conntrack object
received as parameter. This was not required as these functions
were called inside fork(), thus, they modified a copy of the
real conntrack objects in the child process.
However, this behaviour is broken following the try-again
logic in __do_commit_step. For example, if we try to update
an expected conntrack object that has vanished for whatever
reason, since nl_update_conntrack() modifies the object (unset
the master conntrack information), nl_create_conntrak() will
create an entry without the master conntrack information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, NTA_TIMEOUT is not included in the replication
messages anymore. During the fail-over, we set a small timeout
to purge the entries that were not recovered successfully
(however, unsuccessful recovery should not happen ever).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the prototype of mcast_buffered_init() to receive
as argument the MTU size instead of the multicast configuration. This
decouples the initialization of the tx buffer from the multicast
configuration. This patch is needed by the multi-dedicated link
support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup. It moves the callbacks from netlink.c to
run.c where they are actually invoked. This is better for code
readability as I usually have to switch from run.c to netlink.c
to remember what the callbacks actually do.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes an unused array of file descriptors inside the
fds structure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds CIDR-based filtering support. The current
implementation is O(n).
This patch also introduces the vector data type which is
used to store the IP address and the network mask.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the size of the attribute header (4 bytes) to the
length field of netattr. This fixes a possible invalid memory
access in malformed messages.
This change is included in the set of scheduled changes for 0.9.9
that break backward compatibility.
This patch also removes a memset of 4096 by one to initialize
the headers and the netattr paddings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks of IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since an IPv6 address can be seen as an array of uint32_t. Use
the optimized jhash2() function instead of the generic jhash().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
