conntrack-tools.git - conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git)

Age	Commit message (Collapse)	Author
2013-07-11	conntrackd: simplify expectation filtering	Pablo Neira Ayuso
	This patch simplifies the expectation filtering by looking up for the master conntrack. If it does not exists, then we assume that we don't want this expectation either. This simplification also fixes the current broken expectation filtering, since the master conntrack from expectations has neither reply tuple nor state, however, the filtering code assumes the opposite. This partially reverts (479a37a conntrackd: fix crash with IPv6 expectation in the filtering code) since it was incorrectly setting the reply tuple of the master conntrack. Thanks to Bill Fink for providing feedback to resolve this issue. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-07-06	conntrackd: fix crash with IPv6 expectation in the filtering code	Pablo Neira Ayuso
	Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000] > #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99 > a = 2654435769 b = 2654435769 c = 0 len = 4 > #1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57 > #2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63 > #3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265 > id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0 The master conntrack of the expectation has no reply tuple. However, the filtering routine needs it. To avoid this issue, emulate the source address in the reply tuple. While at it, fix incorrect sanity checking that should have caught this issue. Thanks to Florian Westphal for initial diagnosing of this bug. Reported-by: Bill Fink <billfink@mindspring.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-08-03	conntrackd: don't resync expectations if such sync has been disabled	Vincent Bernat
	conntrackd was segfaulting with `ExpectationSync` set to `Off` and PollSecs (polling mode) in use. Signed-off-by: Vincent Bernat <bernat@luffy.cx> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-08-01	conntrackd: move ctnetlink code to ctnl.c (removed from run.c)	Pablo Neira Ayuso
	This patch moves the specific ctnetlink code to ctnl.c to prepare the introduction of the cthelper infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>