This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch relaxes the parameter checking as now we don't need to
pass --status when we create a conntrack via command line interface.
In this case, the conntrack entry is created only with the
IPS_CONFIRMED flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
If the logic is set to -1, this means that we do not perform any
filtering for this sort of network address. Therefore, we don't
need to re-check if there is any filter later. This patch also
inlines the check functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since an IPv6 address can be seen as an array of uint32_t, use
the optimized jhash2() function instead of the generic jhash().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use XOR instead of branches in ct_filter_check.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reworks the TLV-based protocol to reduce the overhead
in the message building. The idea is to group some attributes
that must be present in a consistent configuration. Putting them
together helps us to save some cycles in the message building.
Now, oprofile reports ~15% of samples in the build path instead
of ~25%. CPU consumption for 3000 HTTP GET requests per second
(1000 concurrent with apache benchmark tool) is ~45% in my
testbed, that is ~19% more consumption than with no replication
at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the version field (8-bits long) to the nethdr
structure. This field can be used to indicate the protocol version
in case that we detect an incompatibility between two conntrackd
daemons working with different protocol versions.
Unfortunately, this patch breaks backward compatibility, i.e.
conntrackd <= 0.9.8 protocol is not compatible with the upcoming
conntrackd >= 0.9.9. Better do this now than later.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes a part of the code that can be used to
simulate message loss in the replication. This was useful to test the
FT-FW code. However, this code is not useful anymore as long as we
have netem: tc qdisc add dev eth0 root netem loss 0.1%
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since the resend list/queue contains elements in order, we can break
looping once we find the first element that is after the ack/nack
window. This patch fixes a bottleneck in the ack/nack handling
reported by oprofile.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces the option `-v' to show useful debugging
information, if any. As for now, only sync-ftfw.c makes use of it to
display the content and the length of the resend list/queue. This
is useful to check for message leaks. Other working modes or
synchronization approaches may use it to display debugging
information in the future.
This patch removes _SIGNAL_DEBUG in sync-ftfw.c that was used
for the same purpose. However, it could only be enabled at compilation
time and it uses signalling instead of the standard UNIX socket
interface that conntrackd provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch increases the size of the acknowledgment window based on
some experiments in my testbed with oprofile. The previous default value
was too small. This resulted in too many cycles to empty the resend
queue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds missing information on -t when conntrackd is invoked
with -h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch avoids a double filtering in user-space and kernel-space if
the kernel supports BSF. Since we do not use BSF for dumps and resyncs,
we add a new parameter to ignore_conntrack to indicate if we have to
perform the filtering in user-space or not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Currently, oprofile reports ~17% of samples in the hashing. With
this patch, that uses jhash2 instead of a double call to jhash
and one to jhash_2words, it goes down to ~11%.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a segfault when conntrackd -k is invoked for an
instance of conntrackd with no use of the Filter clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a log message to tell that conntrackd is using
kernel-space filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes double insertion in the tx_list if we receive
two (or more) consecutive resync requests in a short time.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a problem that is reported by conntrackd while
trying to parse the example configuration file. We fix this
instead of the example file to make it consistent with other
replication approaches.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes two problems:
- If we fail to update an entry, we remove it and try again. This
happens when we still have an entry in a final state like TIME_WAIT
while we see a new connection (SYN_SENT) with the same tuple. In
this particular case, we fail to update since some status bits are
only settable, but not unsettable.
- If we hit ETIME in an update, we have to go over the creation
path, otherwise we hit ENOENT in the next run.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a problem that allows the update of entries that
are scheduled to be removed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch cleans up the NAT filtering. The former code had three
branches, one if src and dst NAT are set, else one if src NAT is
set, else one if dst NAT is set.
Now, we check if src NAT is set or if dst NAT is set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the dump counter displayed with -L expect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes filtering for unsupported protocols. Thus, you can
use -L -p 47 or -L -p gre to filter `gre' traffic.
Based on an initial patch from Bryan Duff <bduff@astrocorp.com>.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The mark-based filtering for events does not work if the mark is not
present in the event message. This happens because nfct_cmp() skips
the comparison of the compared objects since they do not have the
same attributes set. This patch makes use of the new NFCT_CMP_MASK
flag that returns false if the first object passed as parameter is
set and the second is not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes the use of snprintf and directly prints the XML header
to the standard output. This simplifies the handling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch cleans up the update path for the conntrack utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This fixes two bugs when a hello message is received:
* We can create malformed nack messages during the helloing.
We have to reset the acknowledgment window, otherwise we may
create malformed nack messages.
* We have to empty the resend list/queue when a hello message is
received, otherwise the entries get stuck to the resend queue
once the sequence number wraps around.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a race condition that can prevent one node from sending
the initial hello message required to reset the sequence tracking.
                node A                      node B
                |                           |
    start       |                           |
    hello msg   |-------------------------->|
    stop        |                           |
    start       |                           |
                |<--------------------------| hello-back msg
In the picture above, the node A never sends the hello messages. Thus,
the node B drops the next messages as they are in the before boundary.
This patch adds a new state to the helloing state-machine to fix
this problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a race condition that can trigger a double
insertion to the tx_list. This happens if we receive two resync
requests very close together, or a resync just after a nack or vice-versa.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a race that triggers a read-after-free access
to the tx_list. The state-entry is destroyed but it is still in the
list. The fix removes the state-entry from the tx_list in the destroy
path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove useless debug messages, now we have a plugin for tcpdump to
debug the FT-FW protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Check if the Linux kernel is >= 2.6.26, otherwise it does not support
kernel-space filtering. This is not clean but we have no choice, the BSF
infrastructure does not return ENOTSUPP for unsupported operations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Minor cleanup to save a couple of lines in the Linux kernel version
checking.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, we rely on the real source and destination of the
packet to perform the filter. The current NAT detection tweak is broken
for certain situations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch checks that the [from, to] interval of ack and nack messages
is OK. In other words, we check that: to >= from
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Insert string `conntrack-tools' in error messages to explicitly print
that this version is inside the conntrack-tools package.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
If getopt_long returns '?', show an error telling that some
arguments are missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove extra \n in error message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove duplicated optarg checks for options that require mandatory
parameters. This checking is already done by getopt_long().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We hit an error if we try to change the expected bit for already existing
conntracks. On the other hand, if the conntrack does not exist, do not
change the expected bit, otherwise we also hit an error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Commit master entries before related ones to avoid ENOENT errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the clause PurgeTimeout that sets the new timer
when conntrackd -t is called. This command is particularly useful
when the sysadmin triggers hand-overs between several nodes without
rebooting as it reduces the timers of the remaining entries in
the kernel, thus avoiding clashes between new and old entries that
may trigger INVALID packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nl_get_conntrack and it changes the behaviour of
nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for
a conntrack and updates the cached entry. On the other hand,
nl_exist_conntrack only inquires about the existence of the
entry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Do not report ENOENT to log files, this may confuse users. There's a
race condition when shortening the timers and handling the destroy
messages. However, this problem is not serious as the point of the
shortening is to reduce the lifetime of the conntracks. If the conntrack
is dying, there's no point in shortening its lifetime anymore :)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the new option `-t' for conntrackd. This option shortens
the value of the timeout for the cached entries that live in the
kernel. This option is particularly useful to remove the zombie
established entries that remain in kernel if the user tests the platform
by forcing the takeover from one to another node several times.
We currently use the value of CommitTimeout which is sane for it. Adding
a new option does not seem to add more flexibility IMO.
Once we get the patches to notify user changes via ctnetlink and the
netlink flag NLM_F_ECHO works, we may directly invoke a massive purge of
the entries, however, such solution would still need evaluation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch hides information that may confuse users while they are
diagnosing problems in their setup. For example, we hide entries
that are scheduled to expire - from the user side, they are already
destroyed entries; and we show in the counters the real active entries,
not all that are stored in the caches.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the non-timer-based cache deletion. This bug affects
the alarm-based approach since the backup replicas did not get the
deletion event, thus, delaying the deletion.
This patch introduces cache_find() to look up a conntrack object
and __cache_del_timer() to perform direct deletions by means of the
pointer obtained with cache_find().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fix wrong output in the dump of the expire timer which was negative.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use %zu instead of %u for size_t to remove compilation warning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Some users are reporting ETIME errors in the update. This happens
when you try to update a conntrack that is expiring. To avoid this
problem, we retry once at least. We do similar for ENOMEM errors,
although only users in virtual machines have reported this AFAIK.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>