summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2008-08-01ftfw: show consistent information to users for problem diagnosingPablo Neira Ayuso
This patch hides information that may confuse users while they are diagnosing problems in their setup. For example, we hide entries that are schedule to expire - from the user side, they are already destroyed entries; and we show in the counters the real active entries, not all that are stored in the caches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix broken normal deletion in cachesPablo Neira Ayuso
This patch fixes the non-timer-based cache deletion. This bug affects the alarm-based approach since the backup replicas did not get the deletion event, thus, delaying the deletion. This patch introduces cache_find() to look up for a conntrack object and __cache_del_timer() to perform direct deletions by means of the pointer obtained with cache_find(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix: wrong use of timersub in cache_timerPablo Neira Ayuso
Fix wrong output in the dump of the expire timer which was negative. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01fix: use %zu instead of %u for size_tPablo Neira Ayuso
Use %zu instead of %u for size_t to remove compilation warning. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01commit: retry at least once if we hit ETIME or ENOMEMEric Leblond
Some users are reporting ETIME errors in the update. This happens when you try to update a conntrack that is expiring. To avoid this problem, we retry once at least. We do similar for ENOMEM errors, although only users in virtual machines have reported this AFAIK. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-08-01add more sanity checks in the input pathPablo Neira Ayuso
Some users have reported crashes when nf_conntrack_ipv6 was not present. This patch performs more robust sanity checks in the input path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-29CLI: add new option --buffer-size for -EPablo Neira Ayuso
Add new option --buffer-size for -E to set the netlink socket buffer size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-29filter: skip protocol state filtering if state not presentPablo Neira Ayuso
Skip user-space the protocol state filter if the protocol state is not present in the event message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-24log: syslog displays the entry that triggers the errorPablo Neira Ayuso
This patch fixes an inconsistency in the output. If syslog was chosen as logger, the conntrack entries that triggered an error were not displayed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-23add support for kernel-space filtering via BSFPablo Neira Ayuso
This patch adds support for kernel-space filtering via BSF by means of the libnetfilter_conntrack's BSF high-level API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-07-22Major rework of the user-space event filteringPablo Neira Ayuso
This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2008-06-22fix xml output: wrap output with one root elementPablo Neira Ayuso
2008-06-16use only the original tuple to check if a conntrack is presentPablo Neira Ayuso
2008-06-15fix unsecure usage of printf and include limits.h (PATH_MAX and INT_MAX)Albin Tonerre
2008-06-15check if entries already exist in kernel before injectionPablo Neira Ayuso
2008-05-31delay the closure of the dump descriptor to fix assertion with cache_wtconntrack-tools-0.9.7Pablo Neira Ayuso
2008-05-31increase deletion stats when the timer is scheduled in cache_del_timeout()Pablo Neira Ayuso
2008-05-27define SO_[RCV|SND]BUFFORCE if not setPablo Neira Ayuso
2008-05-27remove secmark support for conntrackdPablo Neira Ayuso
2008-05-26fix leak in cache_destroy(): release objects before destroying the cachePablo Neira Ayuso
2008-05-26rework the HELLO logic inside FT-FWPablo Neira Ayuso
2008-05-25add best effort replication protocol (aka NOTRACK)Pablo Neira Ayuso
2008-05-25add eventfd emulation to communicate receiver -> senderPablo Neira Ayuso
2008-05-22only allow the use of --secmark for listing (filtering)Pablo Neira Ayuso
add missing string.h required by strdup in config parsing
2008-05-21check for missing IPv6 address before hashingPablo Neira Ayuso
2008-05-20Updates (-U) show the effect of the operation in the conntrack entryPablo Neira Ayuso
2008-05-20add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffersPablo Neira Ayuso
2008-05-18improve network message sanity checkingsPablo Neira Ayuso
2008-05-16- remove (misleading) counters and use information from the statistics modePablo Neira Ayuso
- use generic nfct_copy() from libnetfilter_conntrack to update objects - use generic nfct_cmp() to compare objects
2008-04-29Fix reorder possible reordering of destroy messages under message omission. ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroy from the kernel table.
2008-04-26rework of the FT-FW approach/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-16add more verbose error notification when the injection of a conntrack fails/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-16o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
o recover the ID support o show display counters to stderr o enable filtering by status and ID
2008-04-13fix conntrack -U -p tcp [...]/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-13This is a major improvement of the conntrack command line tool:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
o check for missing source/address IP/ports in creation and get operations o way more flexible conntrack updates and deletions o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki) o show display counters to stderr o minor cleanups
2008-04-12o simplify parameter-handling code/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
o check for missing source/address IP/ports o minor cleanups
2008-04-09improve netlink overrun handling/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-08fix asymmetric path support (still some open concerns)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-04-08fix compilation in ARM (reported by Thiemo Seufer via Max Kellermann)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-03-26fix minor compilation issue in amd64 with gcc4.3 (reported by Daniel Schepler/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
via M.Kellermann)
2008-03-25Krzysztof Oledzki <ole@ans.pl>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
o add ICMPv6 (-p icmpv6) support o add possibility to distinguish between invalid (unknown) and empty proto
2008-03-08revert relicensing... still we use linux_list.h code which seems to be GPLv2 ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
only which is incompatible AFAIK
2008-03-08relicense conntrack-tools as GPLv3+, so far the most significant contributor ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
has been Max Kellermann and has no issues with relicensing their contributions.
2008-02-22cleanup: remove config_set from main(), use config_file variable instead/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-02-19compose the file descriptor set at initialization stage to save some cycles/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
2008-02-14From: Max Kellermann <max@duempel.org>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
whitespace cleanups
2008-02-14From: Max Kellermann <max@duempel.org>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
use list_for_each_entry()
2008-02-14From: Max Kellermann <max@duempel.org>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
make alarm_run_queue a local variable
2008-02-14From: Max Kellermann <max@duempel.org>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
use "for" loop instead of "while"
2008-02-14From: Max Kellermann <max@duempel.org>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org
eliminate duplicated initialization
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-09 10:40:28 +0000