| Age | Commit message (Collapse) | Author |
|---|
|
Extend --mark option to optionally take a mask, seperated
by '/', e.g. --mark 0x80/0xf0.
When used with -L, only test those bits of the mark that
are in the mask range (behaves like iptables like -m mark).
When used with -U, zero out those bits indicated by the mask and
XOR the new mark into the result (behaves like iptables -j MARK
--set-xmark).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we display the following message after:
# conntrack -F expect
conntrack v0.9.15 (conntrack-tools): expectation table has been emptied.
To make it consistent with the message displayed with conntrack -F.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes the use of nfct_maxsize() and several abusive
stack-based allocations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we don't abuse the stack anymore, instead we allocate
the template objects that are used in the heap.
We stop using nfct_maxsize() which is now deprecated in
libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Using memcpy() is not safe, it breaks secctx and it may break
more things in the future. Moreover, nfct_size*() functions will
be deprecated soon, they are evil since they open the window
to memcpy().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This option requires Linux kernel >= 2.6.38, you have to enable conntrack
timestamping with:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
# conntrack -L -o ktimestamp
udp 17 59 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=121 [start=Thu Feb 17 17:41:18 2011] use=1
# conntrack -L
conntrack v0.9.15 (conntrack-tools): 20 flow entries have been shown.
udp 17 31 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=149 use=1
# conntrack -E -o ktimestamp
...
[DESTROY] udp 17 src=192.168.1.128 dst=192.168.1.1 sport=40162 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=40162 [ASSURED] delta-time=3 [start=Thu Feb 17 17:44:57 2011] [stop=Thu Feb 17 17:45:00 2011]
# conntrack -E
[DESTROY] udp 17 src=192.168.1.128 dst=77.226.252.14 sport=123 dport=123 src=77.226.252.14 dst=192.168.1.128 sport=123 dport=123 delta-time=8
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch rises the number of committed entries per step from
64 to 8192. Experimental results in active-active setups here
show that we reduce the commit time with this value significantly.
This deserves some more study, it can be a good idea to remove
this commit per step completely. I leave this for the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes an unnecessary reset of the event iteration limiter
that is already done in the main select loop.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch improves the case in which we receive a commit request
but we are already performing one. This behaviour is suspicious
since the HA manager should not trigger a double master transition.
Otherwise, something probably is not configured appropriately.
This improves 98756c2608f0879a2322919c7441973216565272
"cache: close commit request if we already have one in progress".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We close a commit request if there's already one in progress. This
patch fixes a problem that may be triggered if two consecutive commit
requests are received.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The return initial value is overriden after the initial read. Don't
override this value, instead we check the return value of the read()
operation.
This patch also changes the error statistics accounting since we
consider that a request with no data is an error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
src/Makefile.am:24: whitespace following trailing backslash
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
PKG_CHECK_MODULES already produces its own (and more verbose)
messsage when a module cannot be found.
Mucking around with CFLAGS and LIBS is also not needed since
pkgconfig takes care of providing variables, so let's use them in
Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
So far, conntrack only allows to listen to events of new expectations.
With this patch, we can listen to events of destroyed expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a bug that results in an incorrect parsing of
the NAT sequence adjustment in synchronization messages.
Spotted by Adam Gundy in the following message that was sent to the
netfilter ML: http://marc.info/?l=netfilter&m=127894708222913&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Looking at the output of `conntrackd -s`; I didn't know what 'mfrm'
meant under the 'message sequence tracking' section so I had to look
up the code for this. While doing so, I replaced 'mfrm' with
'malformed' in the output since I thought other users might be
confused as well as I was looking at that word.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch enables the event reliability in an early stage of the
event handler initialization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we open the event handler once the internal
cache (if any) is populated. This reduces the chances of a
possible premature overrun if we lauch conntrackd in a busy
firewall. However, we may still start with an internal cache
that may differ a bit from the once in the kernel.
This patch has no impact in setups where conntrackd is started
in a spare firewall.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
- NetlinkBufferSize value passed to the kernel gets doubled [see SO_RCVBUF
in net/core/sock.c]; it's halved now before it gets sent to the kernel.
This ensures that daemon starts up with a netlink socket buffer size
equal to the value set for NetlinkBufferSize in configuration file.
- Previously, netlink socket buffer size would only stop increasing after
it had increased beyond NetlinkBufferSizeMaxGrowth value. With this commit
netlink socket buffer size increases as long as it is less than or
equal to NetlinkBufferSizeMaxGrowth value.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick's McHardy iptables
CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes several minor nitpicks to support IPv6 failover:
* ICMPv6 type/code/id were missing in synchronization messages.
* The use of '-' as string in the configuration file was not allowed.
* Include example in configuration file under doc/.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
It must refer to NetlinkBufferSize[*] instead of "SocketBufferSize[*].
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch cleans up nat_parse() and it also displays nicer
error message for malformed arguments.
% conntrack -L --src-nat :80
conntrack v0.9.14 (conntrack-tools): No IP specified
Try `conntrack -h' or 'conntrack --help' for more information.
% conntrack -L --src-nat 1.1.1.1:
conntrack v0.9.14 (conntrack-tools): No port specified after `:'
Try `conntrack -h' or 'conntrack --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering if the IP matches an entry but the PORT
does not matches. Without this patch, the entry is shown when it
should be not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch restricts the behaviour that we previously introduced
in 142606c60808b3ab0496155ac3d086765e6baef3.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing bits to allow to filter with --any-nat
based on the IP address.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes another scenario in which the flow has some
PAT mangling and we passed the src-nat address that we want
to use to perform the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, conntrack does not show bogus entries that have no NAT
applied due to a relaxed checking.
conntrack -L --src-nat :80
tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 142606c60808b3ab0496155ac3d086765e6baef3, I re-introduced the
inconsistent behaviour that I described in
85f94171a71880c744f265268f33ad58819caa74. Great.
This patch fixes this again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the --any-nat option that allows to display src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch allows the following command to filter port-based NAT:
$ conntrack -L --dst-nat :9999
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it puts all the commands and options code
together. This makes easier and less error-prone the task to add
new commands and options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it expands an array that contains the
correspondence between the option-flags and the option-names.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d, I added the
TCP window scale factor support but it was incomplete. We have to
set the IP_CT_TCP_FLAG_WINDOW_SCALE flag to update the td_scale
field via ctnetlink. Check nlattr_to_tcp(...) function in
nf_conntrack_proto_tcp.c for more details.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e
was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted
OR destination-natted flows. This patch changes the behaviour to
show source-natted AND destination-natted flows.
This is the consistent behaviour that we expect from conntrack
(this is how it works for other options indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the filtering with --src-nat and --dst-nat options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reverts 0865d22af0ec5876f721d44c90ac898fdfa435aa since
it breaks conntrack listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
`conntrackd -i -x' does not display internal cache in XML, this
patch fixes the problem.
Signed-off-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch splits the __run() routine into two functions, run_polling()
and run_events() that are selected once in run-time. We save one branch
in a loop that intensively executed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a hung that occurs if you invoke `conntrackd -c'
and you have disabled the external cache.
Note that `conntrackd -c' does nothing since there is no entries
in the external cache to be committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch move the ports addition to the layer 4 functions, instead
of checking for the port attribute. It also add a function for UDP
otherwise we break support for this protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
UDP filtering was broken during the addition of the UDP-based
synchronization protocol that was introduced in 0.9.14. This
patch fixes the problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes the clause `State' in `Filter' that allows
you to filter by protocol state. This bug was introduced during
the implementation of the TCP-based synchronization.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
