[ANNOUNCE] Release conntrack-tools 0.9.3

Pablo Neira Ayuso pablo at netfilter.org
Wed May 23 21:41:45 CEST 2007


The netfilter project proudly presents conntrack-tools-0.9.3

The userspace daemon conntrackd covers the specific aspects of stateful
Linux firewalls needed to build high availability solutions, and can also
be used as a statistics collector for firewall usage. The daemon is
highly configurable and easily extensible. The command line tool
conntrack, on the other hand, provides an interface to add, delete and
update flow entries, list the currently active flows and flush the
complete connection tracking table.

You can download it from:



	Pablo (on behalf of the Netfilter Project)

The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

-------------- next part --------------
version 0.9.3

= conntrackd =
o fix commit of confirmed expectations (reported by Nishit Shah)
o fix double increment of counters in cache_update_force() (Niko Tyni)
o nl_dump_handler must return NFCT_CB_CONTINUE (Niko Tyni)
o initialize buffer in nl_event_handler() and nl_dump_handler() (Niko Tyni)
o CacheCommit value can be set via conntrackd.conf for the NACK approach
o fix leaks in the hashtable/cache flush path (Niko Tyni)
o fix leak if a connection already exists in the cache (Niko Tyni)
o introduce a new header that encapsulates netlink messages
o remove the '_entry' suffix from all functions in cache.c
o split cache.c: move cache iterators to file cache_iterators.c
o fix inconsistencies in the cache API related to counters
o cleanup 'usage' message
o fix typo in examples/sync/nack/node1/conntrackd.conf
o introduce message checksumming as described in RFC1071 (enabled by default)
o major cleanups in the synchronization code
o just warn once that the maximum netlink socket buffer has been reached
o fix ignoring of conntrack entries by IP and introduce an ignore pool abstraction layer
o introduce netlink socket buffer overrun handler
o constification of hash, compare and hashtable_test functions in hash.c
o introduce ACKnowledgement mechanisms to reduce the size of the resend queue
o remove OK messages at startup since they provide useless data
o fix compilation warning in mcast.c: recvfrom takes socklen_t not size_t
o add a lock per buffer: makes buffer code thread safe
o introduce 'Replicate' clause to explicitly set states to be replicated
o kill cache feature abuse: introduce nicer cache hooks for sync algorithms
o fix oversized buffer allocated on the stack in the cache functions
o add support to dump internal/external cache in XML format '-x'
o add script for keepalived fault state (e.g. unplugged cable/link down)
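The message checksumming item above refers to the Internet checksum of RFC 1071, used here to let a receiving node detect corrupted sync messages. The following C is an added illustration, not conntrackd's own code: it computes the checksum (including the odd-byte and carry-fold cases), stores it in a message, and verifies a received copy. The 11-byte message layout and the checksum field at offset 2 are assumptions for the example, not conntrackd's wire format.

```c
#include <stdint.h>
#include <stddef.h>
/* RFC 1071 Internet checksum: one's complement of the one's complement sum of
 * the 16-bit words (network byte order). The result is what a sender stores. */
uint16_t rfc1071_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) {                       /* full 16-bit words */
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len == 1)                           /* odd trailing byte, zero-padded */
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)                       /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sender: zero the 16-bit checksum field at cksum_off, then store the checksum
 * computed over the whole message, in network byte order. */
void msg_set_checksum(uint8_t *msg, size_t len, size_t cksum_off)
{
    msg[cksum_off] = msg[cksum_off + 1] = 0;
    uint16_t c = rfc1071_checksum(msg, len);
    msg[cksum_off] = (uint8_t)(c >> 8);
    msg[cksum_off + 1] = (uint8_t)c;
}

/* Receiver: with the stored checksum included the sum is 0xffff, so ~sum == 0. */
int msg_checksum_ok(const uint8_t *msg, size_t len)
{
    return rfc1071_checksum(msg, len) == 0;
}
/* Data from the worked example in RFC 1071 section 3; its checksum is 0x220d. */
const uint8_t rfc1071_example[] = { 0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7 };
/* Constructed 11-byte (odd length) message with an assumed checksum field at
 * offset 2. Returns 1 if the intact copy verifies and a one-bit flip is caught. */
int demo_roundtrip(void)
{
    uint8_t msg[11] = { 0x01, 0x0b, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0x1f, 0x90, 0x06 };
    msg_set_checksum(msg, sizeof msg, 2);
    int ok_before = msg_checksum_ok(msg, sizeof msg);
    msg[8] ^= 0x01;                         /* flip one payload bit in transit */
    int ok_after = msg_checksum_ok(msg, sizeof msg);
    return ok_before && !ok_after;
}
```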

= conntrack =
o port conntrack to the new libnetfilter_conntrack API
o introduce '--output xml,extended,timestamp' option for '-L', '-G' and '-E'
o deprecate '--id'
o replace '-a' by '--src-nat' and '--dst-nat'
o use positive logic in error handling
o remove sctp support until it is fully supported on the kernel side
o update conntrack manpage
o update test.sh file in examples/cli/
o several fixes for the output of usage messages
