[conntrack-tools] src: recover conntrackd -F operation

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Tue Dec 9 00:03:25 CET 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=dd93edbbd09af4523dfe0f0c3c92f510daf223e8
       via  dd93edbbd09af4523dfe0f0c3c92f510daf223e8 (commit)
       via  1f5834262c91d835414b538857b67e058a1c1dac (commit)
       via  63c3ae0f664ea7045446c4117646f767a5ccd647 (commit)
       via  a516e5f8e550a6073aae96491372c45ce340da88 (commit)
       via  1c7352133af433d3d3881bb21e1de0e9e32f5b8c (commit)
       via  bf6cfeb1dc6652eaff1b7c4edda45e15f5abf361 (commit)
       via  29b5df53bcbef17722ab2b389f3352c4e86b4795 (commit)
       via  6042436a188581a327580f7821c0a3b94c4ef5d7 (commit)
       via  8663becfe12801a4b5a96137a0db26a8871948a3 (commit)
       via  528b304b587dc5ad5b147d53eeca60cb9df8c087 (commit)
       via  27ee6a0f1255cb6c7dadc55caf3928fd62354314 (commit)
       via  2676982afacd502f3119cd323d060bbb88446057 (commit)
       via  65ad316d921930c9d5c1c8640fbf2f05ecd0ca49 (commit)
       via  567222194512c6d42c7e253fc69c3837fe7b078c (commit)
      from  3ab102a8c26ad3f5db61f509eb5e478e95922fbf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dd93edbbd09af4523dfe0f0c3c92f510daf223e8
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Dec 9 00:02:44 2008 +0100

    src: recover conntrackd -F operation
    
    This patch recovers the option -F for conntrackd. This will be
    particularly useful to flush the kernel conntrack table without
    getting the event notification of the conntrack deletions
    (that will happen with Linux kernel >= 2.6.29).
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 1f5834262c91d835414b538857b67e058a1c1dac
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 23:58:31 2008 +0100

    parse: strict attribute size checking
    
    This patch adds strict attribute size checking. This is good to
    detect corrupted or malformed messages.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 63c3ae0f664ea7045446c4117646f767a5ccd647
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 11:20:44 2008 +0100

    network: fix data offset alignment returned by NTA_DATA macro
    
    This patch aligns the data offset that is returned by the NTA_DATA
    macro.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
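
The two commits above, "parse: strict attribute size checking" (1f58342) and "network: fix data offset alignment returned by NTA_DATA macro" (63c3ae0), both concern how the receiver walks the TLV attributes of a replication message. The following is an added example, not code from conntrack-tools: a self-contained C model of such a parser run over constructed sample messages. The struct and macro names follow the project's naming, but the layout is simplified; the enum subset mirrors the nta_attr values in the include/network.h hunk at the end of this mail, while NTA_MAX, the size table, the verdict codes and the demo helpers are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the conntrack-tools TLV layout (include/network.h in the
 * project is the reference); NTA_MAX and the demo helpers below are assumptions. */
struct netattr {
	uint16_t nta_len;	/* header + payload length, without padding */
	uint16_t nta_attr;	/* attribute type, see enum nta_attr */
};

#define NTA_ALIGNTO	4
#define NTA_ALIGN(len)	(((len) + NTA_ALIGNTO - 1) & ~(NTA_ALIGNTO - 1))
#define NTA_HDRLEN	NTA_ALIGN(sizeof(struct netattr))
#define NTA_LENGTH(len)	(NTA_HDRLEN + (len))
/* payload starts at an aligned offset from the header (commit 63c3ae0) */
#define NTA_DATA(x)	((const void *)((const char *)(x) + NTA_HDRLEN))

enum nta_attr { NTA_STATE = 4, NTA_STATUS, NTA_TIMEOUT, NTA_MARK, NTA_MAX = 16 }; /* NTA_MAX assumed */

/* Expected payload size per type, 0 = not accepted here. The table has NTA_MAX
 * entries, so the type must be range-checked before it is used as an index. */
static const uint16_t nta_size[NTA_MAX] = {
	[NTA_STATE] = sizeof(uint8_t), [NTA_STATUS] = sizeof(uint32_t),
	[NTA_MARK] = sizeof(uint32_t),	/* NTA_TIMEOUT deliberately absent */
};

struct parsed { uint32_t val[NTA_MAX]; unsigned seen; /* bitmask of decoded types */ };
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_TYPE = -2, PARSE_BAD_SIZE = -3 };

/* Walk the attributes; reject anything that overruns the buffer, names an
 * unknown type, or carries a payload of the wrong size. */
int parse_attrs(const void *buf, size_t len, struct parsed *out)
{
	const char *p = buf, *end = p + len;
	memset(out, 0, sizeof(*out));
	while (p < end) {
		struct netattr attr;
		uint16_t sz;
		if ((size_t)(end - p) < sizeof(attr))
			return PARSE_TRUNCATED;
		memcpy(&attr, p, sizeof(attr));	/* header copied out: no alignment assumption */
		if (attr.nta_len < NTA_HDRLEN || (size_t)(end - p) < attr.nta_len)
			return PARSE_TRUNCATED;
		if (attr.nta_attr >= NTA_MAX || nta_size[attr.nta_attr] == 0)
			return PARSE_BAD_TYPE;
		sz = nta_size[attr.nta_attr];
		if (attr.nta_len != NTA_LENGTH(sz))	/* strict: exact size, not "enough" (commit 1f58342) */
			return PARSE_BAD_SIZE;
		if (sz == sizeof(uint8_t))
			out->val[attr.nta_attr] = *(const uint8_t *)NTA_DATA(p);
		else
			memcpy(&out->val[attr.nta_attr], NTA_DATA(p), sz);
		out->seen |= 1u << attr.nta_attr;
		p += NTA_ALIGN(attr.nta_len);
	}
	return PARSE_OK;
}

/* Append one attribute; the caller supplies a zeroed buffer so padding is zero. */
static size_t put_attr(char *buf, size_t off, uint16_t type, const void *data, uint16_t sz)
{
	struct netattr hdr = { .nta_len = (uint16_t)NTA_LENGTH(sz), .nta_attr = type };
	memcpy(buf + off, &hdr, sizeof(hdr));
	memcpy(buf + off + NTA_HDRLEN, data, sz);
	return off + NTA_ALIGN(NTA_LENGTH(sz));
}

/* Constructed well-formed message: state 3, status 0x1e, mark 7, no timeout. */
static size_t build_sample(char *buf)
{
	uint8_t state = 3;
	uint32_t status = 0x1e, mark = 7;
	size_t n = put_attr(buf, 0, NTA_STATE, &state, sizeof(state));
	n = put_attr(buf, n, NTA_STATUS, &status, sizeof(status));
	return put_attr(buf, n, NTA_MARK, &mark, sizeof(mark));
}

/* 0: the sample as built; 1: cut one byte short; 2: an NTA_STATUS carrying a
 * 6-byte payload appended; 3: an attribute type beyond NTA_MAX appended. */
int demo_case(int which)
{
	char buf[64] = { 0 };
	uint8_t junk[6] = { 0 };
	struct parsed out;
	size_t n = build_sample(buf);
	if (which == 1)
		n -= 1;
	else if (which == 2)
		n = put_attr(buf, n, NTA_STATUS, junk, sizeof(junk));
	else if (which == 3)
		n = put_attr(buf, n, 200, junk, 4);
	return parse_attrs(buf, n, &out);
}

/* Decoded value of one attribute in the sample, or -1 if it was not present. */
long demo_value(int type)
{
	char buf[64] = { 0 };
	struct parsed out;
	if (parse_attrs(buf, build_sample(buf), &out) != PARSE_OK)
		return -1;
	return (out.seen & (1u << type)) ? (long)out.val[type] : -1;
}
```

The order of the checks is the point: the header is bounds-checked before it is read, the type is range-checked before it indexes the size table (the same class of bug as the NTA_MAX-versus-ATTR_MAX callback array size fixed in commit 6042436), and the length is compared for equality rather than "at least", so a peer that pads or shortens an attribute is rejected instead of having its payload silently read past. The sample in demo_case(0) carries no NTA_TIMEOUT, matching the build.c hunk at the end of this mail, and demo_value(NTA_TIMEOUT) reports it as absent.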

commit a516e5f8e550a6073aae96491372c45ce340da88
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 11:10:47 2008 +0100

    network: remove the netpld header from the messages
    
    This patch simplifies the message format of the replication
    messages. As a result, we save four bytes. The netpld header
    was introduced in the early protocol design. Today, it does
    not have any reason to exist.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 1c7352133af433d3d3881bb21e1de0e9e32f5b8c
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 11:10:14 2008 +0100

    network: remove __do_send() function
    
    This patch removes __do_send() and replaces it with the mcast_send()
    call. The debugging information that it provides is not useful anymore
    with the tcpdump plugin.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit bf6cfeb1dc6652eaff1b7c4edda45e15f5abf361
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 11:09:02 2008 +0100

    network: remove length parameter of mcast_buffered_send_netmsg()
    
    This patch simplifies mcast_buffered_send_netmsg() by removing the
    length parameter. Instead, we use the length field in the nethdr
    to know the message size to be sent.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 29b5df53bcbef17722ab2b389f3352c4e86b4795
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 11:08:19 2008 +0100

    network: remove unused function mcast_send_netmsg()
    
    This patch removes the unused function mcast_send_netmsg().
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 6042436a188581a327580f7821c0a3b94c4ef5d7
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 11:07:58 2008 +0100

    parse: fix missing master layer 4 protocol number assignation
    
    This patch fixes NTA_MASTER_L4PROTO parsing which was missing. This
    problem was introduced in "network: rework TLV-based protocol", commit
    id 76ac8ebe5e49385585c8e29fe530ed4baef390bf, i.e. somewhere in the
    development of 0.9.9. This patch also fixes the size of parsing
    callback array that is NTA_MAX, not ATTR_MAX. This problem does not
    affect conntrack-tools <= 0.9.8.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 8663becfe12801a4b5a96137a0db26a8871948a3
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 8 11:07:51 2008 +0100

    netlink: unset ATTR_HELPER_NAME to avoid EBUSY in nl_update_conntrack()
    
    This patch unsets the ATTR_HELPER_NAME attributes, otherwise we hit
    EBUSY for related conntrack entries while resetting the timers.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 528b304b587dc5ad5b147d53eeca60cb9df8c087
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sun Dec 7 12:03:54 2008 +0100

    netlink: remove unnecessary whitespace lines in netlink.h
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 27ee6a0f1255cb6c7dadc55caf3928fd62354314
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sun Dec 7 12:03:42 2008 +0100

    netlink: constify conntrack object parameter of nl_*_conntrack()
    
    This patch constifies the first parameter, which is a conntrack
    object, in all nl_*_conntrack() functions.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 2676982afacd502f3119cd323d060bbb88446057
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sun Dec 7 12:03:37 2008 +0100

    netlink: use NFCT_Q_[CREATE|UPDATE] instead of NFCT_Q_CREATE_UPDATE
    
    This patch uses NFCT_Q_CREATE in nl_create_conntrack() and
    NFCT_Q_UPDATE in nl_update_conntrack(). The NFCT_Q_CREATE_UPDATE
    query does not set the NLM_F_EXCL flag, so that it tries to update
    the entry if we fail to create.
    
    Under several scenarios, this may lead to problems. For example,
    the creation of related conntracks contains the master information.
    This is fine to create an entry, but an update will hit
    EOPNOTSUPP as ctnetlink considers that you are trying to change
    the master of an existing conntrack - and this is not a supported
    operation, of course.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 65ad316d921930c9d5c1c8640fbf2f05ecd0ca49
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sat Dec 6 21:54:43 2008 +0100

    netlink: clone conntrack object while creation/update
    
    This patch changes the behaviour of nl_create_conntrack() and
    nl_update_conntrack() which now clone the conntrack object
    received as parameter. This was not required as these functions
    were called inside fork(), thus, they modified a copy of the
    real conntrack objects in the child process.
    
    However, this behaviour is broken following the try-again
    logic in __do_commit_step. For example, if we try to update
    an expected conntrack object that has vanished for whatever
    reason, since nl_update_conntrack() modifies the object (unset
    the master conntrack information), nl_create_conntrack() will
    create an entry without the master conntrack information.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 567222194512c6d42c7e253fc69c3837fe7b078c
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sat Dec 6 21:54:24 2008 +0100

    build: do not include NTA_TIMEOUT in the replication messages
    
    With this patch, NTA_TIMEOUT is not included in the replication
    messages anymore. During the fail-over, we set a small timeout
    to purge the entries that were not recovered successfully
    (however, unsuccessful recovery should not happen ever).
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 conntrackd.8       |    4 ++
 include/netlink.h  |   21 ++++---------
 include/network.h  |   55 +++++++++++++++++------------------
 src/build.c        |   74 ++++++++++++++++++++++-------------------------
 src/netlink.c      |   45 ++++++++++++++++++++++------
 src/network.c      |   81 ++++++++++++++-------------------------------------
 src/parse.c        |   49 ++++++++++++++++++-------------
 src/run.c          |    8 +----
 src/sync-alarm.c   |    4 +--
 src/sync-ftfw.c    |   12 ++++----
 src/sync-mode.c    |   13 +++-----
 src/sync-notrack.c |    9 ++---
 12 files changed, 175 insertions(+), 200 deletions(-)

diff --git a/include/network.h b/include/network.h
index 5da1db5..6ab099f 100644
--- a/include/network.h
+++ b/include/network.h
@@ -185,7 +185,7 @@ enum nta_attr {
 	NTA_PORT,		/* struct nfct_attr_grp_port */
 	NTA_STATE = 4,		/* uint8_t */
 	NTA_STATUS,		/* uint32_t */
-	NTA_TIMEOUT,		/* uint32_t */
+	NTA_TIMEOUT,		/* uint32_t -- unused */
 	NTA_MARK,		/* uint32_t */
 	NTA_MASTER_IPV4 = 8,	/* struct nfct_attr_grp_ipv4 */
 	NTA_MASTER_IPV6,	/* struct nfct_attr_grp_ipv6 */
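Review bot: the enumerator is kept with only its comment changed to `-- unused`, which preserves the numeric values of NTA_MARK and the attributes that follow it (NTA_MASTER_IPV4 = 8 is anchored explicitly, NTA_MARK is not); say so in the comment, e.g. `/* uint32_t -- unused, kept to preserve wire numbering */`, so a later cleanup does not delete it and shift NTA_MARK onto the value that older peers still emit as NTA_TIMEOUT. The hunks shown also do not settle whether the parse side still accepts NTA_TIMEOUT from such peers or rejects it; the commit message should state which.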
diff --git a/src/build.c b/src/build.c
index c776de8..84515cf 100644
--- a/src/build.c
+++ b/src/build.c
@@ -117,8 +117,6 @@ void build_netpld(struct nf_conntrack *ct, struct netpld *pld, int query)
 
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE))
 		__build_u8(ct, ATTR_TCP_STATE, pld, NTA_STATE);
-	if (nfct_attr_is_set(ct, ATTR_TIMEOUT))
-		__build_u32(ct, ATTR_TIMEOUT, pld, NTA_TIMEOUT);
 	if (nfct_attr_is_set(ct, ATTR_MARK))
 		__build_u32(ct, ATTR_MARK, pld, NTA_MARK);
 
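Review bot: dropping the ATTR_TIMEOUT case is the whole of the build-side change, but the commit message's claim that a small timeout is set during fail-over to purge unrecovered entries is not visible in these hunks; name the function or file where that timeout is applied so the receive path can be reviewed together with this removal. The message should also say what timeout a successfully committed entry receives now that the sender's remaining timeout is no longer carried, since that is a behaviour change for long-lived entries that are close to expiry on the sender.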


