[conntrack-tools] conntrackd: cleanup port addition in the message building path

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Tue Feb 16 15:11:48 CET 2010


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=8c88b695289c1f3fca604a30e3ca59dd1c957377
commit 8c88b695289c1f3fca604a30e3ca59dd1c957377
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 31 16:50:48 2010 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Feb 16 15:05:16 2010 +0100

    conntrackd: cleanup port addition in the message building path
    
    This patch moves the port addition to the layer 4 functions, instead
    of checking for the port attribute. It also adds a function for UDP,
    otherwise we break support for this protocol.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Dec 29 20:02:55 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Feb 11 12:06:37 2010 +0100

    conntrackd: add support for TCP window scale factor synchronization
    
    This patch adds a new option, TCPWindowTracking, that allows TCP
    window tracking not to be disabled, as it is by default.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  8c88b695289c1f3fca604a30e3ca59dd1c957377 (commit)
       via  56817d1c0cc30bcd65c56c2f73634b256603cc4d (commit)
      from  73da80df0c3cf4175662b3da4dfbd3574d34f96a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8c88b695289c1f3fca604a30e3ca59dd1c957377
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sun Jan 31 16:50:48 2010 +0100

    conntrackd: cleanup port addition in the message building path
    
    This patch move the ports addition to the layer 4 functions, instead
    of checking for the port attribute. It also add a function for UDP
    otherwise we break support for this protocol.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 56817d1c0cc30bcd65c56c2f73634b256603cc4d
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Dec 29 20:02:55 2009 +0100

    conntrackd: add support for TCP window scale factor synchronization
    
    This patch adds a new option TCPWindowTracking that allows not
    to disable TCP window tracking as it occurs by default.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 doc/sync/alarm/conntrackd.conf   |   11 +++++++++++
 doc/sync/ftfw/conntrackd.conf    |   10 ++++++++++
 doc/sync/notrack/conntrackd.conf |   11 +++++++++++
 include/conntrackd.h             |    1 +
 include/network.h                |    2 ++
 src/build.c                      |   27 +++++++++++++++++++++------
 src/netlink.c                    |   20 ++++++++++----------
 src/parse.c                      |   10 ++++++++++
 src/read_config_lex.l            |    2 ++
 src/read_config_yy.y             |   18 ++++++++++++++++++
 10 files changed, 96 insertions(+), 16 deletions(-)
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 9b7d8c6..65c8715 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -180,6 +180,17 @@ Sync {
 		#
 		# Checksum on
 	# }
+
+	#
+	# Other unsorted options that are related to the synchronization.
+	#
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		#
+		# TCPWindowTracking Off
+	# }
 }
 
 #
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 877ed68..481fe8b 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -204,6 +204,16 @@ Sync {
 		# Checksum on
 	# }
 
+	# 
+	# Other unsorted options that are related to the synchronization.
+	# 
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		#
+		# TCPWindowTracking Off
+	# }
 }
 
 #
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 693209a..430ca25 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -242,6 +242,17 @@ Sync {
 		#
 		# Checksum on
 	# }
+
+	#
+	# Other unsorted options that are related to the synchronization.
+	#
+	# Options {
+		#
+		# TCP state-entries have window tracking disabled by default,
+		# you can enable it with this option. As said, default is off.
+		#
+		# TCPWindowTracking Off
+	# }
 }
 
 #
diff --git a/include/conntrackd.h b/include/conntrackd.h
index c7f33f0..b35c95d 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -102,6 +102,7 @@ struct ct_conf {
 	struct {
 		int internal_cache_disable;
 		int external_cache_disable;
+		int tcp_window_tracking;
 	} sync;
 	struct {
 		int events_reliable;
diff --git a/include/network.h b/include/network.h
index 70812b1..567317b 100644
--- a/include/network.h
+++ b/include/network.h
@@ -220,6 +220,8 @@ enum nta_attr {
 	NTA_ICMP_TYPE,		/* uint8_t */
 	NTA_ICMP_CODE,		/* uint8_t */
 	NTA_ICMP_ID,		/* uint16_t */
+	NTA_TCP_WSCALE_ORIG,	/* uint8_t */
+	NTA_TCP_WSCALE_REPL,	/* uint8_t */
 	NTA_MAX
 };
 
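Review bot: NTA_TCP_WSCALE_ORIG and NTA_TCP_WSCALE_REPL are appended just before NTA_MAX with no note on compatibility, and since nta_attr values appear to be the attribute types carried in sync messages (src/parse.c indexes its parser table `h[NTA_MAX]` by them), a peer built before this change receives types above its own NTA_MAX whenever a newer node has TCPWindowTracking on. Whether that older receive path rejects unknown types before indexing the table is outside this diff and worth confirming in a mixed-version upgrade. I would record the constraint next to the new values, e.g. `/* sent only when TCPWindowTracking is on; every peer must know these types */`.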
diff --git a/src/build.c b/src/build.c
index 6d8b12e..0bfe8c1 100644
--- a/src/build.c
+++ b/src/build.c
@@ -103,6 +103,10 @@ static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n)
 		return;
 
 	__build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE);
+	if (CONFIG(sync).tcp_window_tracking) {
+		__build_u8(ct, ATTR_TCP_WSCALE_ORIG, n, NTA_TCP_WSCALE_ORIG);
+		__build_u8(ct, ATTR_TCP_WSCALE_REPL, n, NTA_TCP_WSCALE_REPL);
+	}
 }
 
 static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n)
diff --git a/src/netlink.c b/src/netlink.c
index a43f782..5b6452a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -196,12 +196,12 @@ int nl_create_conntrack(struct nfct_handle *h,
 
 	nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
 
-	/*
-	 * TCP flags to overpass window tracking for recovered connections
-	 */
+	/* disable TCP window tracking for recovered connections if required */
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
-		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
-				IP_CT_TCP_FLAG_SACK_PERM;
+		uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+		if (!CONFIG(sync).tcp_window_tracking)
+			flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 
 		/* FIXME: workaround, we should send TCP flags in updates */
 		if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
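Review bot: Whether IP_CT_TCP_FLAG_BE_LIBERAL is dropped is decided from the local node's option alone, while whether the window-scale values were actually received depends on the peer's gating in build_l4proto_tcp (src/build.c); a node with TCPWindowTracking on that receives from a peer with it off would presumably inject the TCP entry with strict window tracking and no scale factors, so the recovered connection may stall. Consider also requiring the attributes to be present before omitting the liberal flag, `if (!CONFIG(sync).tcp_window_tracking || !nfct_attr_is_set(ct, ATTR_TCP_WSCALE_ORIG))`, or state in the sample configs that the option must be identical on all nodes. The same block is duplicated in nl_update_conntrack in the next hunk, so the two could share a small static helper. Both enclosing functions start and end outside their hunks.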
@@ -261,12 +261,12 @@ int nl_update_conntrack(struct nfct_handle *h,
 		nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
 	}
 
-	/*
-	 * TCP flags to overpass window tracking for recovered connections
-	 */
+	/* disable TCP window tracking for recovered connections if required */
 	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
-		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
-				IP_CT_TCP_FLAG_SACK_PERM;
+		uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
+
+		if (!CONFIG(sync).tcp_window_tracking)
+			flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 
 		/* FIXME: workaround, we should send TCP flags in updates */
 		if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
diff --git a/src/parse.c b/src/parse.c
index e6eefe4..3eb7f44 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -161,6 +161,16 @@ static struct parser h[NTA_MAX] = {
 		.attr	= ATTR_ICMP_ID,
 		.size	= NTA_SIZE(sizeof(uint16_t)),
 	},
+	[NTA_TCP_WSCALE_ORIG] = {
+		.parse	= parse_u8,
+		.attr	= ATTR_TCP_WSCALE_ORIG,
+		.size	= NTA_SIZE(sizeof(uint8_t)),
+	},
+	[NTA_TCP_WSCALE_REPL] = {
+		.parse	= parse_u8,
+		.attr	= ATTR_TCP_WSCALE_REPL,
+		.size	= NTA_SIZE(sizeof(uint8_t)),
+	},
 };
 
 static void
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index b2d4bdb..f005099 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -138,6 +138,8 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "NetlinkEventsReliable"		{ return T_NETLINK_EVENTS_RELIABLE; }
 "DisableInternalCache"		{ return T_DISABLE_INTERNAL_CACHE; }
 "DisableExternalCache"		{ return T_DISABLE_EXTERNAL_CACHE; }
+"Options"			{ return T_OPTIONS; }
+"TCPWindowTracking"		{ return T_TCP_WINDOW_TRACKING; }
 "ErrorQueueLength"		{ return T_ERROR_QUEUE_LENGTH; }
 
 {is_on}			{ return T_ON; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 5f4e6be..bc76e92 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -73,6 +73,7 @@ static void __max_dedicated_links_reached(void);
 %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR
 %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
 %token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
+%token T_OPTIONS T_TCP_WINDOW_TRACKING
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -808,8 +809,25 @@ sync_line: refreshtime
 	 | state_replication
 	 | cache_writethrough
 	 | destroy_timeout
+	 | option_line
 	 ;
 
+option_line: T_OPTIONS '{' options '}';
+
+options:
+       | options option 
+       ;
+
+option: T_TCP_WINDOW_TRACKING T_ON
+{
+	CONFIG(sync).tcp_window_tracking = 1;
+};
+
+option: T_TCP_WINDOW_TRACKING T_OFF
+{
+	CONFIG(sync).tcp_window_tracking = 0;
+};
+
 sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
 {
 	conf.flags |= CTD_SYNC_ALARM;
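Review bot: The two `option:` rules define the same nonterminal in two separate productions, which bison accepts but reads as two unrelated rules; writing them as one rule with alternatives (`option: T_TCP_WINDOW_TRACKING T_ON { … = 1; } | T_TCP_WINDOW_TRACKING T_OFF { … = 0; } ;`) makes the on/off pair visible at a glance. The `| options option ` alternative carries a trailing space. A one-line comment above `option_line` noting that the `Options` block is valid only inside `Sync`, which is all `sync_line` allows, would help anyone extending the grammar later.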
