conntrack-tools branch, expect/vyatta, updated. conntrack-tools-1.0.0-14-g6d48b06

Pablo Neira Ayuso netfilter-cvslog-bounces at lists.netfilter.org
Tue Dec 6 18:49:12 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "conntrack-tools".

The branch, expect/vyatta has been updated
  discards  c331f3ecd5c229a4211ef1632730afe435df63d7 (commit)
       via  6d48b0658bd38d4547b2e17ab7d7ada779f07ba0 (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (c331f3ecd5c229a4211ef1632730afe435df63d7)
            \
             N -- N -- N (6d48b0658bd38d4547b2e17ab7d7ada779f07ba0)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6d48b0658bd38d4547b2e17ab7d7ada779f07ba0
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 13:01:40 2011 +0200

    conntrackd: support for expectation synchronization (incomplete!)
    
    This patch adds support to synchronize expectations between
    firewalls. However, you cannot commit them into the kernel yet.
    
    (term-1) user at client$ sudo modprobe nf_conntrack_ftp
    (term-1) user at client$ nc ftp.debian.org 21
    USER anonymous
    PASS
    PASV
    
    (Now switch to fw-1)
    
    root at fw1# conntrackd -i exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
    
    (Now switch to fw-2)
    
    root at fw2# conntrackd -e exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
    
    You have to enable the expectation support in the configuration
    file with the following option:
    
    Sync {
    	...
    	Options {
    		ExpectationSync On
    	}
    }
    
    Still needs to be implemented (it's on my TODO list):
    
    - Commit operation for expectations (done, but does not work yet).
    - The direct injection support for expectations.
    - Flush operation for expectations.
    - User-space filtering for expectations.
    
    You'll have to get a fresh working copy of libnetfilter_conntrack,
    otherwise you'll hit one assertion in nfct_cmp().
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

Summary of changes:
 include/conntrackd.h |    1 +
 include/log.h        |    2 +
 include/netlink.h    |    4 ++
 src/cache-exp.c      |  110 +++++++++++++++++++++++++++++++++++++++++++++++++-
 src/log.c            |   37 +++++++++++++++++
 src/main.c           |   12 +++++-
 src/netlink.c        |   29 +++++++++++++
 src/parse.c          |    2 +-
 src/run.c            |   27 ++++++++++++
 src/sync-mode.c      |    8 ++++
 10 files changed, 228 insertions(+), 4 deletions(-)
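The commit message above shows the one-line expectation format that `conntrackd -i exp` (active firewall, internal cache) and `conntrackd -e exp` (backup firewall, external cache) print. As an added example that is not part of conntrack-tools or this commit, the following Python script parses two such dumps and reports which expectations never reached the backup; the exact line layout is assumed from the two sample lines in the commit message, and the dumps below are constructed.

```python
import re

# Regex for the one-line expectation format shown in the commit message
# (assumption: later conntrackd versions may print additional fields).
EXP_LINE = re.compile(
    r"proto=(?P<proto>\d+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+\[active since (?P<age>\d+)s\]"
)

def parse_expectations(dump: str) -> dict:
    """Return {(proto, src, dst, sport, dport): age_seconds} for every line that parses."""
    out = {}
    for line in dump.splitlines():
        m = EXP_LINE.search(line)
        if not m:
            continue  # skip prompts, blank lines and unrelated output
        key = (int(m["proto"]), m["src"], m["dst"], int(m["sport"]), int(m["dport"]))
        out[key] = int(m["age"])
    return out

def compare_caches(active_dump: str, external_dump: str) -> dict:
    """Diff the active node's internal cache against the backup's external cache.

    An expectation present on the active node but absent on the backup would be
    lost on failover (the related data connection gets dropped); an expectation
    present only on the backup is stale replicated state.
    """
    active = parse_expectations(active_dump)
    external = parse_expectations(external_dump)
    return {
        "missing_on_backup": sorted(set(active) - set(external)),
        "stale_on_backup": sorted(set(external) - set(active)),
        "in_sync": sorted(set(active) & set(external)),
    }

# Constructed sample dumps; the first line of each copies the commit message.
FW1_INTERNAL = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
proto=6 src=192.168.0.3 dst=192.168.1.2 sport=0 dport=51010 [active since 2s]
"""
FW2_EXTERNAL = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
"""

if __name__ == "__main__":
    for state, entries in compare_caches(FW1_INTERNAL, FW2_EXTERNAL).items():
        print(state, entries)
```

In practice the two dumps would be captured from each firewall and fed to `compare_caches`; a non-empty `missing_on_backup` list is the condition worth alerting on.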


hooks/post-receive
-- 
conntrack-tools