conntrack-tools branch, expect/vyatta, updated. conntrack-tools-1.0.0-14-g7386788
Pablo Neira Ayuso
netfilter-cvslog-bounces at lists.netfilter.org
Wed Dec 7 22:48:00 CET 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "conntrack-tools".
The branch, expect/vyatta has been updated
discards 6d48b0658bd38d4547b2e17ab7d7ada779f07ba0 (commit)
via 73867880f7c6d8e2bc7296718c2bdc6662263c9e (commit)
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
 * -- * -- B -- O -- O -- O (6d48b0658bd38d4547b2e17ab7d7ada779f07ba0)
            \
             N -- N -- N (73867880f7c6d8e2bc7296718c2bdc6662263c9e)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 73867880f7c6d8e2bc7296718c2bdc6662263c9e
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Thu Oct 27 13:01:40 2011 +0200
conntrackd: support for expectation synchronization (incomplete!)
This patch adds support to synchronize expectations between
firewalls. However, you cannot commit them into the kernel yet.
    (term-1) user@client$ sudo modprobe nf_conntrack_ftp
    (term-1) user@client$ nc ftp.debian.org 21
    USER anonymous
    PASS
    PASV

    (Now switch to fw-1)

    root@fw1# conntrackd -i exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]

    (Now switch to fw-2)

    root@fw2# conntrackd -e exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
You have to enable the expectation support in the configuration
file with the following option:
    Sync {
        ...
        Options {
            ExpectationSync On
        }
    }
Still needs to be implemented (it's on my TODO list):
- Commit operation for expectations (done, but does not work yet).
- The direct injection support for expectations.
- Flush operation for expectations.
- User-space filtering for expectations.
You'll have to get a fresh working copy of libnetfilter_conntrack,
otherwise you'll hit one assertion in nfct_cmp().
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
Summary of changes:
include/conntrackd.h | 2 ++
src/sync-mode.c | 4 +++-
2 files changed, 5 insertions(+), 1 deletions(-)
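The commit message above verifies expectation synchronization by eye: run `conntrackd -i exp` on fw1, `conntrackd -e exp` on fw2, and compare the two listings. The script below is an added example (not part of conntrack-tools or of this patch) that automates that check. It parses listing lines in the format shown in the commit message, keys each expectation on its tuple (proto, src, dst, sport, dport), ignores the `[active since Ns]` age (the one field that legitimately differs between the two hosts), and reports expectations fw1 holds that have not yet reached fw2's external cache, and vice versa. The sample listings are constructed for the example, not captured from a real pair of firewalls; the second fw1 line is an assumed extra expectation to give the comparison something to find. `sport=0` is the FTP PASV case from the message: the client's source port is not known in advance, so it is wildcarded in the expectation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample listings in the `conntrackd -i exp` / `conntrackd -e exp`
# format shown in the commit message.  Not captured from a real host: the
# second fw1 line is an assumed extra expectation that fw2 has not seen yet.
FW1_INTERNAL = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
proto=6 src=192.168.0.7 dst=192.168.1.2 sport=0 dport=51002 [active since 2s]
"""

FW2_EXTERNAL = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?:\s+\[active since (?P<age>\d+)s\])?"
)

# (proto, src, dst, sport, dport).  sport == 0 means the source port is
# wildcarded in the expectation, as for an FTP PASV data connection.
ExpKey = Tuple[int, str, str, int, int]


def parse_expectations(text: str) -> Dict[ExpKey, int]:
    """Map each expectation tuple to its age in seconds (-1 if not shown).

    The age is kept out of the key on purpose: fw2 learns an expectation a
    few seconds after fw1 creates it, so ages never match across hosts.
    Lines that do not look like an expectation listing are skipped.
    """
    exps: Dict[ExpKey, int] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key: ExpKey = (
            int(m["proto"]), m["src"], m["dst"], int(m["sport"]), int(m["dport"])
        )
        exps[key] = int(m["age"]) if m["age"] is not None else -1
    return exps


def compare_caches(internal: str, external: str) -> Tuple[List[ExpKey], List[ExpKey]]:
    """Diff fw1's internal cache against fw2's external cache.

    Returns (missing_on_peer, stale_on_peer): expectations fw1 has that fw2
    has not received, and expectations fw2 still holds that fw1 no longer has.
    Both lists empty means the two views agree.
    """
    local = parse_expectations(internal)
    peer = parse_expectations(external)
    missing = sorted(set(local) - set(peer))
    stale = sorted(set(peer) - set(local))
    return missing, stale


def format_key(key: ExpKey) -> str:
    """Render a tuple for a report line, showing the wildcarded port as 'any'."""
    proto, src, dst, sport, dport = key
    sport_txt = "any" if sport == 0 else str(sport)
    return f"proto={proto} {src}:{sport_txt} -> {dst}:{dport}"


if __name__ == "__main__":
    missing, stale = compare_caches(FW1_INTERNAL, FW2_EXTERNAL)
    for key in missing:
        print("not yet on fw2:", format_key(key))
    for key in stale:
        print("stale on fw2:  ", format_key(key))
    if not missing and not stale:
        print("expectation caches agree")
```

On real hosts the two listings would be fed in from `conntrackd -i exp` on fw1 and `conntrackd -e exp` on fw2 (for example via ssh) instead of the constructed strings; a non-empty `missing` list a few seconds after the PASV command is the signal that expectation synchronization is not working.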
hooks/post-receive
--
conntrack-tools