conntrack-tools branch, expect/vyatta, updated. conntrack-tools-1.0.0-14-g7386788

Pablo Neira Ayuso netfilter-cvslog-bounces at lists.netfilter.org
Wed Dec 7 22:48:00 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "conntrack-tools".

The branch, expect/vyatta has been updated
  discards  6d48b0658bd38d4547b2e17ab7d7ada779f07ba0 (commit)
       via  73867880f7c6d8e2bc7296718c2bdc6662263c9e (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (6d48b0658bd38d4547b2e17ab7d7ada779f07ba0)
            \
             N -- N -- N (73867880f7c6d8e2bc7296718c2bdc6662263c9e)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 73867880f7c6d8e2bc7296718c2bdc6662263c9e
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 13:01:40 2011 +0200

    conntrackd: support for expectation synchronization (incomplete!)
    
    This patch adds support to synchronize expectations between
    firewalls. However, you cannot commit them into the kernel yet.
    
    (term-1) user at client$ sudo modprobe nf_conntrack_ftp
    (term-1) user at client$ nc ftp.debian.org 21
    USER anonymous
    PASS
    PASV
    
    (Now switch to fw-1)
    
    root at fw1# conntrackd -i exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
    
    (Now switch to fw-2)
    
    root at fw2# conntrackd -e exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
    
    You have to enable the expectation support in the configuration
    file with the following option:
    
    Sync {
    	...
    	Options {
    		ExpectationSync On
    	}
    }
    
    Still needs to be implemented (it's on my TODO list):
    
    - Commit operation for expectations (done, but does not work yet).
    - The direct injection support for expectations.
    - Flush operation for expectations.
    - User-space filtering for expectations.
    
    You'll have to get a fresh working copy of libnetfilter_conntrack,
    otherwise you'll hit one assertion in nfct_cmp().
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------
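The commit message above checks synchronization by hand: dump the internal expectation cache on fw1 (`conntrackd -i exp`), dump the external cache on fw2 (`conntrackd -e exp`) and compare the lines by eye. The following script is an added example, not part of the commit or of conntrack-tools, that automates that comparison so an operator can tell whether a backup firewall would actually carry the expected related connections (here the FTP data channel) across a failover. It parses the line format shown in the commit's output and reports expectations that are missing on the backup (a failover would drop the related flow) and expectations present only on the backup (stale state that should have expired). The two cache dumps are constructed sample input modelled on the commit's output; the `Expectation` class and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One line of `conntrackd -i exp` / `conntrackd -e exp` output, as shown in
# the commit message, e.g.
#   proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
# sport=0 is the wildcard source port of the passive-FTP expectation: the
# client may open the data connection from any port.
EXP_LINE = re.compile(
    r"proto=(?P<proto>\d+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?:\s+\[active since (?P<age>\d+)s\])?"
)


@dataclass(frozen=True, order=True)
class Expectation:
    """Identity of one expectation; the age is kept separately because it
    legitimately differs between the two firewalls (9s vs 5s in the commit)."""
    proto: int
    src: str
    dst: str
    sport: int
    dport: int


def parse_expectations(dump: str) -> Dict[Expectation, int]:
    """Parse a cache dump into {expectation: age_in_seconds}.

    Lines that do not look like an expectation (prompts, blank lines,
    conntrackd status chatter) are ignored; a missing age is stored as -1.
    """
    cache: Dict[Expectation, int] = {}
    for line in dump.splitlines():
        m = EXP_LINE.search(line)
        if not m:
            continue
        exp = Expectation(int(m["proto"]), m["src"], m["dst"],
                          int(m["sport"]), int(m["dport"]))
        cache[exp] = int(m["age"]) if m["age"] is not None else -1
    return cache


def compare_caches(primary: Dict[Expectation, int],
                   backup: Dict[Expectation, int]
                   ) -> Tuple[List[Expectation], List[Expectation]]:
    """Return (missing_on_backup, stale_on_backup), each sorted for stable output.

    missing_on_backup: expectations fw1 holds but fw2 never received; after a
    failover the related connection would be treated as new traffic.
    stale_on_backup:   expectations only fw2 holds; they should have been
    expired or were never valid on the active node.
    """
    missing = sorted(set(primary) - set(backup))
    stale = sorted(set(backup) - set(primary))
    return missing, stale


def sync_report(primary_dump: str, backup_dump: str) -> List[str]:
    """Human-readable summary of the two dumps, one finding per line."""
    primary = parse_expectations(primary_dump)
    backup = parse_expectations(backup_dump)
    missing, stale = compare_caches(primary, backup)
    lines = [f"primary holds {len(primary)} expectation(s), backup holds {len(backup)}"]
    for e in missing:
        lines.append(f"MISSING on backup: proto={e.proto} {e.src}->{e.dst}:{e.dport} "
                     f"(active {primary[e]}s on primary)")
    for e in stale:
        lines.append(f"STALE on backup:   proto={e.proto} {e.src}->{e.dst}:{e.dport} "
                     f"(active {backup[e]}s on backup)")
    if not missing and not stale:
        lines.append("caches are in sync")
    return lines


# Constructed sample dumps (not real captures): the first line of each is the
# pair from the commit message; the others illustrate the two failure modes.
FW1_INTERNAL = """\
root at fw1# conntrackd -i exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
proto=6 src=192.168.0.7 dst=192.168.1.9 sport=0 dport=50211 [active since 2s]
"""

FW2_EXTERNAL = """\
root at fw2# conntrackd -e exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
proto=6 src=10.0.0.5 dst=192.168.1.2 sport=0 dport=40000 [active since 120s]
"""

if __name__ == "__main__":
    print("\n".join(sync_report(FW1_INTERNAL, FW2_EXTERNAL)))
```

In practice the two dumps would be collected from each node (for example over SSH) and fed to `sync_report`; a MISSING line for a long-lived expectation on the primary is the signal that the expectation was dropped in transit or that `ExpectationSync` is not enabled on the peer.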

Summary of changes:
 include/conntrackd.h |    2 ++
 src/sync-mode.c      |    4 +++-
 2 files changed, 5 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
conntrack-tools


