conntrack-tools branch, expect/vyatta, updated. conntrack-tools-1.0.0-13-g8d4298b

Pablo Neira Ayuso netfilter-cvslog-bounces at lists.netfilter.org
Wed Nov 16 01:56:42 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "conntrack-tools".

The branch, expect/vyatta has been updated
  discards  47946bb1aa057fb6955ad92934ae89aaf93c4831 (commit)
  discards  38a41950ac807e4d79928e9d1b4a70b7fe508e59 (commit)
  discards  9a644c42532a1c8a46cb7a2e731606c696f33b61 (commit)
  discards  dfbefbeffa44f5fc7eb8d2f556e3a94c2c05c595 (commit)
       via  8d4298bc09b1c07e1a20149c2e4ebd0bbd197d9d (commit)
       via  8ebaa0ccce1f418d128cd4c18c15a977a665da9d (commit)
       via  706e1567a9db14cfc0aa97d65cf55ee1cf3c5599 (commit)
       via  624513ac35bc476e8af22245c03c4c1e6d399c9b (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (47946bb1aa057fb6955ad92934ae89aaf93c4831)
            \
             N -- N -- N (8d4298bc09b1c07e1a20149c2e4ebd0bbd197d9d)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8d4298bc09b1c07e1a20149c2e4ebd0bbd197d9d
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 13:01:40 2011 +0200

    conntrackd: support for expectation synchronization (incomplete!)
    
    This patch adds support to synchronize expectations between
    firewalls. However, you cannot commit them into the kernel yet.
    
    (term-1) user at client$ sudo modprobe nf_conntrack_ftp
    (term-1) user at client$ nc ftp.debian.org 21
    USER anonymous
    PASS
    PASV
    
    (Now switch to fw-1)
    
    root at fw1# conntrackd -i exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
    
    (Now switch to fw-2)
    
    root at fw2# conntrackd -e exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
    
    You have to enable the expectation support in the configuration
    file with the following option:
    
    Sync {
    	...
    	Options {
    		ExpectationSync On
    	}
    }
    
    Still needs to be implemented (it's on my TODO list):
    
    - Initial dump of the expect table.
    - Commit operation for expectations.
    - The direct injection support for expectations.
    - Flush operation for expectations.
    - User-space filtering for expectations.
    
    You'll have to get a fresh working copy of libnetfilter_conntrack,
    otherwise you'll hit one assertion in nfct_cmp().
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
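One way to check that the two firewalls in the procedure above actually hold the same expectations, as an added example that is not part of the commit or of conntrack-tools: it parses dumps in the one-line format shown by `conntrackd -i exp` and `conntrackd -e exp` and reports tuples present on one side but not the other. The sample dumps are constructed, and the regular expression assumes the line layout is exactly the one the commit message shows.

```python
import re

# Constructed sample dumps in the format shown in the commit message:
# internal cache on fw1 (`conntrackd -i exp`) and external cache on fw2 (`conntrackd -e exp`).
INTERNAL_DUMP = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 9s]
proto=6 src=192.168.0.3 dst=192.168.1.2 sport=0 dport=40001 [active since 2s]
"""
EXTERNAL_DUMP = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=34425 [active since 5s]
proto=6 src=192.168.0.9 dst=192.168.1.2 sport=0 dport=50000 [active since 1s]
"""

# Assumed line layout, taken from the two dump lines in the commit message.
LINE_RE = re.compile(
    r"proto=(?P<proto>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) \[active since (?P<age>\d+)s\]"
)


def parse_dump(text):
    """Map each expectation tuple (proto, src, dst, sport, dport) to its age in seconds."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an expectation line
        key = (int(m["proto"]), m["src"], m["dst"], int(m["sport"]), int(m["dport"]))
        table[key] = int(m["age"])
    return table


def compare_caches(internal_text, external_text):
    """Tuples seen by one firewall but not the other.

    The "active since" age legitimately differs between peers (9s vs 5s in the
    commit message), so only the tuple itself is compared, not the age.
    """
    internal = parse_dump(internal_text)
    external = parse_dump(external_text)
    return {
        "missing_on_peer": sorted(set(internal) - set(external)),
        "unknown_on_peer": sorted(set(external) - set(internal)),
    }


if __name__ == "__main__":
    for kind, tuples in compare_caches(INTERNAL_DUMP, EXTERNAL_DUMP).items():
        for t in tuples:
            print(kind, "proto=%d src=%s dst=%s sport=%d dport=%d" % t)
```

On real hosts the two dumps would be captured from the commands above and fed in as text; an empty result on both keys means every expectation on fw1 has reached fw2.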

commit 8ebaa0ccce1f418d128cd4c18c15a977a665da9d
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Nov 14 22:48:22 2011 +0100

    conntrackd: simplify cache_get_extra function
    
    This patch simplifies cache_get_extra which now takes only one
    parameter that is the cache_object. With it, the extra area can be
    calculated.

commit 706e1567a9db14cfc0aa97d65cf55ee1cf3c5599
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 12:18:34 2011 +0200

    conntrackd: generalize local handler actions
    
    This patch prepares the introduction of actions with the expectation
    table. Mostly renamings.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 624513ac35bc476e8af22245c03c4c1e6d399c9b
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Oct 26 12:54:13 2011 +0200

    conntrackd: generalize/cleanup network message building/parsing
    
    This patch generalizes the network message building and parsing
    to prepare the upcoming expectation support.
    
    Basically, it renames:
    
    - NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_*
    - BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg.
      I plan to add exp2msg.
    - parse_payload by msg2ct, since I plan to add msg2exp.
    - modify object_status_to_network_type to prepare the support of
      expectations.
    - add prefix ct_ to all parsing functions in parse.c, as we will have
      similar functions to convert messages to expectation objects.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

Summary of changes:


hooks/post-receive
-- 
conntrack-tools
