[ANNOUNCE] conntrack-tools 1.4.7 release

Hi!

The Netfilter project proudly presents:

conntrack-tools 1.4.7

This release contains new features:

* IPS_HW_OFFLOAD flag specifies that a conntrack entry has been
  offloaded into the hardware
* 'clash_resolve' and 'chaintoolong' stats counters
* Default to unspec family if '-f' flag is absent to improve support for
  dual-stack setups
* Support filtering events by IP address family
* Support flushing per IP address family
* Add "save" output format representing data in conntrack parameters
* Support loading conntrack commands from a batch file, e.g. generated
  by "save" output format
* Annotate portid in events by the program name (if found)
* Accept yes/no as synonyms to on/off in conntrackd.conf
* Support user space helper auto-loading upon daemon startup, relieving
  users from manual 'nfct add helper' calls
* Filter dumps by status on kernel side if possible
* Accept to filter for any status other than SEEN_REPLY using
  'UNREPLIED'
* Use libmnl internally
* Reuse netlink socket for improved performance with bulk CT entry loads
* Remove '-o userspace' flag and always tag user space triggered events
* Introduce '-A' command, a variant of '-I' which does not fail if the
  entry exists already

... and fixes:

* ICMP entry creation would fail when reply data was specified
* Sync zone value also
* Log external inject problems as warning only
* Endianness bug parsing IP addresses
* Ignore conntrack ID when looking up cache entries to allow for stuck
  old ones to be replaced eventually
* Broken parsing of IPv6 M-SEARCH requests in ssdp cthelper
* Eliminate the need for lazy binding in nfct
* Fix for use of unknown protocol values
* Sanitize protocol value parsing, catch illegal values
* Ensure unknown protocol values are included in '-o save' dumps

... and documentation updates:

* Fixed examples in manual
* Refer to nf_conntrack sysctl instead of the deprecated ip_conntrack
  one
* Misc updates to the manual
* Add an older example script creating an active-active setup using the
  cluster match

You can download the new release from:

https://netfilter.org/projects/conntrack-tools/downloads.html#conntrack-tools-1.4.7

To build the code, updated libnetfilter_conntrack 1.0.9 is required:

https://netfilter.org/projects/libnetfilter_conntrack/downloads.html#libnetfilter_conntrack-1.0.9

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

Aaron Thompson (1):
  conntrackd: cthelper: ssdp: Fix parsing of IPv6 M-SEARCH requests.

Adam Casella (1):
  conntrackd: cache: fix zone entry uniqueness in external cache

Arturo Borrero Gonzalez (8):
  .gitignore: add nano swap file
  conntrackd: external_inject: report inject issues as warning
  conntrackd: introduce yes & no config values
  tests: introduce new python-based framework for running tests
  tests: introduce some basic testcases for the new conntrack-tools
    testing framework
  tests: introduce replicating scenario and simple icmp test case
  tests: conntrackd: add testcase for missing hashtable buckets and max
    entries
  tests: conntrackd: silence sysctl

Florian Westphal (8):
  conntrack: add support for CLASH_RESOLVED counter
  conntrack: pretty-print the portid
  conntrack: enable kernel-based status filtering with -L -u STATUS
  conntrack: add shorthand mnemonic for UNREPLIED
  conntrack: add support for chaintoolong stat counter
  conntrack: fix compiler warnings
  conntrack: remove -o userspace
  conntrack: unbreak event mode

Jeremy Sowden (9):
  build: remove commented-out macros from configure.ac
  build: quote AC_INIT arguments
  build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with
    `LT_INIT`
  build: remove yacc-generated header from EXTRA_DIST
  build: clean yacc- and lex-generated files with maintainer-clean
  build: fix dependency-tracking of yacc-generated header
  build: only require bison and flex if the generated files do not exist
  build: remove MAINTAINERCLEANFILES
  build: replace `AM_PROG_LEX` with `AC_PROG_LEX`

Mikhail Sennikovsky (20):
  tests: icmp entry create/delete
  conntrack: fix icmp entry creation
  conntrack: implement save output format
  conntrack.8: man update for opts format support
  conntrack: accept commands from file
  conntrack.8: man update for --load-file support
  tests: saving and loading ct entries, save format
  tests: conntrack -L/-D ip family filtering
  tests/conntrack: script for stress-testing ct load
  conntrack: pass sock to nfct_mnl_*() functions
  conntrack: use libmnl for updating conntrack table
  conntrack: use libmnl for ct entries deletion
  conntrack: use libmnl for flushing conntrack table
  conntrack: use same modifier socket for bulk ops
  conntrack: set reply l4 proto for unknown protocol
  conntrack: fix protocol number parsing
  conntrack: fix -o save dump for unknown protocols
  conntrack: generalize command parsing
  conntrack: use C99 initializer syntax for option map
  conntrack: introduce new -A command

Pablo Neira Ayuso (44):
  conntrack: add support for the IPS_HW_OFFLOAD flag
  conntrack: add a few more tests
  doc: manual: fix conntrack examples
  doc: manual: refer to nf_conntrack sysctl
  doc: manual: general documentation revamp
  conntrack: default to unspec family for dualstack setups
  conntrack: allow to filter event by family
  conntrack: allow to flush per family
  conntrackd: add ip netns test script
  conntrack: add struct ct_cmd
  conntrack: add struct ct_tmpl
  conntrack: add do_command_ct()
  tests: conntrackd: move basic netns scenario setup to shell script
  conntrackd: set default hashtable buckets and max entries if not
    specified
  conntrack: pass command object to callbacks
  conntrack: pass ct_cmd to nfct_filter_init()
  conntrack: pass cmd to nfct_filter()
  conntrack: pass cmd to filter nat, mark and network functions
  conntrack: move options flag to ct_cmd object
  conntrack: add function to print command stats
  conntrack: release options after parsing
  conntrackd: fix endianness bug in IPv4 and IPv6 address
  conntrackd: cthelper: Set up userspace helpers when daemon starts
  doc: manual: Document userspace helper configuration at daemon startup
  conntrackd: cthelper: fix overlapping queue numbers in example file
  src: conntrackd: add #include <linux/netfilter/nfnetlink_queue.h>
  doc: add cluster match script
  conntrackd: do not include conntrack ID in hashtable cmp
  conntrack: pass filter_dump object to nfct_mnl_dump()
  conntrack: enhance mnl_nfct_dump_cb()
  conntrack: use libmnl for listing conntrack table
  conntrack: add nfct_mnl_talk() and nfct_mnl_recv() helper functions
  conntrack: add netlink flags to nfct_mnl_nlmsghdr_put()
  conntrack: use libmnl to create entry
  conntrack: rename nfct_mnl_recv() to __nfct_mnl_dump()
  conntrack: add nfct_mnl_request()
  nfct: remove lazy binding
  conntrack: consolidate socket open call
  conntrackd: build: always add ports to sync message
  conntrack: pass command object to nfct_mnl_request()
  conntrack: update CT_GET to use libmnl
  conntrack: update manpage with new -A command
  conntrack: use IPPROTO_RAW
  conntrack: slightly simplify parse_proto_num() by using strtoul()

Phil Sutter (9):
  hash: Flush tables when destroying
  cache: Fix features array allocation
  Fix potential buffer overrun in snprintf() calls
  helpers: ftp: Avoid ugly casts
  read_config_yy: Drop extra argument from dlog() call
  Don't call exit() from signal handler
  Drop pointless assignments
  conntrack: Fix for memleak when parsing -j arg
  local: Avoid sockaddr_un::sun_path buffer overflow

Yi Yang (1):
  conntrack: fix zone sync issue

Štěpán Němec (1):
  conntrack.8: minor copy edit
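The "save" output format, the batch loader and the idempotent '-A' command
announced above fit together as a snapshot/restore workflow. The script
below is an added example written for this page; it is not part of
conntrack-tools and is not the project's own code. It assumes that
'conntrack -L -o save' emits one command per line beginning with '-A' (or
'-I'), as the release notes imply, and that '--load-file' accepts such a
file; check your build's output before relying on that. The sanity check
in ct_check_batch is the editor's addition, not a feature of conntrack:
because a batch file is executed as a sequence of conntrack commands, a
truncated, hand-edited or tampered file could just as well carry '-D' or
'-F', so it is worth refusing anything other than add/insert lines before
handing the file to a root-run loader.

```shell
#!/bin/sh
# Added example, not conntrack-tools code: snapshot the conntrack table in
# "save" format, sanity-check the resulting batch file, and reload it.
# Assumptions (not verified against this page): save lines start with
# "-A " (or "-I "), and `conntrack --load-file FILE` replays them.
set -u

# Dump the live table in save format into $1.
# Returns 2 if no conntrack binary is on PATH; otherwise conntrack's own
# exit status (the dump needs CAP_NET_ADMIN, so expect failure as non-root).
ct_snapshot() {
    out="$1"
    command -v conntrack >/dev/null 2>&1 || return 2
    conntrack -L -o save > "$out"
}

# Refuse to replay a batch file unless every non-blank, non-comment line is
# an add (-A) or insert (-I) command. Anything else (-D, -F, -U, shell
# fragments from a corrupted file) fails the check, so a bad file cannot
# delete or flush entries when it is fed to the loader as root.
# Returns 0 if the file is acceptable, 1 otherwise.
ct_check_batch() {
    file="$1"
    [ -f "$file" ] || return 1
    bad=$(awk '
        /^[[:space:]]*(#|$)/      { next }        # comments and blank lines
        !/^-(A|I)[[:space:]]/     { n++ }         # anything not add/insert
        END                       { print n + 0 }
    ' "$file")
    [ "$bad" -eq 0 ]
}

# Replay a checked batch file. Returns 2 if conntrack is missing, 3 if the
# file fails ct_check_batch, otherwise conntrack's exit status.
ct_restore() {
    file="$1"
    command -v conntrack >/dev/null 2>&1 || return 2
    ct_check_batch "$file" || return 3
    conntrack --load-file "$file"
}

# Typical use (as root):
#   ct_snapshot /var/lib/conntrack.save
#   ... reboot, or restart conntrackd ...
#   ct_restore  /var/lib/conntrack.save
```

Because '-A' does not fail when an entry already exists, ct_restore can be
re-run safely; with '-I' lines a second replay would abort on the first
duplicate. Keep the snapshot file root-owned and not world-writable for the
same reason the check exists: whoever can edit it decides what the loader
does to the table.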
