* [ANNOUNCE] conntrack-tools 0.9.8 released
From: Pablo Neira Ayuso @ 2008-10-21 19:25 UTC (permalink / raw)
To: netfilter, netfilter-devel; +Cc: netfilter-announce, lwn
Hi!
The netfilter project proudly presents another development release of
the conntrack-tools. This release includes important updates, fixes and
improvements. Moreover, a new user manual has been released,
contributions to improve are welcome! Detailed changelog is attached.
What are the conntrack-tools?
- The userspace daemon so-called conntrackd that covers the specific
aspects of stateful Linux firewalls to enable high availability
solutions. It can be used as statistics collector of the firewall use as
well. The daemon is highly configurable and easily extensible.
- The command line interface (CLI) conntrack that provides an interface
to add, delete and update flow entries, list current active flows in
plain text/XML, current IPv4 NAT'ed flows, reset counters, and flush the
complete connection tracking table among many other.
Where can I download it from?
http://www.netfilter.org/projects/conntrack-tools/downloads.html
Where can I get more information about them?
http://people.netfilter.org/pablo/conntrack-tools/
Where can I have a look at the new user manual?
http://people.netfilter.org/pablo/conntrack-tools/install.html
On behalf of the Netfilter Project,
Pablo
Enjoy!
--
"Los honestos son inadaptados sociales" -- Les Luthiers
[-- Attachment #2: ChangeLog --]
[-- Type: text/plain, Size: 3668 bytes --]
Albin Tonerre (1):
fix unsecure usage of printf and include limits.h (PATH_MAX and INT_MAX)
Pablo Neira Ayuso (63):
check if entries already exist in kernel before injection
do not include Changelog in tarballs, use git shortlog instead
use only the original tuple to check if a conntrack is present
fix xml output: wrap output with one root element
Major rework of the user-space event filtering
add support for kernel-space filtering via BSF
log: syslog displays the entry that triggers the error
filter: skip protocol state filtering if state not present
conntrack: add new option --buffer-size for -E
add more sanity checks in the input path
commit: retry at least once if we hit ETIME or ENOMEM
fix: use %zu instead of %u for size_t
cleanup: remove obsolete clause Replicate in the example conffiles
fix: wrong information related to default logging action
fix: wrong use of timersub in cache_timer
fix broken normal deletion in caches
ftfw: show consistent information to users for problem diagnosing
doc: remove duplicated example files
script: rework scripts that enable interaction with keepalived
conntrackd: add -t option to shorten conntrack timeouts
fix missing updates in the example files
script: fix broken if branches
cache_iterators: do not report ENOENT in cache_reset_timers
script: yet another minor fix
netlink: add getter and check existence functions
cache iterators: rework cache_reset_timers
cache iterators: commit master entries before related ones
netlink: avoid errors related to the expected bit handling
conntrack: remove duplicated optarg checking
conntrack: remove unrequired \n in error message
conntrack: check for missing arguments in getopt_long
conntrack: insert `conntrack-tools' string in help and error messages
compilation: relax too strict warning checking
ftfw: check for malformed ack and nack messages
filter: fix NAT detection tweak
cleanup: Linux kernel version checking
filter: check if kernel-space filtering is available
cleanup: remove some debug messages from sync-ftfw.c
config: use /var/run to create the UNIX socket file
fix: remove node from tx_list when the state-entry is destroy
ftfw: fix race that triggers a double insertion into tx_list
ftfw: fix race condition in the helloing routine
ftfw: reset window and flush the resend queue during helloing
conntrack: cleanup for the update path
conntrack: cleanup XML header handling
conntrack: fix mark-based filtering for event display
conntrack: fix filtering for unsupported protocol
conntrack: fix dump counter displayed with -L expect
manual: add initial user manual
doc: update INSTALL file
conntrack: cleanup for NAT filtering
cache: fix update of scheduled-to-timeout entries
cache-iterators: improve committing
config: fix usage of 'PurgeTimeout' in Sync NOTRACK
notrack: fix double receival of resync requests
doc: rise default size of the hashtable in the example file
netlink: report when kernel-space event filtering is in use
filter: fix segfault if the Filter clause is unused
cache: use jhash2 instead of double jhash+jhash_2words
filter: do not filter in user-space if kernel supports BSF
doc: remove example about CacheWriteTrough
doc: update conntrackd manpage
conntrackd: add missing information on -t to the help
conntrackd: bump version to 0.9.8
* Re: [ANNOUNCE] conntrack-tools 0.9.8 released
From: Karel Rericha @ 2008-10-22 10:25 UTC (permalink / raw)
To: netfilter; +Cc: pablo
2008/10/21 Pablo Neira Ayuso <pablo@netfilter.org>:
> Hi!
>
> The netfilter project proudly presents another development release of
> the conntrack-tools. This release includes important updates, fixes and
> improvements. Moreover, a new user manual has been released,
> contributions to improve are welcome! Detailed changelog is attached.
>
Hi Pablo and list,
is there any way to delete mark from connection (all marks from all
connections) without deleting connection itself ?
We are using iptables with
... -m mark ! --mark 0 -j CONNMARK --save-mark
but we would like few times a day delete all marks from all
connections to let connections are marked again (with different marks
based on time). Conntrack-tools would have been fine tool for it, if
such option had been included. Or is there any other way to do it?
Thanks, Karel
* Re: [ANNOUNCE] conntrack-tools 0.9.8 released
From: Pablo Neira Ayuso @ 2008-10-22 11:10 UTC (permalink / raw)
To: Karel Rericha; +Cc: netfilter
Karel Rericha wrote:
> Hi Pablo and list,
>
> is there any way to delete mark from connection (all marks from all
> connections) without deleting connection itself ?
>
> We are using iptables with
>
> ... -m mark ! --mark 0 -j CONNMARK --save-mark
>
> but we would like few times a day delete all marks from all
> connections to let connections are marked again (with different marks
> based on time). Conntrack-tools would have been fine tool for it, if
> such option had been included. Or is there any other way to do it?
When you mean "delete all marks", you refer to resetting the connection
marks to zero? This command should be enough.
# conntrack -U -m 0
--
"Los honestos son inadaptados sociales" -- Les Luthiers
* Re: [ANNOUNCE] conntrack-tools 0.9.8 released
From: Karel Rericha @ 2008-10-22 12:24 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
2008/10/22 Pablo Neira Ayuso <pablo@netfilter.org>:
> When you mean "delete all marks", you refer to resetting the connection
> marks to zero? This command should be enough.
Yes, resetting all marks to zero, sry for not being clear enough.
> # conntrack -U -m 0
Works great from conntrack-tools 0.9.7 (0.9.6 complains about missing
parameters), "man conntrack" does not show -U command and that's why I
missed it. "conntrack --help" shows much more information.
Thanks for help Pablo
Karel
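An added example, not part of the original thread or of conntrack-tools: shell helpers that tally connection marks from `conntrack -L` plain-text output, to confirm the effect of the `conntrack -U -m 0` reset discussed above. It assumes each listed entry carries a `mark=N` field; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally connection marks in `conntrack -L` text output.

# Reads entries on stdin, prints "<mark> <count>" per distinct mark value.
mark_histogram() {
    awk '{
        m = "none"                      # entry listed without a mark= field
        for (i = 1; i <= NF; i++)
            if ($i ~ /^mark=[0-9]+$/) m = substr($i, 6)
        count[m]++
    }
    END { for (m in count) print m, count[m] }' | sort
}

# Reads entries on stdin, prints how many still carry a non-zero mark.
nonzero_marks() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^mark=[0-9]+$/ && substr($i, 6) + 0 != 0) { n++; break }
    }
    END { print n + 0 }'
}

# Constructed sample lines (assumed layout of `conntrack -L` output).
SAMPLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40112 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40112 [ASSURED] mark=3 use=1
udp      17 25 src=192.0.2.11 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.11 sport=53 dport=5353 mark=0 use=1
tcp      6 86 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=40200 dport=80 src=198.51.100.5 dst=192.0.2.12 sport=80 dport=40200 [ASSURED] mark=3 use=1'

# Offline run over the constructed sample.
printf '%s\n' "$SAMPLE" | mark_histogram

# On a live firewall (root, conntrack-tools >= 0.9.7 per the thread):
#   conntrack -L | nonzero_marks    # before the reset
#   conntrack -U -m 0
#   conntrack -L | nonzero_marks    # after; flows re-marked by the
#                                   # CONNMARK rule in between still count
```
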
* Re: [ANNOUNCE] conntrack-tools 0.9.8 released
From: Pablo Neira Ayuso @ 2008-10-22 13:15 UTC (permalink / raw)
To: Karel Rericha; +Cc: netfilter
Karel Rericha wrote:
> 2008/10/22 Pablo Neira Ayuso <pablo@netfilter.org>:
>
>> When you mean "delete all marks", you refer to resetting the connection
>> marks to zero? This command should be enough.
>
> Yes, resetting all marks to zero, sry for not being clear enough.
Never mind.
>> # conntrack -U -m 0
This is only supported by conntrack-tools >= 0.9.7 as you have noticed.
> Works great from conntrack-tools 0.9.7 (0.9.6 complains about missing
> parameters), "man conntrack" does not show -U command and that's why I
> missed it. "conntrack --help" shows much more information.
I have committed the following patch. Thank you for the report.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 838 bytes --]
diff --git a/conntrack.8 b/conntrack.8
index bfb2de0..cbf8434 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -1,4 +1,4 @@
-.TH CONNTRACK 8 "May 6, 2007" "" ""
+.TH CONNTRACK 8 "Oct 22, 2008" "" ""
.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007)
@@ -14,6 +14,8 @@ conntrack \- command line interface for netfilter connection tracking
.br
.BR "conntrack -I [table] parameters"
.br
+.BR "conntrack -U [table] parameters"
+.br
.BR "conntrack -E [table] parameters"
.br
.BR "conntrack -F [table]"
@@ -62,6 +64,9 @@ Delete an entry from the given table.
.BI "-I, --create "
Create a new entry from the given table.
.TP
+.BI "-U, --update "
+Update an entry from the given table.
+.TP
.BI "-E, --event "
Display a real-time event log.
.TP
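Review bot: the new "-U, --update" text in this hunk ("Update an entry from the given table.") does not say which fields can be updated, nor that a call without flow parameters applies to every entry, which is the usage this thread relies on ("conntrack -U -m 0" to reset all marks to zero). Suggest "Update an entry in the given table." followed by a sentence or example covering the mark update, and a note that -U needs conntrack-tools >= 0.9.7 as stated in the reply above.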
* Re: [ANNOUNCE] conntrack-tools 0.9.8 released
From: Bryan Duff @ 2008-10-29 13:51 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Is there a changelog posted somewhere?
Thanks.
Also you may want to update your "more information" link below.
-Bryan
Pablo Neira Ayuso wrote:
> Hi!
>
> The netfilter project proudly presents another development release of
> the conntrack-tools. This release includes important updates, fixes and
> improvements. Moreover, a new user manual has been released,
> contributions to improve are welcome! Detailed changelog is attached.
>
> What are the conntrack-tools?
>
> - The userspace daemon so-called conntrackd that covers the specific
> aspects of stateful Linux firewalls to enable high availability
> solutions. It can be used as statistics collector of the firewall use as
> well. The daemon is highly configurable and easily extensible.
>
> - The command line interface (CLI) conntrack that provides an interface
> to add, delete and update flow entries, list current active flows in
> plain text/XML, current IPv4 NAT'ed flows, reset counters, and flush the
> complete connection tracking table among many other.
>
> Where can I download it from?
>
> http://www.netfilter.org/projects/conntrack-tools/downloads.html
>
> Where can I get more information about them?
>
> http://people.netfilter.org/pablo/conntrack-tools/
>
> Where can I have a look at the new user manual?
>
> http://people.netfilter.org/pablo/conntrack-tools/install.html
>
> On behalf of the Netfilter Project,
> Pablo
>
> Enjoy!
>
>
* Re: [ANNOUNCE] conntrack-tools 0.9.8 released
From: Pablo Neira Ayuso @ 2008-10-29 15:03 UTC (permalink / raw)
To: Bryan Duff; +Cc: netfilter-devel
Bryan Duff wrote:
> Is there a changelog posted somewhere?
Hm, did I forget to include it in the email? Attached again. The
ChangeLog is extracted from git shortlog, you may want to get more
detailed information from git.netfilter.org.
> Also you may want to update your "more information" link below.
http://conntrack-tools.netfilter.org/manual.html
--
"Los honestos son inadaptados sociales" -- Les Luthiers
[-- Attachment #2: ChangeLog --]
[-- Type: text/plain, Size: 3671 bytes --]
Albin Tonerre (1):
fix unsecure usage of printf and include limits.h (PATH_MAX and INT_MAX)
Eric Leblond (1):
commit: retry at least once if we hit ETIME or ENOMEM
Pablo Neira Ayuso (63):
check if entries already exist in kernel before injection
do not include Changelog in tarballs, user git shortlog for changelog instead
use only the original tuple to check if a conntrack is present
fix xml output: wrap output with one root element
Major rework of the user-space event filtering
add support for kernel-space filtering via BSF
log: syslog displays the entry that triggers the error
filter: skip protocol state filtering if state not present
CLI: add new option --buffer-size for -E
add more sanity checks in the input path
fix: use %zu instead of %u for size_t
cleanup: remove obsolete clause Replicate in the example conffiles
fix: wrong information related to default logging action
fix: wrong use of timersub in cache_timer
fix broken normal deletion in caches
ftfw: show consistent information to users for problem diagnosing
doc: remove duplicated example files
script: rework scripts that enable interaction with keepalived
conntrackd: add -t option to shorten conntrack timeouts
fix missing updates in the example files
script: fix broken if branches
cache_iterators: do not report ENOENT in cache_reset_timers
script: yet another minor fix
netlink: add getter and check existence functions
cache iterators: rework cache_reset_timers
cache iterators: commit master entries before related ones
netlink: avoid errors related to the expected bit handling
cli: remove duplicated optarg checking
cli: remove unrequired \n in error message
cli: check for missing arguments in getopt_long
cli: insert `conntrack-tools' string in help and error messages
compilation: relax too strict warning checking
ftfw: check for malformed ack and nack messages
filter: fix NAT detection tweak
cleanup: Linux kernel version checking
filter: check if kernel-space filtering is available
cleanup: remove some debug messages from sync-ftfw.c
config: use /var/run to create the UNIX socket file
fix: remove node from tx_list when the state-entry is destroy
ftfw: fix race that triggers a double insertion into tx_list
ftfw: fix race condition in the helloing routine
ftfw: reset window and flush the resend queue during helloing
conntrack: cleanup for the update path
conntrack: cleanup XML header handling
conntrack: fix mark-based filtering for event display
conntrack: fix filtering for unsupported protocol
conntrack: fix dump counter displayed with -L expect
manual: add initial user manual
doc: update INSTALL file
conntrack: cleanup for NAT filtering
cache: fix update of scheduled-to-timeout entries
cache-iterators: improve committing
config: fix usage of 'PurgeTimeout' in Sync NOTRACK
notrack: fix double receival of resync requests
doc: rise default size of the hashtable in the example file
netlink: report when kernel-space event filtering is in use
filter: fix segfault if the Filter clause is unused
cache: use jhash2 instead of double jhash+jhash_2words
filter: do not filter in user-space if kernel supports BSF
doc: remove example about CacheWriteTrough
doc: update conntrackd manpage
conntrackd: add missing information on -t to the help
conntrackd: bump version to 0.9.8