From 142f42e8be74c8d3139e93a340a015ced9b64f34 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: May 07 2014 19:49:35 +0000 Subject: Revert "* Mon May 07 2012 Paul Wouters - 1.0.1-1" This reverts commit fe8bf312366c96a6a3a70e2873fe1f98a1dafd22. --- diff --git a/.gitignore b/.gitignore index f6f2be9..4eb5016 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ conntrack-tools-0.9.14.tar.bz2 /conntrack-tools-0.9.15.tar.bz2 /conntrack-tools-1.0.0.tar.bz2 -/conntrack-tools-1.0.1.tar.bz2 diff --git a/conntrack-tools-NULL.patch b/conntrack-tools-NULL.patch deleted file mode 100644 index 1c5d927..0000000 --- a/conntrack-tools-NULL.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -Naur conntrack-tools-1.0.1-orig/src/parse.c conntrack-tools-1.0.1/src/parse.c ---- conntrack-tools-1.0.1-orig/src/parse.c 2012-01-04 11:48:15.490258748 -0500 -+++ conntrack-tools-1.0.1/src/parse.c 2012-05-07 22:49:51.590626617 -0400 -@@ -16,6 +16,9 @@ - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -+/* for NULL :P */ -+#include -+ - #include "network.h" - - #include diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 246f4ed..74e030a 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,28 +1,18 @@ Name: conntrack-tools -Version: 1.0.1 -Release: 1%{?dist} -Summary: Manipulate netfilter connection tracking table and run High Availability +Version: 1.0.0 +Release: 2%{?dist} +Summary: Tools to manipulate netfilter connection tracking table Group: System Environment/Base License: GPLv2 URL: http://netfilter.org Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 -Source1: conntrackd.service -Source2: conntrackd.conf -Patch1: conntrack-tools-NULL.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: libnfnetlink-devel >= 1.0.0, libnetfilter_conntrack-devel >= 0.9.1 -BuildRequires: pkgconfig bison flex +BuildRequires: pkgconfig bison flex Provides: conntrack = 1.0-1 Obsoletes: conntrack < 1.0-1 -BuildRequires: systemd-units -Requires(post): systemd-sysv -Requires(post): systemd-units -Requires(preun): systemd-units -Requires(postun): systemd-units %description -With conntrack-tools you can setup a High Availability cluster and -synchronize conntrack state between multiple firewalls. - The conntrack-tools package contains two programs: - conntrack: the command line interface to interact with the connection tracking system. @@ -40,50 +30,26 @@ show an event message (one line) per newly established connection. %prep %setup -q -%patch1 -p1 %build %configure --disable-static %{__make} %{?_smp_mflags} -chmod 644 doc/sync/primary-backup.sh %install -%{__make} install DESTDIR=%{buildroot} -mkdir -p %{buildroot}%{_sysconfdir}/conntrackd -install -d 0755 %{buildroot}%{_unitdir} -install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ -install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ +rm -rf $RPM_BUILD_ROOT +%{__make} install DESTDIR=$RPM_BUILD_ROOT + +%clean +rm -rf $RPM_BUILD_ROOT %files -%doc COPYING AUTHORS TODO doc -%dir %{_sysconfdir}/conntrackd -%config(noreplace) %{_sysconfdir}/conntrackd/conntrackd.conf -%{_unitdir}/conntrackd.service +%defattr(-,root,root,-) +%doc COPYING AUTHORS INSTALL TODO doc %{_sbindir}/conntrack %{_sbindir}/conntrackd %{_mandir}/man8/* -%preun -if [ $1 -eq 0 ]; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable conntrackd.service > /dev/null 2>&1 || : - /bin/systemctl stop conntrackd.service > /dev/null 2>&1 || : -fi - -%postun -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ $1 -ge 1 ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart conntrackd.service >/dev/null 2>&1 || : -fi - %changelog -* Mon May 07 2012 Paul Wouters - 1.0.1-1 -- Updated to 1.0.1 -- Added daemon using systemd and configuration file -- Removed legacy spec requirements -- Patch for: parse.c:240:34: error: 'NULL' undeclared - * Thu Jan 12 2012 Fedora Release Engineering - 1.0.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild @@ -128,7 +94,7 @@ fi - remove rollup patch * Wed Jul 16 2008 Paul P. Komkoff Jr - 0.9.7-2 -- fix Patch0/%%patch. +- fix Patch0/%patch. * Wed Jul 16 2008 Paul P. Komkoff Jr - 0.9.7-1 - new upstream version diff --git a/conntrackd.conf b/conntrackd.conf deleted file mode 100644 index 3970e91..0000000 --- a/conntrackd.conf +++ /dev/null @@ -1,419 +0,0 @@ - -# See also: http://conntrack-tools.netfilter.org/support.html -# -# There are 3 different modes of running conntrackd: "alarm", "notrack" and "ftfw" -# -# The default package ships with a FTFW configuration, see /usr/share/doc/conntrackd* -# for example configurations for other modes. - - -# -# Synchronizer settings -# -Sync { - Mode FTFW { - # - # Size of the resend queue (in objects). This is the maximum - # number of objects that can be stored waiting to be confirmed - # via acknoledgment. If you keep this value low, the daemon - # will have less chances to recover state-changes under message - # omission. On the other hand, if you keep this value high, - # the daemon will consume more memory to store dead objects. - # Default is 131072 objects. - # - # ResendQueueSize 131072 - - # - # This parameter allows you to set an initial fixed timeout - # for the committed entries when this node goes from backup - # to primary. This mechanism provides a way to purge entries - # that were not recovered appropriately after the specified - # fixed timeout. If you set a low value, TCP entries in - # Established states with no traffic may hang. For example, - # an SSH connection without KeepAlive enabled. If not set, - # the daemon uses an approximate timeout value calculation - # mechanism. By default, this option is not set. - # - # CommitTimeout 180 - - # - # If the firewall replica goes from primary to backup, - # the conntrackd -t command is invoked in the script. - # This command schedules a flush of the table in N seconds. - # This is useful to purge the connection tracking table of - # zombie entries and avoid clashes with old entries if you - # trigger several consecutive hand-overs. Default is 60 seconds. - # - # PurgeTimeout 60 - - # Set the acknowledgement window size. If you decrease this - # value, the number of acknowlegdments increases. More - # acknowledgments means more overhead as conntrackd has to - # handle more control messages. On the other hand, if you - # increase this value, the resend queue gets more populated. - # This results in more overhead in the queue releasing. - # The following value is based on some practical experiments - # measuring the cycles spent by the acknowledgment handling - # with oprofile. If not set, default window size is 300. - # - # ACKWindowSize 300 - - # - # This clause allows you to disable the external cache. Thus, - # the state entries are directly injected into the kernel - # conntrack table. As a result, you save memory in user-space - # but you consume slots in the kernel conntrack table for - # backup state entries. Moreover, disabling the external cache - # means more CPU consumption. You need a Linux kernel - # >= 2.6.29 to use this feature. By default, this clause is - # set off. If you are installing conntrackd for first time, - # please read the user manual and I encourage you to consider - # using the fail-over scripts instead of enabling this option! - # - # DisableExternalCache Off - } - - # - # Multicast IP and interface where messages are - # broadcasted (dedicated link). IMPORTANT: Make sure - # that iptables accepts traffic for destination - # 225.0.0.50, eg: - # - # iptables -I INPUT -d 225.0.0.50 -j ACCEPT - # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT - # - Multicast { - # - # Multicast address: The address that you use as destination - # in the synchronization messages. You do not have to add - # this IP to any of your existing interfaces. If any doubt, - # do not modify this value. - # - IPv4_address 225.0.0.50 - - # - # The multicast group that identifies the cluster. If any - # doubt, do not modify this value. - # - Group 3780 - - # - # IP address of the interface that you are going to use to - # send the synchronization messages. Remember that you must - # use a dedicated link for the synchronization messages. - # - IPv4_interface 192.168.100.100 - - # - # The name of the interface that you are going to use to - # send the synchronization messages. - # - Interface eth2 - - # The multicast sender uses a buffer to enqueue the packets - # that are going to be transmitted. The default size of this - # socket buffer is available at /proc/sys/net/core/wmem_default. - # This value determines the chances to have an overrun in the - # sender queue. The overrun results packet loss, thus, losing - # state information that would have to be retransmitted. If you - # notice some packet loss, you may want to increase the size - # of the sender buffer. The default size is usually around - # ~100 KBytes which is fairly small for busy firewalls. - # - SndSocketBuffer 1249280 - - # The multicast receiver uses a buffer to enqueue the packets - # that the socket is pending to handle. The default size of this - # socket buffer is available at /proc/sys/net/core/rmem_default. - # This value determines the chances to have an overrun in the - # receiver queue. The overrun results packet loss, thus, losing - # state information that would have to be retransmitted. If you - # notice some packet loss, you may want to increase the size of - # the receiver buffer. The default size is usually around - # ~100 KBytes which is fairly small for busy firewalls. - # - RcvSocketBuffer 1249280 - - # - # Enable/Disable message checksumming. This is a good - # property to achieve fault-tolerance. In case of doubt, do - # not modify this value. - # - Checksum on - } - # - # You can specify more than one dedicated link. Thus, if one dedicated - # link fails, conntrackd can fail-over to another. Note that adding - # more than one dedicated link does not mean that state-updates will - # be sent to all of them. There is only one active dedicated link at - # a given moment. The `Default' keyword indicates that this interface - # will be selected as the initial dedicated link. You can have - # up to 4 redundant dedicated links. Note: Use different multicast - # groups for every redundant link. - # - # Multicast Default { - # IPv4_address 225.0.0.51 - # Group 3781 - # IPv4_interface 192.168.100.101 - # Interface eth3 - # # SndSocketBuffer 1249280 - # # RcvSocketBuffer 1249280 - # Checksum on - # } - - # - # You can use Unicast UDP instead of Multicast to propagate events. - # Note that you cannot use unicast UDP and Multicast at the same - # time, you can only select one. - # - # UDP { - # - # UDP address that this firewall uses to listen to events. - # - # IPv4_address 192.168.2.100 - # - # or you may want to use an IPv6 address: - # - # IPv6_address fe80::215:58ff:fe28:5a27 - - # - # Destination UDP address that receives events, ie. the other - # firewall's dedicated link address. - # - # IPv4_Destination_Address 192.168.2.101 - # - # or you may want to use an IPv6 address: - # - # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c - - # - # UDP port used - # - # Port 3780 - - # - # The name of the interface that you are going to use to - # send the synchronization messages. - # - # Interface eth2 - - # - # The sender socket buffer size - # - # SndSocketBuffer 1249280 - - # - # The receiver socket buffer size - # - # RcvSocketBuffer 1249280 - - # - # Enable/Disable message checksumming. - # - # Checksum on - # } - - # - # Other unsorted options that are related to the synchronization. - # - # Options { - # - # TCP state-entries have window tracking disabled by default, - # you can enable it with this option. As said, default is off. - # This feature requires a Linux kernel >= 2.6.36. - # - # TCPWindowTracking Off - # } -} - -# -# General settings -# -General { - # - # Set the nice value of the daemon, this value goes from -20 - # (most favorable scheduling) to 19 (least favorable). Using a - # very low value reduces the chances to lose state-change events. - # Default is 0 but this example file sets it to most favourable - # scheduling as this is generally a good idea. See man nice(1) for - # more information. - # - Nice -20 - - # - # Select a different scheduler for the daemon, you can select between - # RR and FIFO and the process priority (minimum is 0, maximum is 99). - # See man sched_setscheduler(2) for more information. Using a RT - # scheduler reduces the chances to overrun the Netlink buffer. - # - # Scheduler { - # Type FIFO - # Priority 99 - # } - - # - # Number of buckets in the cache hashtable. The bigger it is, - # the closer it gets to O(1) at the cost of consuming more memory. - # Read some documents about tuning hashtables for further reference. - # - HashSize 32768 - - # - # Maximum number of conntracks, it should be double of: - # $ cat /proc/sys/net/netfilter/nf_conntrack_max - # since the daemon may keep some dead entries cached for possible - # retransmission during state synchronization. - # - HashLimit 131072 - - # - # Logfile: on (/var/log/conntrackd.log), off, or a filename - # Default: off - # - LogFile on - - # - # Syslog: on, off or a facility name (daemon (default) or local0..7) - # Default: off - # - #Syslog on - - # - # Lockfile - # - LockFile /var/lock/conntrack.lock - - # - # Unix socket configuration - # - UNIX { - Path /var/run/conntrackd.ctl - Backlog 20 - } - - # - # Netlink event socket buffer size. If you do not specify this clause, - # the default buffer size value in /proc/net/core/rmem_default is - # used. This default value is usually around 100 Kbytes which is - # fairly small for busy firewalls. This leads to event message dropping - # and high CPU consumption. This example configuration file sets the - # size to 2 MBytes to avoid this sort of problems. - # - NetlinkBufferSize 2097152 - - # - # The daemon doubles the size of the netlink event socket buffer size - # if it detects netlink event message dropping. This clause sets the - # maximum buffer size growth that can be reached. This example file - # sets the size to 8 MBytes. - # - NetlinkBufferSizeMaxGrowth 8388608 - - # - # If the daemon detects that Netlink is dropping state-change events, - # it automatically schedules a resynchronization against the Kernel - # after 30 seconds (default value). Resynchronizations are expensive - # in terms of CPU consumption since the daemon has to get the full - # kernel state-table and purge state-entries that do not exist anymore. - # Be careful of setting a very small value here. You have the following - # choices: On (enabled, use default 30 seconds value), Off (disabled) - # or Value (in seconds, to set a specific amount of time). If not - # specified, the daemon assumes that this option is enabled. - # - # NetlinkOverrunResync On - - # - # If you want reliable event reporting over Netlink, set on this - # option. If you set on this clause, it is a good idea to set off - # NetlinkOverrunResync. This option is off by default and you need - # a Linux kernel >= 2.6.31. - # - # NetlinkEventsReliable Off - - # - # By default, the daemon receives state updates following an - # event-driven model. You can modify this behaviour by switching to - # polling mode with the PollSecs clause. This clause tells conntrackd - # to dump the states in the kernel every N seconds. With regards to - # synchronization mode, the polling mode can only guarantee that - # long-lifetime states are recovered. The main advantage of this method - # is the reduction in the state replication at the cost of reducing the - # chances of recovering connections. - # - # PollSecs 15 - - # - # The daemon prioritizes the handling of state-change events coming - # from the core. With this clause, you can set the maximum number of - # state-change events (those coming from kernel-space) that the daemon - # will handle after which it will handle other events coming from the - # network or userspace. A low value improves interactivity (in terms of - # real-time behaviour) at the cost of extra CPU consumption. - # Default (if not set) is 100. - # - # EventIterationLimit 100 - - # - # Event filtering: This clause allows you to filter certain traffic, - # There are currently three filter-sets: Protocol, Address and - # State. The filter is attached to an action that can be: Accept or - # Ignore. Thus, you can define the event filtering policy of the - # filter-sets in positive or negative logic depending on your needs. - # You can select if conntrackd filters the event messages from - # user-space or kernel-space. The kernel-space event filtering - # saves some CPU cycles by avoiding the copy of the event message - # from kernel-space to user-space. The kernel-space event filtering - # is prefered, however, you require a Linux kernel >= 2.6.29 to - # filter from kernel-space. If you want to select kernel-space - # event filtering, use the keyword 'Kernelspace' instead of - # 'Userspace'. - # - Filter From Userspace { - # - # Accept only certain protocols: You may want to replicate - # the state of flows depending on their layer 4 protocol. - # - Protocol Accept { - TCP - SCTP - DCCP - # UDP - # ICMP # This requires a Linux kernel >= 2.6.31 - # IPv6-ICMP # This requires a Linux kernel >= 2.6.31 - } - - # - # Ignore traffic for a certain set of IP's: Usually all the - # IP assigned to the firewall since local traffic must be - # ignored, only forwarded connections are worth to replicate. - # Note that these values depends on the local IPs that are - # assigned to the firewall. - # - Address Ignore { - IPv4_address 127.0.0.1 # loopback - IPv4_address 192.168.0.100 # virtual IP 1 - IPv4_address 192.168.1.100 # virtual IP 2 - IPv4_address 192.168.0.1 - IPv4_address 192.168.1.1 - IPv4_address 192.168.100.100 # dedicated link ip - # - # You can also specify networks in format IP/cidr. - # IPv4_address 192.168.0.0/24 - # - # You can also specify an IPv6 address - # IPv6_address ::1 - } - - # - # Uncomment this line below if you want to filter by flow state. - # This option introduces a trade-off in the replication: it - # reduces CPU consumption at the cost of having lazy backup - # firewall replicas. The existing TCP states are: SYN_SENT, - # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, - # TIME_WAIT, CLOSED, LISTEN. - # - # State Accept { - # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP - # } - } -} diff --git a/conntrackd.service b/conntrackd.service deleted file mode 100644 index 25d0aac..0000000 --- a/conntrackd.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=connection tracking daemon for debugging and High Availablity -After=syslog.target network.target - -[Service] -Type=simple -#PIDFile=/var/run/xl2tpd/xl2tpd.pid -ExecStart=/usr/sbin/conntrackd -d -C /etc/conntrackd/conntrackd.conf - -[Install] -WantedBy=multi-user.target diff --git a/conntrackd.sysconfig b/conntrackd.sysconfig new file mode 100644 index 0000000..acaa2cd --- /dev/null +++ b/conntrackd.sysconfig @@ -0,0 +1,6 @@ +# Override the default config file +#CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf + +# Any arguments +#CONNTRACKD_ARGS= + diff --git a/sources b/sources index 4b93ca2..ab8af58 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -8a60f02a177fc31fe40cc992c4de90e2 conntrack-tools-1.0.1.tar.bz2 +5add24d4761baf17af630d5627a71752 conntrack-tools-1.0.0.tar.bz2