- Update from 1.4.6 to 1.4.7
- Update of rootfile not required
- Requires update fo libnetfilter_conntrack from 1.0.8 to 1.0.9
- Changelog
conntrack-tools 1.4.7
This release contains new features:
* IPS_HW_OFFLOAD flag specifies that a conntrack entry has been
offloaded into the hardware
* 'clash_resolve' and 'chaintoolong' stats counters
* Default to unspec family if '-f' flag is absent to improve support for
dual-stack setups
* Support filtering events by IP address family
* Support flushing per IP address family
* Add "save" output format representing data in conntrack parameters
* Support loading conntrack commands from a batch file, e.g. generated
by "save" output format
* Annotate portid in events by the program name (if found)
* Accept yes/no as synonyms to on/off in conntrackd.conf
* Support user space helper auto-loading upon daemon startup, relieving
users from manual 'nfct add helper' calls
* Filter dumps by status on kernel side if possible
* Accept to filter for any status other than SEEN_REPLY using
'UNREPLIED'
* Use libmnl internally
* Reuse netlink socket for improved performance with bulk CT entry loads
* Remove '-o userspace' flag and always tag user space triggered events
* Introduce '-A' command, a variant of '-I' which does not fail if the
entry exists already
... and fixes:
* ICMP entry creation would fail when reply data was specified
* Sync zone value also
* Log external inject problems as warning only
* Endianness bug parsing IP addresses
* Ignore conntrack ID when looking up cache entries to allow for stuck
old ones to be replaced eventually
* Broken parsing of IPv6 M-SEARCH requests in ssdp cthelper
* Eliminate the need for lazy binding in nfct
* Fix for use of unknown protocol values
* Sanitize protocol value parsing, catch illegal values
* Ensure unknown protocol values are included in '-o save' dumps
... and documentation updates:
* Fixed examples in manual
* Refer to nf_conntrack sysctl instead of the deprecated ip_conntrack
one
* Misc updates to the manual
* Add an older example script creating an active-active setup using the
cluster match
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
