path: root/src/run.c
Commit message (Collapse)AuthorAgeFilesLines
* conntrackd: flush operation use the child process and origin infrastructurePablo Neira Ayuso2009-05-231-2/+27
| | | | | | | | | | | | With this patch, the flush operation is performed by a child process. Thus, the parent process digests destroy events that ctnetlink reports back and, thanks to the origin infrastructure, we skip the messy implicit synchronization that are triggered by such events. This patch requires a Linux kernel >= 2.6.29 to benefit from this change, otherwise it has no effect. Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: detect where the events comes fromPablo Neira Ayuso2009-05-231-6/+12
| | | | | | | | | | Since Linux kernel 2.6.29, ctnetlink reports the changes that have been done using ctnetlink. With this patch, conntrackd can recognize who is the origin of the event messages. For example, this is interesting to avoid a messy implicit bulk send during the commit of entries. Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: add child process infrastructurePablo Neira Ayuso2009-05-231-0/+4
| | | | | | | | | | | | | This patch adds a simple infrastructure that allows to account the child processes that have been forked. This also includes a callback handler that can be registered that is called once the child process finishes. We can extended this later to include an alarm to limit the maximum lifetime of a forked child process. This is good to ensure that child processes behave timely. Signed-off-by: Pablo Neira Ayuso <>
* src: use resync handler for polling instead of dump handlerPablo Neira Ayuso2009-02-141-21/+20
| | | | | | | | This patch moves the polling logic into the resync handler. The dump handler action depended on the daemon working mode (polling or event-driven) resulting in an inconsistent behaviour. Signed-off-by: Pablo Neira Ayuso <>
* netlink: add new option NetlinkOverrunResyncPablo Neira Ayuso2009-02-081-4/+4
| | | | | | | | This patch adds NetlinkOverrunResync. This option can be used to set the amount of time after which the daemon resynchronizes itself with the kernel state-table if it detects a Netlink overrun. Signed-off-by: Pablo Neira Ayuso <>
* src: re-work polling strategyPablo Neira Ayuso2009-02-061-26/+59
| | | | | | | | This patch improves the polling support included in 0.9.10. The polling now consists of getting the state table, wait for PollSecs, then purge obsolete entries, and so on. Signed-off-by: Pablo Neira Ayuso <>
* netlink: refactorize several nl_init_*_handler() functionsPablo Neira Ayuso2009-02-051-3/+5
| | | | | | | | | | This patch removes: * nl_init_dump_handler() * nl_init_request_handler() * nl_init_resync_handler() since they all look very similar. Signed-off-by: Pablo Neira Ayuso <>
* src: add state polling support (oppossed to current event-driven)Pablo Neira Ayuso2009-01-171-12/+29
| | | | | | | | | | | | This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls every N seconds the entries. This is the opposed behaviour of an event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication. Signed-off-by: Pablo Neira Ayuso <>
* src: remove register_fds hooksPablo Neira Ayuso2009-01-171-16/+9
| | | | | | | This patch moves the file descriptor registration after the initialization instead of having a specific hook for this. Signed-off-by: Pablo Neira Ayuso <>
* src: rename overrun handler to resync handlerPablo Neira Ayuso2009-01-171-11/+11
| | | | | | | | | This patch is a cleanup. The overrun handler is actually a way to resynchronize against the conntrack kernel table. The name overrun was used because it was initially its purpose. The new naming shows its genericity. Signed-off-by: Pablo Neira Ayuso <>
* run: relax resynchronization algorithm when netlink overrunsPablo Neira Ayuso2009-01-151-9/+29
| | | | | | | | | | | | | | | | | | | | | | | | This patch relaxes the current approach when netlink reports overruns. There are two situations that can trigger a resynchronization with the kernel conntrack table: a) Netlink overruns because the receiver buffer is too small: increasing the netlink buffer size and schedule a resync with the kernel table conntrack to resolve the inconsistency. The sysadmin would notice in the logs and will try to set a bigger buffer in the configuration file. b) The system is under heavy workload (CPU is too busy): we should avoid resync with the kernel table since this is an expensive operation. We do our best here and keep replicating as much states as possible. If CPU consumption lowers at some point, the we will try to resync ourselves. This patch reduces the chances to resynchronize with the kernel conntrack table unless that two overruns do not happen in an internal of 30 seconds. Signed-off-by: Pablo Neira Ayuso <>
* run: limit the number of iterations over the event handlingPablo Neira Ayuso2009-01-151-3/+8
| | | | | | | | Currently, the event handling can starve other event file descriptors. This patch limits the number of event handling iterations. The parameter is tunable via configuration file. Signed-off-by: Pablo Neira Ayuso <>
* run: show current netlink buffer size in `-s runtime'Pablo Neira Ayuso2009-01-141-1/+3
| | | | | | | | | | This patch shows the current netlink buffer size via `-s runtime'. # conntrackd -s ru ... current buffer size (in bytes): 204800 Signed-off-by: Pablo Neira Ayuso <>
* src: add run-time statistics via `-s runtime'Pablo Neira Ayuso2008-12-211-9/+95
| | | | | | | | | | | | This patch adds run-time statistics that you can check via `conntrackd -s runtime'. This information is useful for trouble-shooting. This patch replaces several log messages that can be triggered in runtime. The idea behind this patch is to avoid log message flooding under errors. Signed-off-by: Pablo Neira Ayuso <>
* netlink: fix EILSEQ error messages due to process race conditionPablo Neira Ayuso2008-12-111-5/+5
| | | | | | | | | | | | | | | | | | | | | This patch fixes a race condition that triggers EILSEQ errors (wrong sequence message). The problems is triggered when the child process resets the timers at the same time that the parent process requests a resync. Since both the child and the parent process use the same descriptors, the sequence tracking code in libnfnetlink gets confused as it considers that it is receiving out of sequence netlink messages. This patch introduces internal handlers to commit and reset timers so that the parent and the child do not use the same descriptors to operate with the kernel. This patch changes the prototype of all nf_*_conntrack() functions. Now, the nfct handler is passed as first parameter, this change is required to fix this problem. The rest of the changes on the API is done for consistency. Signed-off-by: Pablo Neira Ayuso <>
* run: better wait() error handlingPablo Neira Ayuso2008-12-101-1/+33
| | | | | | | The current wait() error handling was insufficient. This patch introduce more verbose error reporting. Signed-off-by: Pablo Neira Ayuso <>
* src: recover conntrackd -F operationPablo Neira Ayuso2008-12-091-6/+2
| | | | | | | | | This patch recovers the option -F for conntrackd. This will be particularly useful to flush the kernel conntrack table without getting the event notification of the conntrack deletions (that will happen with Linux kernel >= 2.6.29). Signed-off-by: Pablo Neira Ayuso <>
* src: move callbacks to run.c for better readabilityPablo Neira Ayuso2008-11-271-5/+67
| | | | | | | | | This patch is a cleanup. It moves the callbacks from netlink.c to run.c where they are actually invoked. This is better for code readability as I usually have to switch from run.c to netlink.c to remember what the callbacks actually do. Signed-off-by: Pablo Neira Ayuso <>
* run: release fds structure in the exit pathPablo Neira Ayuso2008-11-261-0/+1
| | | | | | This patch adds the missing destroy_fds() in the exit path. Signed-off-by: Pablo Neira Ayuso <>
* filter: fix segfault if the Filter clause is unusedPablo Neira Ayuso2008-10-211-1/+2
| | | | | | | This patch fixes a segfault when conntrackd -k is invoked for an instance of conntrackd with no use of the Filter clause. Signed-off-by: Pablo Neira Ayuso <>
* netlink: add getter and check existence functionsPablo Neira Ayuso2008-08-071-0/+8
| | | | | | | | | | This patch adds nl_get_conntrack and it changes the behaviour of nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for a conntrack and updates the cached entry. On the other hand, nl_exist_conntrack only inquiries for the existence of the entry. Signed-off-by: Pablo Neira Ayuso <>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-221-2/+2
| | | | | | | | | | This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <>
* delay the closure of the dump descriptor to fix assertion with cache_wtconntrack-tools-0.9.7Pablo Neira Ayuso2008-05-311-1/+3
* improve netlink overrun handling/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-091-2/+25
* revert relicensing... still we use linux_list.h code which seems to be GPLv2 ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-081-1/+1
| | | | only which is incompatible AFAIK
* relicense conntrack-tools as GPLv3+, so far the most significant contributor ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-03-081-1/+1
| | | | has been Max Kellermann and has no issues with relicensing their contributions.
* compose the file descriptor set at initialization stage to save some cycles/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-191-12/+19
* From: Max Kellermann <>/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-02-141-6/+6
| | | | whitespace cleanups
* implement a rb-tree based alarm framework/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-291-6/+0
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-231-7/+6
| | | | | | added struct local_server, several cleanups in local socket infrastructure This patch include minor changes by the comitter
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-231-1/+1
| | | | fix error checking of local_create_server()
* minor cleanups/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-221-5/+5
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-221-6/+3
| | | | - Save initialization stage in the __run() loop
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-221-30/+14
| | | | | | - Pass next_alarm to __run() only if there is an alarm - Eliminate the "timeout" parameter - the alarm functions get_next_alarm_run() and do_alarm_run() return an timeval pointer instead of a boolean
* yet another rework of the alarm scheduler/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-181-14/+28
* Fix wrong dlog call/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-181-5/+4
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-181-4/+6
| | | | improve error message if netlink initialization fails
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-181-12/+12
| | | | Simplify logging infrastructure
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-171-5/+2
| | | | import only required C headers and put local headers on top to check
* remove unix socket file on exit/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-151-1/+1
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-151-4/+13
| | | | Fix tons of gcc warnings
* Max Kellermann <>:/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-151-0/+1
| | | | add missing function prototypes
* fix broken next alarm calculation in the run loop/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-141-1/+2
* improve alarm framework based on suggestions from Max Duempel/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-141-7/+8
* set up the configuration flags when defaulting/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-141-0/+1
* fix statistics mode CPU sucks up (broken with 7178)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-091-2/+6
* wake up the daemon iff there are real events to handle instead of polling ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-091-32/+15
| | | | (Based on comments from Max Kellerman)
* fix segfaul in the exit path for the statistics mode (introduced in r7175)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-071-1/+1
* obsolete `-S' option: Use information provided by the config file/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-051-13/+9
* o add support for connection logging to the statistics mode via Logfile/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-01-031-13/+13
| | | | | | o minor irrelevant fixes for uncommon error paths and fix several typos o use LOG_INFO for connection logging, use LOG_NOTICE for other information o minor error handling updates