path: root/src/sync-ftfw.c
Commit message | Author | Age | Files | Lines
* network: do not re-set the message type in nethdr_set* functions | Pablo Neira Ayuso | 2009-01-17 | 1 | -4/+1
  The network headers already contain the message type set. It is not necessary to set it up again.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: enqueue state updates to tx_queue | Pablo Neira Ayuso | 2009-01-17 | 1 | -34/+36
  With this patch, all the state updates are enqueued in the tx_queue. Thus, there's a single output path. This patch adds a simple refcounting mechanism to note when an object is sitting in the txqueue. This patch also removes the alarm that is required by the ftfw approach.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: add generic tx_queue for all synchronization modes | Pablo Neira Ayuso | 2009-01-17 | 1 | -26/+11
  This patch adds a generic tx queue for all synchronization modes.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: move helloing to ftfw_xmit() | Pablo Neira Ayuso | 2009-01-17 | 1 | -43/+22
  This patch moves the helloing logic into ftfw_xmit. Still, the helloing is kept in ftfw_send as we still have two possible paths for messages. This will be removed in the next patches to make all messages go over a single txqueue.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sync: unify tx_list and tx_queue into one single tx_queue | Pablo Neira Ayuso | 2009-01-15 | 1 | -191/+176
  This patch unifies the tx_list and the tx_queue to have only one transmission queue. Since the tx_list holds state objects and tx_queue control messages, I have introduced a queue node type that can be used to differentiate the kind of information that the node stores: object or control message.
  This patch also reworks the existing queue class to include a file descriptor that can be used to know if there are new data added to the queue (see QUEUE_F_EVFD flag). In this change, I have also modified the current evfd to make the file descriptor to make read operations non-blocking. Moreover, it keeps a counter that is used to know how many messages are inserted in the queue.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rework of the hash-cache infrastructure | Pablo Neira Ayuso | 2009-01-15 | 1 | -22/+18
  Currently, the caching system is implemented in a two layer architecture: hashtable (inner layer) and cache (upper layer). This patch reworks the hash-cache infrastructure to solve some initial design problems to make it more flexible, the main strong points of this patch are:
  * Memory handling is done in the cache layer, not in the inner hashtable layer. This removes one of the main dependencies between the hashtable and the cache classes.
  * Remove excessive encapsulation: the former cache used to hide a lot of details of the inner hashtable implementation.
  * Fix over-hashing of some operations: lookup-delete-add required three hash calculations. Similarly, the update-or-add operation required two hash calculations. Now, we calculate the hash once and re-use the value as many times as we need.
  This patch simplifies the caching system. As a result, we save ~130 lines of code. Small code and less complexity mean less chance to have bugs.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add network statistics via `-s network' | Pablo Neira Ayuso | 2008-12-21 | 1 | -3/+1
  This patch adds network statistics that you can check via `conntrackd -s network'. This information is useful for trouble-shooting. This patch replaces several log messages that can be triggered in runtime. The idea behind this patch is to avoid log message flooding under errors.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: shrink alive message size | Pablo Neira Ayuso | 2008-12-13 | 1 | -2/+34
  This patch reduces the size of alive messages by removing the "from" and "to" fields which are not of any help. This patch also removes the IS_CTL() macro since it does not return true for the control messages anymore but only for IS_ACK(), IS_NACK() and IS_RESYNC().
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: do more strict message type checking | Pablo Neira Ayuso | 2008-12-13 | 1 | -0/+1
  This patch adds more strict checking in the message type. We add a new message type NET_T_CTL for control messages.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: resync messages can be retransmitted | Pablo Neira Ayuso | 2008-12-13 | 1 | -1/+1
  This patch includes resync messages in the tx queue. Thus, if a resync message gets lost, it is resent.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: do not check for data messages in tx_queue_xmit | Pablo Neira Ayuso | 2008-12-13 | 1 | -1/+1
  This patch removes an IS_DATA(net) in tx_queue_xmit which is not possible to happen anymore since there are no chances to have data in the transmission queue (instead it is all in the transmission list).
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: use NET_T_* instead of NFCT_Q_* | Pablo Neira Ayuso | 2008-12-13 | 1 | -5/+5
  This patch replaces the use of NFCT_Q_* in the message type by specific network message type NET_T_*. The query types are reserved for libnetfilter_conntrack operations.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: remove the netpld header from the messages | Pablo Neira Ayuso | 2008-12-08 | 1 | -4/+4
  This patch simplifies the message format of the replication messages. As a result, we save four bytes. The netpld header was introduced in the early protocol design. Today, it does not have any reason to exist.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: remove length parameter of mcast_buffered_send_netmsg() | Pablo Neira Ayuso | 2008-12-08 | 1 | -2/+2
  This patch simplifies mcast_buffered_send_netmsg() by removing the length parameter. Instead, we use the length field in the nethdr to know the message size to be sent.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: remove useless ftfw_run invocation in the alive alarm handler | Pablo Neira Ayuso | 2008-11-26 | 1 | -6/+0
  This patch removes a forced run of the transmission queue. This is not required since we currently have an event descriptor that indicates when to give a queue run to push pending messages.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* network: add protocol version field (breaks backward compatibility) | Pablo Neira Ayuso | 2008-11-02 | 1 | -7/+4
  This patch adds the version field (8-bits long) to the nethdr structure. This field can be used to indicate the protocol version in case that we detect an incompatibility between two conntrackd daemons working with different protocol versions.
  Unfortunately, this patch breaks backward compatibility, i.e. conntrackd <= 0.9.8 protocol is not compatible with the upcoming conntrackd >= 0.9.9. Better do this now than later.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: remove bottleneck in ack/nack handling | Pablo Neira Ayuso | 2008-10-26 | 1 | -26/+38
  Since the resend list/queue contains elements in order, we can break looping once we find the first element that is after the ack/nack window. This patch fixes a bottleneck in the ack/nack handling reported by oprofile.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: add option `-v' to output debugging information (if any) | Pablo Neira Ayuso | 2008-10-26 | 1 | -34/+35
  This patch introduces the option `-v' to show useful debugging information, if any. As for now, only sync-ftfw.c makes use of it to display the content and the length of the resent list/queue. This is useful to check for message leaks. Other working modes or synchronization approaches may use it to display debugging information in the future.
  This patch removes _SIGNAL_DEBUG in sync-ftfw.c that was used for the same purpose. However, it could only be enabled at compilation time and it uses signalling instead of the standard UNIX socket interface that conntrackd provides.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: reset window and flush the resend queue during helloing | Pablo Neira Ayuso | 2008-09-25 | 1 | -1/+21
  This fixes two bugs when a hello message is received:
  * We can create malformed nack messages during the helloing. We have to reset the acknowledgment window, otherwise we may create malformed nack messages.
  * We have to empty the resend list/queue when a hello message is received, otherwise the entries get stuck to the resend queue once the sequence number wraps around.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: fix race condition in the helloing routine | Pablo Neira Ayuso | 2008-09-25 | 1 | -14/+30
  This patch fixes a race condition that can prevent one node from sending the initial hello message required to reset the sequence tracking.
  node A node B | | start | | hello msg |----------------------->| stop | | start | | |<-----------------------| hello-back msg
  In the picture above, the node A never sends the hello messages. Thus, the node B drops the next messages as they are in the before boundary. This patch adds a new state to the helloing state-machine to fix this problem.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: fix race that triggers a double insertion into tx_list | Pablo Neira Ayuso | 2008-09-25 | 1 | -2/+9
  This patch fixes a race condition that can trigger a double insertion to the tx_list. This happens if we receive two resync requests very close or resync just after a nack or vice-versa.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fix: remove node from tx_list when the state-entry is destroy | Pablo Neira Ayuso | 2008-09-21 | 1 | -6/+9
  This patch fixes a race that triggers a read-after-free access to the tx_list. The state-entry is destroyed but it is still in the list. The fix removes the state-entry from the tx_list in the destroy path.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cleanup: remove some debug messages from sync-ftfw.c | Pablo Neira Ayuso | 2008-09-17 | 1 | -31/+8
  Remove useless debug messages, now we have a plugin for tcpdump to debug the FT-FW protocol.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ftfw: check for malformed ack and nack messages | Pablo Neira Ayuso | 2008-09-16 | 1 | -0/+8
  This patch checks that the [from, to] interval of ack and nack messages is OK. In other words, we check that: to >= from
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rework the HELLO logic inside FT-FW | Pablo Neira Ayuso | 2008-05-26 | 1 | -6/+44
* add eventfd emulation to communicate receiver -> sender | Pablo Neira Ayuso | 2008-05-25 | 1 | -0/+5
* Fix reorder possible reordering of destroy messages under message omission. ↵ | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-29 | 1 | -6/+7
  This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroyed from the kernel table.
* rework of the FT-FW approach | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-26 | 1 | -52/+185
* revert relicensing... still we use linux_list.h code which seems to be GPLv2 ↵ | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-08 | 1 | -1/+1
  only which is incompatible AFAIK
* relicense conntrack-tools as GPLv3+, so far the most significant contributor ↵ | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-08 | 1 | -1/+1
  has been Max Kellermann and has no issues with relicensing their contributions.
* implement a rb-tree based alarm framework | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-29 | 1 | -2/+2
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-23 | 1 | -2/+2
  use size_t
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-20 | 1 | -1/+0
  remove init_alarm() before add_alarm()
* Based on patch from Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-20 | 1 | -4/+2
  merge mod_alarm() into add_alarm(), remove alarm_set_expiration()
* yet another rework of the alarm scheduler | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-18 | 1 | -2/+0
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-18 | 1 | -4/+4
  Simplify logging infrastructure
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-17 | 1 | -4/+3
  import only required C headers and put local headers on top to check
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-17 | 1 | -2/+2
  use C99 integers (uint32_t instead of u_int32_t)
* fix missing bracket | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -1/+1
* more list_empty() use instead of directly check the header | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -5/+2
* use list_del_init() and list_empty() to check if a node is in the list | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -8/+7
* minor constification fixes | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -5/+5
  update libnfnetlink dependencies
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -4/+5
  Fix tons of gcc warnings
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -4/+2
  set the return type of the parse functions to "void"
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -2/+2
  use const when possible
* Max Kellermann <max@duempel.org> | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -12/+7
  Use list_for_each_entry() instead of list_for_each()
* Max Kellermann <max@duempel.org>: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-15 | 1 | -1/+1
  the global variable "alarm" conflicts with the alarm() function from unistd.h. resolve that conflict by giving those two global variables a better name.
* improve alarm framework based on suggestions from Max Duempel | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-14 | 1 | -2/+2
* wake up the daemon iff there are real events to handle instead of polling ↵ | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-09 | 1 | -29/+31
  (Based on comments from Max Kellermann)
* rename class `buffer' to `queue' which is what it really implements | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-01-05 | 1 | -20/+20