author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-03-05 23:57:44 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-03-05 23:58:03 +0100 |
commit | 4bc3b22e426db1e592071ec2853fbd81525d4a61 (patch) | |
tree | 7640e02ccc5cc47dac779ada60a970a211d888cd /input/flow/ulogd_inpflow_NFCT.c | |
parent | ae77bf25af848e7c1db76a254e7ef4cdfa91c285 (diff) |
NFCT: add `reliable' config option to enable reliable flow-based logging
Reliability comes at the cost of dropping new flows if the
destroy event that ctnetlink delivers to us is lost. Under
heavy stress this may imply dropping packets, you've been
warned.
If you do not want to lose a single piece of flow-logging information,
enable this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'input/flow/ulogd_inpflow_NFCT.c')
-rw-r--r-- | input/flow/ulogd_inpflow_NFCT.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 31535a9..b45a435 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -72,7 +72,7 @@ struct nfct_pluginstance {
 #define EVENT_MASK NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
 static struct config_keyset nfct_kset = {
- .num_ces = 8,
+ .num_ces = 9,
 .ces = {
 {
 .key = "pollinterval",
@@ -122,6 +122,12 @@ static struct config_keyset nfct_kset = {
 .options = CONFIG_OPT_NONE,
 .u.value = 60,
 },
+ {
+ .key = "reliable",
+ .type = CONFIG_TYPE_INT,
+ .options = CONFIG_OPT_NONE,
+ .u.value = 0,
+ },
 },
 };
 #define pollint_ce(x) (x->ces[0])
@@ -132,6 +138,7 @@ static struct config_keyset nfct_kset = {
 #define nlsockbufsize_ce(x) (x->ces[5])
 #define nlsockbufmaxsize_ce(x) (x->ces[6])
 #define nlresynctimeout_ce(x) (x->ces[7])
+#define reliable_ce(x) (x->ces[8])
 enum nfct_keys {
 NFCT_ORIG_IP_SADDR = 0,
@@ -1019,6 +1026,16 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 "set to %d\n", cpi->nlbufsiz);
 }
+ if (reliable_ce(upi->config_kset).u.value != 0) {
+ int on = 1;
+
+ setsockopt(nfct_fd(cpi->cth), SOL_NETLINK,
+ NETLINK_BROADCAST_SEND_ERROR, &on, sizeof(int));
+ setsockopt(nfct_fd(cpi->cth), SOL_NETLINK,
+ NETLINK_NO_ENOBUFS, &on, sizeof(int));
+ ulogd_log(ULOGD_NOTICE, "NFCT reliable logging "
+ "has been enabled.");
+ }
 cpi->nfct_fd.fd = nfct_fd(cpi->cth);
 cpi->nfct_fd.cb = &read_cb_nfct;
 cpi->nfct_fd.data = cpi; |
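Review bot: Both setsockopt() calls in the last hunk (constructor_nfct_events) discard their return value, yet the NOTICE that follows unconditionally claims "reliable logging has been enabled"; on a kernel or libnfnetlink combination where SOL_NETLINK options such as NETLINK_NO_ENOBUFS are rejected, the operator is told the audit trail is loss-free while destroy events can still be dropped silently. Since this option exists precisely so that no flow record is lost, a failed setsockopt should be logged at ULOGD_ERROR with strerror(errno) and the constructor should take the same failure exit it uses for its other errors, rather than reporting success. The NOTICE message also lacks the trailing `\n` that the neighbouring `"set to %d\n"` message and the other ulogd_log calls carry. constructor_nfct_events begins before this hunk and continues after it, so the exact error-unwind path is not visible here.
```c
	if (reliable_ce(upi->config_kset).u.value != 0) {
		int on = 1;

		if (setsockopt(nfct_fd(cpi->cth), SOL_NETLINK,
			       NETLINK_BROADCAST_SEND_ERROR, &on, sizeof(int)) < 0 ||
		    setsockopt(nfct_fd(cpi->cth), SOL_NETLINK,
			       NETLINK_NO_ENOBUFS, &on, sizeof(int)) < 0) {
			ulogd_log(ULOGD_ERROR, "NFCT reliable logging: "
				  "setsockopt failed: %s\n", strerror(errno));
			/* TODO: unwind via the error path this constructor already
			 * uses for earlier failures (outside the hunk) */
			return -1; /* placeholder: match the constructor's failure convention */
		}
		ulogd_log(ULOGD_NOTICE, "NFCT reliable logging "
			  "has been enabled.\n");
	}
	/* … unchanged: cpi->nfct_fd setup … */
```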