authorArturo Borrero Gonzalez <arturo@netfilter.org>2020-12-04 11:50:25 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2020-12-08 12:50:35 +0100
commit592bb1686053cdb5cacdb1d6266d64ce976d7bf7 (patch)
tree3fc4e9ba0e09480275f6241dff050677ef5d7508
parent0d24357897eddef5ab86031b0062b8a4f2b84ba4 (diff)
conntrackd: external_inject: report inject issues as warning
In busy firewalls that run conntrackd in NOTRACK with both internal and external caches disabled, external_inject can get lots of traffic. In case of issues injecting or updating conntrack entries, a log entry is generated: the infamous inject-addX, inject-updX messages. But there is nothing end users can do about this error message, which is purely internal. This patch is basically cosmetic, relaxing the message from ERROR to WARNING. The information reported is also extended a bit. The idea is to leave ERROR messages to issues that would *stop* or *prevent* conntrackd from working at all. Another nice thing to do in the future is to rate-limit this message, which is generated in the data path and can easily fill log files. But ideally, the actual root cause would be fixed, and there would be no WARNING message reported at all, meaning that all conntrack entries are smoothly synced between the firewalls in the cluster. We can work on that later. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/external_inject.c28
1 files changed, 19 insertions, 9 deletions
diff --git a/src/external_inject.c b/src/external_inject.c
index 0ad3478..920d7c4 100644
--- a/src/external_inject.c
+++ b/src/external_inject.c
@@ -76,12 +76,14 @@ retry:
}
}
external_inject_stat.add_fail++;
- dlog(LOG_ERR, "inject-add1: %s", strerror(errno));
+ dlog(LOG_WARNING,
+ "could not add new ct entry, even when deleting it first: %s",
+ strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
return;
}
external_inject_stat.add_fail++;
- dlog(LOG_ERR, "inject-add2: %s", strerror(errno));
+ dlog(LOG_WARNING, "could not add new ct entry: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
} else {
external_inject_stat.add_ok++;
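Review bot: The warnings introduced here (the dlog at the first `+` run and the one after the second `add_fail++`) are still emitted unconditionally on the data path, together with a full entry dump via dlog_ct, so a sustained run of failing injections from a sync peer produces one multi-line log record per failure; the commit message defers rate limiting, but the gate is already at hand, since `external_inject_stat.add_fail` is incremented immediately before each of these calls. A minimal form would wrap each warning as `if (external_inject_stat.add_fail <= INJECT_WARN_LIMIT /* placeholder threshold */)` or log only every Nth failure, and the same applies to every other hunk in this file (the upd_fail, del_fail and exp counters are incremented the same way). The enclosing function, its retry: label and the nl_create_conntrack call whose errno is reported all lie outside the hunk; nothing visible between the failure and the dlog touches errno, but capturing it at the failure site (`int err = errno;`) would keep the reported reason stable if more code is ever inserted there.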
@@ -102,7 +104,9 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
if (errno == ENOENT) {
if (nl_create_conntrack(inject, ct, 0) == -1) {
external_inject_stat.upd_fail++;
- dlog(LOG_ERR, "inject-upd1: %s", strerror(errno));
+ dlog(LOG_WARNING,
+ "could not update ct entry, even if creating it instead: %s",
+ strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
} else {
external_inject_stat.upd_ok++;
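Review bot: The new message `"could not update ct entry, even if creating it instead: %s"` is hard to parse for an operator: this branch is the ENOENT-on-update path where creation was attempted as a fallback, so the text should state both facts plainly, e.g. `"could not update ct entry (not found), and creating it failed: %s"`. That also keeps it clearly distinct from the next hunk's delete-then-create path, whose message says "even when deleting it first". The enclosing external_inject_ct_upd begins before this hunk.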
@@ -117,7 +121,9 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
if (ret == 0 || (ret == -1 && errno == ENOENT)) {
if (nl_create_conntrack(inject, ct, 0) == -1) {
external_inject_stat.upd_fail++;
- dlog(LOG_ERR, "inject-upd2: %s", strerror(errno));
+ dlog(LOG_WARNING,
+ "could not update ct entry, even when deleting it first: %s",
+ strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
} else {
external_inject_stat.upd_ok++;
@@ -125,7 +131,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
return;
}
external_inject_stat.upd_fail++;
- dlog(LOG_ERR, "inject-upd3: %s", strerror(errno));
+ dlog(LOG_WARNING, "could not update ct entry: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
}
@@ -134,7 +140,7 @@ static void external_inject_ct_del(struct nf_conntrack *ct)
if (nl_destroy_conntrack(inject, ct) == -1) {
if (errno != ENOENT) {
external_inject_stat.del_fail++;
- dlog(LOG_ERR, "inject-del: %s", strerror(errno));
+ dlog(LOG_WARNING, "could not destroy ct entry: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
}
} else {
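Review bot: The verb used for the same nl_destroy_* failure differs between the ct and exp paths: this hunk logs `"could not destroy ct entry: %s"` while the last hunk of the file logs `"could not delete exp entry: %s"`; with the old `inject-del` tag gone, the wording is now the only thing an operator can grep for, so the two should agree, e.g. `"could not destroy exp entry: %s"` in external_inject_exp_del. Both enclosing functions continue outside their hunks.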
@@ -200,12 +206,15 @@ retry:
}
}
exp_external_inject_stat.add_fail++;
- dlog(LOG_ERR, "inject-add1: %s", strerror(errno));
+ dlog(LOG_WARNING,
+ "could not add new exp entry, even when deleting it first: %s",
+ strerror(errno));
dlog_exp(STATE(log), exp, NFCT_O_PLAIN);
return;
}
exp_external_inject_stat.add_fail++;
- dlog(LOG_ERR, "inject-add2: %s", strerror(errno));
+ dlog(LOG_WARNING,
+ "could not add new exp entry: %s", strerror(errno));
dlog_exp(STATE(log), exp, NFCT_O_PLAIN);
} else {
exp_external_inject_stat.add_ok++;
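Review bot: The second warning in this hunk is wrapped across two lines although it fits on one, whereas the identical ct variant earlier in the file stays on a single line; for consistency use `dlog(LOG_WARNING, "could not add new exp entry: %s", strerror(errno));`. The retry: label and the failing nl_create_expect call are outside the hunk.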
@@ -217,7 +226,8 @@ static void external_inject_exp_del(struct nf_expect *exp)
if (nl_destroy_expect(inject, exp) == -1) {
if (errno != ENOENT) {
exp_external_inject_stat.del_fail++;
- dlog(LOG_ERR, "inject-del: %s", strerror(errno));
+ dlog(LOG_WARNING,
+ "could not delete exp entry: %s", strerror(errno));
dlog_exp(STATE(log), exp, NFCT_O_PLAIN);
}
} else {