authorPablo Neira Ayuso <pablo@netfilter.org>2022-05-02 18:01:13 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2022-05-02 18:35:37 +0200
commit5ec684be08547619c68cfd50e58efa40f6e47f5d (patch)
tree12026cabd063bc9723894fc73b21a8bcd377d980
parent42cb292d6c9e8567db2e30e183b1bd31093700ad (diff)
conntrack: consolidate socket open call
Create netlink socket once and reuse it, rather than open + close it over and over again. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/conntrack.c65
1 files changed, 17 insertions, 48 deletions
diff --git a/src/conntrack.c b/src/conntrack.c
index 894bf3f..a773543 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -75,6 +75,7 @@ struct nfct_mnl_socket {
static struct nfct_mnl_socket _sock;
static struct nfct_mnl_socket _modifier_sock;
+static struct nfct_mnl_socket _event_sock;
struct u32_mask {
uint32_t value;
@@ -2429,7 +2430,7 @@ out_err:
}
static int nfct_mnl_socket_open(struct nfct_mnl_socket *socket,
- unsigned int events)
+ unsigned int events)
{
socket->mnl = mnl_socket_open(NETLINK_NETFILTER);
if (socket->mnl == NULL) {
@@ -3269,29 +3270,25 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
ct_cmd->socketbuffersize = socketbuffersize;
}
-static int do_command_ct(const char *progname, struct ct_cmd *cmd)
+static int do_command_ct(const char *progname, struct ct_cmd *cmd,
+ struct nfct_mnl_socket *sock)
{
struct nfct_mnl_socket *modifier_sock = &_modifier_sock;
- struct nfct_mnl_socket *sock = &_sock;
+ struct nfct_mnl_socket *event_sock = &_event_sock;
struct nfct_filter_dump *filter_dump;
int res = 0;
switch(cmd->command) {
case CT_LIST:
- if (nfct_mnl_socket_open(sock, 0) < 0)
- exit_error(OTHER_PROBLEM, "Can't open handler");
-
if (cmd->type == CT_TABLE_DYING) {
res = nfct_mnl_dump(sock, NFNL_SUBSYS_CTNETLINK,
IPCTNL_MSG_CT_GET_DYING,
mnl_nfct_dump_cb, cmd, NULL);
- nfct_mnl_socket_close(sock);
break;
} else if (cmd->type == CT_TABLE_UNCONFIRMED) {
res = nfct_mnl_dump(sock, NFNL_SUBSYS_CTNETLINK,
IPCTNL_MSG_CT_GET_UNCONFIRMED,
mnl_nfct_dump_cb, cmd, NULL);
- nfct_mnl_socket_close(sock);
break;
}
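Review bot: The new `sock` parameter of do_command_ct carries an unstated contract — the caller must hand in an already-open socket and the function must leave it open and drained for the next command — and nothing in the signature or a comment says so; a one-line comment above the function such as `/* sock: netlink socket opened by the caller, shared by every command; must be left open and with no unread replies */` would make that visible. Because one socket now outlives every command in a --load-file batch, a dump that returns early on error might, if nfct_mnl_dump does not consume the remaining replies, leave messages queued that the next command would read as its own; with the per-command open/close that was removed here this could not occur, so it is worth confirming at the two nfct_mnl_dump call sites in this hunk. The body of do_command_ct continues well beyond this hunk.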
@@ -3335,10 +3332,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
printf("</conntrack>\n");
fflush(stdout);
}
-
- nfct_mnl_socket_close(sock);
break;
-
case EXP_LIST:
cth = nfct_open(EXPECT, 0);
if (!cth)
@@ -3367,10 +3361,6 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
nfct_set_attr(cmd->tmpl.ct, ATTR_CONNLABELS,
xnfct_bitmask_clone(cmd->tmpl.label_modify));
- res = nfct_mnl_socket_open(sock, 0);
- if (res < 0)
- exit_error(OTHER_PROBLEM, "Can't open netlink socket");
-
res = nfct_mnl_request(sock, NFNL_SUBSYS_CTNETLINK, cmd->family,
IPCTNL_MSG_CT_NEW,
NLM_F_CREATE | NLM_F_ACK | NLM_F_EXCL,
@@ -3378,7 +3368,6 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
if (res >= 0)
counter++;
- nfct_mnl_socket_close(sock);
break;
case EXP_CREATE:
@@ -3395,8 +3384,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
break;
case CT_UPDATE:
- if (nfct_mnl_socket_open(sock, 0) < 0 ||
- nfct_mnl_socket_open(modifier_sock, 0) < 0)
+ if (nfct_mnl_socket_open(modifier_sock, 0) < 0)
exit_error(OTHER_PROBLEM, "Can't open handler");
nfct_filter_init(cmd);
@@ -3405,12 +3393,10 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
cmd, NULL);
nfct_mnl_socket_close(modifier_sock);
- nfct_mnl_socket_close(sock);
break;
case CT_DELETE:
- if (nfct_mnl_socket_open(sock, 0) < 0 ||
- nfct_mnl_socket_open(modifier_sock, 0) < 0)
+ if (nfct_mnl_socket_open(modifier_sock, 0) < 0)
exit_error(OTHER_PROBLEM, "Can't open handler");
nfct_filter_init(cmd);
@@ -3435,7 +3421,6 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
nfct_filter_dump_destroy(filter_dump);
nfct_mnl_socket_close(modifier_sock);
- nfct_mnl_socket_close(sock);
break;
case EXP_DELETE:
@@ -3472,14 +3457,9 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
break;
case CT_FLUSH:
- res = nfct_mnl_socket_open(sock, 0);
- if (res < 0)
- exit_error(OTHER_PROBLEM, "Can't open netlink socket");
-
res = nfct_mnl_request(sock, NFNL_SUBSYS_CTNETLINK, cmd->family,
IPCTNL_MSG_CT_DELETE, NLM_F_ACK, NULL, NULL);
- nfct_mnl_socket_close(sock);
fprintf(stderr, "%s v%s (conntrack-tools): ",PROGNAME,VERSION);
fprintf(stderr,"connection tracking table has been emptied.\n");
break;
@@ -3505,9 +3485,9 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
if (cmd->event_mask & CT_EVENT_F_DEL)
nl_events |= NF_NETLINK_CONNTRACK_DESTROY;
- res = nfct_mnl_socket_open(sock, nl_events);
+ res = nfct_mnl_socket_open(event_sock, nl_events);
} else {
- res = nfct_mnl_socket_open(sock,
+ res = nfct_mnl_socket_open(event_sock,
NF_NETLINK_CONNTRACK_NEW |
NF_NETLINK_CONNTRACK_UPDATE |
NF_NETLINK_CONNTRACK_DESTROY);
@@ -3565,7 +3545,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
}
res = mnl_cb_run(buf, res, 0, 0, event_cb, cmd);
}
- mnl_socket_close(sock->mnl);
+ mnl_socket_close(event_sock->mnl);
break;
case EXP_EVENT:
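Review bot: The event socket is torn down with `mnl_socket_close(event_sock->mnl)` while every other path in this commit goes through `nfct_mnl_socket_close(...)`; now that `event_sock` is a distinct static object opened via nfct_mnl_socket_open, the matching close helper would keep the pair symmetric, i.e. `nfct_mnl_socket_close(event_sock);`. This only holds if nfct_mnl_socket_close does nothing beyond closing the mnl handle, which is not visible here. The enclosing CT_EVENT case starts outside the hunk.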
@@ -3599,20 +3579,14 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
/* If we fail with netlink, fall back to /proc to ensure
* backward compatibility.
*/
- if (nfct_mnl_socket_open(sock, 0) < 0)
- goto try_proc_count;
-
res = nfct_mnl_request(sock, NFNL_SUBSYS_CTNETLINK, AF_UNSPEC,
IPCTNL_MSG_CT_GET_STATS, 0,
nfct_global_stats_cb, NULL);
- nfct_mnl_socket_close(sock);
-
/* don't look at /proc, we got the information via ctnetlink */
if (res >= 0)
break;
-try_proc_count:
{
#define NF_CONNTRACK_COUNT_PROC "/proc/sys/net/netfilter/nf_conntrack_count"
FILE *fd;
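Review bot: The comment kept at the top of this hunk still promises "If we fail with netlink, fall back to /proc", but the fallback for a socket-open failure is gone: with the open moved to main and guarded by exit_error("Can't open handler"), a system where NETLINK_NETFILTER cannot be opened now aborts before reaching this code instead of reading /proc/sys/net/netfilter/nf_conntrack_count. Only a failed request still falls through to /proc. Either the comment should be narrowed, e.g. `/* If the netlink request fails, fall back to /proc for backward compatibility */`, or main should tolerate an open failure for the count and stats commands. The same applies to the two stats hunks that follow (the ones removing `goto try_proc`).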
@@ -3644,15 +3618,10 @@ try_proc_count:
/* If we fail with netlink, fall back to /proc to ensure
* backward compatibility.
*/
- if (nfct_mnl_socket_open(sock, 0) < 0)
- goto try_proc;
-
res = nfct_mnl_dump(sock, NFNL_SUBSYS_CTNETLINK,
IPCTNL_MSG_CT_GET_STATS_CPU,
nfct_stats_cb, NULL, NULL);
- nfct_mnl_socket_close(sock);
-
/* don't look at /proc, we got the information via ctnetlink */
if (res >= 0)
break;
@@ -3663,15 +3632,10 @@ try_proc_count:
/* If we fail with netlink, fall back to /proc to ensure
* backward compatibility.
*/
- if (nfct_mnl_socket_open(sock, 0) < 0)
- goto try_proc;
-
res = nfct_mnl_dump(sock, NFNL_SUBSYS_CTNETLINK_EXP,
IPCTNL_MSG_EXP_GET_STATS_CPU,
nfexp_stats_cb, NULL, NULL);
- nfct_mnl_socket_close(sock);
-
/* don't look at /proc, we got the information via ctnetlink */
if (res >= 0)
break;
@@ -3893,6 +3857,7 @@ static const char *ct_unsupp_cmd_file(const struct ct_cmd *cmd)
int main(int argc, char *argv[])
{
+ struct nfct_mnl_socket *sock = &_sock;
struct ct_cmd *cmd, *next;
LIST_HEAD(cmd_list);
int res = 0;
@@ -3907,6 +3872,9 @@ int main(int argc, char *argv[])
register_gre();
register_unknown();
+ if (nfct_mnl_socket_open(sock, 0) < 0)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+
if (argc > 2 &&
(!strcmp(argv[1], "-R") || !strcmp(argv[1], "--load-file"))) {
ct_parse_file(&cmd_list, argv[0], argv[2]);
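Review bot: The socket is now opened unconditionally before the command line is examined, so every invocation pays for and depends on a NETLINK_NETFILTER socket, including ones that may never touch netlink; if do_parse handles a help or version option, those would now fail with "Can't open handler" in an environment without nfnetlink where they previously worked. Deferring the open until after do_parse or ct_parse_file, or opening lazily inside do_command_ct on first use, would preserve that behaviour. Whether such options exist in do_parse is not visible in this diff.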
@@ -3918,7 +3886,7 @@ int main(int argc, char *argv[])
ct_unsupp_cmd_file(cmd));
}
list_for_each_entry_safe(cmd, next, &cmd_list, list) {
- res |= do_command_ct(argv[0], cmd);
+ res |= do_command_ct(argv[0], cmd, sock);
list_del(&cmd->list);
free(cmd);
}
@@ -3928,10 +3896,11 @@ int main(int argc, char *argv[])
exit_error(OTHER_PROBLEM, "OOM");
do_parse(cmd, argc, argv);
- do_command_ct(argv[0], cmd);
+ do_command_ct(argv[0], cmd, sock);
res = print_stats(cmd);
free(cmd);
}
+ nfct_mnl_socket_close(sock);
return res < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}