path: root/src/cache.c
Columns per entry: Commit message | Author | Age | Files | Lines (removed/added)
* conntrackd: use strncpy to set up the cache name
  Author: Pablo Neira Ayuso | Age: 2015-08-18 | Files: 1 | Lines: -2/+3
  This is not exposed, but use the strncpy() variant to calm down static code validators.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: remove cache_data_get_object and replace by direct pointer
  Author: Pablo Neira Ayuso | Age: 2012-01-10 | Files: 1 | Lines: -5/+0
  We now include one pointer to the object in the extra section. This is required to generalize this code for the expectation support. We consume 4-8 bytes extra, but we will not need more changes to support expectations, which is a good idea.
* conntrackd: simplify cache_get_extra function
  Author: Pablo Neira Ayuso | Age: 2012-01-10 | Files: 1 | Lines: -2/+2
  This patch simplifies cache_get_extra, which now takes only one parameter, the cache_object. With it, the extra area can be calculated.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: generalize caching infrastructure
  Author: Pablo Neira Ayuso | Age: 2012-01-10 | Files: 1 | Lines: -89/+65
  This patch generalizes the caching infrastructure to store different object types. This patch is the first in the series to prepare support for the synchronization of expectations.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: use nfct_copy() with override flag in cache_object_new()
  Author: Pablo Neira Ayuso | Age: 2011-02-17 | Files: 1 | Lines: -1/+1
  Using memcpy() is not safe, it breaks secctx and it may break more things in the future. Moreover, nfct_size*() functions will be deprecated soon, they are evil since they open the window to memcpy().
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: reduce the number of gettimeofday() syscalls
  Author: Pablo Neira Ayuso | Age: 2009-08-21 | Files: 1 | Lines: -2/+2
  This patch reduces the number of gettimeofday syscalls by caching the current time in a variable at the beginning of the main loop. Based on a suggestion from Vincent Jardin.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: use conntrack ID in the cache lookup
  Author: Pablo Neira Ayuso | Age: 2009-07-21 | Files: 1 | Lines: -1/+3
  This patch adds the conntrack ID to the comparison that is made in the lookup of entries that are stored in the cache. For old kernels, this field is set to zero for all entries, so this patch does not make any difference. For recent kernels, this allows keeping two entries with the same tuple and different IDs: this is possible if NetlinkEventsReliable is set on. Moreover, this patch is useful to test that the reliable ctnetlink event delivery in 2.6.31 works fine.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: add iterators with limited steps in hash and cache types
  Author: Pablo Neira Ayuso | Age: 2009-07-17 | Files: 1 | Lines: -0/+7
  This patch adds cache_iterate_limit() and hashtable_iterate_limit(), which allow limiting the iteration to a given number of states.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: fix memory leak in cache_update_force()
  Author: Pablo Neira Ayuso | Age: 2009-06-21 | Files: 1 | Lines: -1/+3
  This patch fixes a memory leak in cache_update_force(). The problem occurs if the object does not exist in the cache and we fail to add it.
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: remove the cache write-through policy
  Author: Pablo Neira Ayuso | Age: 2009-05-23 | Files: 1 | Lines: -1/+0
  This patch removes the cache write-through clause. This feature remained undocumented, although some have found it looking at the source code. This feature has remained in the tree for quite some time although it has several limitations. Moreover, it is specifically broken and dangerous for Linux kernels >= 2.6.29 since it generates loops in the synchronization. We do this removal first to prepare the introduction of a feature to bypass the external cache.
  Signed-off-by: Pablo Neira Ayuso <>
* src: add support for approximate timeout calculation during commit
  Author: Pablo Neira Ayuso | Age: 2009-01-25 | Files: 1 | Lines: -1/+2
  During the commit phase, the entries in the external cache are inserted in the kernel conntrack table. Currently, we use a fixed timeout that is specified in the config file. With this patch, if you don't specify the fixed timeout value via CommitTimeout, the daemon calculates the real timeout value during the commit phase.
  Signed-off-by: Pablo Neira Ayuso <>
* cache: move lifetime feature to main cache code
  Author: Pablo Neira Ayuso | Age: 2009-01-25 | Files: 1 | Lines: -1/+2
  The lifetime feature is used by all working modes; it is useful to know how long an entry has been living in the cache. This patch moves the lifetime feature to the main caching code.
  Signed-off-by: Pablo Neira Ayuso <>
* cache: add objects statistics
  Author: Pablo Neira Ayuso | Age: 2009-01-17 | Files: 1 | Lines: -9/+9
  This patch adds the object counter to `conntrackd -s cache'. This is useful to detect object leaks in runtime. This patch also changes the layout of the output to fit the display in less than 24 lines (assuming 24x80 terminal).
  Signed-off-by: Pablo Neira Ayuso <>
* sync: enqueue state updates to tx_queue
  Author: Pablo Neira Ayuso | Age: 2009-01-17 | Files: 1 | Lines: -34/+25
  With this patch, all the state updates are enqueued in the tx_queue. Thus, there's a single output path. This patch adds a simple refcounting mechanism to note when an object is sitting in the txqueue. This patch also removes the alarm that is required by the ftfw approach.
  Signed-off-by: Pablo Neira Ayuso <>
* cache: add status field to store the object status
  Author: Pablo Neira Ayuso | Age: 2009-01-15 | Files: 1 | Lines: -3/+7
  This patch adds the status field to the cache object. This avoids the (ab)use of the alarm to check if an entry is active or dead. This is the first step to possibly move the alarm to the cache_extra memory space of the ftfw (which is the only use by now).
  Signed-off-by: Pablo Neira Ayuso <>
* src: rework of the hash-cache infrastructure
  Author: Pablo Neira Ayuso | Age: 2009-01-15 | Files: 1 | Lines: -169/+104
  Currently, the caching system is implemented in a two layer architecture: hashtable (inner layer) and cache (upper layer). This patch reworks the hash-cache infrastructure to solve some initial design problems to make it more flexible. The main strong points of this patch are:
  * Memory handling is done in the cache layer, not in the inner hashtable layer. This removes one of the main dependencies between the hashtable and the cache classes.
  * Remove excessive encapsulation: the former cache used to hide a lot of details of the inner hashtable implementation.
  * Fix over-hashing of some operations: lookup-delete-add required three hash calculations. Similarly, the update-or-add operation required two hash calculations. Now, we calculate the hash once and re-use the value as many times as we need.
  This patch simplifies the caching system. As a result, we save ~130 lines of code. Small code means less complexity, and less complexity means less chance to have bugs.
  Signed-off-by: Pablo Neira Ayuso <>
* src: constify hashtable parameter in hash() callbacks
  Author: Pablo Neira Ayuso | Age: 2009-01-14 | Files: 1 | Lines: -3/+5
  This patch constifies the hashtable parameter that is passed to the hash callbacks registered when the hashtable is created.
  Signed-off-by: Pablo Neira Ayuso <>
* cache: fix ENOSPC errors due to over-population of inactive entries
  Author: Pablo Neira Ayuso | Age: 2008-12-22 | Files: 1 | Lines: -1/+1
  This patch fixes a problem that can result in cache over-population with inactive entries due to mismatching in the comparison. This may result in lots of ENOSPC errors while trying to add new entries to the internal cache. We may have entries in the internal cache with the same original tuple, but different reply tuple due to NAT port adjustment. Thus, the comparison that happens during the entry hashtable lookup fails and we add a new entry while keeping the old one.
  Signed-off-by: Pablo Neira Ayuso <>
* cache_iterators: add total entries available in the cache to stats
  Author: Pablo Neira Ayuso | Age: 2008-12-22 | Files: 1 | Lines: -2/+2
  This patch adds the total number of entries currently living in the cache. Currently, we have two types of entries, active and inactive. The inactive ones talk about an ended connection. This is useful for trouble-shooting if we hit ENOSPC when adding new entries.
  Signed-off-by: Pablo Neira Ayuso <>
* src: add cache statistics via `-s cache'
  Author: Pablo Neira Ayuso | Age: 2008-12-21 | Files: 1 | Lines: -21/+68
  This patch adds cache statistics that you can check via `conntrackd -s cache'. This information is useful for trouble-shooting. This patch replaces several log messages that can be triggered in runtime. The idea behind this patch is to avoid log message flooding under errors.
  Signed-off-by: Pablo Neira Ayuso <>
* cache: cleanup, rename __del2() by __del()
  Author: Pablo Neira Ayuso | Age: 2008-12-17 | Files: 1 | Lines: -3/+3
  This patch renames __del2() by __del(). The name of this function is reminiscent of a __del() function removed some time ago.
  Signed-off-by: Pablo Neira Ayuso <>
* src: cleanup, rename hashtable_test() by hashtable_find()
  Author: Pablo Neira Ayuso | Age: 2008-12-17 | Files: 1 | Lines: -4/+4
  This patch renames the function hashtable_test() by hashtable_find(), which is a better name IMO to describe this function.
  Signed-off-by: Pablo Neira Ayuso <>
* cache: use jhash2 instead of double jhash+jhash_2words
  Author: Pablo Neira Ayuso | Age: 2008-10-21 | Files: 1 | Lines: -19/+17
  Currently, oprofile reports ~17% of samples in the hashing. With this patch, which uses jhash2 instead of a double call to jhash and one to jhash_2words, it goes down to ~11%.
  Signed-off-by: Pablo Neira Ayuso <>
* cache: fix update of scheduled-to-timeout entries
  Author: Pablo Neira Ayuso | Age: 2008-10-20 | Files: 1 | Lines: -44/+55
  This patch fixes a problem that allows the update of entries that are scheduled to be removed.
  Signed-off-by: Pablo Neira Ayuso <>
* ftfw: show consistent information to users for problem diagnosing
  Author: Pablo Neira Ayuso | Age: 2008-08-01 | Files: 1 | Lines: -2/+12
  This patch hides information that may confuse users while they are diagnosing problems in their setup. For example, we hide entries that are scheduled to expire (from the user side, they are already destroyed entries), and we show in the counters the real active entries, not all that are stored in the caches.
  Signed-off-by: Pablo Neira Ayuso <>
* fix broken normal deletion in caches
  Author: Pablo Neira Ayuso | Age: 2008-08-01 | Files: 1 | Lines: -31/+31
  This patch fixes the non-timer-based cache deletion. This bug affects the alarm-based approach since the backup replicas did not get the deletion event, thus delaying the deletion. This patch introduces cache_find() to look up a conntrack object and __cache_del_timer() to perform direct deletions by means of the pointer obtained with cache_find().
  Signed-off-by: Pablo Neira Ayuso <>
* add more sanity checks in the input path
  Author: Pablo Neira Ayuso | Age: 2008-08-01 | Files: 1 | Lines: -8/+0
  Some users have reported crashes when nf_conntrack_ipv6 was not present. This patch performs more robust sanity checks in the input path.
  Signed-off-by: Pablo Neira Ayuso <>
* increase deletion stats when the timer is scheduled in cache_del_timeout()
  Author: Pablo Neira Ayuso | Age: 2008-05-31 | Files: 1 | Lines: -2/+7
* fix leak in cache_destroy(): release objects before destroying the cache
  Author: Pablo Neira Ayuso | Age: 2008-05-26 | Files: 1 | Lines: -0/+1
* check for missing IPv6 address before hashing
  Author: Pablo Neira Ayuso | Age: 2008-05-21 | Files: 1 | Lines: -0/+8
* - remove (misleading) counters and use information from the statistics mode
  Author: Pablo Neira Ayuso | Age: 2008-05-16 | Files: 1 | Lines: -73/+2
  - use generic nfct_copy() from libnetfilter_conntrack to update objects
  - use generic nfct_cmp() to compare objects
* Fix possible reordering of destroy messages under message omission.
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-04-29 | Files: 1 | Lines: -25/+56
  This patch introduces the TimeoutDestroy clause to determine how long a conntrack remains in the internal cache once it has been destroyed from the kernel table.
* revert relicensing... still we use linux_list.h code which seems to be GPLv2 only which is incompatible AFAIK
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-03-08 | Files: 1 | Lines: -1/+1
* relicense conntrack-tools as GPLv3+, so far the most significant contributor has been Max Kellermann and has no issues with relicensing their contributions.
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-03-08 | Files: 1 | Lines: -1/+1
* add IPv6 support to conntrackd
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-02-02 | Files: 1 | Lines: -40/+67
* Max Kellermann <>: import only required C headers and put local headers on top to check
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-01-17 | Files: 1 | Lines: -2/+4
* Max Kellermann <>: use C99 integers (uint32_t instead of u_int32_t)
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-01-17 | Files: 1 | Lines: -9/+9
* Max Kellermann <>: Fix tons of gcc warnings
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-01-15 | Files: 1 | Lines: -13/+15
* Max Kellermann <>: use const when possible
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2008-01-15 | Files: 1 | Lines: -1/+1
* - hash lookup speedups based on comments from netdev's discussions
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2007-12-31 | Files: 1 | Lines: -4/+11
  - minor fix for hash6 in cache.c (however, ipv6 support is still broken)
  - several updates in the TODO file
* Add CacheWriteThrough clause: external cache write through policy. This feature is particularly useful for active-active setup without connection persistency, i.e. you cannot know which firewall would filter a packet that belongs to a connection.
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2007-11-25 | Files: 1 | Lines: -8/+9
* - conntrack-tools requires libnetfilter_conntrack >= 0.0.81
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2007-07-09 | Files: 1 | Lines: -38/+2
  - add len field to nethdr
  - implement buffered send/recv to batch messages
  - stop using netlink format for network messages: use similar TLV-based format
  - reduce synchronization messages size up to 60%
  - introduce periodic alive messages for sync-nack protocol
  - timeslice alarm implementation: remove alarm pthread, remove locking
  - simplify debugging functions: use nfct_snprintf instead
  - remove major use of libnfnetlink functions: use libnetfilter_conntrack API
  - deprecate conntrackd -F, use conntrack -F instead
  - major rework of the network infrastructure: much simpler, less messy
* - more cleanups and code refactorization
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2007-06-19 | Files: 1 | Lines: -1/+0
  - remove several debug calls
  - create a child to dispatch dump requests: this will help to simplify the current locking schema. Later.
* - introduce cache_iterate
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2007-05-20 | Files: 1 | Lines: -0/+9
  - empty debug_ct function if DEBUG_CT is not set
  - revisit overrun handler: this is a hard battle, just try to do our best here, call Patrick :)
  - explicit warning message when netlink_buffer_max_growth is reached
  - fix silly bug in stats-mode when dumping in XML format
  - fix UDP handler for conntrack
* - remove dead code sync-mode.c
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2007-05-18 | Files: 1 | Lines: -4/+5
  - flush nack queue in the conntrackd -f path
  - do not increase add_fail counter for EEXIST errors
  - cleanup sync-nack code
  - improve mcast_recv_netmsg: sanity check before checksumming!
* first step forward to merge conntrackd and conntrack into the same building ↵
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Age: 2007-04-16 | Files: 1 | Lines: -0/+446