| Commit message | Author | Age | Files | Lines |
Thus, we fix conntrackd -i for flows that were just retrieved
from the kernel:
tcp 6 ESTABLISHED src=192.168.1.135 dst=208.68.163.220 sport=42179 dport=5222 src=208.68.163.220 dst=192.168.1.135 sport=5222 dport=42179 [ASSURED] mark=0 [active since 1319450515s]
Note the wrong "active since" value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes an unnecessary reset of the event iteration limiter
that is already done in the main select loop.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The initial return value is overridden after the initial read. Don't
override this value, instead we check the return value of the read()
operation.
This patch also changes the error statistics accounting since we
consider that a request with no data is an error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, we open the event handler once the internal
cache (if any) is populated. This reduces the chances of a
possible premature overrun if we launch conntrackd in a busy
firewall. However, we may still start with an internal cache
that may differ a bit from the one in the kernel.
This patch has no impact on setups where conntrackd is started
in a spare firewall.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch splits the __run() routine into two functions, run_polling()
and run_events() that are selected once at run-time. We save one branch
in a loop that is intensively executed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the clause `DisableInternalCache' that allows you
to bypass the internal cache. This clause can only be used with
the notrack synchronization mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reduces the number of gettimeofday syscalls by caching
the current time in a variable at the beginning of the main loop.
Based on a suggestion from Vincent Jardin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, we reset the event iteration limit counter after
we have performed an event handling run. Thus, every run loop
always performs a maximum of EventIterationLimit event handling
instead of keeping the old credits for the next run loop.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the LOCAL_RET_* return values. The return value
LOCAL_RET_STOLEN allows to leave a client socket open while
waiting for an operation to finish.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the ability to dump the list of existing child
processes. In general, it would be hard to display one since
child processes are generally forked for very specific tasks,
like commit and flush operations, and they have very limited
lifetime. However, this can be handy for debugging problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In 6f5666a29cb7cbff08ce926ee1edb84a311ff6ee, I moved the flush
operation into a child process and to use a disposable handler
to perform flush requests. This patch adds a dedicated flush
handler since there is a possible race condition that can
happen if the child process ends before we have received all
the event messages that the flush request has triggered.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows to limit the number of simultaneous child processes.
This is required by the next patch that replaces disposable handlers
to commit and flush with permanent handlers.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch is a cleanup, it removes an unused nfct handler. This
removal is due to recent commits that have obsoleted it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, the flush operation is performed by a child process.
Thus, the parent process digests destroy events that ctnetlink reports
back and, thanks to the origin infrastructure, we skip the messy
implicit synchronization that is triggered by such events.
This patch requires a Linux kernel >= 2.6.29 to benefit from this
change, otherwise it has no effect.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since Linux kernel 2.6.29, ctnetlink reports the changes that have
been done using ctnetlink. With this patch, conntrackd can recognize
who is the origin of the event messages. For example, this is
interesting to avoid a messy implicit bulk send during the commit
of entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a simple infrastructure that allows to account
the child processes that have been forked. This also includes
a callback handler that can be registered that is called once
the child process finishes.
We can extend this later to include an alarm to limit the
maximum lifetime of a forked child process. This is good to
ensure that child processes behave timely.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch moves the polling logic into the resync handler. The
dump handler action depended on the daemon working mode (polling
or event-driven) resulting in an inconsistent behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds NetlinkOverrunResync. This option can be used to
set the amount of time after which the daemon resynchronizes itself
with the kernel state-table if it detects a Netlink overrun.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch improves the polling support included in 0.9.10. The
polling now consists of getting the state table, waiting for PollSecs,
then purging obsolete entries, and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes:
* nl_init_dump_handler()
* nl_init_request_handler()
* nl_init_resync_handler()
since they all look very similar.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the clause PollSecs that changes the normal
behaviour of conntrackd. With PollSecs set to > 0, conntrackd
polls the entries every N seconds.
This is the opposite of the event-driven behaviour but may
be useful for those that have really strong limitations in terms of
CPU consumption and want to perform a relaxed replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch moves the file descriptor registration after the
initialization instead of having a specific hook for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch is a cleanup. The overrun handler is actually a way to
resynchronize against the conntrack kernel table. The name overrun
was used because it was initially its purpose. The new naming shows
its genericity.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch relaxes the current approach when netlink reports
overruns. There are two situations that can trigger a
resynchronization with the kernel conntrack table:
a) Netlink overruns because the receiver buffer is too small:
increase the netlink buffer size and schedule a resync with the
kernel conntrack table to resolve the inconsistency. The sysadmin
would notice in the logs and will try to set a bigger buffer in
the configuration file.
b) The system is under heavy workload (CPU is too busy): we should
avoid a resync with the kernel table since this is an expensive
operation. We do our best here and keep replicating as many states
as possible. If CPU consumption lowers at some point, then we will
try to resync ourselves.
This patch reduces the chances to resynchronize with the kernel
conntrack table unless two overruns happen within an
interval of 30 seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch shows the current netlink buffer size via `-s runtime'.
# conntrackd -s ru
...
current buffer size (in bytes): 204800
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds run-time statistics that you can check via
`conntrackd -s runtime'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a race condition that triggers EILSEQ errors
(wrong sequence message). The problem is triggered when the child
process resets the timers at the same time that the parent process
requests a resync. Since both the child and the parent process use
the same descriptors, the sequence tracking code in libnfnetlink
gets confused as it considers that it is receiving out of sequence
netlink messages.
This patch introduces internal handlers to commit and reset timers
so that the parent and the child do not use the same descriptors
to operate with the kernel.
This patch changes the prototype of all nf_*_conntrack() functions.
Now, the nfct handler is passed as first parameter; this change is
required to fix this problem. The rest of the changes on the API
are done for consistency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The current wait() error handling was insufficient. This patch
introduces more verbose error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch recovers the option -F for conntrackd. This will be
particularly useful to flush the kernel conntrack table without
getting the event notification of the conntrack deletions
(that will happen with Linux kernel >= 2.6.29).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch is a cleanup. It moves the callbacks from netlink.c to
run.c where they are actually invoked. This is better for code
readability as I usually have to switch from run.c to netlink.c
to remember what the callbacks actually do.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the missing destroy_fds() in the exit path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes a segfault when conntrackd -k is invoked for an
instance of conntrackd with no use of the Filter clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds nl_get_conntrack and it changes the behaviour of
nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for
a conntrack and updates the cached entry. On the other hand,
nl_exist_conntrack only inquires about the existence of the
entry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reworks the user-space filtering. Although we have
kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace
filtering to ensure backward compatibility. Moreover, this patch
prepares the implementation of the kernel-space filtering via
libnetfilter_conntrack's high-level berkeley socket filter API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
only which is incompatible AFAIK
has been Max Kellermann and has no issues with relicensing their contributions.
whitespace cleanups
added struct local_server, several cleanups in local socket infrastructure
This patch includes minor changes by the committer
fix error checking of local_create_server()
- Save initialization stage in the __run() loop
- Pass next_alarm to __run() only if there is an alarm
- Eliminate the "timeout" parameter
- the alarm functions get_next_alarm_run() and do_alarm_run() return a timeval pointer instead of a boolean
improve error message if netlink initialization fails