authorPablo Neira Ayuso <pablo@netfilter.org>2008-11-18 10:33:33 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2008-11-18 10:33:33 +0100
commit6d8903cbf33ac10e8e03f884a58e374adc366887 (patch)
tree23c0ae1222a109b6d91da3377f6e7a91e81a4ce0
parentd6f1b4be37e97dabb5de2d9ae664ef8afeec37ae (diff)
filter: choose the filtering method via configuration file
This patch changes the current behaviour of the filtering selection. Up to now, conntrackd has used the kernel version to select the filtering method based on the following logic: If kernel is >= 2.6.26 we use BSF-based filtering from kernel-space, otherwise, default to userspace. However, this filtering method still lacks IPv6 support and it requires a patch that got into 2.6.29 to filter IPv6 addresses from kernel-space. To fix this issue, we default to user-space filtering and let the user choose the method via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/sync/alarm/conntrackd.conf12
-rw-r--r--doc/sync/ftfw/conntrackd.conf12
-rw-r--r--doc/sync/notrack/conntrackd.conf12
-rw-r--r--include/conntrackd.h2
-rw-r--r--src/main.c4
-rw-r--r--src/netlink.c8
-rw-r--r--src/read_config_lex.l3
-rw-r--r--src/read_config_yy.y16
8 files changed, 54 insertions, 15 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 8d34697..6995d6c 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -159,8 +159,16 @@ General {
# State. The filter is attached to an action that can be: Accept or
# Ignore. Thus, you can define the event filtering policy of the
# filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter from Userspace {
#
# Accept only certain protocols: You may want to replicate
# the state of flows depending on their layer 4 protocol.
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 06c3d15..3a2ed0e 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -163,8 +163,16 @@ General {
# State. The filter is attached to an action that can be: Accept or
# Ignore. Thus, you can define the event filtering policy of the
# filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter from Userspace {
#
# Accept only certain protocols: You may want to replicate
# the state of flows depending on their layer 4 protocol.
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 446e981..e9835e8 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -147,8 +147,16 @@ General {
# State. The filter is attached to an action that can be: Accept or
# Ignore. Thus, you can define the event filtering policy of the
# filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter from Userspace {
#
# Accept only certain protocols: You may want to replicate
# the state of flows depending on their layer 4 protocol.
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 448d594..dc992db 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -91,7 +91,7 @@ struct ct_conf {
unsigned int resend_queue_size; /* FTFW protocol */
unsigned int window_size;
int cache_write_through;
- int kernel_support_netlink_bsf;
+ int filter_from_kernelspace;
struct {
char logfile[FILENAME_MAXLEN];
int syslog_facility;
diff --git a/src/main.c b/src/main.c
index d6aa938..f811acf 100644
--- a/src/main.c
+++ b/src/main.c
@@ -97,10 +97,6 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
- /* BSF filter attaching does not report unsupported operations */
- if (version >= 2 && major >= 6 && minor >= 26)
- CONFIG(kernel_support_netlink_bsf) = 1;
-
for (i=1; i<argc; i++) {
switch(argv[i][1]) {
case 'd':
diff --git a/src/netlink.c b/src/netlink.c
index 89a4ebc..b8a2a02 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -80,7 +80,7 @@ static int event_handler(enum nf_conntrack_msg_type type,
void *data)
{
/* skip user-space filtering if already do it in the kernel */
- if (ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf)))
+ if (ignore_conntrack(ct, !CONFIG(filter_from_kernelspace)))
return NFCT_CB_STOP;
switch(type) {
@@ -113,14 +113,16 @@ int nl_init_event_handler(void)
return -1;
if (STATE(filter)) {
- if (CONFIG(kernel_support_netlink_bsf)) {
+ if (CONFIG(filter_from_kernelspace)) {
if (nfct_filter_attach(nfct_fd(STATE(event)),
STATE(filter)) == -1) {
dlog(LOG_ERR, "cannot set event filtering: %s",
strerror(errno));
}
dlog(LOG_NOTICE, "using kernel-space event filtering");
- }
+ } else
+ dlog(LOG_NOTICE, "using user-space event filtering");
+
nfct_filter_destroy(STATE(filter));
}
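Review bot: When nfct_filter_attach fails in the error branch of this hunk, the code logs the failure but leaves `CONFIG(filter_from_kernelspace)` set, so event_handler in the previous hunk still passes a false flag to ignore_conntrack and the daemon ends up with no event filtering at all — neither the kernel filter that was never attached nor the user-space one it was told to skip. Now that the mode comes from the configuration file instead of a kernel-version gate, a user selecting Kernelspace on a kernel that rejects the filter reaches this path with only the LOG_ERR line as a hint, and the following NOTICE still claims kernel-space filtering. I would fall back to user-space filtering on attach failure and log the mode actually in effect, which also gives the new `else` branch the braces the `if` already has. The removed main.c comment says attaching does not report unsupported operations, so this only covers the failures that attach does return. nl_init_event_handler starts before and ends after the hunk.
```c
	if (STATE(filter)) {
		if (CONFIG(filter_from_kernelspace) &&
		    nfct_filter_attach(nfct_fd(STATE(event)),
				       STATE(filter)) == -1) {
			dlog(LOG_ERR, "cannot set event filtering: %s",
			     strerror(errno));
			/* fall back so event_handler keeps filtering in user-space */
			CONFIG(filter_from_kernelspace) = 0;
		}
		dlog(LOG_NOTICE, "using %s-space event filtering",
		     CONFIG(filter_from_kernelspace) ? "kernel" : "user");
		nfct_filter_destroy(STATE(filter));
	}
```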
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 79d5b89..cbb6ca8 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -112,6 +112,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"Accept" { return T_ACCEPT; }
"Ignore" { return T_IGNORE; }
"PurgeTimeout" { return T_PURGE; }
+"From" { return T_FROM; }
+"Userspace" { return T_USERSPACE; }
+"Kernelspace" { return T_KERNELSPACE; }
{is_on} { return T_ON; }
{is_off} { return T_OFF; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 0f6ffdc..06ada52 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -58,6 +58,7 @@ static void __kernel_filter_add_state(int value);
%token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT
%token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK
%token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE
+%token T_FROM T_USERSPACE T_KERNELSPACE
%token <string> T_IP T_PATH_VAL
%token <val> T_NUMBER
@@ -686,7 +687,20 @@ family : T_FAMILY T_STRING
conf.family = AF_INET;
};
-filter : T_FILTER '{' filter_list '}';
+filter : T_FILTER '{' filter_list '}'
+{
+ CONFIG(filter_from_kernelspace) = 0;
+};
+
+filter : T_FILTER T_FROM T_USERSPACE '{' filter_list '}'
+{
+ CONFIG(filter_from_kernelspace) = 0;
+};
+
+filter : T_FILTER T_FROM T_KERNELSPACE '{' filter_list '}'
+{
+ CONFIG(filter_from_kernelspace) = 1;
+};
filter_list :
| filter_list filter_item;
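Review bot: The three new `filter` alternatives run their action only when the closing `}` is reduced, i.e. after every filter_item action inside filter_list has already executed, so `CONFIG(filter_from_kernelspace)` still holds its previous value while the filter items are being added. If any item action (for example the `__kernel_filter_add_state` declared in the first hunk) behaves differently depending on the selected mode, it would see the stale value; whether one does is not visible here, so that part is inferred. Moving the selection into a small nonterminal parsed before `{` sets the flag first and collapses the three near-identical rules into one, with the empty alternative keeping the old `Filter {` syntax as the user-space default.
```yacc
filter : T_FILTER filter_from '{' filter_list '}';

/* selects the filtering mode before the filter items are parsed */
filter_from : /* empty: plain "Filter {" keeps user-space as the default */
            { CONFIG(filter_from_kernelspace) = 0; }
            | T_FROM T_USERSPACE
            { CONFIG(filter_from_kernelspace) = 0; }
            | T_FROM T_KERNELSPACE
            { CONFIG(filter_from_kernelspace) = 1; };
```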