diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-06-11 19:34:54 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-06-11 19:34:54 +0200 |
commit | 9163f4673d919658c94f9de4ca32a2e9dacce2fd (patch) | |
tree | b6b26f63b2f5643c01a222c0717ad45e7894a2ff | |
parent | 6dad06ec56eeb942a1785246bf91fe7100a21c7e (diff) | |
download | conntrack-tools-9163f4673d919658c94f9de4ca32a2e9dacce2fd.tar.gz conntrack-tools-9163f4673d919658c94f9de4ca32a2e9dacce2fd.zip |
conntrackd: use a permanent handler for commit operations
This patch adds a dedicated commit handler since there is a possible
race condition that can happen if the child process ends before we
have received all the event messages that the commit request has
triggered.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | include/conntrackd.h | 2 | ||||
-rw-r--r-- | src/sync-mode.c | 35 |
2 files changed, 15 insertions, 22 deletions
diff --git a/include/conntrackd.h b/include/conntrackd.h index c5f6659..7a63f97 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -166,6 +166,8 @@ struct ct_sync_state { struct cache *internal; /* internal events cache (netlink) */ struct cache *external; /* external events cache (mcast) */ + struct nfct_handle *commit; + struct multichannel *channel; struct nlif_handle *interface; struct queue *tx_queue; diff --git a/src/sync-mode.c b/src/sync-mode.c index 102ecac..dca6eee 100644 --- a/src/sync-mode.c +++ b/src/sync-mode.c @@ -298,6 +298,13 @@ static int init_sync(void) STATE(fds)) == -1) return -1; + STATE_SYNC(commit) = nfct_open(CONNTRACK, 0); + if (STATE_SYNC(commit) == NULL) { + dlog(LOG_ERR, "can't create handler to commit"); + return -1; + } + origin_register(STATE_SYNC(commit), CTD_ORIGIN_COMMIT); + init_alarm(&STATE_SYNC(reset_cache_alarm), NULL, do_reset_cache_alarm); /* initialization of message sequence generation */ @@ -337,6 +344,9 @@ static void kill_sync(void) queue_destroy(STATE_SYNC(tx_queue)); + origin_unregister(STATE_SYNC(commit)); + nfct_close(STATE_SYNC(commit)); + if (STATE_SYNC(sync)->kill) STATE_SYNC(sync)->kill(); } @@ -390,14 +400,6 @@ static void dump_stats_sync_extended(int fd) send(fd, buf, size, 0); } -/* this is called once the committer process has finished */ -static void commit_done_cb(void *data) -{ - struct nfct_handle *h = data; - origin_unregister(h); - nfct_close(h); -} - /* handler for requests coming via UNIX socket */ static int local_handler_sync(int fd, int type, void *data) { @@ -432,30 +434,19 @@ static int local_handler_sync(int fd, int type, void *data) exit(EXIT_SUCCESS); } break; - case COMMIT: { - struct nfct_handle *h; - + case COMMIT: /* delete the reset alarm if any before committing */ del_alarm(&STATE_SYNC(reset_cache_alarm)); - /* disposable handler for commit operations */ - h = nfct_open(CONNTRACK, 0); - if (h == NULL) { - dlog(LOG_ERR, "can't create handler to commit"); - break; - } - origin_register(h, CTD_ORIGIN_COMMIT); - /* fork new process and insert it the process list */ ret = fork_process_new(CTD_PROC_COMMIT, CTD_PROC_F_EXCL, - commit_done_cb, h); + NULL, NULL); if (ret == 0) { dlog(LOG_NOTICE, "committing external cache"); - cache_commit(STATE_SYNC(external), h); + cache_commit(STATE_SYNC(external), STATE_SYNC(commit)); exit(EXIT_SUCCESS); } break; - } case RESET_TIMERS: if (!alarm_pending(&STATE_SYNC(reset_cache_alarm))) { dlog(LOG_NOTICE, "flushing conntrack table in %d secs", |