summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2009-12-31 19:10:41 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2010-07-07 14:34:45 +0200
commita5c2a83f907a6a82912165bf2ef67ded13e84bc1 (patch)
tree6ce6063c1f7a70d7c4549d8be84a73c9c58fb9d4
parent5fe142121d73e7e261f9da532288f1857d25897b (diff)
downloadconntrack-tools-a5c2a83f907a6a82912165bf2ef67ded13e84bc1.tar.gz
conntrack-tools-a5c2a83f907a6a82912165bf2ef67ded13e84bc1.zip
conntrackd: open event handler once cache has been populated
With this patch, we open the event handler once the internal cache (if any) is populated. This reduces the chances of a possible premature overrun if we lauch conntrackd in a busy firewall. However, we may still start with an internal cache that may differ a bit from the once in the kernel. This patch has no impact in setups where conntrackd is started in a spare firewall. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/run.c31
1 files changed, 18 insertions, 13 deletions
diff --git a/src/run.c b/src/run.c
index f68dd91..5781939 100644
--- a/src/run.c
+++ b/src/run.c
@@ -355,19 +355,6 @@ init(void)
}
register_fd(STATE(local).fd, STATE(fds));
- if (!(CONFIG(flags) & CTD_POLL)) {
- STATE(event) = nl_init_event_handler();
- if (STATE(event) == NULL) {
- dlog(LOG_ERR, "can't open netlink handler: %s",
- strerror(errno));
- dlog(LOG_ERR, "no ctnetlink kernel support?");
- return -1;
- }
- nfct_callback_register2(STATE(event), NFCT_T_ALL,
- event_handler, NULL);
- register_fd(nfct_fd(STATE(event)), STATE(fds));
- }
-
/* resynchronize (like 'dump' socket) but it also purges old entries */
STATE(resync) = nfct_open(CONNTRACK, 0);
if (STATE(resync)== NULL) {
@@ -423,6 +410,24 @@ init(void)
dlog(LOG_NOTICE, "running in polling mode");
} else {
init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm);
+ /*
+ * The last nfct handler that we register is the event handler.
+ * The reason to do this is that we may receive events while
+ * populating the internal cache. Thus, we hit ENOBUFS
+ * prematurely. However, if we open the event handler before
+ * populating the internal cache, we may still lose events
+ * that have occured during the population.
+ */
+ STATE(event) = nl_init_event_handler();
+ if (STATE(event) == NULL) {
+ dlog(LOG_ERR, "can't open netlink handler: %s",
+ strerror(errno));
+ dlog(LOG_ERR, "no ctnetlink kernel support?");
+ return -1;
+ }
+ nfct_callback_register2(STATE(event), NFCT_T_ALL,
+ event_handler, NULL);
+ register_fd(nfct_fd(STATE(event)), STATE(fds));
}
/* Signals handling */