author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-12-31 19:10:41 +0100 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-07-07 14:34:45 +0200 |
commit | a5c2a83f907a6a82912165bf2ef67ded13e84bc1 (patch) | |
tree | 6ce6063c1f7a70d7c4549d8be84a73c9c58fb9d4 | |
parent | 5fe142121d73e7e261f9da532288f1857d25897b (diff) | |
conntrackd: open event handler once cache has been populated
With this patch, we open the event handler once the internal
cache (if any) is populated. This reduces the chances of a
possible premature overrun if we launch conntrackd in a busy
firewall. However, we may still start with an internal cache
that may differ a bit from the one in the kernel.
This patch has no impact in setups where conntrackd is started
in a spare firewall.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/run.c | 31 |
1 files changed, 18 insertions, 13 deletions
@@ -355,19 +355,6 @@ init(void)
 	}
 	register_fd(STATE(local).fd, STATE(fds));
-	if (!(CONFIG(flags) & CTD_POLL)) {
-		STATE(event) = nl_init_event_handler();
-		if (STATE(event) == NULL) {
-			dlog(LOG_ERR, "can't open netlink handler: %s",
-			     strerror(errno));
-			dlog(LOG_ERR, "no ctnetlink kernel support?");
-			return -1;
-		}
-		nfct_callback_register2(STATE(event), NFCT_T_ALL,
-					event_handler, NULL);
-		register_fd(nfct_fd(STATE(event)), STATE(fds));
-	}
-
 	/* resynchronize (like 'dump' socket) but it also purges old entries */
 	STATE(resync) = nfct_open(CONNTRACK, 0);
 	if (STATE(resync)== NULL) {
@@ -423,6 +410,24 @@ init(void)
 		dlog(LOG_NOTICE, "running in polling mode");
 	} else {
 		init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm);
+		/*
+		 * The last nfct handler that we register is the event handler.
+		 * The reason to do this is that we may receive events while
+		 * populating the internal cache. Thus, we hit ENOBUFS
+		 * prematurely. However, if we open the event handler before
+		 * populating the internal cache, we may still lose events
+		 * that have occured during the population.
+		 */
+		STATE(event) = nl_init_event_handler();
+		if (STATE(event) == NULL) {
+			dlog(LOG_ERR, "can't open netlink handler: %s",
+			     strerror(errno));
+			dlog(LOG_ERR, "no ctnetlink kernel support?");
+			return -1;
+		}
+		nfct_callback_register2(STATE(event), NFCT_T_ALL,
+					event_handler, NULL);
+		register_fd(nfct_fd(STATE(event)), STATE(fds));
 	}
 	/* Signals handling */ |
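Review bot: The new comment placed after `init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm);` concedes that events arriving while the internal cache is populated are lost, yet nothing in this hunk reconciles that gap once `register_fd(nfct_fd(STATE(event)), STATE(fds));` has run — the resync alarm is only initialised here, not armed. On a busy firewall the internal cache can therefore start out missing flows that a later failover would need to replicate; consider arming `STATE(resync_alarm)` to fire once right after the event handler is registered so the existing `do_overrun_resync_alarm` path performs a startup resync, unless a caller outside this hunk already does so. The enclosing `init()` starts and ends outside the hunk, and the `if` whose else-branch receives the new code presumably tests `CTD_POLL` (its condition is not visible, so `STATE(event)` staying NULL in polling mode is inferred, not shown). Minor: `occured` in the new comment should read `occurred`.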