conntrackd: flush operation use the child process and origin infrastructure

With this patch, the flush operation is performed by a child process.
Thus, the parent process digests destroy events that ctnetlink reports
back and, thanks to the origin infrastructure, we skip the messy
implicit synchronization that are triggered by such events.

This patch requires a Linux kernel >= 2.6.29 to benefit from this
change, otherwise it has no effect.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 27 insertions, 1 deletions

diff --git a/src/sync-mode.c b/src/sync-mode.c
index 91e028e..a0ba830 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -203,11 +203,37 @@ static void interface_handler(void)
 		interface_candidate();
 }
 
+/* this is called once the flusher process has finished */
+static void flush_done_cb(void *data)
+{
+	struct nfct_handle *h = data;
+	origin_unregister(h);
+	nfct_close(h);
+}
+
 static void do_reset_cache_alarm(struct alarm_block *a, void *data)
 {
+	struct nfct_handle *h;
+
+	/* disposable flusher handler */
+	h = nfct_open(CONNTRACK, 0);
+	if (h == NULL) {
+		dlog(LOG_ERR, "cannot open flusher handler");
+		return;
+	}
+	/* register this handler as the origin of a flush operation */
+	origin_register(h, CTD_ORIGIN_FLUSH);
+
 	STATE(stats).nl_kernel_table_flush++;
 	dlog(LOG_NOTICE, "flushing kernel conntrack table (scheduled)");
-	nl_flush_conntrack_table(STATE(request));
+
+	/* fork a child process that performs the flush operation,
+	 * meanwhile the parent process handles events. */
+	if (fork_process_new(flush_done_cb, h) == 0) {
+		nl_flush_conntrack_table(h);
+		exit(EXIT_SUCCESS);
+	}
+	/* this is not required if events don't get lost */
 	cache_flush(STATE_SYNC(internal));
 }