author | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org> | 2007-11-25 18:08:02 +0000 |
---|---|---|
committer | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org> | 2007-11-25 18:08:02 +0000 |
commit | 3c5e35974c65f4470e6543c2cc772c0f1824dc44 (patch) | |
tree | 11fd67edbffc4c626af730738465108f965eb863 /src/sync-mode.c | |
parent | 66cd168df39bfcf581bb36250a080a66331ee5cd (diff) | |
download | conntrack-tools-3c5e35974c65f4470e6543c2cc772c0f1824dc44.tar.gz conntrack-tools-3c5e35974c65f4470e6543c2cc772c0f1824dc44.zip |
Add CacheWriteThrough clause: external cache write-through policy. This feature is particularly useful for active-active setups without connection persistence, i.e. when you cannot know which firewall will filter a packet that belongs to a connection.
Diffstat (limited to 'src/sync-mode.c')
-rw-r--r-- | src/sync-mode.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/src/sync-mode.c b/src/sync-mode.c
index e48b121..8a19ac5 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -147,6 +147,10 @@ static int init_sync(void)
 return -1;
 }
 
+ /* straight forward commit of conntrack to kernel space */
+ if (CONFIG(cache_write_through))
+ STATE_SYNC(sync)->external_cache_flags |= WRITE_THROUGH;
+
 STATE_SYNC(external) =
 cache_create("external",
 STATE_SYNC(sync)->external_cache_flags,
@@ -301,8 +305,10 @@ static int local_handler_sync(int fd, int type, void *data)
 
 static void dump_sync(struct nf_conntrack *ct)
 {
+ if (!CONFIG(cache_write_through))
+ nfct_attr_unset(ct, ATTR_TIMEOUT);
+
 /* This is required by kernels < 2.6.20 */
- nfct_attr_unset(ct, ATTR_TIMEOUT);
 nfct_attr_unset(ct, ATTR_ORIG_COUNTER_BYTES);
 nfct_attr_unset(ct, ATTR_ORIG_COUNTER_PACKETS);
 nfct_attr_unset(ct, ATTR_REPL_COUNTER_BYTES);
@@ -339,8 +345,10 @@ static int overrun_cb(enum nf_conntrack_msg_type type,
 if (ignore_conntrack(ct))
 return NFCT_CB_CONTINUE;
 
+ if (!CONFIG(cache_write_through))
+ nfct_attr_unset(ct, ATTR_TIMEOUT);
+
 /* This is required by kernels < 2.6.20 */
- nfct_attr_unset(ct, ATTR_TIMEOUT);
 nfct_attr_unset(ct, ATTR_ORIG_COUNTER_BYTES);
 nfct_attr_unset(ct, ATTR_ORIG_COUNTER_PACKETS);
 nfct_attr_unset(ct, ATTR_REPL_COUNTER_BYTES);
@@ -420,12 +428,14 @@ static void event_new_sync(struct nf_conntrack *ct)
 {
 struct us_conntrack *u;
 
+ if (!CONFIG(cache_write_through))
+ nfct_attr_unset(ct, ATTR_TIMEOUT);
+
 /* required by linux kernel <= 2.6.20 */
 nfct_attr_unset(ct, ATTR_ORIG_COUNTER_BYTES);
 nfct_attr_unset(ct, ATTR_ORIG_COUNTER_PACKETS);
 nfct_attr_unset(ct, ATTR_REPL_COUNTER_BYTES);
 nfct_attr_unset(ct, ATTR_REPL_COUNTER_PACKETS);
- nfct_attr_unset(ct, ATTR_TIMEOUT);
 retry:
 if ((u = cache_add(STATE_SYNC(internal), ct))) {
 mcast_send_sync(u, ct, NFCT_Q_CREATE);
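Review bot: The comment added in init_sync, `/* straight forward commit of conntrack to kernel space */`, does not tell an operator what the flag changes: with WRITE_THROUGH set on the external cache, states received from the peer are presumably committed to the local kernel table as they arrive instead of only being held in the cache. That makes the sync channel an input to the live filtering state, so the comment and the CacheWriteThrough documentation should say the option is meant for a dedicated, trusted sync link; something like `/* write-through: states received from the peer are committed to the kernel table immediately, so the sync link must be trusted */`. Separately, the `|=` changes `external_cache_flags` on the sync-mode descriptor in place and nothing visible clears it, so if init_sync can run again after the option is turned off the flag would stay set. init_sync's body starts and ends outside the hunk, so that needs checking there.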
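Review bot: The guard `if (!CONFIG(cache_write_through)) nfct_attr_unset(ct, ATTR_TIMEOUT);` is pasted without a comment into dump_sync here and again in overrun_cb, event_new_sync, event_update_sync and event_destroy_sync, so the next change to the policy has five places to miss. A small static helper, for example `static void strip_timeout(struct nf_conntrack *ct)` called as `strip_timeout(ct);`, holding the test and a one-line comment such as `/* keep the timeout only when the peer commits states to its kernel table */`, would keep the call sites in step. In dump_sync and overrun_cb the existing `/* This is required by kernels < 2.6.20 */` comment used to sit above the timeout unset as well and now covers only the counters, which the new code should state rather than leave implied. All five function bodies continue outside their hunks.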
@@ -447,7 +457,8 @@ static void event_update_sync(struct nf_conntrack *ct)
 {
 struct us_conntrack *u;
 
- nfct_attr_unset(ct, ATTR_TIMEOUT);
+ if (!CONFIG(cache_write_through))
+ nfct_attr_unset(ct, ATTR_TIMEOUT);
 
 if ((u = cache_update_force(STATE_SYNC(internal), ct)) == NULL) {
 debug_ct(ct, "can't update");
@@ -459,7 +470,8 @@ static void event_update_sync(struct nf_conntrack *ct)
 
 static int event_destroy_sync(struct nf_conntrack *ct)
 {
- nfct_attr_unset(ct, ATTR_TIMEOUT);
+ if (!CONFIG(cache_write_through))
+ nfct_attr_unset(ct, ATTR_TIMEOUT);
 
 if (cache_del(STATE_SYNC(internal), ct)) {
 mcast_send_sync(NULL, ct, NFCT_Q_DESTROY);
|
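Review bot: In event_destroy_sync the timeout is now left on `ct` in write-through mode before `cache_del(STATE_SYNC(internal), ct)` and `mcast_send_sync(NULL, ct, NFCT_Q_DESTROY)`, yet a destroy message has no obvious use for a remaining lifetime. Unless the receiver needs it, keeping the unconditional `nfct_attr_unset(ct, ATTR_TIMEOUT);` in this one function would avoid sending a stale value to the peer. It would also keep the cache_del lookup independent of the option, in case that lookup compares more than the tuple, which is not visible here. If the attribute is required on destroy, a comment saying why belongs above the test. The function body continues outside the hunk.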