-rw-r--r--doc/sync/alarm/conntrackd.conf13
-rw-r--r--doc/sync/ftfw/conntrackd.conf13
-rw-r--r--doc/sync/notrack/conntrackd.conf13
-rw-r--r--include/conntrackd.h1
-rw-r--r--src/read_config_lex.l1
-rw-r--r--src/read_config_yy.y23
-rw-r--r--src/run.c8
7 files changed, 67 insertions, 5 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index ad9bcd9..5e44d0d 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -192,6 +192,19 @@ General {
#
SocketBufferSizeMaxGrowth 8388608
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
#
# By default, the daemon receives state updates following an
# event-driven model. You can modify this behaviour by switching to
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 0021ea8..92cd9d1 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -201,6 +201,19 @@ General {
#
SocketBufferSizeMaxGrowth 8388608
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
#
# By default, the daemon receives state updates following an
# event-driven model. You can modify this behaviour by switching to
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index b77d589..c64291b 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -182,6 +182,19 @@ General {
#
SocketBufferSizeMaxGrowth 8388608
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
#
# By default, the daemon receives state updates following an
# event-driven model. You can modify this behaviour by switching to
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 34c7629..4051e94 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -80,6 +80,7 @@ struct ct_conf {
unsigned int purge_timeout; /* purge kernel entries timeout */
unsigned int netlink_buffer_size;
unsigned int netlink_buffer_size_max_grown;
+ unsigned int nl_overrun_resync;
union inet_address *listen_to;
unsigned int listen_to_len;
unsigned int flags;
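Review bot: `nl_overrun_resync` is declared `unsigned int` here, yet the `Off` rule added in src/read_config_yy.y stores `-1` into it and the new test in src/run.c is `CONFIG(nl_overrun_resync) > 0`; after the implicit conversion the field holds UINT_MAX, the test is true, and `Off` schedules the resync alarm with a very large delay instead of suppressing it (exactly how add_alarm treats such a delay is not visible here). Either make the field signed so the sentinel survives, `int nl_overrun_resync; /* secs until resync after a Netlink overrun, <0 disables */`, or keep it unsigned and pick a distinct disabled value — `0` cannot be that value because init_config in the same commit rewrites `0` to the 30 s default. The enclosing `struct ct_conf` begins before this hunk.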
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 9bc4c18..26c6124 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -121,6 +121,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"EventIterationLimit" { return T_EVENT_ITER_LIMIT; }
"Default" { return T_DEFAULT; }
"PollSecs" { return T_POLL_SECS; }
+"NetlinkOverrunResync" { return T_NETLINK_OVERRUN_RESYNC; }
{is_on} { return T_ON; }
{is_off} { return T_OFF; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 049896e..1bea865 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1,6 +1,6 @@
%{
/*
- * (C) 2006-2007 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2006-2009 by Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -61,6 +61,7 @@ static void __max_mcast_dedicated_links_reached(void);
%token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK T_POLL_SECS
%token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE
%token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT
+%token T_NETLINK_OVERRUN_RESYNC
%token <string> T_IP T_PATH_VAL
%token <val> T_NUMBER
@@ -725,6 +726,7 @@ general_line: hashsize
| event_iterations_limit
| poll_secs
| filter
+ | netlink_overrun_resync
;
netlink_buffer_size: T_BUFFER_SIZE T_NUMBER
@@ -737,6 +739,21 @@ netlink_buffer_size_max_grown : T_BUFFER_SIZE_MAX_GROWN T_NUMBER
conf.netlink_buffer_size_max_grown = $2;
};
+netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_ON
+{
+ conf.nl_overrun_resync = 30;
+};
+
+netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_OFF
+{
+ conf.nl_overrun_resync = -1;
+};
+
+netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_NUMBER
+{
+ conf.nl_overrun_resync = $2;
+}
+
family : T_FAMILY T_STRING
{
if (strncmp($2, "IPv6", strlen("IPv6")) == 0)
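Review bot: The `T_NUMBER` alternative accepts `0`, which init_config later treats as "not configured" and silently rewrites to 30, so `NetlinkOverrunResync 0` behaves like `On` rather than as a disabled or rejected setting; the action should reject 0 explicitly or map it to the same disabled value the `Off` rule uses, and the config comment that warns against "a very small value" suggests a documented lower bound would help. Style: the third rule ends with `}` while the two above end with `};`, and the three rules share one left-hand side, so they read more naturally as a single rule with `|` alternatives.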
@@ -1159,5 +1176,9 @@ init_config(char *filename)
if (CONFIG(event_iterations_limit) == 0)
CONFIG(event_iterations_limit) = 100;
+ /* if overrun, automatically resync with kernel after 30 seconds */
+ if (CONFIG(nl_overrun_resync) == 0)
+ CONFIG(nl_overrun_resync) = 30;
+
return 0;
}
diff --git a/src/run.c b/src/run.c
index 81f2590..5c2a3e7 100644
--- a/src/run.c
+++ b/src/run.c
@@ -417,9 +417,6 @@ init(void)
return 0;
}
-/* interval of 30s. for between two overrun */
-#define OVRUN_INT 30
-
static void __run(struct timeval *next_alarm)
{
int ret;
@@ -475,7 +472,10 @@ static void __run(struct timeval *next_alarm)
* we resync ourselves.
*/
nl_resize_socket_buffer(STATE(event));
- add_alarm(&STATE(resync_alarm), OVRUN_INT, 0);
+ if (CONFIG(nl_overrun_resync) > 0) {
+ add_alarm(&STATE(resync_alarm),
+ CONFIG(nl_overrun_resync),0);
+ }
STATE(stats).nl_catch_event_failed++;
STATE(stats).nl_overrun++;
break;
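Review bot: The comment above the new `if` (its start lies before this hunk) still says "we resync ourselves" unconditionally, which is no longer true once `NetlinkOverrunResync Off` is honoured; a one-line note on the branch such as `/* resync is skipped when NetlinkOverrunResync is Off */` would keep it accurate. Style: `CONFIG(nl_overrun_resync),0);` is missing the space after the comma, `CONFIG(nl_overrun_resync), 0);`. `__run` starts and ends outside this hunk.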