-rw-r--r-- | doc/sync/alarm/conntrackd.conf | 13 | ||||
-rw-r--r-- | doc/sync/ftfw/conntrackd.conf | 13 | ||||
-rw-r--r-- | doc/sync/notrack/conntrackd.conf | 13 | ||||
-rw-r--r-- | include/conntrackd.h | 1 | ||||
-rw-r--r-- | src/read_config_lex.l | 1 | ||||
-rw-r--r-- | src/read_config_yy.y | 23 | ||||
-rw-r--r-- | src/run.c | 8 |
7 files changed, 67 insertions, 5 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index ad9bcd9..5e44d0d 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -192,6 +192,19 @@ General {
 # SocketBufferSizeMaxGrowth 8388608
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
 #
 # By default, the daemon receives state updates following an
 # event-driven model. You can modify this behaviour by switching to
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 0021ea8..92cd9d1 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -201,6 +201,19 @@ General {
 # SocketBufferSizeMaxGrowth 8388608
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
 #
 # By default, the daemon receives state updates following an
 # event-driven model. You can modify this behaviour by switching to
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index b77d589..c64291b 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -182,6 +182,19 @@ General {
 # SocketBufferSizeMaxGrowth 8388608
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
 #
 # By default, the daemon receives state updates following an
 # event-driven model. You can modify this behaviour by switching to
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 34c7629..4051e94 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -80,6 +80,7 @@ struct ct_conf {
 unsigned int purge_timeout; /* purge kernel entries timeout */
 unsigned int netlink_buffer_size;
 unsigned int netlink_buffer_size_max_grown;
+ unsigned int nl_overrun_resync;
 union inet_address *listen_to;
 unsigned int listen_to_len;
 unsigned int flags;
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 9bc4c18..26c6124 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -121,6 +121,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "EventIterationLimit" { return T_EVENT_ITER_LIMIT; }
 "Default" { return T_DEFAULT; }
 "PollSecs" { return T_POLL_SECS; }
+"NetlinkOverrunResync" { return T_NETLINK_OVERRUN_RESYNC; }
 {is_on} { return T_ON; }
 {is_off} { return T_OFF; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 049896e..1bea865 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1,6 +1,6 @@
 %{
 /*
- * (C) 2006-2007 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2006-2009 by Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -61,6 +61,7 @@ static void __max_mcast_dedicated_links_reached(void);
 %token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK T_POLL_SECS
 %token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE
 %token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT
+%token T_NETLINK_OVERRUN_RESYNC
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -725,6 +726,7 @@ general_line: hashsize
 | event_iterations_limit
 | poll_secs
 | filter
+ | netlink_overrun_resync
 ;
 netlink_buffer_size: T_BUFFER_SIZE T_NUMBER
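Review bot: `nl_overrun_resync` is declared `unsigned int`, but the src/read_config_yy.y hunk stores `-1` for `NetlinkOverrunResync Off` and the src/run.c hunk gates the alarm on `CONFIG(nl_overrun_resync) > 0`; as unsigned, -1 becomes UINT_MAX, that guard is true, and Off would still arm the resync alarm with a huge interval instead of disabling it (the exact effect depends on add_alarm's parameter type, which is not in the diff). Declaring it `int nl_overrun_resync; /* secs before resync after a Netlink overrun; -1 = Off */` makes the Off sentinel and the `> 0` test consistent. The struct ct_conf definition continues outside the hunk.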
@@ -737,6 +739,21 @@ netlink_buffer_size_max_grown : T_BUFFER_SIZE_MAX_GROWN T_NUMBER
 conf.netlink_buffer_size_max_grown = $2;
 };
+netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_ON
+{
+ conf.nl_overrun_resync = 30;
+};
+
+netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_OFF
+{
+ conf.nl_overrun_resync = -1;
+};
+
+netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_NUMBER
+{
+ conf.nl_overrun_resync = $2;
+}
+
 family : T_FAMILY T_STRING
 {
 if (strncmp($2, "IPv6", strlen("IPv6")) == 0)
@@ -1159,5 +1176,9 @@ init_config(char *filename)
 if (CONFIG(event_iterations_limit) == 0)
 CONFIG(event_iterations_limit) = 100;
+ /* if overrun, automatically resync with kernel after 30 seconds */
+ if (CONFIG(nl_overrun_resync) == 0)
+ CONFIG(nl_overrun_resync) = 30;
+
 return 0;
 }
@@ -417,9 +417,6 @@ init(void)
 return 0;
 }
-/* interval of 30s. for between two overrun */
-#define OVRUN_INT 30
-
 static void __run(struct timeval *next_alarm)
 {
 int ret;
@@ -475,7 +472,10 @@ static void __run(struct timeval *next_alarm)
 * we resync ourselves.
 */
 nl_resize_socket_buffer(STATE(event));
- add_alarm(&STATE(resync_alarm), OVRUN_INT, 0);
+ if (CONFIG(nl_overrun_resync) > 0) {
+ add_alarm(&STATE(resync_alarm),
+ CONFIG(nl_overrun_resync),0);
+ }
 STATE(stats).nl_catch_event_failed++;
 STATE(stats).nl_overrun++;
 break;
|
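Review bot: The `T_NUMBER` action stores `$2` unchecked, so an explicit `NetlinkOverrunResync 0` is indistinguishable from "clause absent" and the init_config hunk below silently turns it into the 30-second default, while any other value the lexer lets through goes straight into the field and from there into add_alarm. If 0 is not a meaningful interval, reject it in the action rather than relying on the later fix-up (the grammar's error-reporting convention is not visible in this hunk). Cosmetically, the third action closes with `}` where the other two close with `};`; `+}` → `+};` keeps the three rules uniform.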
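Review bot: The comment just above the new guard (its first lines are outside the hunk) still says the daemon resyncs itself after an overrun, which is no longer unconditional once `NetlinkOverrunResync Off` is configured; extend it with `Unless NetlinkOverrunResync is Off, schedule a full resync with the kernel.` so the skipped case is documented where the decision is made. Minor style: `CONFIG(nl_overrun_resync),0);` wants a space after the comma, and the call fits on one line. __run begins outside the hunk.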