-rw-r--r-- | doc/sync/alarm/conntrackd.conf | 12 | ||||
-rw-r--r-- | doc/sync/ftfw/conntrackd.conf | 12 | ||||
-rw-r--r-- | doc/sync/notrack/conntrackd.conf | 12 | ||||
-rw-r--r-- | include/conntrackd.h | 2 | ||||
-rw-r--r-- | src/main.c | 4 | ||||
-rw-r--r-- | src/netlink.c | 8 | ||||
-rw-r--r-- | src/read_config_lex.l | 3 | ||||
-rw-r--r-- | src/read_config_yy.y | 16 |
8 files changed, 54 insertions, 15 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 8d34697..6995d6c 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -159,8 +159,16 @@ General {
 # State. The filter is attached to an action that can be: Accept or
 # Ignore. Thus, you can define the event filtering policy of the
 # filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter from Userspace {
 #
 # Accept only certain protocols: You may want to replicate
 # the state of flows depending on their layer 4 protocol.
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 06c3d15..3a2ed0e 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -163,8 +163,16 @@ General {
 # State. The filter is attached to an action that can be: Accept or
 # Ignore. Thus, you can define the event filtering policy of the
 # filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter from Userspace {
 #
 # Accept only certain protocols: You may want to replicate
 # the state of flows depending on their layer 4 protocol.
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 446e981..e9835e8 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -147,8 +147,16 @@ General {
 # State. The filter is attached to an action that can be: Accept or
 # Ignore. Thus, you can define the event filtering policy of the
 # filter-sets in positive or negative logic depending on your needs.
- #
- Filter {
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter from Userspace {
 #
 # Accept only certain protocols: You may want to replicate
 # the state of flows depending on their layer 4 protocol.
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 448d594..dc992db 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -91,7 +91,7 @@ struct ct_conf {
 unsigned int resend_queue_size; /* FTFW protocol */
 unsigned int window_size;
 int cache_write_through;
- int kernel_support_netlink_bsf;
+ int filter_from_kernelspace;
 struct {
 char logfile[FILENAME_MAXLEN];
 int syslog_facility;
@@ -97,10 +97,6 @@ int main(int argc, char *argv[])
 exit(EXIT_FAILURE);
 }
- /* BSF filter attaching does not report unsupported operations */
- if (version >= 2 && major >= 6 && minor >= 26)
- CONFIG(kernel_support_netlink_bsf) = 1;
-
 for (i=1; i<argc; i++) {
 switch(argv[i][1]) {
 case 'd':
diff --git a/src/netlink.c b/src/netlink.c
index 89a4ebc..b8a2a02 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -80,7 +80,7 @@ static int event_handler(enum nf_conntrack_msg_type type,
 void *data)
 {
 /* skip user-space filtering if already do it in the kernel */
- if (ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf)))
+ if (ignore_conntrack(ct, !CONFIG(filter_from_kernelspace)))
 return NFCT_CB_STOP;
 switch(type) {
@@ -113,14 +113,16 @@ int nl_init_event_handler(void)
 return -1;
 if (STATE(filter)) {
- if (CONFIG(kernel_support_netlink_bsf)) {
+ if (CONFIG(filter_from_kernelspace)) {
 if (nfct_filter_attach(nfct_fd(STATE(event)),
 STATE(filter)) == -1) {
 dlog(LOG_ERR, "cannot set event filtering: %s",
 strerror(errno));
 }
 dlog(LOG_NOTICE, "using kernel-space event filtering");
- }
+ } else
+ dlog(LOG_NOTICE, "using user-space event filtering");
+
 nfct_filter_destroy(STATE(filter));
 }
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 79d5b89..cbb6ca8 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
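Review bot: When nfct_filter_attach() fails in the second netlink.c hunk, CONFIG(filter_from_kernelspace) stays set, so event_handler (first hunk) keeps passing `!CONFIG(filter_from_kernelspace)` to ignore_conntrack() and skips user-space filtering as well: the configured Filter block is then not enforced on either side, while the notice still reports kernel-space filtering. Before this commit the kernel-version probe removed from main.c bounded that exposure; now a `Filter from Kernelspace` block on a kernel without BSF support fails open with only an error line in the log. Consider downgrading in the error branch, `CONFIG(filter_from_kernelspace) = 0;` right after the dlog(LOG_ERR, …), and moving the "using kernel-space event filtering" notice into an else so the log reflects the mode actually in effect; the removed main.c comment says attach does not report unsupported operations, so this fallback may not trigger on every kernel. The new unbraced `} else` branch should also take braces like the if it pairs with. nl_init_event_handler starts before this hunk and continues after it.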
@@ -112,6 +112,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "Accept" { return T_ACCEPT; }
 "Ignore" { return T_IGNORE; }
 "PurgeTimeout" { return T_PURGE; }
+"From" { return T_FROM; }
+"Userspace" { return T_USERSPACE; }
+"Kernelspace" { return T_KERNELSPACE; }
 {is_on} { return T_ON; }
 {is_off} { return T_OFF; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 0f6ffdc..06ada52 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -58,6 +58,7 @@ static void __kernel_filter_add_state(int value);
 %token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT
 %token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK
 %token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE
+%token T_FROM T_USERSPACE T_KERNELSPACE
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -686,7 +687,20 @@ family : T_FAMILY T_STRING
 conf.family = AF_INET;
 };
-filter : T_FILTER '{' filter_list '}';
+filter : T_FILTER '{' filter_list '}'
+{
+ CONFIG(filter_from_kernelspace) = 0;
+};
+
+filter : T_FILTER T_FROM T_USERSPACE '{' filter_list '}'
+{
+ CONFIG(filter_from_kernelspace) = 0;
+};
+
+filter : T_FILTER T_FROM T_KERNELSPACE '{' filter_list '}'
+{
+ CONFIG(filter_from_kernelspace) = 1;
+};
 filter_list :
 | filter_list filter_item; |
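Review bot: The new scanner rule `"From"` matches only the capitalized spelling, but the three sample configurations added in this commit (doc/sync/*/conntrackd.conf) write `Filter from Userspace {` in lower case, so the shipped examples will not tokenize unless the scanner is built with `%option caseless`, which is not visible here and which the existing `notrack` pattern suggests is not in use. Either accept both spellings in the style the file already uses for notrack, `[Ff][Rr][Oo][Mm] { return T_FROM; }`, or change the three sample files to `Filter From Userspace {` so the documented keyword and the lexer agree.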
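Review bot: The three `filter` productions leave the bare form undocumented: a reader has to compare the three actions to learn that `Filter {` without a `From` clause keeps user-space filtering. Add a comment above the first rule, e.g. `/* no 'From' keyword: keep user-space filtering, the form that needs no kernel support */`, and consider writing the three as one rule with `|` alternatives so the shared action and the default are visible together. The grammar accepts T_KERNELSPACE unconditionally; per the sample configs this needs a kernel >= 2.6.29, and the only place that requirement is checked is the nfct_filter_attach() call in netlink.c, which the comment on the T_KERNELSPACE rule should point out.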