diff options
Diffstat (limited to 'src/run.c')
-rw-r--r-- | src/run.c | 477 |
1 files changed, 14 insertions, 463 deletions
@@ -45,24 +45,12 @@ void killer(int foo) /* no signals while handling signals */ sigprocmask(SIG_BLOCK, &STATE(block), NULL); - if (!(CONFIG(flags) & CTD_POLL)) - nfct_close(STATE(event)); - - nfct_close(STATE(resync)); - nfct_close(STATE(get)); - origin_unregister(STATE(flush)); - nfct_close(STATE(flush)); - - if (STATE(us_filter)) - ct_filter_destroy(STATE(us_filter)); local_server_destroy(&STATE(local)); - STATE(mode)->kill(); - if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) { - nfct_close(STATE(dump)); - } - destroy_fds(STATE(fds)); + if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE)) + ctnl_kill(); + destroy_fds(STATE(fds)); unlink(CONFIG(lockfile)); dlog(LOG_NOTICE, "---- shutdown received ----"); close_log(); @@ -187,62 +175,6 @@ static void dump_stats_runtime(int fd) send(fd, buf, size, 0); } -static void local_flush_master(void) -{ - STATE(stats).nl_kernel_table_flush++; - dlog(LOG_NOTICE, "flushing kernel conntrack table"); - - /* fork a child process that performs the flush operation, - * meanwhile the parent process handles events. */ - if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL, - NULL, NULL) == 0) { - nl_flush_conntrack_table(STATE(flush)); - exit(EXIT_SUCCESS); - } -} - -static void local_resync_master(void) -{ - if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) { - STATE(stats).nl_kernel_table_resync++; - dlog(LOG_NOTICE, "resync with master conntrack table"); - nl_dump_conntrack_table(STATE(dump)); - } else { - dlog(LOG_NOTICE, "resync is unsupported in this mode"); - } -} - -static void local_exp_flush_master(void) -{ - if (!(CONFIG(flags) & CTD_EXPECT)) - return; - - STATE(stats).nl_kernel_table_flush++; - dlog(LOG_NOTICE, "flushing kernel expect table"); - - /* fork a child process that performs the flush operation, - * meanwhile the parent process handles events. */ - if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL, - NULL, NULL) == 0) { - nl_flush_expect_table(STATE(flush)); - exit(EXIT_SUCCESS); - } -} - -static void local_exp_resync_master(void) -{ - if (!(CONFIG(flags) & CTD_EXPECT)) - return; - - if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) { - STATE(stats).nl_kernel_table_resync++; - dlog(LOG_NOTICE, "resync with master expect table"); - nl_dump_expect_table(STATE(dump)); - } else { - dlog(LOG_NOTICE, "resync is unsupported in this mode"); - } -} - static int local_handler(int fd, void *data) { int ret = LOCAL_RET_OK; @@ -253,26 +185,9 @@ static int local_handler(int fd, void *data) return LOCAL_RET_OK; } switch(type) { - case CT_FLUSH_MASTER: - local_flush_master(); - break; - case CT_RESYNC_MASTER: - local_resync_master(); - break; - case EXP_FLUSH_MASTER: - local_exp_flush_master(); - break; - case EXP_RESYNC_MASTER: - local_exp_resync_master(); - break; - case ALL_FLUSH_MASTER: - local_flush_master(); - local_exp_flush_master(); - break; - case ALL_RESYNC_MASTER: - local_resync_master(); - local_exp_resync_master(); - break; + case KILL: + killer(0); + break; case STATS_RUNTIME: dump_stats_runtime(fd); break; @@ -281,183 +196,10 @@ static int local_handler(int fd, void *data) break; } - ret = STATE(mode)->local(fd, type, data); - if (ret == LOCAL_RET_ERROR) { - STATE(stats).local_unknown_request++; - return LOCAL_RET_ERROR; - } - return ret; -} - -static void do_overrun_resync_alarm(struct alarm_block *a, void *data) -{ - nl_send_resync(STATE(resync)); - STATE(stats).nl_kernel_table_resync++; -} - -static void do_polling_alarm(struct alarm_block *a, void *data) -{ - if (STATE(mode)->internal->ct.purge) - STATE(mode)->internal->ct.purge(); - - if (STATE(mode)->internal->exp.purge) - STATE(mode)->internal->exp.purge(); - - nl_send_resync(STATE(resync)); - nl_send_expect_resync(STATE(resync)); - add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0); -} - -static int event_handler(const struct nlmsghdr *nlh, - enum nf_conntrack_msg_type type, - struct nf_conntrack *ct, - void *data) -{ - int origin_type; - - STATE(stats).nl_events_received++; - - /* skip user-space filtering if already do it in the kernel */ - if (ct_filter_conntrack(ct, !CONFIG(filter_from_kernelspace))) { - STATE(stats).nl_events_filtered++; - goto out; - } - - origin_type = origin_find(nlh); - - switch(type) { - case NFCT_T_NEW: - STATE(mode)->internal->ct.new(ct, origin_type); - break; - case NFCT_T_UPDATE: - STATE(mode)->internal->ct.upd(ct, origin_type); - break; - case NFCT_T_DESTROY: - if (STATE(mode)->internal->ct.del(ct, origin_type)) - update_traffic_stats(ct); - break; - default: - STATE(stats).nl_events_unknown_type++; - break; - } - -out: - /* we reset the iteration limiter in the main select loop. */ - if (STATE(event_iterations_limit)-- <= 0) - return NFCT_CB_STOP; - else - return NFCT_CB_CONTINUE; -} - -static int exp_event_handler(const struct nlmsghdr *nlh, - enum nf_conntrack_msg_type type, - struct nf_expect *exp, - void *data) -{ - int origin_type; - const struct nf_conntrack *master = - nfexp_get_attr(exp, ATTR_EXP_MASTER); - - STATE(stats).nl_events_received++; - - if (!exp_filter_find(STATE(exp_filter), exp)) { - STATE(stats).nl_events_filtered++; - goto out; - } - if (ct_filter_conntrack(master, 1)) - return NFCT_CB_CONTINUE; - - origin_type = origin_find(nlh); - - switch(type) { - case NFCT_T_NEW: - STATE(mode)->internal->exp.new(exp, origin_type); - break; - case NFCT_T_UPDATE: - STATE(mode)->internal->exp.upd(exp, origin_type); - break; - case NFCT_T_DESTROY: - STATE(mode)->internal->exp.del(exp, origin_type); - break; - default: - STATE(stats).nl_events_unknown_type++; - break; - } - -out: - /* we reset the iteration limiter in the main select loop. */ - if (STATE(event_iterations_limit)-- <= 0) - return NFCT_CB_STOP; - else - return NFCT_CB_CONTINUE; -} + if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE)) + return ctnl_local(fd, type, data); -static int dump_handler(enum nf_conntrack_msg_type type, - struct nf_conntrack *ct, - void *data) -{ - if (ct_filter_conntrack(ct, 1)) - return NFCT_CB_CONTINUE; - - switch(type) { - case NFCT_T_UPDATE: - STATE(mode)->internal->ct.populate(ct); - break; - default: - STATE(stats).nl_dump_unknown_type++; - break; - } - return NFCT_CB_CONTINUE; -} - -static int exp_dump_handler(enum nf_conntrack_msg_type type, - struct nf_expect *exp, void *data) -{ - const struct nf_conntrack *master = - nfexp_get_attr(exp, ATTR_EXP_MASTER); - - if (!exp_filter_find(STATE(exp_filter), exp)) - return NFCT_CB_CONTINUE; - - if (ct_filter_conntrack(master, 1)) - return NFCT_CB_CONTINUE; - - switch(type) { - case NFCT_T_UPDATE: - STATE(mode)->internal->exp.populate(exp); - break; - default: - STATE(stats).nl_dump_unknown_type++; - break; - } - return NFCT_CB_CONTINUE; -} - -static int get_handler(enum nf_conntrack_msg_type type, - struct nf_conntrack *ct, - void *data) -{ - if (ct_filter_conntrack(ct, 1)) - return NFCT_CB_CONTINUE; - - STATE(get_retval) = 1; - return NFCT_CB_CONTINUE; -} - -static int exp_get_handler(enum nf_conntrack_msg_type type, - struct nf_expect *exp, void *data) -{ - const struct nf_conntrack *master = - nfexp_get_attr(exp, ATTR_EXP_MASTER); - - if (!exp_filter_find(STATE(exp_filter), exp)) - return NFCT_CB_CONTINUE; - - if (ct_filter_conntrack(master, 1)) - return NFCT_CB_CONTINUE; - - STATE(get_retval) = 1; - return NFCT_CB_CONTINUE; + return ret; } /* order received via UNIX socket */ @@ -466,109 +208,17 @@ static void local_cb(void *data) do_local_server_step(&STATE(local), NULL, local_handler); } -/* we have received an event from ctnetlink */ -static void event_cb(void *data) -{ - int ret; - - ret = nfct_catch(STATE(event)); - /* reset event iteration limit counter */ - STATE(event_iterations_limit) = CONFIG(event_iterations_limit); - if (ret == -1) { - switch(errno) { - case ENOBUFS: - /* We have hit ENOBUFS, it's likely that we are - * losing events. Two possible situations may - * trigger this error: - * - * 1) The netlink receiver buffer is too small: - * increasing the netlink buffer size should - * be enough. However, some event messages - * got lost. We have to resync ourselves - * with the kernel table conntrack table to - * resolve the inconsistency. - * - * 2) The receiver is too slow to process the - * netlink messages so that the queue gets - * full quickly. This generally happens - * if the system is under heavy workload - * (busy CPU). In this case, increasing the - * size of the netlink receiver buffer - * would not help anymore since we would - * be delaying the overrun. Moreover, we - * should avoid resynchronizations. We - * should do our best here and keep - * replicating as much states as possible. - * If workload lowers at some point, - * we resync ourselves. - */ - nl_resize_socket_buffer(STATE(event)); - if (CONFIG(nl_overrun_resync) > 0 && - STATE(mode)->internal->flags & INTERNAL_F_RESYNC) { - add_alarm(&STATE(resync_alarm), - CONFIG(nl_overrun_resync),0); - } - STATE(stats).nl_catch_event_failed++; - STATE(stats).nl_overrun++; - break; - case ENOENT: - /* - * We received a message from another - * netfilter subsystem that we are not - * interested in. Just ignore it. - */ - break; - case EAGAIN: - /* No more events to receive, try later. */ - break; - default: - STATE(stats).nl_catch_event_failed++; - break; - } - } -} - -/* we previously requested a resync due to buffer overrun. */ -static void resync_cb(void *data) -{ - nfct_catch(STATE(resync)); - if (STATE(mode)->internal->ct.purge) - STATE(mode)->internal->ct.purge(); -} - -static void poll_cb(void *data) -{ - nfct_catch(STATE(resync)); -} - int init(void) { do_gettimeofday(); - if (CONFIG(flags) & CTD_STATS_MODE) - STATE(mode) = &stats_mode; - else if (CONFIG(flags) & CTD_SYNC_MODE) - STATE(mode) = &sync_mode; - else { - fprintf(stderr, "WARNING: No running mode specified. " - "Defaulting to statistics mode.\n"); - CONFIG(flags) |= CTD_STATS_MODE; - STATE(mode) = &stats_mode; - } - STATE(fds) = create_fds(); if (STATE(fds) == NULL) { dlog(LOG_ERR, "can't create file descriptor pool"); return -1; } - /* Initialization */ - if (STATE(mode)->init() == -1) { - dlog(LOG_ERR, "initialization failed"); - return -1; - } - /* local UNIX socket */ if (local_server_create(&STATE(local), &CONFIG(local)) == -1) { dlog(LOG_ERR, "can't open unix socket!"); @@ -576,110 +226,6 @@ init(void) } register_fd(STATE(local).fd, local_cb, NULL, STATE(fds)); - /* resynchronize (like 'dump' socket) but it also purges old entries */ - STATE(resync) = nfct_open(CONFIG(netlink).subsys_id, 0); - if (STATE(resync)== NULL) { - dlog(LOG_ERR, "can't open netlink handler: %s", - strerror(errno)); - dlog(LOG_ERR, "no ctnetlink kernel support?"); - return -1; - } - nfct_callback_register(STATE(resync), - NFCT_T_ALL, - STATE(mode)->internal->ct.resync, - NULL); - if (CONFIG(flags) & CTD_POLL) { - register_fd(nfct_fd(STATE(resync)), poll_cb, - NULL, STATE(fds)); - } else { - register_fd(nfct_fd(STATE(resync)), resync_cb, - NULL, STATE(fds)); - } - fcntl(nfct_fd(STATE(resync)), F_SETFL, O_NONBLOCK); - - if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) { - STATE(dump) = nfct_open(CONFIG(netlink).subsys_id, 0); - if (STATE(dump) == NULL) { - dlog(LOG_ERR, "can't open netlink handler: %s", - strerror(errno)); - dlog(LOG_ERR, "no ctnetlink kernel support?"); - return -1; - } - nfct_callback_register(STATE(dump), NFCT_T_ALL, - dump_handler, NULL); - - if (CONFIG(flags) & CTD_EXPECT) { - nfexp_callback_register(STATE(dump), NFCT_T_ALL, - exp_dump_handler, NULL); - } - - if (nl_dump_conntrack_table(STATE(dump)) == -1) { - dlog(LOG_ERR, "can't get kernel conntrack table"); - return -1; - } - - if (CONFIG(flags) & CTD_EXPECT) { - if (nl_dump_expect_table(STATE(dump)) == -1) { - dlog(LOG_ERR, "can't get kernel " - "expect table"); - return -1; - } - } - } - - STATE(get) = nfct_open(CONFIG(netlink).subsys_id, 0); - if (STATE(get) == NULL) { - dlog(LOG_ERR, "can't open netlink handler: %s", - strerror(errno)); - dlog(LOG_ERR, "no ctnetlink kernel support?"); - return -1; - } - nfct_callback_register(STATE(get), NFCT_T_ALL, get_handler, NULL); - - if (CONFIG(flags) & CTD_EXPECT) { - nfexp_callback_register(STATE(get), NFCT_T_ALL, - exp_get_handler, NULL); - } - - STATE(flush) = nfct_open(CONFIG(netlink).subsys_id, 0); - if (STATE(flush) == NULL) { - dlog(LOG_ERR, "cannot open flusher handler"); - return -1; - } - /* register this handler as the origin of a flush operation */ - origin_register(STATE(flush), CTD_ORIGIN_FLUSH); - - if (CONFIG(flags) & CTD_POLL) { - init_alarm(&STATE(polling_alarm), NULL, do_polling_alarm); - add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0); - dlog(LOG_NOTICE, "running in polling mode"); - } else { - init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm); - /* - * The last nfct handler that we register is the event handler. - * The reason to do this is that we may receive events while - * populating the internal cache. Thus, we hit ENOBUFS - * prematurely. However, if we open the event handler before - * populating the internal cache, we may still lose events - * that have occured during the population. - */ - STATE(event) = nl_init_event_handler(); - if (STATE(event) == NULL) { - dlog(LOG_ERR, "can't open netlink handler: %s", - strerror(errno)); - dlog(LOG_ERR, "no ctnetlink kernel support?"); - return -1; - } - nfct_callback_register2(STATE(event), NFCT_T_ALL, - event_handler, NULL); - - if (CONFIG(flags) & CTD_EXPECT) { - nfexp_callback_register2(STATE(event), NFCT_T_ALL, - exp_event_handler, NULL); - } - register_fd(nfct_fd(STATE(event)), event_cb, NULL, STATE(fds)); - } - /* Signals handling */ sigemptyset(&STATE(block)); sigaddset(&STATE(block), SIGTERM); @@ -699,6 +245,11 @@ init(void) if (signal(SIGCHLD, child) == SIG_ERR) return -1; + /* Initialization */ + if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE)) + if (ctnl_init() < 0) + return -1; + time(&STATE(stats).daemon_start_time); dlog(LOG_NOTICE, "initialization completed"); |