Age | Commit message | Author |
|
With this patch, all the state updates are enqueued in the
tx_queue. Thus, there's a single output path. This patch adds a
simple refcounting mechanism to note when an object is sitting in
the txqueue. This patch also removes the alarm that is required by
the ftfw approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a generic tx queue for all synchronization modes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the helloing logic into ftfw_xmit. Still, the
helloing is kept in ftfw_send as we still have two possible paths
for messages. This will be removed in the next patches to make all
messages go over a single txqueue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch unifies the tx_list and the tx_queue to have only one
transmission queue. Since the tx_list holds state objects and the
tx_queue control messages, I have introduced a queue node type
that can be used to differentiate the kind of information that
the node stores: object or control message.
This patch also reworks the existing queue class to include a
file descriptor that can be used to know if there are new data
added to the queue (see QUEUE_F_EVFD flag).
In this change, I have also modified the current evfd to make
read operations on the file descriptor non-blocking. Moreover,
it keeps a counter that is used to know how many messages are
inserted in the queue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch relaxes the current approach when netlink reports
overruns. There are two situations that can trigger a
resynchronization with the kernel conntrack table:
a) Netlink overruns because the receiver buffer is too small:
increase the netlink buffer size and schedule a resync with the
kernel conntrack table to resolve the inconsistency. The sysadmin
would notice in the logs and will try to set a bigger buffer in
the configuration file.
b) The system is under heavy workload (CPU is too busy): we should
avoid resync with the kernel table since this is an expensive
operation. We do our best here and keep replicating as many states
as possible. If CPU consumption lowers at some point, then we will
try to resync ourselves.
This patch reduces the chances to resynchronize with the kernel
conntrack table unless two overruns happen within an
interval of 30 seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
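The policy described in this commit message (tolerate an isolated overrun, resync only when a second one follows within 30 seconds) can be written as a small decision function. The code below is an added illustration for this page, not conntrackd's own implementation; `struct overrun_state`, `overrun_should_resync()` and `count_resyncs()` are hypothetical names, and the timestamps are a constructed timeline:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Window (seconds) within which a second overrun triggers a resync. */
#define OVERRUN_RESYNC_WINDOW 30

/* Per-daemon bookkeeping for the heuristic (hypothetical struct,
 * not conntrackd's own). Timestamps are seconds from a monotonic clock. */
struct overrun_state {
	uint64_t last_overrun;  /* time of the previous overrun, 0 = none pending */
	unsigned int overruns;  /* ENOBUFS events seen (statistics) */
	unsigned int resyncs;   /* resyncs scheduled (statistics) */
};

/* Call this when recv() on the netlink event socket fails with ENOBUFS.
 * Returns true when a resync with the kernel conntrack table should be
 * scheduled: only if this overrun follows a previous one within the
 * window. A lone overrun (for instance a transient CPU spike) is
 * tolerated; the daemon just keeps replicating what it receives. */
bool overrun_should_resync(struct overrun_state *st, uint64_t now)
{
	st->overruns++;

	if (st->last_overrun != 0 &&
	    now - st->last_overrun <= OVERRUN_RESYNC_WINDOW) {
		st->resyncs++;
		/* Design choice for this example: after scheduling a resync,
		 * start a fresh window so one burst does not schedule several. */
		st->last_overrun = 0;
		return true;
	}
	st->last_overrun = now;
	return false;
}

/* Replay a constructed sequence of overrun timestamps and return how many
 * resyncs the policy would have scheduled. */
unsigned int count_resyncs(const uint64_t *times, size_t n)
{
	struct overrun_state st = { 0, 0, 0 };

	for (size_t i = 0; i < n; i++)
		overrun_should_resync(&st, times[i]);
	return st.resyncs;
}

int main(void)
{
	/* Constructed timeline: overruns at 100 s, 200 s, 215 s and 220 s.
	 * Only the 215 s overrun (15 s after the previous one) resyncs. */
	const uint64_t times[] = { 100, 200, 215, 220 };

	printf("resyncs scheduled: %u\n",
	       count_resyncs(times, sizeof(times) / sizeof(times[0])));
	return 0;
}
```

The statistics counters are there because, as later commits on this page do, it is useful to expose overrun and resync counts at runtime instead of logging every event.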
|
|
This patch adds the status field to the cache object. This avoids
the (ab)use of the alarm to check if an entry is active or dead.
This is the first step to possibly move the alarm to the cache_extra
memory space of the ftfw (which is the only use by now).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Currently, the caching system is implemented in a two layer
architecture: hashtable (inner layer) and cache (upper layer).
This patch reworks the hash-cache infrastructure to solve some
initial design problems to make it more flexible, the main strong
points of this patch are:
* Memory handling is done in the cache layer, not in the inner
hashtable layer. This removes one of the main dependencies between
the hashtable and the cache classes.
* Remove excessive encapsulation: the former cache used to hide a
lot of details of the inner hashtable implementation.
* Fix over-hashing of some operations: lookup-delete-add required
three hash calculations. Similarly, the update-or-add operation
required two hash calculations. Now, we calculate the hash once
and re-use the value as many times as we need.
This patch simplifies the caching system. As a result, we save ~130
lines of code. Smaller code means less complexity, and less complexity
means less chance to have bugs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
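The "hash once" point of this commit is easy to get wrong when the public cache API wraps every primitive: each wrapper rehashes. Below is an added example of the pattern, written for this page and not taken from conntrack-tools: the internal helpers `__find()`, `__add()` and `__del()` take a bucket index the caller already computed, so update-or-add and lookup-delete-add each hash exactly once. A 32-bit key stands in for the conntrack tuple, and the `hash_calls` counter is instrumentation so the behaviour can be checked:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 64

/* One cache entry: a 32-bit key stands in for the conntrack tuple. */
struct node {
	struct node *next;
	uint32_t key;
	uint32_t value;
};

struct cache {
	struct node *bucket[NBUCKETS];
	unsigned int entries;
	unsigned int hash_calls;  /* instrumentation: number of hash computations */
};

/* FNV-1a over the key bytes, folded to a bucket index. Counted so the
 * caller can verify how often each operation hashes. */
static uint32_t cache_hash(struct cache *c, uint32_t key)
{
	const unsigned char *p = (const unsigned char *)&key;
	uint32_t h = 2166136261u;

	for (size_t i = 0; i < sizeof(key); i++) {
		h ^= p[i];
		h *= 16777619u;
	}
	c->hash_calls++;
	return h % NBUCKETS;
}

/* Internal helpers take the bucket index that the caller already computed. */
static struct node *__find(struct cache *c, uint32_t h, uint32_t key)
{
	for (struct node *n = c->bucket[h]; n != NULL; n = n->next)
		if (n->key == key)
			return n;
	return NULL;
}

static struct node *__add(struct cache *c, uint32_t h, uint32_t key, uint32_t value)
{
	struct node *n = calloc(1, sizeof(*n));

	if (n == NULL)
		return NULL;
	n->key = key;
	n->value = value;
	n->next = c->bucket[h];
	c->bucket[h] = n;
	c->entries++;
	return n;
}

static void __del(struct cache *c, uint32_t h, struct node *victim)
{
	for (struct node **pp = &c->bucket[h]; *pp != NULL; pp = &(*pp)->next) {
		if (*pp == victim) {
			*pp = victim->next;
			free(victim);
			c->entries--;
			return;
		}
	}
}

/* Update an existing entry or add a new one: one hash computation. */
struct node *cache_update_or_add(struct cache *c, uint32_t key, uint32_t value)
{
	uint32_t h = cache_hash(c, key);
	struct node *n = __find(c, h, key);

	if (n != NULL) {
		n->value = value;
		return n;
	}
	return __add(c, h, key, value);
}

/* Lookup-delete-add (replace an entry with a fresh object), still with a
 * single hash computation instead of three. */
struct node *cache_replace(struct cache *c, uint32_t key, uint32_t value)
{
	uint32_t h = cache_hash(c, key);
	struct node *old = __find(c, h, key);

	if (old != NULL)
		__del(c, h, old);
	return __add(c, h, key, value);
}

/* Returns 1 and stores the value if the key is present, 0 otherwise. */
int cache_lookup(struct cache *c, uint32_t key, uint32_t *value)
{
	struct node *n = __find(c, cache_hash(c, key), key);

	if (n == NULL)
		return 0;
	*value = n->value;
	return 1;
}

/* Free every entry; memory is owned by the cache layer, as in the commit. */
void cache_destroy(struct cache *c)
{
	for (uint32_t h = 0; h < NBUCKETS; h++)
		while (c->bucket[h] != NULL)
			__del(c, h, c->bucket[h]);
}
```

Memory is allocated and freed in the cache layer only, which is the first bullet of the commit message; the hashtable helpers never call `calloc()` or `free()` on behalf of a caller that did not ask for it.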
|
|
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the prefix ct_filter_ to the hash and compare
functions. This is useful to disambiguate when interpreting the
oprofile reports. Note that without this patch there are two
functions called hash and compare in the source tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup. Check NULL instead of using ! for null
pointers.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, use calloc instead of malloc + memset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch constifies the hashtable parameter that is passed to the
hash callbacks registered when the hashtable is created.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The Linux kernel doubles the size of the buffer by default.
See sock_setsockopt() in net/core/sock.c. We don't need to multiply
the current size by two.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
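The doubling is easy to observe directly: ask for a receive buffer with setsockopt(SO_RCVBUF) and read it back with getsockopt(). The probe below is an added example for this page, not conntrackd code; `rcvbuf_probe()` is a hypothetical name. It tries a netlink socket first, because that is what conntrackd reads events from, and falls back to an AF_UNIX datagram socket since sock_setsockopt() applies the same rule to every socket family:

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Set SO_RCVBUF to `requested` bytes on a fresh socket and return the size
 * the kernel reports back, or -1 on error. On Linux, sock_setsockopt() in
 * net/core/sock.c stores twice the requested value (the extra half covers
 * sk_buff bookkeeping), so getsockopt() answers 2 * requested unless the
 * request was clamped by net.core.rmem_max (SO_RCVBUFFORCE, which needs
 * CAP_NET_ADMIN, bypasses that clamp). A netlink socket is tried first,
 * as conntrackd uses one for events; an AF_UNIX datagram socket is the
 * fallback where netlink is unavailable, e.g. in a restricted sandbox. */
int rcvbuf_probe(int requested)
{
	int fd, actual = 0;
	socklen_t len = sizeof(actual);

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
	if (fd < 0)
		fd = socket(AF_UNIX, SOCK_DGRAM, 0);
	if (fd < 0)
		return -1;

	if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
		       &requested, sizeof(requested)) < 0 ||
	    getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &actual, &len) < 0)
		actual = -1;
	close(fd);
	return actual;
}

int main(void)
{
	/* 64 KiB stays well below the default rmem_max, so no clamping. */
	int requested = 65536;
	int actual = rcvbuf_probe(requested);

	if (actual < 0) {
		perror("rcvbuf_probe");
		return 1;
	}
	printf("requested %d bytes, kernel reports %d bytes\n",
	       requested, actual);
	return 0;
}
```

A daemon that grows its buffer by calling setsockopt() with twice the value it last read back therefore quadruples the kernel allocation per step, which is why the patch drops the extra multiplication.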
|
|
This patch shows the current netlink buffer size via `-s runtime'.
# conntrackd -s ru
...
current buffer size (in bytes): 204800
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a bug that may result in wrong filtering of
destroy events which usually don't contain the state information.
In that case, skip the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a problem that can result in cache over-population
with inactive entries due to mismatching in the comparison. This
may result in lots of ENOSPC errors while trying to add new entries
to the internal cache.
We may have entries in the internal cache that have the same
original tuple, but different reply tuple due to NAT port
adjustment. Thus, the comparison that happens during the entry
hashtable lookup fails and we add a new entry while keeping
the old one.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the total number of entries currently living in the
cache. Currently, we have two types of entries, active and inactive.
The inactive ones talk about an ended connection. This is useful for
trouble-shooting if we hit ENOSPC when adding new entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reports to the logfile the time taken to commit the
entries. The output is expressed in seconds.microseconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a missing \n in the help message displayed with
conntrackd -h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes unnecessary split lines in several log messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds run-time statistics that you can check via
`conntrackd -s runtime'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds cache statistics that you can check via
`conntrackd -s cache'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds networks statistics that you can check via
`conntrackd -s network'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch deletes three unused flags SYNC_MODE_ALARM,
SYNC_MODE_FTFW_BIT and DONT_CHECKSUM. They were replaced by
the CTD_* flags at some point of the development.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds cidr.h to Makefile.am in include/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch bumps the version of the conntrack-tools to 0.9.9.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a typo in a warning message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a note on the impact of having small values for
the McastSndSocketBuffer and McastRcvSocketBuffer clauses.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
This patch replaces "destroy" by "control" messages. Actually, the
resend queue contains the maximum amount of control messages that
we store to resend them in case of message omission. This patch also
clarifies which is a good size to have.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch documents the SocketBufferSize and SocketBufferSizeGrowth
clauses. It also raises the default values which are fairly small for
busy firewalls.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces SocketBufferSizeMaxGrown by
SocketBufferSizeMaxGrowth. Both clauses are still valid but better
to use the one that has no typos in the configuration files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds an initial log message to report the initial netlink
event socket buffer size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch renames __del2() to __del(). The name of this function
is reminiscent of a __del() function removed some time ago.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch renames the function hashtable_test() to
hashtable_find() which is a better name IMO to describe this
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a message-type checking before we parse the message.
Thus, we skip the parsing of messages with bad types.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reduces the size of alive messages by removing the
"from" and "to" fields which are not of any help. This patch also
removes the IS_CTL() macro since it does not return true for
the control messages anymore but only for IS_ACK(), IS_NACK() and
IS_RESYNC().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds more strict checking in the message type. We add a
new message type NET_T_CTL for control messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch includes resync messages in the tx queue. Thus, if a
resync message gets lost, it is resent.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes an IS_DATA(net) in tx_queue_xmit which is not
possible to happen anymore since there are no chances to have
data in the transmission queue (instead it is all in the
transmission list).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch replaces the use of NFCT_Q_* in the message type by
specific network message type NET_T_*. The query types are reserved
for libnetfilter_conntrack operations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch updates the dependency between conntrack-tools and
libnetfilter_conntrack. This is required because of commit
2473a408abdd79fb4b24c5c56f769791203c0cd8 in libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We do not need to include the reply tuple in the update messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch includes the TCP flag/mask attributes in update messages
if this is a TCP connection.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch includes the TCP flag/mask attributes if this is a TCP
connection, otherwise do not include.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch uses a clone object that includes the original tuple and
the new timer to be set. This fixes EINVAL and EBUSY errors reporting
while trying to update the timer of some conntrack entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a race condition that triggers EILSEQ errors
(wrong sequence message). The problem is triggered when the child
process resets the timers at the same time that the parent process
requests a resync. Since both the child and the parent process use
the same descriptors, the sequence tracking code in libnfnetlink
gets confused as it considers that it is receiving out of sequence
netlink messages.
This patch introduces internal handlers to commit and reset timers
so that the parent and the child do not use the same descriptors
to operate with the kernel.
This patch changes the prototype of all nf_*_conntrack() functions.
Now, the nfct handler is passed as first parameter, this change is
required to fix this problem. The rest of the changes on the API
is done for consistency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The current wait() error handling was insufficient. This patch
introduces more verbose error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch recovers the option -F for conntrackd. This will be
particularly useful to flush the kernel conntrack table without
getting the event notification of the conntrack deletions
(that will happen with Linux kernel >= 2.6.29).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|