| Age | Commit message (Collapse) | Author |
|---|
|
This patch adds NetlinkOverrunResync. This option can be used to
set the amount of time after which the daemon resynchronizes itself
with the kernel state-table if it detects a Netlink overrun.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch improves the polling support included in 0.9.10. The
polling now consists of getting the state table, wait for PollSecs,
then purge obsolete entries, and so on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch removes:
* nl_init_dump_handler()
* nl_init_request_handler()
* nl_init_resync_handler()
since they all look very similar.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause PollSecs that changes the normal
behaviour of conntrackd. With PollSecs set to > 0, conntrackd
polls every N seconds the entries.
This is the opposed behaviour of an event-driven behaviour but may
be useful for those that have really strong limitations in terms of
CPU consumption and want to perform a relaxed replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the file descriptor registration after the
initialization instead of having a specific hook for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup. The overrun handler is actually a way to
resynchronize against the conntrack kernel table. The name overrun
was used because it was initially its purpose. The new naming shows
its genericity.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch relaxes the current approach when netlink reports
overruns. There are two situations that can trigger a
resynchronization with the kernel conntrack table:
a) Netlink overruns because the receiver buffer is too small:
increasing the netlink buffer size and schedule a resync with the
kernel table conntrack to resolve the inconsistency. The sysadmin
would notice in the logs and will try to set a bigger buffer in
the configuration file.
b) The system is under heavy workload (CPU is too busy): we should
avoid resync with the kernel table since this is an expensive
operation. We do our best here and keep replicating as much states
as possible. If CPU consumption lowers at some point, the we will
try to resync ourselves.
This patch reduces the chances to resynchronize with the kernel
conntrack table unless that two overruns do not happen in an
internal of 30 seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch shows the current netlink buffer size via `-s runtime'.
# conntrackd -s ru
...
current buffer size (in bytes): 204800
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds run-time statistics that you can check via
`conntrackd -s runtime'. This information is useful for
trouble-shooting.
This patch replaces several log messages that can be triggered in
runtime. The idea behind this patch is to avoid log message flooding
under errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a race condition that triggers EILSEQ errors
(wrong sequence message). The problems is triggered when the child
process resets the timers at the same time that the parent process
requests a resync. Since both the child and the parent process use
the same descriptors, the sequence tracking code in libnfnetlink
gets confused as it considers that it is receiving out of sequence
netlink messages.
This patch introduces internal handlers to commit and reset timers
so that the parent and the child do not use the same descriptors
to operate with the kernel.
This patch changes the prototype of all nf_*_conntrack() functions.
Now, the nfct handler is passed as first parameter, this change is
required to fix this problem. The rest of the changes on the API
is done for consistency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The current wait() error handling was insufficient. This patch
introduce more verbose error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch recovers the option -F for conntrackd. This will be
particularly useful to flush the kernel conntrack table without
getting the event notification of the conntrack deletions
(that will happen with Linux kernel >= 2.6.29).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup. It moves the callbacks from netlink.c to
run.c where they are actually invoked. This is better for code
readability as I usually have to switch from run.c to netlink.c
to remember what the callbacks actually do.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing destroy_fds() in the exit path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a segfault when conntrackd -k is invoked for an
instance of conntrackd with no use of the Filter clause.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds nl_get_conntrack and it changes the behaviour of
nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for
a conntrack and updates the cached entry. On the other hand,
nl_exist_conntrack only inquiries for the existence of the
entry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the user-space filtering. Although we have
kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace
filtering to ensure backward compatibility. Moreover, this patch
prepares the implementation of the kernel-space filtering via
libnetfilter_conntrack's high-level berkeley socket filter API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
only which is incompatible AFAIK
|
|
has been Max Kellermann and has no issues with relicensing their contributions.
|
|
|
|
whitespace cleanups
|
|
|
|
added struct local_server, several cleanups in local socket infrastructure
This patch include minor changes by the comitter
|
|
fix error checking of local_create_server()
|
|
|
|
- Save initialization stage in the __run() loop
|
|
- Pass next_alarm to __run() only if there is an alarm
- Eliminate the "timeout" parameter
- the alarm functions get_next_alarm_run() and do_alarm_run() return an timeval pointer instead of a boolean
|
|
|
|
|
|
improve error message if netlink initialization fails
|
|
Simplify logging infrastructure
|
|
import only required C headers and put local headers on top to check
|
|
|
|
Fix tons of gcc warnings
|
|
add missing function prototypes
|
|
|
|
|
|
|
|
|
|
(Based on comments from Max Kellerman)
|
|
|
|
|
|
o minor irrelevant fixes for uncommon error paths and fix several typos
o use LOG_INFO for connection logging, use LOG_NOTICE for other information
o minor error handling updates
|
|
|
|
- add len field to nethdr
- implement buffered send/recv to batch messages
- stop using netlink format for network messages: use similar TLV-based format
- reduce synchronization messages size up to 60%
- introduce periodic alive messages for sync-nack protocol
- timeslice alarm implementation: remove alarm pthread, remove locking
- simplify debugging functions: use nfct_snprintf instead
- remove major use of libnfnetlink functions: use libnetfilter_conntrack API
- deprecate conntrackd -F, use conntrack -F instead
- major rework of the network infrastructure: much simple, less messy
|
|
- remove several debug calls
- create a child to dispatch dump requests: this will help to simplify the
current locking schema. Later.
|
|
- empty debug_ct function if DEBUG_CT is not set
- revisit overrun handler: this is a hard battle, just try to do our best here, call Patrick :)
- explicit warning message when netlink_buffer_max_growth is reached
- fix silly bug in stats-mode when dumping in XML format
- fix UDP handler for conntrack
|
