From 3e6852f806c4368eda451b39f12b2ac2f2b5d33b Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 19 Aug 2009 16:59:38 +0200 Subject: conntrackd: add `DisableExternalCache' clause This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode. Signed-off-by: Pablo Neira Ayuso --- doc/sync/ftfw/conntrackd.conf | 13 ++++ doc/sync/notrack/conntrackd.conf | 13 ++++ include/Makefile.am | 2 +- include/conntrackd.h | 5 +- include/external.h | 24 +++++++ include/origin.h | 1 + src/Makefile.am | 1 + src/external_cache.c | 122 +++++++++++++++++++++++++++++++ src/external_inject.c | 150 +++++++++++++++++++++++++++++++++++++++ src/read_config_lex.l | 1 + src/read_config_yy.y | 13 ++++ src/sync-mode.c | 73 +++++++++---------- 12 files changed, 375 insertions(+), 43 deletions(-) create mode 100644 include/external.h create mode 100644 src/external_cache.c create mode 100644 src/external_inject.c diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 602c3d1..76c3aef 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -189,6 +189,19 @@ Sync { # # Checksum on # } + + # + # This clause allows you to disable the external cache. Thus, the + # state entries are directly injected into the kernel conntrack + # table. As a result, you save memory in user-space but you consume + # slots in the kernel conntrack table for backup state entries. + # Moreover, disabling the external cache means more CPU consumption. + # You need a Linux kernel >= 2.6.29 to use this feature. By default, + # this clause is set off. If you are installing conntrackd for first + # time, please read the user manual and I encourage you to consider + # using the fail-over scripts instead of enabling this option! + # + # DisableExternalCache Off } # diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 6968025..9cdb2c7 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -170,6 +170,19 @@ Sync { # # Checksum on # } + + # + # This clause allows you to disable the external cache. Thus, the + # state entries are directly injected into the kernel conntrack + # table. As a result, you save memory in user-space but you consume + # slots in the kernel conntrack table for backup state entries. + # Moreover, disabling the external cache means more CPU consumption. + # You need a Linux kernel >= 2.6.29 to use this feature. By default, + # this clause is set off. If you are installing conntrackd for first + # time, please read the user manual and I encourage you to consider + # using the fail-over scripts instead of enabling this option! + # + # DisableExternalCache Off } # diff --git a/include/Makefile.am b/include/Makefile.am index b72fb36..0fa76af 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -4,5 +4,5 @@ noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \ debug.h log.h hash.h mcast.h conntrack.h \ network.h filter.h queue.h vector.h cidr.h \ traffic_stats.h netlink.h fds.h event.h bitops.h channel.h \ - process.h origin.h + process.h origin.h external.h diff --git a/include/conntrackd.h b/include/conntrackd.h index 907ce33..ce8f9d4 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -95,6 +95,9 @@ struct ct_conf { int poll_kernel_secs; int filter_from_kernelspace; int event_iterations_limit; + struct { + int external_cache_disable; + } sync; struct { int events_reliable; } netlink; @@ -172,7 +175,7 @@ struct ct_general_state { struct ct_sync_state { struct cache *internal; /* internal events cache (netlink) */ - struct cache *external; /* external events cache (mcast) */ + struct external_handler *external; struct multichannel *channel; struct nlif_handle *interface; diff --git a/include/external.h b/include/external.h new file mode 100644 index 0000000..938941a --- /dev/null +++ b/include/external.h @@ -0,0 +1,24 @@ +#ifndef _EXTERNAL_H_ +#define _EXTERNAL_H_ + +struct nf_conntrack; + +struct external_handler { + int (*init)(void); + void (*close)(void); + + void (*new)(struct nf_conntrack *ct); + void (*update)(struct nf_conntrack *ct); + void (*destroy)(struct nf_conntrack *ct); + + void (*dump)(int fd, int type); + void (*flush)(void); + void (*commit)(struct nfct_handle *h, int fd); + void (*stats)(int fd); + void (*stats_ext)(int fd); +}; + +extern struct external_handler external_cache; +extern struct external_handler external_inject; + +#endif diff --git a/include/origin.h b/include/origin.h index 89308f3..1b974e9 100644 --- a/include/origin.h +++ b/include/origin.h @@ -6,6 +6,7 @@ enum { any process, but not conntrackd */ CTD_ORIGIN_COMMIT, /* event comes from committer */ CTD_ORIGIN_FLUSH, /* event comes from flush */ + CTD_ORIGIN_INJECT, /* event comes from direct inject */ }; int origin_register(struct nfct_handle *h, int origin_type); diff --git a/src/Makefile.am b/src/Makefile.am index 1c8b34f..753c809 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -20,6 +20,7 @@ conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \ network.c cidr.c \ build.c parse.c \ channel.c multichannel.c channel_mcast.c channel_udp.c \ + external_cache.c external_inject.c \ read_config_yy.y read_config_lex.l # yacc and lex generate dirty code diff --git a/src/external_cache.c b/src/external_cache.c new file mode 100644 index 0000000..c70c818 --- /dev/null +++ b/src/external_cache.c @@ -0,0 +1,122 @@ +/* + * (C) 2006-2009 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ +#include "conntrackd.h" +#include "sync.h" +#include "log.h" +#include "cache.h" +#include "external.h" + +#include +#include + +static struct cache *external; + +static int external_cache_init(void) +{ + external = cache_create("external", + STATE_SYNC(sync)->external_cache_flags, + NULL); + if (external == NULL) { + dlog(LOG_ERR, "can't allocate memory for the external cache"); + return -1; + } + return 0; +} + +static void external_cache_close(void) +{ + cache_destroy(external); +} + +static void external_cache_new(struct nf_conntrack *ct) +{ + struct cache_object *obj; + int id; + + obj = cache_find(external, ct, &id); + if (obj == NULL) { +retry: + obj = cache_object_new(external, ct); + if (obj == NULL) + return; + + if (cache_add(external, obj, id) == -1) { + cache_object_free(obj); + return; + } + } else { + cache_del(external, obj); + cache_object_free(obj); + goto retry; + } +} + +static void external_cache_upd(struct nf_conntrack *ct) +{ + cache_update_force(external, ct); +} + +static void external_cache_del(struct nf_conntrack *ct) +{ + struct cache_object *obj; + int id; + + obj = cache_find(external, ct, &id); + if (obj) { + cache_del(external, obj); + cache_object_free(obj); + } +} + +static void external_cache_dump(int fd, int type) +{ + cache_dump(external, fd, type); +} + +static void external_cache_commit(struct nfct_handle *h, int fd) +{ + cache_commit(external, h, fd); +} + +static void external_cache_flush(void) +{ + cache_flush(external); +} + +static void external_cache_stats(int fd) +{ + cache_stats(external, fd); +} + +static void external_cache_stats_ext(int fd) +{ + cache_stats_extended(external, fd); +} + +struct external_handler external_cache = { + .init = external_cache_init, + .close = external_cache_close, + .new = external_cache_new, + .update = external_cache_upd, + .destroy = external_cache_del, + .dump = external_cache_dump, + .commit = external_cache_commit, + .flush = external_cache_flush, + .stats = external_cache_stats, + .stats_ext = external_cache_stats_ext, +}; diff --git a/src/external_inject.c b/src/external_inject.c new file mode 100644 index 0000000..ec1cb16 --- /dev/null +++ b/src/external_inject.c @@ -0,0 +1,150 @@ +/* + * (C) 2009 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ +#include "conntrackd.h" +#include "sync.h" +#include "log.h" +#include "cache.h" +#include "origin.h" +#include "external.h" +#include "netlink.h" + +#include +#include +#include + +static struct nfct_handle *inject; + +static int external_inject_init(void) +{ + /* handler to directly inject conntracks into kernel-space */ + inject = nfct_open(CONNTRACK, 0); + if (inject == NULL) { + dlog(LOG_ERR, "can't open netlink handler: %s", + strerror(errno)); + dlog(LOG_ERR, "no ctnetlink kernel support?"); + return -1; + } + /* we are directly injecting the entries into the kernel */ + origin_register(inject, CTD_ORIGIN_INJECT); + return 0; +} + +static void external_inject_close(void) +{ + origin_unregister(inject); + nfct_close(inject); +} + +static void external_inject_new(struct nf_conntrack *ct) +{ + int ret, retry = 1; + +retry: + if (nl_create_conntrack(inject, ct, 0) == -1) { + /* if the state entry exists, we delete and try again */ + if (errno == EEXIST && retry == 1) { + ret = nl_destroy_conntrack(inject, ct); + if (ret == 0 || (ret == -1 && errno == ENOENT)) { + if (retry) { + retry = 0; + goto retry; + } + } + dlog(LOG_ERR, "inject-add1: %s", strerror(errno)); + dlog_ct(STATE(log), ct, NFCT_O_PLAIN); + return; + } + dlog(LOG_ERR, "inject-add2: %s", strerror(errno)); + dlog_ct(STATE(log), ct, NFCT_O_PLAIN); + } +} + +static void external_inject_upd(struct nf_conntrack *ct) +{ + int ret; + + /* if we successfully update the entry, everything is OK */ + if (nl_update_conntrack(inject, ct, 0) != -1) + return; + + /* state entries does not exist, we have to create it */ + if (errno == ENOENT) { + if (nl_create_conntrack(inject, ct, 0) == -1) { + dlog(LOG_ERR, "inject-upd1: %s", strerror(errno)); + dlog_ct(STATE(log), ct, NFCT_O_PLAIN); + } + return; + } + + /* we failed to update the entry, there are some operations that + * may trigger this error, eg. unset some status bits. Try harder, + * delete the existing entry and create a new one. */ + ret = nl_destroy_conntrack(inject, ct); + if (ret == 0 || (ret == -1 && errno == ENOENT)) { + if (nl_create_conntrack(inject, ct, 0) == -1) { + dlog(LOG_ERR, "inject-upd2: %s", strerror(errno)); + dlog_ct(STATE(log), ct, NFCT_O_PLAIN); + } + return; + } + dlog(LOG_ERR, "inject-upd3: %s", strerror(errno)); + dlog_ct(STATE(log), ct, NFCT_O_PLAIN); +} + +static void external_inject_del(struct nf_conntrack *ct) +{ + if (nl_destroy_conntrack(inject, ct) == -1) { + if (errno != ENOENT) { + dlog(LOG_ERR, "inject-del: %s", strerror(errno)); + dlog_ct(STATE(log), ct, NFCT_O_PLAIN); + } + } +} + +static void external_inject_dump(int fd, int type) +{ +} + +static void external_inject_commit(struct nfct_handle *h, int fd) +{ +} + +static void external_inject_flush(void) +{ +} + +static void external_inject_stats(int fd) +{ +} + +static void external_inject_stats_ext(int fd) +{ +} + +struct external_handler external_inject = { + .init = external_inject_init, + .close = external_inject_close, + .new = external_inject_new, + .update = external_inject_upd, + .destroy = external_inject_del, + .dump = external_inject_dump, + .commit = external_inject_commit, + .flush = external_inject_flush, + .stats = external_inject_stats, + .stats_ext = external_inject_stats_ext, +}; diff --git a/src/read_config_lex.l b/src/read_config_lex.l index dad7555..d3f83aa 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l @@ -135,6 +135,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "Type" { return T_TYPE; } "Priority" { return T_PRIO; } "NetlinkEventsReliable" { return T_NETLINK_EVENTS_RELIABLE; } +"DisableExternalCache" { return T_DISABLE_EXTERNAL_CACHE; } {is_on} { return T_ON; } {is_off} { return T_OFF; } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index f3f4730..38c5929 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -72,6 +72,7 @@ static void __max_dedicated_links_reached(void); %token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE +%token T_DISABLE_EXTERNAL_CACHE %token T_IP T_PATH_VAL %token T_NUMBER @@ -698,6 +699,7 @@ sync_mode_ftfw_line: resend_queue_size | timeout | purge | window_size + | disable_external_cache ; sync_mode_notrack_list: @@ -705,8 +707,19 @@ sync_mode_notrack_list: sync_mode_notrack_line: timeout | purge + | disable_external_cache ; +disable_external_cache: T_DISABLE_EXTERNAL_CACHE T_ON +{ + conf.sync.external_cache_disable = 1; +}; + +disable_external_cache: T_DISABLE_EXTERNAL_CACHE T_OFF +{ + conf.sync.external_cache_disable = 0; +}; + resend_buffer_size: T_RESEND_BUFFER_SIZE T_NUMBER { print_err(CTD_CFG_WARN, "`ResendBufferSize' is deprecated. " diff --git a/src/sync-mode.c b/src/sync-mode.c index 9e3ac39..174df80 100644 --- a/src/sync-mode.c +++ b/src/sync-mode.c @@ -28,6 +28,7 @@ #include "queue.h" #include "process.h" #include "origin.h" +#include "external.h" #include #include @@ -43,8 +44,6 @@ do_channel_handler_step(int i, struct nethdr *net, size_t remain) { char __ct[nfct_maxsize()]; struct nf_conntrack *ct = (struct nf_conntrack *)(void*) __ct; - struct cache_object *obj; - int id; if (net->version != CONNTRACKD_PROTOCOL_VERSION) { STATE_SYNC(error).msg_rcv_malformed++; @@ -84,32 +83,13 @@ do_channel_handler_step(int i, struct nethdr *net, size_t remain) switch(net->type) { case NET_T_STATE_NEW: - obj = cache_find(STATE_SYNC(external), ct, &id); - if (obj == NULL) { -retry: - obj = cache_object_new(STATE_SYNC(external), ct); - if (obj == NULL) - return; - - if (cache_add(STATE_SYNC(external), obj, id) == -1) { - cache_object_free(obj); - return; - } - } else { - cache_del(STATE_SYNC(external), obj); - cache_object_free(obj); - goto retry; - } + STATE_SYNC(external)->new(ct); break; case NET_T_STATE_UPD: - cache_update_force(STATE_SYNC(external), ct); + STATE_SYNC(external)->update(ct); break; case NET_T_STATE_DEL: - obj = cache_find(STATE_SYNC(external), ct, &id); - if (obj) { - cache_del(STATE_SYNC(external), obj); - cache_object_free(obj); - } + STATE_SYNC(external)->destroy(ct); break; default: STATE_SYNC(error).msg_rcv_malformed++; @@ -275,15 +255,14 @@ static int init_sync(void) return -1; } - STATE_SYNC(external) = - cache_create("external", - STATE_SYNC(sync)->external_cache_flags, - NULL); - - if (!STATE_SYNC(external)) { - dlog(LOG_ERR, "can't allocate memory for the external cache"); - return -1; + if (CONFIG(sync).external_cache_disable == 0) { + STATE_SYNC(external) = &external_cache; + } else { + STATE_SYNC(external) = &external_inject; + dlog(LOG_NOTICE, "disabling external cache"); } + if (STATE_SYNC(external)->init() == -1) + return -1; channel_init(); @@ -361,7 +340,7 @@ static void run_sync(fd_set *readfds) if (FD_ISSET(get_read_evfd(STATE_SYNC(commit).evfd), readfds)) { read_evfd(STATE_SYNC(commit).evfd); - cache_commit(STATE_SYNC(external), STATE_SYNC(commit).h, 0); + STATE_SYNC(external)->commit(STATE_SYNC(commit).h, 0); } /* flush pending messages */ @@ -371,7 +350,7 @@ static void run_sync(fd_set *readfds) static void kill_sync(void) { cache_destroy(STATE_SYNC(internal)); - cache_destroy(STATE_SYNC(external)); + STATE_SYNC(external)->close(); multichannel_close(STATE_SYNC(channel)); @@ -452,7 +431,7 @@ static int local_handler_sync(int fd, int type, void *data) case DUMP_EXTERNAL: ret = fork_process_new(CTD_PROC_ANY, 0, NULL, NULL); if (ret == 0) { - cache_dump(STATE_SYNC(external), fd, NFCT_O_PLAIN); + STATE_SYNC(external)->dump(fd, NFCT_O_PLAIN); exit(EXIT_SUCCESS); } break; @@ -466,7 +445,7 @@ static int local_handler_sync(int fd, int type, void *data) case DUMP_EXT_XML: ret = fork_process_new(CTD_PROC_ANY, 0, NULL, NULL); if (ret == 0) { - cache_dump(STATE_SYNC(external), fd, NFCT_O_XML); + STATE_SYNC(external)->dump(fd, NFCT_O_XML); exit(EXIT_SUCCESS); } break; @@ -475,7 +454,7 @@ static int local_handler_sync(int fd, int type, void *data) del_alarm(&STATE_SYNC(reset_cache_alarm)); dlog(LOG_NOTICE, "committing external cache"); - cache_commit(STATE_SYNC(external), STATE_SYNC(commit).h, fd); + STATE_SYNC(external)->commit(STATE_SYNC(commit).h, fd); /* Keep the client socket open, we want synchronous commits. */ ret = LOCAL_RET_STOLEN; break; @@ -492,7 +471,7 @@ static int local_handler_sync(int fd, int type, void *data) del_alarm(&STATE_SYNC(reset_cache_alarm)); dlog(LOG_NOTICE, "flushing caches"); cache_flush(STATE_SYNC(internal)); - cache_flush(STATE_SYNC(external)); + STATE_SYNC(external)->flush(); break; case FLUSH_INT_CACHE: /* inmediate flush, remove pending flush scheduled if any */ @@ -502,14 +481,14 @@ static int local_handler_sync(int fd, int type, void *data) break; case FLUSH_EXT_CACHE: dlog(LOG_NOTICE, "flushing external cache"); - cache_flush(STATE_SYNC(external)); + STATE_SYNC(external)->flush(); break; case KILL: killer(0); break; case STATS: cache_stats(STATE_SYNC(internal), fd); - cache_stats(STATE_SYNC(external), fd); + STATE_SYNC(external)->stats(fd); dump_traffic_stats(fd); multichannel_stats(STATE_SYNC(channel), fd); dump_stats_sync(fd); @@ -520,7 +499,7 @@ static int local_handler_sync(int fd, int type, void *data) break; case STATS_CACHE: cache_stats_extended(STATE_SYNC(internal), fd); - cache_stats_extended(STATE_SYNC(external), fd); + STATE_SYNC(external)->stats_ext(fd); break; case STATS_LINK: multichannel_stats_extended(STATE_SYNC(channel), @@ -616,6 +595,10 @@ event_new_sync(struct nf_conntrack *ct, int origin) struct cache_object *obj; int id; + /* this event has been triggered by a direct inject, skip */ + if (origin == CTD_ORIGIN_INJECT) + return; + /* required by linux kernel <= 2.6.20 */ nfct_attr_unset(ct, ATTR_ORIG_COUNTER_BYTES); nfct_attr_unset(ct, ATTR_ORIG_COUNTER_PACKETS); @@ -649,6 +632,10 @@ event_update_sync(struct nf_conntrack *ct, int origin) { struct cache_object *obj; + /* this event has been triggered by a direct inject, skip */ + if (origin == CTD_ORIGIN_INJECT) + return; + obj = cache_update_force(STATE_SYNC(internal), ct); if (obj == NULL) return; @@ -663,6 +650,10 @@ event_destroy_sync(struct nf_conntrack *ct, int origin) struct cache_object *obj; int id; + /* this event has been triggered by a direct inject, skip */ + if (origin == CTD_ORIGIN_INJECT) + return 0; + /* we don't synchronize events for objects that are not in the cache */ obj = cache_find(STATE_SYNC(internal), ct, &id); if (obj == NULL) -- cgit v1.2.3