From be2450f37f2ce56eadc78793efc4a54ced4315c6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 16 May 2008 17:05:17 +0200 Subject: - remove (misleading) counters and use information from the statistics mode - use generic nfct_copy() from libnetfilter_conntrack to update objects - use generic nfct_cmp() to compare objects --- ChangeLog | 3 +++ configure.in | 4 +-- src/cache.c | 75 ++------------------------------------------------------ src/stats-mode.c | 5 ++++ 4 files changed, 12 insertions(+), 75 deletions(-) diff --git a/ChangeLog b/ChangeLog index 02ac75a..d67ad30 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ o improve netlink overrun handling o add more verbose error notification when we fail to inject a conntrack o rework of the FT-FW approach o minor fix of the manpage (Max Wilhelm) +o remove (misleading) counters and use information from the statistics mode +o use generic nfct_copy() from libnetfilter_conntrack to update objects +o use generic nfct_cmp() to compare objects version 0.9.6 (2008/03/08) ------------------------------ diff --git a/configure.in b/configure.in index 17101e9..f3b8785 100644 --- a/configure.in +++ b/configure.in @@ -17,8 +17,8 @@ case $target in esac dnl Dependencies -LIBNFNETLINK_REQUIRED=0.0.32 -LIBNETFILTER_CONNTRACK_REQUIRED=0.0.92 +LIBNFNETLINK_REQUIRED=0.0.33 +LIBNETFILTER_CONNTRACK_REQUIRED=0.0.94 AC_CHECK_PROG(HAVE_PKG_CONFIG, pkg-config, yes) if test "x$HAVE_PKG_CONFIG" = "x" diff --git a/src/cache.c b/src/cache.c index eac9a78..4162661 100644 --- a/src/cache.c +++ b/src/cache.c 
@@ -85,75 +85,12 @@ static uint32_t hash(const void *data, struct hashtable *table)
 return ret;
 }
 
-static int __compare(const struct nf_conntrack *ct1,
- const struct nf_conntrack *ct2)
-{
- return ((nfct_get_attr_u8(ct1, ATTR_ORIG_L4PROTO) ==
- nfct_get_attr_u8(ct2, ATTR_ORIG_L4PROTO)) &&
- (nfct_get_attr_u16(ct1, ATTR_ORIG_PORT_SRC) ==
- nfct_get_attr_u16(ct2, ATTR_ORIG_PORT_SRC)) &&
- (nfct_get_attr_u16(ct1, ATTR_ORIG_PORT_DST) ==
- nfct_get_attr_u16(ct2, ATTR_ORIG_PORT_DST)) &&
- (nfct_get_attr_u16(ct1, ATTR_REPL_PORT_SRC) ==
- nfct_get_attr_u16(ct2, ATTR_REPL_PORT_SRC)) &&
- (nfct_get_attr_u16(ct1, ATTR_REPL_PORT_DST) ==
- nfct_get_attr_u16(ct2, ATTR_REPL_PORT_DST)));
-}
-
-static int
-__compare4(const struct us_conntrack *u1, const struct us_conntrack *u2)
-{
- return ((nfct_get_attr_u32(u1->ct, ATTR_ORIG_IPV4_SRC) ==
- nfct_get_attr_u32(u2->ct, ATTR_ORIG_IPV4_SRC)) &&
- (nfct_get_attr_u32(u1->ct, ATTR_ORIG_IPV4_DST) ==
- nfct_get_attr_u32(u2->ct, ATTR_ORIG_IPV4_DST)) &&
- (nfct_get_attr_u32(u1->ct, ATTR_REPL_IPV4_SRC) ==
- nfct_get_attr_u32(u2->ct, ATTR_REPL_IPV4_SRC)) &&
- (nfct_get_attr_u32(u1->ct, ATTR_REPL_IPV4_DST) ==
- nfct_get_attr_u32(u2->ct, ATTR_REPL_IPV4_DST)) &&
- __compare(u1->ct, u2->ct));
-}
-
-static int
-__compare6(const struct us_conntrack *u1, const struct us_conntrack *u2)
-{
- return ((memcmp(nfct_get_attr(u1->ct, ATTR_ORIG_IPV6_SRC),
- nfct_get_attr(u2->ct, ATTR_ORIG_IPV6_SRC),
- sizeof(uint32_t)*4) == 0) &&
- (memcmp(nfct_get_attr(u1->ct, ATTR_ORIG_IPV6_DST),
- nfct_get_attr(u2->ct, ATTR_ORIG_IPV6_DST),
- sizeof(uint32_t)*4) == 0) &&
- (memcmp(nfct_get_attr(u1->ct, ATTR_REPL_IPV6_SRC),
- nfct_get_attr(u2->ct, ATTR_REPL_IPV6_SRC),
- sizeof(uint32_t)*4) == 0) &&
- (memcmp(nfct_get_attr(u1->ct, ATTR_REPL_IPV6_DST),
- nfct_get_attr(u2->ct, ATTR_REPL_IPV6_DST),
- sizeof(uint32_t)*4) == 0) &&
- __compare(u1->ct, u2->ct));
-}
-
 static int compare(const void *data1, const void *data2)
 {
- int ret = 0;
 const struct us_conntrack *u1 = data1;
 const struct us_conntrack *u2 = data2;
 
- if (nfct_get_attr_u8(u1->ct, ATTR_L3PROTO) !=
- nfct_get_attr_u8(u2->ct, ATTR_L3PROTO))
- return ret;
-
- switch(nfct_get_attr_u8(u1->ct, ATTR_L3PROTO)) {
- case AF_INET:
- ret = __compare4(u1, u2);
- break;
- case AF_INET6:
- ret = __compare6(u1, u2);
- break;
- default:
- dlog(LOG_ERR, "unknown layer 3 in compare");
- break;
- }
- return ret;
+ return nfct_cmp(u1->ct, u2->ct, NFCT_CMP_ORIG | NFCT_CMP_REPL);
 }
 
 struct cache_feature *cache_feature[CACHE_MAX_FEATURE] = {
@@ -305,15 +242,7 @@ static struct us_conntrack *__update(struct cache *c, struct nf_conntrack *ct)
 unsigned i;
 char *data = u->data;
 
- if (nfct_attr_is_set(ct, ATTR_STATUS))
- nfct_set_attr_u32(u->ct, ATTR_STATUS,
- nfct_get_attr_u32(ct, ATTR_STATUS));
- if (nfct_attr_is_set(ct, ATTR_TCP_STATE))
- nfct_set_attr_u8(u->ct, ATTR_TCP_STATE,
- nfct_get_attr_u8(ct, ATTR_TCP_STATE));
- if (nfct_attr_is_set(ct, ATTR_TIMEOUT))
- nfct_set_attr_u32(u->ct, ATTR_TIMEOUT,
- nfct_get_attr_u32(ct, ATTR_TIMEOUT));
+ nfct_copy(u->ct, ct, NFCT_CP_META);
 
 for (i = 0; i < c->num_features; i++) {
 c->features[i]->update(u, data);
diff --git a/src/stats-mode.c b/src/stats-mode.c
index 5808320..1650d5d 100644
--- a/src/stats-mode.c
+++ b/src/stats-mode.c
@@ -89,7 +89,12 @@ static int local_handler_stats(int fd, int type, void *data)
 
 static void dump_stats(struct nf_conntrack *ct)
 {
+ nfct_attr_unset(ct, ATTR_ORIG_COUNTER_BYTES);
+ nfct_attr_unset(ct, ATTR_ORIG_COUNTER_PACKETS);
+ nfct_attr_unset(ct, ATTR_REPL_COUNTER_BYTES);
+ nfct_attr_unset(ct, ATTR_REPL_COUNTER_PACKETS);
 nfct_attr_unset(ct, ATTR_TIMEOUT);
+ nfct_attr_unset(ct, ATTR_USE);
 
 if (cache_update_force(STATE_STATS(cache), ct))
 debug_ct(ct, "resync entry");
-- 
cgit v1.2.3
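Review bot: compare() now returns whatever nfct_cmp() decides for the ORIG/REPL tuples and drops both the explicit ATTR_L3PROTO mismatch check and the `dlog(LOG_ERR, "unknown layer 3 in compare")` diagnostic, so a lookup on an object whose layer-3 family the library does not handle is no longer reported anywhere. If nfct_cmp() follows the library's rule of skipping any attribute that is unset in either object (I cannot confirm that from this hunk), a sparsely populated `ct` — e.g. one parsed from a peer message that lacks a port or address — would compare equal to the first cached entry sharing the attributes it does carry, which is a different contract from the old code that compared every tuple field unconditionally; since this comparator decides which cached connection gets overwritten, that is worth pinning down. I would document the assumption on the new line, `/* nfct_cmp() is expected to compare only attributes set in both objects: callers must pass fully populated ORIG+REPL tuples or a lookup may alias another entry */`, and confirm that hash(), whose body ends at the top of this hunk, hashes exactly the fields nfct_cmp() compares so hash/compare stay consistent.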
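Review bot: `nfct_copy(u->ct, ct, NFCT_CP_META)` replaces three guarded copies (status, TCP state, timeout) with a library call whose NFCT_CP_META scope is not limited to those three attributes, so any other non-tuple attribute present in `ct` presumably now overwrites the cached object as well; the stats-mode hunk in this same patch unsets counters, timeout and use before calling cache_update_force(), which suggests callers are now expected to pre-filter. That expectation is not written down in __update(), whose body starts before this hunk, and the old code did not require it. I would add `/* NFCT_CP_META overwrites every non-tuple attribute that is set in ct, not only status/state/timeout; callers must strip anything that must not land in the cache */` above the call and check that the other callers of cache_update() apply the same filtering as stats-mode.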
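Review bot: dump_stats() now carries six bare nfct_attr_unset() calls with no comment saying why these particular attributes are stripped before cache_update_force(); presumably they are the values that differ on every dump and must not be carried into the cached entry, but a reader cannot tell that from the code, and the list will drift as further attributes get added. I would keep the attributes in one static table with the rationale as its comment and loop over it, so the policy lives in one place:
```c
static void dump_stats(struct nf_conntrack *ct)
{
	/* attributes that change on every dump; strip them so they are
	 * not carried into the cached entry by the update below */
	static const enum nf_conntrack_attr volatile_attrs[] = {
		ATTR_ORIG_COUNTER_BYTES, ATTR_ORIG_COUNTER_PACKETS,
		ATTR_REPL_COUNTER_BYTES, ATTR_REPL_COUNTER_PACKETS,
		ATTR_TIMEOUT, ATTR_USE,
	};
	unsigned i;

	for (i = 0; i < sizeof(volatile_attrs) / sizeof(volatile_attrs[0]); i++)
		nfct_attr_unset(ct, volatile_attrs[i]);
	/* … unchanged: cache_update_force() / debug_ct() … */
```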