From 735a6fc681809beb52c160b09507aa0999fbc6ba Mon Sep 17 00:00:00 2001 From: "Ayuso/emailAddress=pablo@netfilter.org" Date: Fri, 21 Dec 2007 18:15:04 +0000 Subject: rename `examples' directory to `doc' --- doc/stats/conntrackd.conf | 76 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 doc/stats/conntrackd.conf (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf new file mode 100644 index 0000000..07deaa8 --- /dev/null +++ b/doc/stats/conntrackd.conf @@ -0,0 +1,76 @@ +# +# General settings +# +General { + # + # Number of buckets in the caches: hash table + # + HashSize 8192 + + # + # Maximum number of conntracks: + # it must be >= $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max + # + HashLimit 65535 + + # + # Logfile: on, off, or a filename + # Default: on (/var/log/conntrackd.log) + # + #LogFile off + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /tmp/sync.sock + Backlog 20 + } + + # + # Netlink socket buffer size + # + SocketBufferSize 262142 + + # + # Increase the socket buffer up to maximun if required + # + SocketBufferSizeMaxGrown 655355 +} + +# +# Ignore traffic for a certain set of IP's: Usually +# all the IP assigned to the firewall since local +# traffic must be ignored, just forwarded connections +# are worth to replicate +# +IgnoreTrafficFor { + IPv4_address 127.0.0.1 # loopback +} + +# +# Do not replicate certain protocol traffic +# +IgnoreProtocol { + UDP +# ICMP +# IGMP +# VRRP + # numeric numbers also valid +} + +# +# Strip NAT traffic +# +StripNAT -- cgit v1.2.3 From c41a0d3efc957505e72067e99a873ce66be0834a Mon Sep 17 00:00:00 2001 
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org" Date: Thu, 3 Jan 2008 15:51:48 +0000 Subject: o add support for connection logging to the statistics mode via Logfile o minor irrelevant fixes for uncommon error paths and fix several typos o use LOG_INFO for connection logging, use LOG_NOTICE for other information o minor error handling updates --- ChangeLog | 2 ++ doc/stats/conntrackd.conf | 22 +++++++++++---- include/conntrackd.h | 6 ++++ include/log.h | 7 ++--- src/cache_iterators.c | 10 +++---- src/ignore_pool.c | 4 +-- src/log.c | 56 +++++++++++++++++++++++++++++-------- src/main.c | 14 ++++------ src/netlink.c | 6 ++-- src/network.c | 4 +-- src/read_config_yy.y | 70 +++++++++++++++++++++++++++++++++++++++++++++-- src/run.c | 26 +++++++++--------- src/stats-mode.c | 9 ++++++ src/sync-mode.c | 5 ++-- 14 files changed, 182 insertions(+), 59 deletions(-) (limited to 'doc/stats') diff --git a/ChangeLog b/ChangeLog index bf79b6a..83e1524 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,8 @@ o rename `examples' directory to `doc' o add support for related conntracks (requires Linux kernel >= 2.6.22) o show error and warning messages to stderr o hash lookup speedups based on comments from netdev's discussions +o add support for connection logging to the statistics mode via Logfile +o minor irrelevant fixes for uncommon error paths and fix several typos version 0.9.5 (2007/07/29) ------------------------------ diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 07deaa8..198b8a3 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf 
@@ -49,6 +49,23 @@ General { SocketBufferSizeMaxGrown 655355 } +Stats { + # + # Enable connection logging. Default is off. + # Logfile: on, off, or a filename + # Default file: (/var/log/conntrackd-stats.log) + # + LogFile on + + # + # Enable connection logging via Syslog. Default is off. + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # If you set the facility, use the same as in the General clause, + # otherwise you'll get a warning message. + # + #Syslog on +} + # # Ignore traffic for a certain set of IP's: Usually # all the IP assigned to the firewall since local @@ -69,8 +86,3 @@ IgnoreProtocol { # VRRP # numeric numbers also valid } - -# -# Strip NAT traffic -# -StripNAT diff --git a/include/conntrackd.h b/include/conntrackd.h index 1bb3879..e5b8a4e 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -31,6 +31,7 @@ #define DEFAULT_CONFIGFILE "/etc/conntrackd/conntrackd.conf" #define DEFAULT_LOCKFILE "/var/lock/conntrackd.lock" #define DEFAULT_LOGFILE "/var/log/conntrackd.log" +#define DEFAULT_STATS_LOGFILE "/var/log/conntrackd-stats.log" #define DEFAULT_SYSLOG_FACILITY LOG_DAEMON enum { @@ -87,6 +88,10 @@ struct ct_conf { unsigned int resend_buffer_size;/* FTFW protocol */ unsigned int window_size; int cache_write_through; + struct { + char logfile[FILENAME_MAXLEN]; + int syslog_facility; + } stats; }; #define STATE(x) st.x @@ -94,6 +99,7 @@ struct ct_conf { struct ct_general_state { sigset_t block; FILE *log; + FILE *stats_log; int local; struct ct_mode *mode; struct ignore_pool *ignore_pool; diff --git a/include/log.h b/include/log.h index f6f450c..467ae8f 100644 --- a/include/log.h +++ b/include/log.h @@ -1,10 +1,9 @@ #ifndef _LOG_H_ #define _LOG_H_ -#include - -FILE *init_log(char *filename); +int init_log(); void dlog(FILE *fd, int priority, char *format, ...); -void close_log(FILE *fd); +void dlog_ct(FILE *fd, struct nf_conntrack *ct); +void close_log(); #endif 
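Review bot: `int init_log();` and `void close_log();` in the new log.h are old-style declarations with no prototype, so they accept any argument list and a caller that still passes the old `FILE *` (run.c's `close_log(STATE(log));` elsewhere in this same commit) compiles without a diagnostic. Declare them as `int init_log(void);` and `void close_log(void);` so such a mismatch becomes a compile error; the definitions in log.c already use `(void)`.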
diff --git a/src/cache_iterators.c b/src/cache_iterators.c index c29100c..85f87ab 100644 --- a/src/cache_iterators.c +++ b/src/cache_iterators.c @@ -120,14 +120,14 @@ void cache_commit(struct cache *c) commit_exist = c->commit_exist - commit_exist; /* log results */ - dlog(STATE(log), LOG_INFO, "Committed %u new entries", commit_ok); + dlog(STATE(log), LOG_NOTICE, "Committed %u new entries", commit_ok); if (commit_exist) - dlog(STATE(log), LOG_INFO, "%u entries ignored, " - "already exist", commit_exist); + dlog(STATE(log), LOG_NOTICE, "%u entries ignored, " + "already exist", commit_exist); if (commit_fail) - dlog(STATE(log), LOG_INFO, "%u entries can't be " - "committed", commit_fail); + dlog(STATE(log), LOG_NOTICE, "%u entries can't be " + "committed", commit_fail); } static int do_flush(void *data1, void *data2) diff --git a/src/ignore_pool.c b/src/ignore_pool.c index 619c2fa..ee457ba 100644 --- a/src/ignore_pool.c +++ b/src/ignore_pool.c @@ -118,7 +118,7 @@ int __ignore_pool_test_ipv6(struct ignore_pool *ip, struct nf_conntrack *ct) int ignore_pool_test(struct ignore_pool *ip, struct nf_conntrack *ct) { - int ret; + int ret = 0; switch(nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO)) { case AF_INET: @@ -128,7 +128,7 @@ int ignore_pool_test(struct ignore_pool *ip, struct nf_conntrack *ct) ret = __ignore_pool_test_ipv6(ip, ct); break; default: - dlog(STATE(log), "unknown conntrack layer 3 protocol?"); + dlog(STATE(log), LOG_WARNING, "unknown layer 3 protocol?"); break; } diff --git a/src/log.c b/src/log.c index 5fea1c3..e3f2102 100644 --- a/src/log.c +++ b/src/log.c 
@@ -24,22 +24,31 @@ #include #include "conntrackd.h" -FILE *init_log(char *filename) +int init_log(void) { - FILE *fd = NULL; + if (CONFIG(logfile)[0]) { + STATE(log) = fopen(CONFIG(logfile), "a+"); + if (STATE(log) == NULL) { + fprintf(stderr, "can't open log file `%s'\n", + CONFIG(logfile)); + return -1; + } + } - if (filename[0]) { - fd = fopen(filename, "a+"); - if (fd == NULL) { - fprintf(stderr, "can't open log file `%s'\n", filename); - return NULL; + if (CONFIG(stats).logfile[0]) { + STATE(stats_log) = fopen(CONFIG(stats).logfile, "a+"); + if (STATE(stats_log) == NULL) { + fprintf(stderr, "can't open log file `%s'\n", + CONFIG(stats).logfile); + return -1; } } - if (CONFIG(syslog_facility) != -1) + if (CONFIG(syslog_facility) != -1 || + CONFIG(stats).syslog_facility != -1) openlog(PACKAGE, LOG_PID, CONFIG(syslog_facility)); - return fd; + return 0; } void dlog(FILE *fd, int priority, char *format, ...) @@ -85,10 +94,33 @@ void dlog(FILE *fd, int priority, char *format, ...) } } -void close_log(FILE *fd) +void dlog_ct(FILE *fd, struct nf_conntrack *ct) +{ + time_t t; + char buf[1024]; + char *tmp; + + if (fd) { + t = time(NULL); + ctime_r(&t, buf); + tmp = buf + strlen(buf); + buf[strlen(buf)-1]='\t'; + nfct_snprintf(buf+strlen(buf), 1024-strlen(buf), ct, 0, 0, 0); + fprintf(fd, "%s\n", buf); + fflush(fd); + } + + if (CONFIG(stats).syslog_facility != -1) + syslog(LOG_INFO, "%s", tmp); +} + +void close_log(void) { - if (fd != NULL) - fclose(fd); + if (STATE(log) != NULL) + fclose(STATE(log)); + + if (STATE(stats_log) != NULL) + fclose(STATE(stats_log)); if (CONFIG(syslog_facility) != -1) closelog(); diff --git a/src/main.c b/src/main.c index 3a54911..e0ca46d 100644 --- a/src/main.c +++ b/src/main.c 
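Review bot: `openlog()` is now reached when only `CONFIG(stats).syslog_facility` is configured, but it is still handed `CONFIG(syslog_facility)`, which is -1 in that case. Use whichever facility is actually set: `openlog(PACKAGE, LOG_PID, CONFIG(syslog_facility) != -1 ? CONFIG(syslog_facility) : CONFIG(stats).syslog_facility);`. Also, when the stats logfile fails to open, the already-opened `STATE(log)` is left open on the -1 return; main() exits right after, so this is minor, but an `fclose(STATE(log))` before `return -1` keeps init_log() self-contained.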
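Review bot: In `dlog_ct`, `tmp` is assigned only inside `if (fd)`, yet the closing `syslog(LOG_INFO, "%s", tmp)` runs whenever `CONFIG(stats).syslog_facility != -1`; with `LogFile off` and `Syslog on` in the Stats clause this hands an indeterminate pointer to syslog. Build the timestamp and conntrack text unconditionally and guard only the file write, as below; the syslog call itself is unchanged. `strlen(buf)` is recomputed several times on the way; hoisting it into a local is optional.
```c
void dlog_ct(FILE *fd, struct nf_conntrack *ct)
{
	time_t t;
	char buf[1024];
	char *tmp;

	/* build the record first so the syslog path below never
	 * sees an unassigned tmp when the logfile is disabled */
	t = time(NULL);
	ctime_r(&t, buf);
	tmp = buf + strlen(buf);
	buf[strlen(buf)-1]='\t';
	nfct_snprintf(buf+strlen(buf), 1024-strlen(buf), ct, 0, 0, 0);

	if (fd) {
		fprintf(fd, "%s\n", buf);
		fflush(fd);
	}

	/* … unchanged: syslog(LOG_INFO, "%s", tmp) when the stats facility is set … */
}
```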
@@ -246,8 +246,7 @@ int main(int argc, char *argv[]) /* * Setting up logging */ - STATE(log) = init_log(CONFIG(logfile)); - if (config_set && !STATE(log)) { + if (config_set && init_log() == -1) { fprintf(stderr, "can't open logfile `%s\n'", CONFIG(logfile)); exit(EXIT_FAILURE); } @@ -255,7 +254,7 @@ int main(int argc, char *argv[]) if (type == REQUEST) { if (do_local_request(action, &conf.local, local_step) == -1) { fprintf(stderr, "can't connect: is conntrackd " - "running? appropiate permissions?\n"); + "running? appropriate permissions?\n"); exit(EXIT_FAILURE); } exit(EXIT_SUCCESS); @@ -276,22 +275,21 @@ int main(int argc, char *argv[]) pid_t pid; if ((pid = fork()) == -1) { - dlog(STATE(log), LOG_ERR, "fork() failed: " - "%s", strerror(errno)); + perror("fork has failed: "); exit(EXIT_FAILURE); } else if (pid) exit(EXIT_SUCCESS); - dlog(STATE(log), LOG_INFO, "--- starting in daemon mode ---"); + dlog(STATE(log), LOG_NOTICE, "-- starting in daemon mode --"); } else - dlog(STATE(log), LOG_INFO, "--- starting in console mode ---"); + dlog(STATE(log), LOG_NOTICE, "-- starting in console mode --"); /* * initialization process */ if (init(mode) == -1) { - close_log(STATE(log)); + close_log(); fprintf(stderr, "ERROR: conntrackd cannot start, please " "check the logfile for more info\n"); unlink(CONFIG(lockfile)); diff --git a/src/netlink.c b/src/netlink.c index d453fe1..ab945d8 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -185,9 +185,9 @@ void nl_resize_socket_buffer(struct nfct_handle *h) CONFIG(netlink_buffer_size) = nfnl_rcvbufsiz(nfct_nfnlh(h), s); /* notify the sysadmin */ - dlog(STATE(log), LOG_INFO, "netlink socket buffer size " - "has been set to %u bytes", - CONFIG(netlink_buffer_size)); + dlog(STATE(log), LOG_NOTICE, "netlink socket buffer size " + "has been set to %u bytes", + CONFIG(netlink_buffer_size)); } int nl_dump_conntrack_table(void) diff --git a/src/network.c b/src/network.c index 9bd3469..a20c1e0 100644 --- a/src/network.c 
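Review bot: The error message after `init_log()` fails always names `CONFIG(logfile)`, but the new `init_log()` can also fail on `CONFIG(stats).logfile`, and it already prints the offending path itself; the format string additionally places the newline before the closing quote character. Since the detail is reported by init_log(), `fprintf(stderr, "can't set up logging\n");` is sufficient here. In the daemon branch, `perror("fork has failed: ")` duplicates the `: ` separator that perror appends itself; `perror("fork has failed")` reads cleanly.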
+++ b/src/network.c @@ -221,8 +221,8 @@ int mcast_track_seq(u_int32_t seq, u_int32_t *exp_seq) /* out of sequence: replayed/delayed packet? */ if (before(seq, STATE_SYNC(last_seq_recv)+1)) - dlog(STATE(log), "delayed packet? exp=%u rcv=%u", - STATE_SYNC(last_seq_recv)+1, seq); + dlog(STATE(log), LOG_WARNING, "delayed packet? exp=%u rcv=%u", + STATE_SYNC(last_seq_recv)+1, seq); out: *exp_seq = STATE_SYNC(last_seq_recv)+1; diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 92806f8..ebb1c73 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -123,6 +123,11 @@ syslog_facility : T_SYSLOG T_STRING "ignoring.\n", $2); return; } + + if (conf.stats.syslog_facility != -1 && + conf.syslog_facility != conf.stats.syslog_facility) + fprintf(stderr, "WARNING: Conflicting Syslog facility " + "values, defaulting to General.\n"); }; lock : T_LOCK T_PATH_VAL 
@@ -549,16 +554,74 @@ family : T_FAMILY T_STRING conf.family = AF_INET; }; -stats: T_SYNC '{' stats_list '}'; +stats: T_STATS '{' stats_list '}'; stats_list: | stats_list stat_line ; -stat_line: - | +stat_line: stat_logfile_bool + | stat_logfile_path + | stat_syslog_bool + | stat_syslog_facility ; +stat_logfile_bool : T_LOG T_ON +{ + strncpy(conf.stats.logfile, DEFAULT_STATS_LOGFILE, FILENAME_MAXLEN); +}; + +stat_logfile_bool : T_LOG T_OFF +{ +}; + +stat_logfile_path : T_LOG T_PATH_VAL +{ + strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); +}; + +stat_syslog_bool : T_SYSLOG T_ON +{ + conf.stats.syslog_facility = DEFAULT_SYSLOG_FACILITY; +}; + +stat_syslog_bool : T_SYSLOG T_OFF +{ + conf.stats.syslog_facility = -1; +} + +stat_syslog_facility : T_SYSLOG T_STRING +{ + if (!strcmp($2, "daemon")) + conf.stats.syslog_facility = LOG_DAEMON; + else if (!strcmp($2, "local0")) + conf.stats.syslog_facility = LOG_LOCAL0; + else if (!strcmp($2, "local1")) + conf.stats.syslog_facility = LOG_LOCAL1; + else if (!strcmp($2, "local2")) + conf.stats.syslog_facility = LOG_LOCAL2; + else if (!strcmp($2, "local3")) + conf.stats.syslog_facility = LOG_LOCAL3; + else if (!strcmp($2, "local4")) + conf.stats.syslog_facility = LOG_LOCAL4; + else if (!strcmp($2, "local5")) + conf.stats.syslog_facility = LOG_LOCAL5; + else if (!strcmp($2, "local6")) + conf.stats.syslog_facility = LOG_LOCAL6; + else if (!strcmp($2, "local7")) + conf.stats.syslog_facility = LOG_LOCAL7; + else { + fprintf(stderr, "'%s' is not a known syslog facility, " + "ignoring.\n", $2); + return; + } + + if (conf.syslog_facility != -1 && + conf.stats.syslog_facility != conf.syslog_facility) + fprintf(stderr, "WARNING: Conflicting Syslog facility " + "values, defaulting to General.\n"); +}; + %% int @@ -580,6 +643,7 @@ init_config(char *filename) /* Zero may be a valid facility */ CONFIG(syslog_facility) = -1; + CONFIG(stats).syslog_facility = -1; yyrestart(fp); yyparse(); 
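Review bot: `strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN)` in `stat_logfile_path` leaves `logfile` without a terminating NUL when the configured path is FILENAME_MAXLEN bytes or longer, and `init_log()` then passes the unterminated array to `fopen()`. `snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);` always terminates; the `DEFAULT_STATS_LOGFILE` copy in `stat_logfile_bool` is a short literal, but the same form keeps the two rules consistent. I cannot see the General-clause logfile rule from here; if it uses the same strncpy pattern it deserves the same fix. The `stat_syslog_bool : T_SYSLOG T_OFF` rule also lacks the `;` that every sibling rule ends with.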
diff --git a/src/run.c b/src/run.c index 9ce9923..0411fcb 100644 --- a/src/run.c +++ b/src/run.c @@ -40,7 +40,7 @@ void killer(int foo) STATE(mode)->kill(); destroy_alarm_scheduler(); unlink(CONFIG(lockfile)); - dlog(STATE(log), LOG_INFO, "------- shutdown received ----"); + dlog(STATE(log), LOG_NOTICE, "---- shutdown received ----"); close_log(STATE(log)); sigprocmask(SIG_UNBLOCK, &STATE(block), NULL); @@ -60,18 +60,16 @@ void local_handler(int fd, void *data) ret = read(fd, &type, sizeof(type)); if (ret == -1) { - dlog(STATE(log), LOG_INFO, "can't read from unix socket"); + dlog(STATE(log), LOG_ERR, "can't read from unix socket"); return; } - if (ret == 0) { - dlog(STATE(log), LOG_INFO, "local request: nothing received?"); + if (ret == 0) return; - } switch(type) { case FLUSH_MASTER: - dlog(STATE(log), LOG_NOTICE, "`conntrackd -F' is deprecated. " - "Use conntrack -F instead."); + dlog(STATE(log), LOG_WARNING, "`conntrackd -F' is deprecated. " + "Use conntrack -F instead."); if (fork() == 0) { execlp("conntrack", "conntrack", "-F", NULL); exit(EXIT_SUCCESS); @@ -84,7 +82,7 @@ void local_handler(int fd, void *data) } if (!STATE(mode)->local(fd, type, data)) - dlog(STATE(log), LOG_ERR, "unknown local request %d", type); + dlog(STATE(log), LOG_WARNING, "unknown local request %d", type); } int init(int mode) @@ -152,7 +150,7 @@ int init(int mode) if (signal(SIGCHLD, child) == SIG_ERR) return -1; - dlog(STATE(log), LOG_INFO, "initialization completed"); + dlog(STATE(log), LOG_NOTICE, "initialization completed"); return 0; } @@ -181,7 +179,8 @@ static void __run(long credit, int step) if (errno == EINTR) return; - dlog(STATE(log), "select() failed: %s", strerror(errno)); + dlog(STATE(log), LOG_WARNING, + "select failed: %s", strerror(errno)); return; } 
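Review bot: The context line `close_log(STATE(log));` in `killer()` still passes the old `FILE *` argument although this commit redefines `close_log` as `close_log(void)` in log.c and updates the call in main.c but not this one. It only compiles because log.h declares `void close_log();` without a prototype; change the call to `close_log();`. killer()'s body continues outside the hunk.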
@@ -218,8 +217,8 @@ static void __run(long credit, int step) case EAGAIN: break; default: - dlog(STATE(log), "event catch says: %s", - strerror(errno)); + dlog(STATE(log), LOG_WARNING, + "event catch says: %s", strerror(errno)); break; } } @@ -251,7 +250,8 @@ void run(void) timer_stop(&timer); if (timer_adjust_credit(&timer)) - dlog(STATE(log), "alarm run takes too long!"); + dlog(STATE(log), LOG_WARNING, + "alarm run takes too long!"); step = (step + 1) < STEPS_PER_SECONDS ? step + 1 : 0; } diff --git a/src/stats-mode.c b/src/stats-mode.c index 1d68e02..e817c4e 100644 --- a/src/stats-mode.c +++ b/src/stats-mode.c @@ -88,6 +88,8 @@ static int local_handler_stats(int fd, int type, void *data) static void dump_stats(struct nf_conntrack *ct) { + nfct_attr_unset(ct, ATTR_TIMEOUT); + if (cache_update_force(STATE_STATS(cache), ct)) debug_ct(ct, "resync entry"); } @@ -140,6 +142,8 @@ static void overrun_stats() static void event_new_stats(struct nf_conntrack *ct) { + nfct_attr_unset(ct, ATTR_TIMEOUT); + if (cache_add(STATE_STATS(cache), ct)) { debug_ct(ct, "cache new"); } else { @@ -153,6 +157,8 @@ static void event_new_stats(struct nf_conntrack *ct) static void event_update_stats(struct nf_conntrack *ct) { + nfct_attr_unset(ct, ATTR_TIMEOUT); + if (!cache_update_force(STATE_STATS(cache), ct)) { debug_ct(ct, "can't update"); return; @@ -162,8 +168,11 @@ static void event_update_stats(struct nf_conntrack *ct) static int event_destroy_stats(struct nf_conntrack *ct) { + nfct_attr_unset(ct, ATTR_TIMEOUT); + if (cache_del(STATE_STATS(cache), ct)) { debug_ct(ct, "cache destroy"); + dlog_ct(STATE(stats_log), ct); return 1; } else { debug_ct(ct, "can't destroy!"); diff --git a/src/sync-mode.c b/src/sync-mode.c index 7cd2b84..7c42c78 100644 --- a/src/sync-mode.c +++ b/src/sync-mode.c 
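Review bot: `nfct_attr_unset(ct, ATTR_TIMEOUT)` is added at the top of `dump_stats`, `event_new_stats`, `event_update_stats` and `event_destroy_stats` with no explanation of why the timeout has to be dropped before the cache operation. Presumably it stops the constantly changing timeout from influencing cache comparisons or the logged record (confirm), and a one-line comment at the first occurrence, `/* the timeout is volatile: drop it so it never affects cache handling */`, would record the intent for the other three copies. A small static helper that performs the unset and then the cache call would avoid repeating the line four times.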
@@ -273,13 +273,14 @@ static int local_handler_sync(int fd, int type, void *data) case COMMIT: ret = fork(); if (ret == 0) { - dlog(STATE(log), LOG_INFO, "committing external cache"); + dlog(STATE(log), LOG_NOTICE, + "committing external cache"); cache_commit(STATE_SYNC(external)); exit(EXIT_SUCCESS); } break; case FLUSH_CACHE: - dlog(STATE(log), LOG_INFO, "flushing caches"); + dlog(STATE(log), LOG_NOTICE, "flushing caches"); cache_flush(STATE_SYNC(internal)); cache_flush(STATE_SYNC(external)); break; -- cgit v1.2.3 From 0afa1f2651baa3b24a9ae2166366f5c234716c82 Mon Sep 17 00:00:00 2001 From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org" Date: Thu, 3 Jan 2008 16:21:16 +0000 Subject: add more descriptive information to the conntrackd.conf example file for the stats mode --- doc/stats/conntrackd.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 198b8a3..4bc5642 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -51,7 +51,8 @@ General { Stats { # - # Enable connection logging. Default is off. + # If you enable this option, the daemon writes the information about + # destroyed connections to a logfile. Default is off. # Logfile: on, off, or a filename # Default file: (/var/log/conntrackd-stats.log) # -- cgit v1.2.3 From 1102a95296e39f671efe51bb6bd9b30e5c14c91e Mon Sep 17 00:00:00 2001 
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org" Date: Sat, 5 Jan 2008 16:41:15 +0000 Subject: implement buffered connection logging to improve performance --- ChangeLog | 1 + doc/stats/conntrackd.conf | 10 +++++++ include/buffer.h | 18 +++++++++++++ include/conntrackd.h | 3 +++ include/log.h | 8 +++++- src/Makefile.am | 2 +- src/buffer.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++ src/log.c | 28 +++++++++++++++++--- src/read_config_lex.l | 1 + src/read_config_yy.y | 8 +++++- src/stats-mode.c | 12 ++++++++- 11 files changed, 151 insertions(+), 7 deletions(-) create mode 100644 include/buffer.h create mode 100644 src/buffer.c (limited to 'doc/stats') diff --git a/ChangeLog b/ChangeLog index 82072f4..ed21d7f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,7 @@ o add support for related conntracks (requires Linux kernel >= 2.6.22) o show error and warning messages to stderr o hash lookup speedups based on comments from netdev's discussions o add support for connection logging to the statistics mode via Logfile +o implement buffered connection logging to improve performance o minor irrelevant fixes for uncommon error paths and fix several typos o detach daemon from its terminal (Ben Lenitz ) o obsolete `-S' option: Use information provided by the config file diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 4bc5642..8f899b4 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf 
@@ -58,6 +58,16 @@ Stats { # LogFile on + # + # Set Logfile buffer size. Default is 0. + # You can set the size of the connection logging buffer size. This + # value determines how often the logging information is written to + # the harddisk. High values improves performances. If your firewall + # is very busy and you need connection logging, use a big buffer. + # Default buffer size is 0 that means direct write through. + # + #LogFileBufferSize 4096 + # # Enable connection logging via Syslog. Default is off. # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/include/buffer.h b/include/buffer.h new file mode 100644 index 0000000..5b854f3 --- /dev/null +++ b/include/buffer.h @@ -0,0 +1,18 @@ +#ifndef _BUFFER_H_ +#define _BUFFER_H_ + +struct buffer { + unsigned char *data; + unsigned int size; + unsigned int cur_size; +}; + +struct buffer *buffer_create(unsigned int size); +int buffer_add(struct buffer *b, void *data, unsigned int size); +void buffer_flush(struct buffer *b, + void (*cb)(void *buffer_data, + void *data), + void *data); +unsigned int buffer_size(struct buffer *b); + +#endif diff --git a/include/conntrackd.h b/include/conntrackd.h index a4a91ea..3bfcf18 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -7,6 +7,7 @@ #include #include #include "cache.h" +#include "buffer.h" #include "debug.h" #include #include "state_helper.h" @@ -93,6 +94,7 @@ struct ct_conf { struct { char logfile[FILENAME_MAXLEN]; int syslog_facility; + unsigned int buffer_size; } stats; }; @@ -136,6 +138,7 @@ struct ct_sync_state { struct ct_stats_state { struct cache *cache; /* internal events cache (netlink) */ + struct buffer *buffer_log; }; union ct_state { diff --git a/include/log.h b/include/log.h index 467ae8f..b5bbddb 100644 --- a/include/log.h +++ b/include/log.h 
@@ -1,9 +1,15 @@ #ifndef _LOG_H_ #define _LOG_H_ +#include + +struct buffer; +struct nf_conntrack; + int init_log(); void dlog(FILE *fd, int priority, char *format, ...); -void dlog_ct(FILE *fd, struct nf_conntrack *ct); +void dlog_buffered_ct(FILE *fd, struct buffer *b, struct nf_conntrack *ct); +void dlog_buffered_ct_flush(void *buffer_data, void *data); void close_log(); #endif diff --git a/src/Makefile.am b/src/Makefile.am index 62a7467..a7e82cf 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -10,7 +10,7 @@ conntrack_SOURCES = conntrack.c conntrack_LDADD = ../extensions/libct_proto_tcp.la ../extensions/libct_proto_udp.la ../extensions/libct_proto_icmp.la conntrack_LDFLAGS = $(all_libraries) @LIBNETFILTER_CONNTRACK_LIBS@ -conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c \ +conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c buffer.c \ local.c log.c mcast.c netlink.c \ ignore_pool.c \ cache.c cache_iterators.c \ diff --git a/src/buffer.c b/src/buffer.c new file mode 100644 index 0000000..3283c15 --- /dev/null +++ b/src/buffer.c 
@@ -0,0 +1,67 @@ +/* + * (C) 2006-2008 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ +#include +#include +#include +#include "buffer.h" + +struct buffer *buffer_create(unsigned int size) +{ + struct buffer *b; + + b = malloc(sizeof(struct buffer)); + if (b == NULL) + return NULL; + memset(b, 0, sizeof(struct buffer)); + + b->size = size; + + b->data = malloc(size); + if (b->data == NULL) { + free(b); + return NULL; + } + memset(b->data, 0, size); + + return b; +} + +int buffer_add(struct buffer *b, void *data, unsigned int size) +{ + if (b->size - b->cur_size < size) { + errno = ENOSPC; + return -1; + } + + memcpy(b->data + b->cur_size, data, size); + b->cur_size += size; +} + +void buffer_flush(struct buffer *b, + void (*cb)(void *buffer_data, void *data), + void *data) +{ + cb(b->data, data); + b->cur_size = 0; + memset(b->data, 0, b->size); +} + +unsigned int buffer_size(struct buffer *b) +{ + return b->size; +} diff --git a/src/log.c b/src/log.c index a4d51ec..3e3dd12 100644 --- a/src/log.c +++ b/src/log.c @@ -22,6 +22,7 @@ #include #include #include +#include "buffer.h" #include "conntrackd.h" int init_log(void) 
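Review bot: `buffer_add` has no `return` on its success path, so the callers in this commit that compare its result against -1 (log.c's `dlog_buffered_ct`) read an indeterminate value after every successful append; add `return 0;` after `b->cur_size += size;`. `buffer_create()` also calls `malloc(size)` with the documented default size of 0, and `malloc(0)` may legitimately return NULL, which `init_stats` in this commit treats as a fatal allocation failure; a `size == 0` special case (skip the data allocation, or allocate one byte) removes that platform dependence. There is no `buffer_destroy()` counterpart, so a buffer created in init_stats can never be released.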
@@ -94,7 +95,15 @@ void dlog(FILE *fd, int priority, char *format, ...) } } -void dlog_ct(FILE *fd, struct nf_conntrack *ct) +void dlog_buffered_ct_flush(void *buffer_data, void *data) +{ + FILE *fd = data; + + fprintf(fd, "%s", buffer_data); + fflush(fd); +} + +void dlog_buffered_ct(FILE *fd, struct buffer *b, struct nf_conntrack *ct) { time_t t; char buf[1024]; @@ -107,8 +116,21 @@ void dlog_ct(FILE *fd, struct nf_conntrack *ct) nfct_snprintf(buf+strlen(buf), 1024-strlen(buf), ct, 0, 0, 0); if (fd) { - fprintf(fd, "%s\n", buf); - fflush(fd); + snprintf(buf+strlen(buf), 1024-strlen(buf), "\n"); + /* zero size buffer: force fflush */ + if (buffer_size(b) == 0) { + fprintf(fd, "%s", buf); + fflush(fd); + } + + if (buffer_add(b, buf, strlen(buf)) == -1) { + buffer_flush(b, dlog_buffered_ct_flush, fd); + if (buffer_add(b, buf, strlen(buf)) == -1) { + /* buffer too small, catacrocket! */ + fprintf(fd, "%s", buf); + fflush(fd); + } + } } if (CONFIG(stats).syslog_facility != -1) diff --git a/src/read_config_lex.l b/src/read_config_lex.l index 847ec74..0acd98c 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l @@ -102,6 +102,7 @@ ftfw [F|f][T|t][F|f][W|w] "TIME_WAIT" { return T_TIME_WAIT; } "CLOSE" { return T_CLOSE; } "LISTEN" { return T_LISTEN; } +"LogFileBufferSize" { return T_STAT_BUFFER_SIZE; } {is_on} { return T_ON; } {is_off} { return T_OFF; } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 9cb304a..bbc5115 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -49,7 +49,7 @@ struct ct_conf conf; %token T_REPLICATE T_FOR T_IFACE %token T_ESTABLISHED T_SYN_SENT T_SYN_RECV T_FIN_WAIT %token T_CLOSE_WAIT T_LAST_ACK T_TIME_WAIT T_CLOSE T_LISTEN -%token T_SYSLOG T_WRITE_THROUGH +%token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE %token T_IP T_PATH_VAL @@ -580,6 +580,7 @@ stat_line: stat_logfile_bool | stat_logfile_path | stat_syslog_bool | stat_syslog_facility + | buffer_size ; stat_logfile_bool : T_LOG T_ON 
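Review bot: In `dlog_buffered_ct`, the `buffer_size(b) == 0` branch writes the record and then falls through to `buffer_add()`, which always fails on a 0-byte buffer, so the record is written a second time through the fallback path and the intervening `buffer_flush()` makes `dlog_buffered_ct_flush` print a 0-byte allocation with `%s` (an out-of-bounds read). Make the direct write exclusive: change the following `if (buffer_add(b, buf, strlen(buf)) == -1) {` to `} else if (buffer_add(b, buf, strlen(buf)) == -1) {` and drop the brace that closed the zero-size branch. Independently, `dlog_buffered_ct_flush` relies on `b->data` being NUL-terminated, but `buffer_add` may fill all `size` bytes and the zeroing only happens after a flush; reserving one byte in `buffer_add` (`if (b->size - b->cur_size <= size)`) keeps that `%s` read in bounds.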
@@ -638,6 +639,11 @@ stat_syslog_facility : T_SYSLOG T_STRING "values, defaulting to General.\n"); }; +buffer_size: T_STAT_BUFFER_SIZE T_NUMBER +{ + conf.stats.buffer_size = $2; +}; + %% int diff --git a/src/stats-mode.c b/src/stats-mode.c index e817c4e..05a1b2c 100644 --- a/src/stats-mode.c +++ b/src/stats-mode.c @@ -18,6 +18,7 @@ #include #include "cache.h" +#include "log.h" #include "conntrackd.h" #include #include @@ -37,6 +38,12 @@ static int init_stats(void) } memset(state.stats, 0, sizeof(struct ct_stats_state)); + STATE_STATS(buffer_log) = buffer_create(CONFIG(stats).buffer_size); + if (!STATE_STATS(buffer_log)) { + dlog(STATE(log), LOG_ERR, "can't allocate stats buffer"); + return -1; + } + STATE_STATS(cache) = cache_create("stats", LIFETIME, CONFIG(family), @@ -53,6 +60,9 @@ static int init_stats(void) static void kill_stats() { cache_destroy(STATE_STATS(cache)); + buffer_flush(STATE_STATS(buffer_log), + dlog_buffered_ct_flush, + STATE(stats_log)); } /* handler for requests coming via UNIX socket */ @@ -172,7 +182,7 @@ static int event_destroy_stats(struct nf_conntrack *ct) if (cache_del(STATE_STATS(cache), ct)) { debug_ct(ct, "cache destroy"); - dlog_ct(STATE(stats_log), ct); + dlog_buffered_ct(STATE(stats_log), STATE_STATS(buffer_log), ct); return 1; } else { debug_ct(ct, "can't destroy!"); -- cgit v1.2.3 From 91d431dacd79d93d671ace690e2e9c7fbb0f2877 Mon Sep 17 00:00:00 2001 
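Review bot: `kill_stats` flushes `buffer_log` into `STATE(stats_log)` without the NULL check that `dlog_buffered_ct` performs, so with the Stats `LogFile` directive off (`STATE(stats_log)` is NULL) `dlog_buffered_ct_flush` calls `fprintf` on a NULL stream at shutdown; guard it with `if (STATE(stats_log)) buffer_flush(STATE_STATS(buffer_log), dlog_buffered_ct_flush, STATE(stats_log));`. The buffer created in `init_stats` is also never released here because the buffer API in this commit has no destroy function; a later commit on this page mentions adding one. `init_stats` allocates the buffer before the cache and does not free it when `cache_create` fails, which the hunk's trailing lines do not show; if that path returns -1, the buffer leaks.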
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org" Date: Fri, 18 Jan 2008 13:09:49 +0000 Subject: Max Kellermann : Simplify logging infrastructure --- ChangeLog | 4 +-- doc/stats/conntrackd.conf | 10 ------- include/Makefile.am | 2 +- include/buffer.h | 22 -------------- include/conntrackd.h | 1 - include/log.h | 6 ++-- src/Makefile.am | 2 +- src/buffer.c | 76 ----------------------------------------------- src/cache_iterators.c | 10 +++---- src/ignore_pool.c | 2 +- src/log.c | 34 ++++++--------------- src/main.c | 4 +-- src/netlink.c | 28 ++++++++--------- src/network.c | 2 +- src/read_config_yy.y | 2 +- src/run.c | 24 +++++++-------- src/stats-mode.c | 30 +++++-------------- src/sync-ftfw.c | 8 ++--- src/sync-mode.c | 32 ++++++++++---------- 19 files changed, 78 insertions(+), 221 deletions(-) delete mode 100644 include/buffer.h delete mode 100644 src/buffer.c (limited to 'doc/stats') diff --git a/ChangeLog b/ChangeLog index a9dfd8b..25c8c38 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,7 +31,6 @@ o add support for related conntracks (requires Linux kernel >= 2.6.22) o show error and warning messages to stderr o hash lookup speedups based on comments from netdev's discussions o add support for connection logging to the statistics mode via Logfile -o implement buffered connection logging to improve performance o minor irrelevant fixes for uncommon error paths and fix several typos o detach daemon from its terminal (Ben Lenitz ) o obsolete `-S' option: Use information provided by the config file 
@@ -81,13 +80,12 @@ o always close stdin - even in non-daemon mode, it is of no use o chdir("/") to release the cwd inode o ignore setsid() failure, because there is only one possible and o fix harmless error condition -o add buffer_destroy() to buffer.c o fix memory leaks in several error output paths -o use size_t for buffer sizes o import only required C headers and put local headers on top to check o fix double free() bug in the error output path of mcast_create() o eliminate unsed cache_get_conntrack() in rs_list_to_tx() o remove capability code and rely on the error returned by the syscall +o major simplification of the logging infrastructure o use fputs() instead of fprintf() in log.c version 0.9.5 (2007/07/29) diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 8f899b4..4bc5642 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -58,16 +58,6 @@ Stats { # LogFile on - # - # Set Logfile buffer size. Default is 0. - # You can set the size of the connection logging buffer size. This - # value determines how often the logging information is written to - # the harddisk. High values improves performances. If your firewall - # is very busy and you need connection logging, use a big buffer. - # Default buffer size is 0 that means direct write through. - # - #LogFileBufferSize 4096 - # # Enable connection logging via Syslog. Default is off. # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/include/Makefile.am b/include/Makefile.am index ff8611f..e8e7f81 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -1,7 +1,7 @@ noinst_HEADERS = alarm.h jhash.h slist.h cache.h linux_list.h \ sync.h conntrackd.h local.h us-conntrack.h \ - debug.h log.h hash.h mcast.h buffer.h conntrack.h \ + debug.h log.h hash.h mcast.h conntrack.h \ state_helper.h network.h ignore.h queue.h \ traffic_stats.h netlink.h 
diff --git a/include/buffer.h b/include/buffer.h deleted file mode 100644 index ab1ccd3..0000000 --- a/include/buffer.h +++ /dev/null @@ -1,22 +0,0 @@ -#ifndef _BUFFER_H_ -#define _BUFFER_H_ - -#include - -struct buffer { - unsigned char *data; - size_t size; - size_t cur_size; -}; - -struct buffer *buffer_create(size_t size); -void buffer_destroy(struct buffer *b); - -int buffer_add(struct buffer *b, void *data, size_t size); -void buffer_flush(struct buffer *b, - void (*cb)(void *buffer_data, - void *data), - void *data); -size_t buffer_size(const struct buffer *b); - -#endif diff --git a/include/conntrackd.h b/include/conntrackd.h index c16d3d7..b223a17 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -132,7 +132,6 @@ struct ct_sync_state { struct ct_stats_state { struct cache *cache; /* internal events cache (netlink) */ - struct buffer *buffer_log; }; union ct_state { diff --git a/include/log.h b/include/log.h index 64bf1ce..b258633 100644 --- a/include/log.h +++ b/include/log.h @@ -3,13 +3,11 @@ #include -struct buffer; struct nf_conntrack; int init_log(void); -void dlog(FILE *fd, int priority, const char *format, ...); -void dlog_buffered_ct(FILE *fd, struct buffer *b, struct nf_conntrack *ct); -void dlog_buffered_ct_flush(void *buffer_data, void *data); +void dlog(int priority, const char *format, ...); +void dlog_ct(struct nf_conntrack *ct); void close_log(void); #endif diff --git a/src/Makefile.am b/src/Makefile.am index fafb5ff..15628b7 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -10,7 +10,7 @@ conntrack_SOURCES = conntrack.c conntrack_LDADD = ../extensions/libct_proto_tcp.la ../extensions/libct_proto_udp.la ../extensions/libct_proto_icmp.la conntrack_LDFLAGS = $(all_libraries) @LIBNETFILTER_CONNTRACK_LIBS@ -conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c buffer.c \ +conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c \ local.c log.c mcast.c netlink.c \ ignore_pool.c \ cache.c cache_iterators.c \ 
diff --git a/src/buffer.c b/src/buffer.c deleted file mode 100644 index 739174a..0000000 --- a/src/buffer.c +++ /dev/null @@ -1,76 +0,0 @@ -/* - * (C) 2006-2008 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "buffer.h" - -#include -#include -#include - -struct buffer *buffer_create(size_t size) -{ - struct buffer *b; - - b = malloc(sizeof(struct buffer)); - if (b == NULL) - return NULL; - memset(b, 0, sizeof(struct buffer)); - - b->size = size; - - b->data = malloc(size); - if (b->data == NULL) { - free(b); - return NULL; - } - memset(b->data, 0, size); - - return b; -} - -void buffer_destroy(struct buffer *b) -{ - free(b->data); - free(b); -} - -int buffer_add(struct buffer *b, void *data, size_t size) -{ - if (b->size - b->cur_size < size) { - errno = ENOSPC; - return -1; - } - - memcpy(b->data + b->cur_size, data, size); - b->cur_size += size; - return 0; -} - -void buffer_flush(struct buffer *b, - void (*cb)(void *buffer_data, void *data), - void *data) -{ - cb(b->data, data); - b->cur_size = 0; - memset(b->data, 0, b->size); -} - -size_t buffer_size(const struct buffer *b) -{ - return b->size; -} diff --git a/src/cache_iterators.c b/src/cache_iterators.c index bf70dd1..92b7b7f 100644 --- a/src/cache_iterators.c +++ b/src/cache_iterators.c 
@@ -123,14 +123,14 @@ void cache_commit(struct cache *c) commit_exist = c->commit_exist - commit_exist; /* log results */ - dlog(STATE(log), LOG_NOTICE, "Committed %u new entries", commit_ok); + dlog(LOG_NOTICE, "Committed %u new entries", commit_ok); if (commit_exist) - dlog(STATE(log), LOG_NOTICE, "%u entries ignored, " - "already exist", commit_exist); + dlog(LOG_NOTICE, "%u entries ignored, " + "already exist", commit_exist); if (commit_fail) - dlog(STATE(log), LOG_NOTICE, "%u entries can't be " - "committed", commit_fail); + dlog(LOG_NOTICE, "%u entries can't be " + "committed", commit_fail); } static int do_flush(void *data1, void *data2) diff --git a/src/ignore_pool.c b/src/ignore_pool.c index c77a55b..2d898d1 100644 --- a/src/ignore_pool.c +++ b/src/ignore_pool.c @@ -133,7 +133,7 @@ int ignore_pool_test(struct ignore_pool *ip, struct nf_conntrack *ct) ret = __ignore_pool_test_ipv6(ip, ct); break; default: - dlog(STATE(log), LOG_WARNING, "unknown layer 3 protocol?"); + dlog(LOG_WARNING, "unknown layer 3 protocol?"); break; } diff --git a/src/log.c b/src/log.c index 41b2057..51e757f 100644 --- a/src/log.c +++ b/src/log.c @@ -19,7 +19,6 @@ */ #include "log.h" -#include "buffer.h" #include "conntrackd.h" #include @@ -38,6 +37,8 @@ int init_log(void) strerror(errno)); return -1; } + + setlinebuf(STATE(log)); } if (CONFIG(stats).logfile[0]) { @@ -48,6 +49,8 @@ int init_log(void) strerror(errno)); return -1; } + + setlinebuf(STATE(stats_log)); } if (CONFIG(syslog_facility) != -1 || @@ -57,8 +60,9 @@ int init_log(void) return 0; } -void dlog(FILE *fd, int priority, const char *format, ...) +void dlog(int priority, const char *format, ...) { + FILE *fd = STATE(log); time_t t; char *buf; const char *prio; 
@@ -100,16 +104,9 @@ void dlog(FILE *fd, int priority, const char *format, ...) } } -void dlog_buffered_ct_flush(void *buffer_data, void *data) -{ - FILE *fd = data; - - fputs((const char*)buffer_data, fd); - fflush(fd); -} - -void dlog_buffered_ct(FILE *fd, struct buffer *b, struct nf_conntrack *ct) +void dlog_ct(struct nf_conntrack *ct) { + FILE *fd = STATE(stats_log); time_t t; char buf[1024]; char *tmp; @@ -122,20 +119,7 @@ void dlog_buffered_ct(FILE *fd, struct buffer *b, struct nf_conntrack *ct) if (fd) { snprintf(buf+strlen(buf), 1024-strlen(buf), "\n"); - /* zero size buffer: force fflush */ - if (buffer_size(b) == 0) { - fputs(buf, fd); - fflush(fd); - } - - if (buffer_add(b, buf, strlen(buf)) == -1) { - buffer_flush(b, dlog_buffered_ct_flush, fd); - if (buffer_add(b, buf, strlen(buf)) == -1) { - /* buffer too small, catacrocket! */ - fputs(buf, fd); - fflush(fd); - } - } + fputs(buf, fd); } if (CONFIG(stats).syslog_facility != -1) diff --git a/src/main.c b/src/main.c index 0aa5317..8221564 100644 --- a/src/main.c +++ b/src/main.c @@ -250,9 +250,9 @@ int main(int argc, char *argv[]) close(STDOUT_FILENO); close(STDERR_FILENO); - dlog(STATE(log), LOG_NOTICE, "-- starting in daemon mode --"); + dlog(LOG_NOTICE, "-- starting in daemon mode --"); } else - dlog(STATE(log), LOG_NOTICE, "-- starting in console mode --"); + dlog(LOG_NOTICE, "-- starting in console mode --"); /* * run main process diff --git a/src/netlink.c b/src/netlink.c index 0457e8a..bb94001 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -73,7 +73,7 @@ static int event_handler(enum nf_conntrack_msg_type type, update_traffic_stats(ct); break; default: - dlog(STATE(log), LOG_WARNING, "unknown msg from ctnetlink\n"); + dlog(LOG_WARNING, "unknown msg from ctnetlink\n"); break; } 
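Review bot: In dlog_ct(), the trailing newline is added with `snprintf(buf+strlen(buf), 1024-strlen(buf), "\n")`; if the conntrack formatting above (outside this hunk) filled buf to 1023 characters, the remaining size is 1, only the NUL is written and the record ends without a newline, so the line buffering set up in init_log() never flushes it and it is glued to the next record — the explicit fflush() that this commit removes used to hide that. Reserve one byte for the newline when formatting the conntrack text, or check the snprintf return and force the newline into `buf[sizeof(buf)-2]` on truncation. The `fputs(buf, fd)` return value is also unchecked, so a failed write to the stats log passes silently; consider `if (fputs(buf, fd) == EOF) dlog(LOG_ERR, "can't write to stats log: %s", strerror(errno));`.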
@@ -134,7 +134,7 @@ static int dump_handler(enum nf_conntrack_msg_type type, STATE(mode)->dump(ct); break; default: - dlog(STATE(log), LOG_WARNING, "unknown msg from ctnetlink"); + dlog(LOG_WARNING, "unknown msg from ctnetlink"); break; } return NFCT_CB_CONTINUE; @@ -167,15 +167,15 @@ void nl_resize_socket_buffer(struct nfct_handle *h) return; if (s > CONFIG(netlink_buffer_size_max_grown)) { - dlog(STATE(log), LOG_WARNING, - "maximum netlink socket buffer " - "size has been reached. We are likely to " - "be losing events, this may lead to " - "unsynchronized replicas. Please, consider " - "increasing netlink socket buffer size via " - "SocketBufferSize and " - "SocketBufferSizeMaxGrown clauses in " - "conntrackd.conf"); + dlog(LOG_WARNING, + "maximum netlink socket buffer " + "size has been reached. We are likely to " + "be losing events, this may lead to " + "unsynchronized replicas. Please, consider " + "increasing netlink socket buffer size via " + "SocketBufferSize and " + "SocketBufferSizeMaxGrown clauses in " + "conntrackd.conf"); s = CONFIG(netlink_buffer_size_max_grown); warned = 1; } @@ -183,9 +183,9 @@ void nl_resize_socket_buffer(struct nfct_handle *h) CONFIG(netlink_buffer_size) = nfnl_rcvbufsiz(nfct_nfnlh(h), s); /* notify the sysadmin */ - dlog(STATE(log), LOG_NOTICE, "netlink socket buffer size " - "has been set to %u bytes", - CONFIG(netlink_buffer_size)); + dlog(LOG_NOTICE, "netlink socket buffer size " + "has been set to %u bytes", + CONFIG(netlink_buffer_size)); } int nl_dump_conntrack_table(void) diff --git a/src/network.c b/src/network.c index 7c7a08a..da26545 100644 --- a/src/network.c +++ b/src/network.c @@ -222,7 +222,7 @@ int mcast_track_seq(uint32_t seq, uint32_t *exp_seq) /* out of sequence: replayed/delayed packet? */ if (before(seq, STATE_SYNC(last_seq_recv)+1)) - dlog(STATE(log), LOG_WARNING, "delayed packet? exp=%u rcv=%u", + dlog(LOG_WARNING, "delayed packet? exp=%u rcv=%u", STATE_SYNC(last_seq_recv)+1, seq); out: 
diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 531b1fe..0ba5331 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -635,7 +635,7 @@ stat_syslog_facility : T_SYSLOG T_STRING buffer_size: T_STAT_BUFFER_SIZE T_NUMBER { - conf.stats.buffer_size = $2; + fprintf(stderr, "WARNING: LogFileBufferSize is deprecated.\n"); }; %% diff --git a/src/run.c b/src/run.c index 9076028..a5b6a79 100644 --- a/src/run.c +++ b/src/run.c @@ -43,7 +43,7 @@ void killer(int foo) local_server_destroy(STATE(local), CONFIG(local).path); STATE(mode)->kill(); unlink(CONFIG(lockfile)); - dlog(STATE(log), LOG_NOTICE, "---- shutdown received ----"); + dlog(LOG_NOTICE, "---- shutdown received ----"); close_log(); sigprocmask(SIG_UNBLOCK, &STATE(block), NULL); @@ -63,7 +63,7 @@ void local_handler(int fd, void *data) ret = read(fd, &type, sizeof(type)); if (ret == -1) { - dlog(STATE(log), LOG_ERR, "can't read from unix socket"); + dlog(LOG_ERR, "can't read from unix socket"); return; } if (ret == 0) @@ -71,7 +71,7 @@ void local_handler(int fd, void *data) switch(type) { case FLUSH_MASTER: - dlog(STATE(log), LOG_WARNING, "`conntrackd -F' is deprecated. " + dlog(LOG_WARNING, "`conntrackd -F' is deprecated. " "Use conntrack -F instead."); if (fork() == 0) { execlp("conntrack", "conntrack", "-F", NULL); @@ -79,13 +79,13 @@ void local_handler(int fd, void *data) } return; case RESYNC_MASTER: - dlog(STATE(log), LOG_NOTICE, "resync with master table"); + dlog(LOG_NOTICE, "resync with master table"); nl_dump_conntrack_table(); return; } if (!STATE(mode)->local(fd, type, data)) - dlog(STATE(log), LOG_WARNING, "unknown local request %d", type); + dlog(LOG_WARNING, "unknown local request %d", type); } int 
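Review bot: In the FLUSH_MASTER branch of local_handler(), the forked child calls `execlp("conntrack", "conntrack", "-F", NULL)` and, if the exec fails, falls through (the closing brace and `return` are in the next hunk) back into the daemon's event loop as a second conntrackd sharing the netlink and UNIX sockets; add `_exit(EXIT_FAILURE);` right after the execlp call so the child always terminates. `fork()` returning -1 is also not reported, so a failed flush request leaves no trace in the log. Since conntrackd presumably runs privileged (it drives ctnetlink), resolving `conntrack` through PATH is worth replacing with an absolute path via execl().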
@@ -104,25 +104,25 @@ init(void) /* Initialization */ if (STATE(mode)->init() == -1) { - dlog(STATE(log), LOG_ERR, "initialization failed"); + dlog(LOG_ERR, "initialization failed"); return -1; } /* local UNIX socket */ STATE(local) = local_server_create(&CONFIG(local)); if (!STATE(local)) { - dlog(STATE(log), LOG_ERR, "can't open unix socket!"); + dlog(LOG_ERR, "can't open unix socket!"); return -1; } if (nl_init_event_handler() == -1) { - dlog(STATE(log), LOG_ERR, "can't open netlink handler! " + dlog(LOG_ERR, "can't open netlink handler! " "no ctnetlink kernel support?"); return -1; } if (nl_init_dump_handler() == -1) { - dlog(STATE(log), LOG_ERR, "can't open netlink handler! " + dlog(LOG_ERR, "can't open netlink handler! " "no ctnetlink kernel support?"); return -1; } @@ -146,7 +146,7 @@ init(void) if (signal(SIGCHLD, child) == SIG_ERR) return -1; - dlog(STATE(log), LOG_NOTICE, "initialization completed"); + dlog(LOG_NOTICE, "initialization completed"); return 0; } @@ -171,7 +171,7 @@ static int __run(struct timeval *next_alarm) if (errno == EINTR) return 0; - dlog(STATE(log), LOG_WARNING, + dlog(LOG_WARNING, "select failed: %s", strerror(errno)); return 0; } @@ -213,7 +213,7 @@ static int __run(struct timeval *next_alarm) case EAGAIN: break; default: - dlog(STATE(log), LOG_WARNING, + dlog(LOG_WARNING, "event catch says: %s", strerror(errno)); break; } diff --git a/src/stats-mode.c b/src/stats-mode.c index 0ecb2b0..9e6089c 100644 --- a/src/stats-mode.c +++ b/src/stats-mode.c @@ -18,7 +18,6 @@ #include "netlink.h" #include "traffic_stats.h" -#include "buffer.h" #include "debug.h" #include "cache.h" #include "log.h" 
@@ -32,27 +31,19 @@ static int init_stats(void) { state.stats = malloc(sizeof(struct ct_stats_state)); if (!state.stats) { - dlog(STATE(log), LOG_ERR, "can't allocate memory for stats"); + dlog(LOG_ERR, "can't allocate memory for stats"); return -1; } memset(state.stats, 0, sizeof(struct ct_stats_state)); - STATE_STATS(buffer_log) = buffer_create(CONFIG(stats).buffer_size); - if (!STATE_STATS(buffer_log)) { - dlog(STATE(log), LOG_ERR, "can't allocate stats buffer"); - free(state.stats); - return -1; - } - STATE_STATS(cache) = cache_create("stats", LIFETIME, CONFIG(family), NULL); if (!STATE_STATS(cache)) { - dlog(STATE(log), LOG_ERR, "can't allocate memory for the " - "external cache"); + dlog(LOG_ERR, "can't allocate memory for the " + "external cache"); free(state.stats); - buffer_destroy(STATE_STATS(buffer_log)); return -1; } @@ -62,11 +53,6 @@ static int init_stats(void) static void kill_stats(void) { cache_destroy(STATE_STATS(cache)); - /* flush the buffer before exiting */ - if (STATE(stats_log) != NULL) - buffer_flush(STATE_STATS(buffer_log), - dlog_buffered_ct_flush, - STATE(stats_log)); } /* handler for requests coming via UNIX socket */ @@ -82,7 +68,7 @@ static int local_handler_stats(int fd, int type, void *data) cache_dump(STATE_STATS(cache), fd, NFCT_O_XML); break; case FLUSH_CACHE: - dlog(STATE(log), LOG_NOTICE, "flushing caches"); + dlog(LOG_NOTICE, "flushing caches"); cache_flush(STATE_STATS(cache)); break; case KILL: @@ -138,7 +124,7 @@ static void overrun_stats(void) h = nfct_open(CONNTRACK, 0); if (!h) { - dlog(STATE(log), LOG_ERR, "can't open overrun handler"); + dlog(LOG_ERR, "can't open overrun handler"); return; } @@ -148,7 +134,7 @@ static void overrun_stats(void) ret = nfct_query(h, NFCT_Q_DUMP, &family); if (ret == -1) - dlog(STATE(log), LOG_ERR, + dlog(LOG_ERR, "overrun query error %s", strerror(errno)); nfct_close(h); 
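Review bot: init_stats() still zeroes the freshly malloc'ed state with a separate memset; `state.stats = calloc(1, sizeof(struct ct_stats_state));` says the same thing in one call. On the cache_create() failure path `free(state.stats)` leaves `state.stats` dangling; add `state.stats = NULL;` after the free so any later cleanup cannot touch freed memory. kill_stats() now only destroys the cache and leaves STATE(stats_log) to be flushed by whatever closes it (presumably close_log(), outside this hunk); a one-line comment there, `/* stats_log is line-buffered; flushed and closed by close_log() */`, would record that dependency.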
@@ -162,7 +148,7 @@ static void event_new_stats(struct nf_conntrack *ct) debug_ct(ct, "cache new"); } else { if (errno != EEXIST) { - dlog(STATE(log), LOG_ERR, + dlog(LOG_ERR, "can't add to cache cache: %s\n", strerror(errno)); debug_ct(ct, "can't add"); } @@ -186,7 +172,7 @@ static int event_destroy_stats(struct nf_conntrack *ct) if (cache_del(STATE_STATS(cache), ct)) { debug_ct(ct, "cache destroy"); - dlog_buffered_ct(STATE(stats_log), STATE_STATS(buffer_log), ct); + dlog_ct(ct); return 1; } else { debug_ct(ct, "can't destroy!"); diff --git a/src/sync-ftfw.c b/src/sync-ftfw.c index f6d2ed3..94df5f9 100644 --- a/src/sync-ftfw.c +++ b/src/sync-ftfw.c @@ -98,13 +98,13 @@ static int ftfw_init(void) { tx_queue = queue_create(CONFIG(resend_queue_size)); if (tx_queue == NULL) { - dlog(STATE(log), LOG_ERR, "cannot create tx queue"); + dlog(LOG_ERR, "cannot create tx queue"); return -1; } rs_queue = queue_create(CONFIG(resend_queue_size)); if (rs_queue == NULL) { - dlog(STATE(log), LOG_ERR, "cannot create rs queue"); + dlog(LOG_ERR, "cannot create rs queue"); return -1; } @@ -143,11 +143,11 @@ static int ftfw_local(int fd, int type, void *data) switch(type) { case REQUEST_DUMP: - dlog(STATE(log), LOG_NOTICE, "request resync"); + dlog(LOG_NOTICE, "request resync"); tx_queue_add_ctlmsg(NET_F_RESYNC, 0, 0); break; case SEND_BULK: - dlog(STATE(log), LOG_NOTICE, "sending bulk update"); + dlog(LOG_NOTICE, "sending bulk update"); cache_iterate(STATE_SYNC(internal), NULL, do_cache_to_tx); break; default: diff --git a/src/sync-mode.c b/src/sync-mode.c index dc8e782..4b2fad7 100644 --- a/src/sync-mode.c +++ b/src/sync-mode.c @@ -80,7 +80,7 @@ retry: debug_ct(ct, "can't destroy"); break; default: - dlog(STATE(log), LOG_ERR, "mcast unknown query %d\n", query); + dlog(LOG_ERR, "mcast unknown query %d\n", query); break; } } 
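Review bot: In ftfw_init(), when `rs_queue = queue_create(CONFIG(resend_queue_size))` fails the already-created tx_queue is not released before `return -1`, so a failed initialization leaks it. Destroy tx_queue on that path and reset the pointer (the queue module's destroy routine is outside this hunk) so init failure leaves no partially built state behind. The same ordering concern applies to any later resource acquired in this function beyond the visible lines.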
@@ -100,7 +100,7 @@ static void mcast_handler(void) struct nethdr *net = (struct nethdr *) ptr; if (ntohs(net->len) > remain) { - dlog(STATE(log), LOG_ERR, "fragmented messages"); + dlog(LOG_ERR, "fragmented messages"); break; } @@ -122,7 +122,7 @@ static int init_sync(void) { state.sync = malloc(sizeof(struct ct_sync_state)); if (!state.sync) { - dlog(STATE(log), LOG_ERR, "can't allocate memory for sync"); + dlog(LOG_ERR, "can't allocate memory for sync"); return -1; } memset(state.sync, 0, sizeof(struct ct_sync_state)); @@ -148,8 +148,8 @@ static int init_sync(void) STATE_SYNC(sync)->internal_cache_extra); if (!STATE_SYNC(internal)) { - dlog(STATE(log), LOG_ERR, "can't allocate memory for " - "the internal cache"); + dlog(LOG_ERR, "can't allocate memory for " + "the internal cache"); return -1; } @@ -164,28 +164,28 @@ static int init_sync(void) NULL); if (!STATE_SYNC(external)) { - dlog(STATE(log), LOG_ERR, "can't allocate memory for the " - "external cache"); + dlog(LOG_ERR, "can't allocate memory for the " + "external cache"); return -1; } /* multicast server to receive events from the wire */ STATE_SYNC(mcast_server) = mcast_server_create(&CONFIG(mcast)); if (STATE_SYNC(mcast_server) == NULL) { - dlog(STATE(log), LOG_ERR, "can't open multicast server!"); + dlog(LOG_ERR, "can't open multicast server!"); return -1; } /* multicast client to send events on the wire */ STATE_SYNC(mcast_client) = mcast_client_create(&CONFIG(mcast)); if (STATE_SYNC(mcast_client) == NULL) { - dlog(STATE(log), LOG_ERR, "can't open client multicast socket"); + dlog(LOG_ERR, "can't open client multicast socket"); mcast_server_destroy(STATE_SYNC(mcast_server)); return -1; } if (mcast_buffered_init(&CONFIG(mcast)) == -1) { - dlog(STATE(log), LOG_ERR, "can't init tx buffer!"); + dlog(LOG_ERR, "can't init tx buffer!"); mcast_server_destroy(STATE_SYNC(mcast_server)); mcast_client_destroy(STATE_SYNC(mcast_client)); return -1; 
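Review bot: In mcast_handler(), `ntohs(net->len) > remain` rejects a message longer than the received data, but `net->len` is read before anything visible confirms that at least `sizeof(struct nethdr)` bytes remain, so a trailing fragment shorter than the header reads past the end of the buffer; the loop head is outside the hunk, so if it is not already there add `if (remain < sizeof(struct nethdr)) { dlog(LOG_ERR, "truncated header"); break; }` before the cast. A zero `net->len` should also be rejected, otherwise a malformed packet can keep the loop from making progress (the ptr/remain advance is not visible here). This is data from the wire, so both checks belong on the receive path rather than in the consumers.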
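Review bot: init_sync() returns -1 without freeing `state.sync` when the internal cache cannot be allocated, and without destroying the internal cache when the external one fails, whereas init_stats() in the same commit frees its state on failure. Either release in reverse order on each error path, or add a comment at the top of the function stating that a failed init aborts the process and cleanup is intentionally skipped, so the two mode initializers follow the same convention.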
@@ -282,14 +282,14 @@ static int local_handler_sync(int fd, int type, void *data) case COMMIT: ret = fork(); if (ret == 0) { - dlog(STATE(log), LOG_NOTICE, + dlog(LOG_NOTICE, "committing external cache"); cache_commit(STATE_SYNC(external)); exit(EXIT_SUCCESS); } break; case FLUSH_CACHE: - dlog(STATE(log), LOG_NOTICE, "flushing caches"); + dlog(LOG_NOTICE, "flushing caches"); cache_flush(STATE_SYNC(internal)); cache_flush(STATE_SYNC(external)); break; @@ -416,7 +416,7 @@ static void overrun_sync(void) h = nfct_open(CONNTRACK, 0); if (!h) { - dlog(STATE(log), LOG_ERR, "can't open overrun handler"); + dlog(LOG_ERR, "can't open overrun handler"); return; } @@ -424,7 +424,7 @@ static void overrun_sync(void) ret = nfct_query(h, NFCT_Q_DUMP, &family); if (ret == -1) - dlog(STATE(log), LOG_ERR, + dlog(LOG_ERR, "overrun query error %s", strerror(errno)); nfct_callback_unregister(h); @@ -457,8 +457,8 @@ retry: goto retry; } - dlog(STATE(log), LOG_ERR, "can't add to internal cache: " - "%s\n", strerror(errno)); + dlog(LOG_ERR, "can't add to internal cache: " + "%s\n", strerror(errno)); debug_ct(ct, "can't add"); } } -- cgit v1.2.3 From 77b1fdb824eb45213df4f57224e8e799fed43ded Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 22 Jul 2008 12:13:43 +0200 Subject: Major rework of the user-space event filtering This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. 
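Review bot: In the COMMIT case of local_handler_sync(), `ret = fork()` is only compared with 0; when fork() fails with -1 the commit is silently skipped and neither the log nor the requester learns about it. Add `else if (ret == -1) dlog(LOG_ERR, "can't fork to commit: %s", strerror(errno));` so the failure is at least recorded. The child's `exit(EXIT_SUCCESS)` also runs atexit handlers and flushes the parent's duplicated stdio buffers (the line-buffered log files), which can duplicate log lines; `_exit()` after cache_commit() avoids that.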
Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 54 ++++--- doc/sync/alarm/node1/conntrackd.conf | 65 +++++---- doc/sync/alarm/node2/conntrackd.conf | 65 +++++---- doc/sync/ftfw/node1/conntrackd.conf | 65 +++++---- doc/sync/ftfw/node2/conntrackd.conf | 65 +++++---- doc/sync/notrack/node1/conntrackd.conf | 65 +++++---- doc/sync/notrack/node2/conntrackd.conf | 65 +++++---- include/Makefile.am | 4 +- include/bitops.h | 36 +++++ include/conntrackd.h | 4 +- include/filter.h | 31 ++++ include/ignore.h | 18 --- include/state_helper.h | 22 --- src/Makefile.am | 3 +- src/filter.c | 250 ++++++++++++++++++++++++++++++++ src/ignore_pool.c | 155 -------------------- src/netlink.c | 16 +-- src/read_config_lex.l | 14 +- src/read_config_yy.y | 255 +++++++++++++++++++++++++-------- src/run.c | 4 +- src/state_helper.c | 44 ------ src/state_helper_tcp.c | 35 ----- src/sync-mode.c | 4 - 23 files changed, 807 insertions(+), 532 deletions(-) create mode 100644 include/bitops.h create mode 100644 include/filter.h delete mode 100644 include/ignore.h delete mode 100644 include/state_helper.h create mode 100644 src/filter.c delete mode 100644 src/ignore_pool.c delete mode 100644 src/state_helper.c delete mode 100644 src/state_helper_tcp.c (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 4bc5642..b63c2c3 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf 
@@ -47,6 +47,39 @@ General { # Increase the socket buffer up to maximun if required # SocketBufferSizeMaxGrown 655355 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to log the + # state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + } + + # + # Ignore traffic for a certain set of IP's. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + } + + # + # Uncomment this line below if you want to filter by flow state. + # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED, + # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } } Stats { @@ -66,24 +99,3 @@ Stats { # #Syslog on } - -# -# Ignore traffic for a certain set of IP's: Usually -# all the IP assigned to the firewall since local -# traffic must be ignored, just forwarded connections -# are worth to replicate -# -IgnoreTrafficFor { - IPv4_address 127.0.0.1 # loopback -} - -# -# Do not replicate certain protocol traffic -# -IgnoreProtocol { - UDP -# ICMP -# IGMP -# VRRP - # numeric numbers also valid -} diff --git a/doc/sync/alarm/node1/conntrackd.conf b/doc/sync/alarm/node1/conntrackd.conf index 56bef0c..c3c4da4 100644 --- a/doc/sync/alarm/node1/conntrackd.conf +++ b/doc/sync/alarm/node1/conntrackd.conf 
@@ -133,30 +133,47 @@ General { # Increase the socket buffer up to maximum if required # SocketBufferSizeMaxGrown 655355 -} -# -# Ignore traffic for a certain set of IP's: Usually -# all the IP assigned to the firewall since local -# traffic must be ignored, just forwarded connections -# are worth to replicate -# -IgnoreTrafficFor { - IPv4_address 127.0.0.1 # loopback - IPv4_address 192.168.0.1 - IPv4_address 192.168.1.1 - IPv4_address 192.168.100.100 # dedicated link ip - IPv4_address 192.168.0.100 # virtual IP 1 - IPv4_address 192.168.1.100 # virtual IP 2 -} + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + } -# -# Do not replicate certain protocol traffic -# -IgnoreProtocol { - UDP - ICMP - IGMP - VRRP - # numeric numbers also valid + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. 
The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } } diff --git a/doc/sync/alarm/node2/conntrackd.conf b/doc/sync/alarm/node2/conntrackd.conf index e0cb375..e61e76a 100644 --- a/doc/sync/alarm/node2/conntrackd.conf +++ b/doc/sync/alarm/node2/conntrackd.conf 
@@ -133,30 +133,47 @@ General { # Increase the socket buffer up to maximum if required # SocketBufferSizeMaxGrown 655355 -} -# -# Ignore traffic for a certain set of IP's: Usually -# all the IP assigned to the firewall since local -# traffic must be ignored, just forwarded connections -# are worth to replicate -# -IgnoreTrafficFor { - IPv4_address 127.0.0.1 # loopback - IPv4_address 192.168.0.2 - IPv4_address 192.168.1.2 - IPv4_address 192.168.100.200 # dedicated link ip - IPv4_address 192.168.0.200 # virtual IP 1 - IPv4_address 192.168.1.200 # virtual IP 2 -} + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + } -# -# Do not replicate certain protocol traffic -# -IgnoreProtocol { - UDP - ICMP - IGMP - VRRP - # numeric numbers also valid + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.2 + IPv4_address 192.168.1.2 + IPv4_address 192.168.100.200 # dedicated link ip + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. 
The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } } diff --git a/doc/sync/ftfw/node1/conntrackd.conf b/doc/sync/ftfw/node1/conntrackd.conf index f3211db..98ad581 100644 --- a/doc/sync/ftfw/node1/conntrackd.conf +++ b/doc/sync/ftfw/node1/conntrackd.conf 
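Review bot: Besides moving the ignore list into the new Filter clause, this hunk changes node2's virtual IP entries from `192.168.0.200` / `192.168.1.200` to `192.168.0.100` / `192.168.1.100` (the same happens in doc/sync/ftfw/node2 and doc/sync/notrack/node2), which the commit message does not mention. If the intent is that both nodes ignore the same cluster virtual IPs, state it in the message and in the comment, e.g. `# virtual IP 1 (shared by both nodes)`; if not, the node2 example now fails to ignore its own virtual addresses and would replicate local traffic.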
@@ -128,30 +128,47 @@ General { # Increase the socket buffer up to maximum if required # SocketBufferSizeMaxGrown 655355 -} -# -# Ignore traffic for a certain set of IP's: Usually -# all the IP assigned to the firewall since local -# traffic must be ignored, just forwarded connections -# are worth to replicate -# -IgnoreTrafficFor { - IPv4_address 127.0.0.1 # loopback - IPv4_address 192.168.0.1 - IPv4_address 192.168.1.1 - IPv4_address 192.168.100.100 # dedicated link ip - IPv4_address 192.168.0.100 # virtual IP 1 - IPv4_address 192.168.1.100 # virtual IP 2 -} + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + } -# -# Do not replicate certain protocol traffic -# -IgnoreProtocol { - UDP - ICMP - IGMP - VRRP - # numeric numbers also valid + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. 
The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } } diff --git a/doc/sync/ftfw/node2/conntrackd.conf b/doc/sync/ftfw/node2/conntrackd.conf index 9c26ff5..2fab830 100644 --- a/doc/sync/ftfw/node2/conntrackd.conf +++ b/doc/sync/ftfw/node2/conntrackd.conf 
@@ -127,30 +127,47 @@ General { # Increase the socket buffer up to maximum if required # SocketBufferSizeMaxGrown 655355 -} -# -# Ignore traffic for a certain set of IP's: Usually -# all the IP assigned to the firewall since local -# traffic must be ignored, just forwarded connections -# are worth to replicate -# -IgnoreTrafficFor { - IPv4_address 127.0.0.1 # loopback - IPv4_address 192.168.0.2 - IPv4_address 192.168.1.2 - IPv4_address 192.168.100.200 # dedicated link ip - IPv4_address 192.168.0.200 # virtual IP 1 - IPv4_address 192.168.1.200 # virtual IP 2 -} + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + } -# -# Do not replicate certain protocol traffic -# -IgnoreProtocol { - UDP - ICMP - IGMP - VRRP - # numeric numbers also valid + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.2 + IPv4_address 192.168.1.2 + IPv4_address 192.168.100.200 # dedicated link ip + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. 
The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } } diff --git a/doc/sync/notrack/node1/conntrackd.conf b/doc/sync/notrack/node1/conntrackd.conf index 1185351..724183a 100644 --- a/doc/sync/notrack/node1/conntrackd.conf +++ b/doc/sync/notrack/node1/conntrackd.conf 
@@ -121,30 +121,47 @@ General { # Increase the socket buffer up to maximum if required # SocketBufferSizeMaxGrown 655355 -} -# -# Ignore traffic for a certain set of IP's: Usually -# all the IP assigned to the firewall since local -# traffic must be ignored, just forwarded connections -# are worth to replicate -# -IgnoreTrafficFor { - IPv4_address 127.0.0.1 # loopback - IPv4_address 192.168.0.1 - IPv4_address 192.168.1.1 - IPv4_address 192.168.100.100 # dedicated link ip - IPv4_address 192.168.0.100 # virtual IP 1 - IPv4_address 192.168.1.100 # virtual IP 2 -} + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + } -# -# Do not replicate certain protocol traffic -# -IgnoreProtocol { - UDP - ICMP - IGMP - VRRP - # numeric numbers also valid + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. 
The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } } diff --git a/doc/sync/notrack/node2/conntrackd.conf b/doc/sync/notrack/node2/conntrackd.conf index 7881d46..cbf5cee 100644 --- a/doc/sync/notrack/node2/conntrackd.conf +++ b/doc/sync/notrack/node2/conntrackd.conf 
@@ -120,30 +120,47 @@ General { # Increase the socket buffer up to maximum if required # SocketBufferSizeMaxGrown 655355 -} -# -# Ignore traffic for a certain set of IP's: Usually -# all the IP assigned to the firewall since local -# traffic must be ignored, just forwarded connections -# are worth to replicate -# -IgnoreTrafficFor { - IPv4_address 127.0.0.1 # loopback - IPv4_address 192.168.0.2 - IPv4_address 192.168.1.2 - IPv4_address 192.168.100.200 # dedicated link ip - IPv4_address 192.168.0.200 # virtual IP 1 - IPv4_address 192.168.1.200 # virtual IP 2 -} + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # + Filter { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + } -# -# Do not replicate certain protocol traffic -# -IgnoreProtocol { - UDP - ICMP - IGMP - VRRP - # numeric numbers also valid + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.2 + IPv4_address 192.168.1.2 + IPv4_address 192.168.100.200 # dedicated link ip + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. 
The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } } diff --git a/include/Makefile.am b/include/Makefile.am index 01be0df..3287a0c 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -2,6 +2,6 @@ noinst_HEADERS = alarm.h jhash.h slist.h cache.h linux_list.h linux_rbtree.h \ sync.h conntrackd.h local.h us-conntrack.h \ debug.h log.h hash.h mcast.h conntrack.h \ - state_helper.h network.h ignore.h queue.h \ - traffic_stats.h netlink.h fds.h event.h + network.h filter.h queue.h \ + traffic_stats.h netlink.h fds.h event.h bitops.h diff --git a/include/bitops.h b/include/bitops.h new file mode 100644 index 0000000..51f4289 --- /dev/null +++ b/include/bitops.h @@ -0,0 +1,36 @@ +#ifndef _BITOPS_H_ +#define _BITOPS_H_ + +#include + +static inline void set_bit_u32(int nr, u_int32_t *addr) +{ + addr[nr >> 5] |= (1UL << (nr & 31)); +} + +static inline void unset_bit_u32(int nr, u_int32_t *addr) +{ + addr[nr >> 5] &= ~(1UL << (nr & 31)); +} + +static inline int test_bit_u32(int nr, const u_int32_t *addr) +{ + return ((1UL << (nr & 31)) & (addr[nr >> 5])) != 0; +} + +static inline void set_bit_u16(int nr, u_int16_t *addr) +{ + addr[nr >> 4] |= (1UL << (nr & 15)); +} + +static inline void unset_bit_u16(int nr, u_int16_t *addr) +{ + addr[nr >> 4] &= ~(1UL << (nr & 15)); +} + +static inline int test_bit_u16(int nr, const u_int16_t *addr) +{ + return ((1UL << (nr & 15)) & (addr[nr >> 4])) != 0; +} + +#endif diff --git a/include/conntrackd.h b/include/conntrackd.h index 8a6e8d2..cd02f1f 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -4,6 +4,7 @@ #include "mcast.h" #include "local.h" #include "alarm.h" +#include "filter.h" #include #include 
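Review bot: The new bit helpers in include/bitops.h take `int nr` and index `addr[nr >> 5]` / `addr[nr >> 4]` with no range check, so a negative or oversized bit number reads or writes outside the caller's array; the callers added in this commit (`ct_filter_add_proto()`, `ct_filter_add_state()` in src/filter.c) pass values that come straight from the configuration parser, so either make the parameter `unsigned int nr` and state the caller's bound in a comment, or bound-check in the callers. The header also spells the word types `u_int32_t`/`u_int16_t` with `1UL` shift constants while include/filter.h from the same commit uses the `<stdint.h>` spelling `uint8_t`; `uint32_t`/`uint16_t` would keep the two new headers consistent. The header name on the `#include` line was lost in rendering, so I cannot tell which header is relied on for `u_int32_t`.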
@@ -80,7 +81,6 @@ struct ct_conf { int del_timeout; unsigned int netlink_buffer_size; unsigned int netlink_buffer_size_max_grown; - unsigned char ignore_protocol[IPPROTO_MAX]; union inet_address *listen_to; unsigned int listen_to_len; unsigned int flags; @@ -103,7 +103,7 @@ struct ct_general_state { FILE *stats_log; struct local_server local; struct ct_mode *mode; - struct ignore_pool *ignore_pool; + struct ct_filter *us_filter; struct nfct_handle *event; /* event handler */ struct nfct_handle *dump; /* dump handler */ diff --git a/include/filter.h b/include/filter.h new file mode 100644 index 0000000..de0754e --- /dev/null +++ b/include/filter.h @@ -0,0 +1,31 @@ +#ifndef _FILTER_H_ +#define _FILTER_H_ + +#include + +enum ct_filter_type { + CT_FILTER_L4PROTO, + CT_FILTER_STATE, + CT_FILTER_ADDRESS, + CT_FILTER_MAX +}; + +enum ct_filter_logic { + CT_FILTER_NEGATIVE = 0, + CT_FILTER_POSITIVE = 1, +}; + +struct nf_conntrack; +struct ct_filter; + +struct ct_filter *ct_filter_create(void); +void ct_filter_destroy(struct ct_filter *filter); +int ct_filter_add_ip(struct ct_filter *filter, void *data, uint8_t family); +void ct_filter_add_proto(struct ct_filter *filter, int protonum); +void ct_filter_add_state(struct ct_filter *f, int protonum, int state); +void ct_filter_set_logic(struct ct_filter *f, + enum ct_filter_type type, + enum ct_filter_logic logic); +int ct_filter_check(struct ct_filter *filter, struct nf_conntrack *ct); + +#endif diff --git a/include/ignore.h b/include/ignore.h deleted file mode 100644 index e5e96ff..0000000 --- a/include/ignore.h +++ /dev/null 
@@ -1,18 +0,0 @@ -#ifndef _IGNORE_H_ -#define _IGNORE_H_ - -#include - -struct nf_conntrack; - -struct ignore_pool { - struct hashtable *h; - struct hashtable *h6; -}; - -struct ignore_pool *ignore_pool_create(void); -void ignore_pool_destroy(struct ignore_pool *ip); -int ignore_pool_add(struct ignore_pool *ip, void *data, uint8_t family); -int ignore_pool_test(struct ignore_pool *ip, struct nf_conntrack *ct); - -#endif diff --git a/include/state_helper.h b/include/state_helper.h deleted file mode 100644 index 1a68b04..0000000 --- a/include/state_helper.h +++ /dev/null @@ -1,22 +0,0 @@ -#ifndef _STATE_HELPER_H_ -#define _STATE_HELPER_H_ - -#include - -enum { - ST_H_SKIP, - ST_H_REPLICATE -}; - -struct state_replication_helper { - uint8_t proto; - unsigned int state; - - int (*verdict)(const struct state_replication_helper *h, - const struct nf_conntrack *ct); -}; - -int state_helper_verdict(int type, struct nf_conntrack *ct); -void state_helper_register(struct state_replication_helper *h, int h_state); - -#endif diff --git a/src/Makefile.am b/src/Makefile.am index 69ddcfd..805e50d 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -12,13 +12,12 @@ conntrack_LDFLAGS = $(all_libraries) @LIBNETFILTER_CONNTRACK_LIBS@ conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \ local.c log.c mcast.c netlink.c \ - ignore_pool.c fds.c event.c \ + filter.c fds.c event.c \ cache.c cache_iterators.c \ cache_lifetime.c cache_timer.c cache_wt.c \ sync-mode.c sync-alarm.c sync-ftfw.c sync-notrack.c \ traffic_stats.c stats-mode.c \ network.c \ - state_helper.c state_helper_tcp.c \ build.c parse.c \ read_config_yy.y read_config_lex.l diff --git a/src/filter.c b/src/filter.c new file mode 100644 index 0000000..6e4d64a --- /dev/null +++ b/src/filter.c 
@@ -0,0 +1,250 @@
+/*
+ * (C) 2006-2008 by Pablo Neira Ayuso
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "filter.h"
+#include "bitops.h"
+#include "jhash.h"
+#include "hash.h"
+#include "conntrackd.h"
+#include "log.h"
+
+#include
+#include
+#include
+#include
+
+struct ct_filter {
+ int logic[CT_FILTER_MAX];
+ u_int32_t l4protomap[IPPROTO_MAX/32];
+ u_int16_t statemap[IPPROTO_MAX];
+ struct hashtable *h;
+ struct hashtable *h6;
+};
+
+/* XXX: These should be configurable, better use a rb-tree */
+#define FILTER_POOL_SIZE 128
+#define FILTER_POOL_LIMIT INT_MAX
+
+static uint32_t hash(const void *data, struct hashtable *table)
+{
+ const uint32_t *f = data;
+
+ return jhash_1word(*f, 0) % table->hashsize;
+}
+
+static uint32_t hash6(const void *data, struct hashtable *table)
+{
+ return jhash(data, sizeof(uint32_t)*4, 0) % table->hashsize;
+}
+
+static int compare(const void *data1, const void *data2)
+{
+ const uint32_t *f1 = data1;
+ const uint32_t *f2 = data2;
+
+ return *f1 == *f2;
+}
+
+static int compare6(const void *data1, const void *data2)
+{
+ return memcmp(data1, data2, sizeof(uint32_t)*4) == 0;
+}
+
+struct ct_filter *ct_filter_create(void)
+{
+ int i;
+ struct ct_filter *filter;
+
+ filter = calloc(sizeof(struct ct_filter), 1);
+ if (!filter)
+ return NULL;
+
+ filter->h = hashtable_create(FILTER_POOL_SIZE,
+ FILTER_POOL_LIMIT,
+ sizeof(uint32_t),
+ hash,
+ compare);
+ if (!filter->h) {
+ free(filter);
+ return NULL;
+ }
+
+ filter->h6 = hashtable_create(FILTER_POOL_SIZE,
+ FILTER_POOL_LIMIT,
+ sizeof(uint32_t)*4,
+ hash6,
+ compare6);
+ if (!filter->h6) {
+ free(filter->h);
+ free(filter);
+ return NULL;
+ }
+
+ for (i=0; ilogic[i] = -1;
+
+ return filter;
+}
+
+void ct_filter_destroy(struct ct_filter *filter)
+{
+ hashtable_destroy(filter->h);
+ hashtable_destroy(filter->h6);
+ free(filter);
+}
+
+/* this is ugly, but it simplifies read_config_yy.y */
+static struct ct_filter *__filter_alloc(struct ct_filter *filter)
+{
+ if (!STATE(us_filter)) {
+ STATE(us_filter) = ct_filter_create();
+ if (!STATE(us_filter)) {
+ fprintf(stderr, "Can't create ignore pool!\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ return STATE(us_filter);
+}
+
+void ct_filter_set_logic(struct ct_filter *filter,
+ enum ct_filter_type type,
+ enum ct_filter_logic logic)
+{
+ filter = __filter_alloc(filter);
+ filter->logic[type] = logic;
+}
+
+int ct_filter_add_ip(struct ct_filter *filter, void *data, uint8_t family)
+{
+ filter = __filter_alloc(filter);
+
+ switch(family) {
+ case AF_INET:
+ if (!hashtable_add(filter->h, data))
+ return 0;
+ break;
+ case AF_INET6:
+ if (!hashtable_add(filter->h6, data))
+ return 0;
+ break;
+ }
+ return 1;
+}
+
+void ct_filter_add_proto(struct ct_filter *f, int protonum)
+{
+ f = __filter_alloc(f);
+
+ set_bit_u32(protonum, f->l4protomap);
+}
+
+void ct_filter_add_state(struct ct_filter *f, int protonum, int val)
+{
+ f = __filter_alloc(f);
+
+ set_bit_u16(val, &f->statemap[protonum]);
+}
+
+static int
+__ct_filter_test_ipv4(struct ct_filter *f, struct nf_conntrack *ct)
+{
+ if (!f->h)
+ return 0;
+
+ return (hashtable_test(f->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_SRC)) ||
+ hashtable_test(f->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_DST)) ||
+ hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_SRC)) ||
+ hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_DST)));
+}
+
+static int
+__ct_filter_test_ipv6(struct ct_filter *f, struct nf_conntrack *ct)
+{
+ if (!f->h6)
+ return 0;
+
+ return (hashtable_test(f->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC)) ||
+ hashtable_test(f->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_DST)) ||
+ hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_SRC)) ||
+ hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_DST)));
+}
+
+static int __ct_filter_test_state(struct ct_filter *f, struct nf_conntrack *ct)
+{
+ uint16_t val = 0;
+ uint8_t protonum = nfct_get_attr_u8(ct, ATTR_L4PROTO);
+
+ switch(protonum) {
+ case IPPROTO_TCP:
+ val = nfct_get_attr_u8(ct, ATTR_TCP_STATE);
+ break;
+ default:
+ return -1;
+ }
+
+ return test_bit_u16(val, &f->statemap[protonum]);
+}
+
+int ct_filter_check(struct ct_filter *f, struct nf_conntrack *ct)
+{
+ int ret, protonum = nfct_get_attr_u8(ct, ATTR_L4PROTO);
+
+ /* no event filtering at all */
+ if (f == NULL)
+ return 1;
+
+ if (f->logic[CT_FILTER_L4PROTO] != -1) {
+ ret = test_bit_u32(protonum, f->l4protomap);
+ if (ret == 0 && f->logic[CT_FILTER_L4PROTO])
+ return 0;
+ else if (ret == 1 && !f->logic[CT_FILTER_L4PROTO])
+ return 0;
+ }
+
+ if (f->logic[CT_FILTER_ADDRESS] != -1) {
+ switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ ret = __ct_filter_test_ipv4(f, ct);
+ if (ret == 0 && f->logic[CT_FILTER_ADDRESS])
+ return 0;
+ else if (ret == 1 && !f->logic[CT_FILTER_ADDRESS])
+ return 0;
+ break;
+ case AF_INET6:
+ ret = __ct_filter_test_ipv6(f, ct);
+ if (ret == 0 && f->logic[CT_FILTER_ADDRESS])
+ return 0;
+ else if (ret == 1 && !f->logic[CT_FILTER_ADDRESS])
+ return 0;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (f->logic[CT_FILTER_STATE] != -1) {
+ ret = __ct_filter_test_state(f, ct);
+ if (ret == 0 && f->logic[CT_FILTER_STATE])
+ return 0;
+ else if (ret == 1 && !f->logic[CT_FILTER_STATE])
+ return 0;
+ }
+
+ return 1;
+}
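Review bot: `ct_filter_destroy()` dereferences `filter` unconditionally, but this commit also drops the unconditional pool creation from `init_config()` (read_config_yy.y hunk `@@ -762,15 +904,6`) while `killer()` in the run.c hunk still calls `ct_filter_destroy(STATE(us_filter))`, so a configuration without any Filter/Ignore clause leaves `us_filter` NULL and the daemon dereferences NULL on shutdown; `ct_filter_check()` already treats NULL as "no filtering", and destroy should match it with `if (filter == NULL) return;` as its first statement. In `ct_filter_create()` the `h6` failure path releases `filter->h` with `free()` whereas `ct_filter_destroy()` uses `hashtable_destroy()`; if `hashtable_create()` allocates its bucket storage separately (hash.c is not in this view) that storage leaks, so `hashtable_destroy(filter->h)` looks like the correct call there. `__ct_filter_test_state()` returns -1 for every protocol but TCP and `ct_filter_check()` matches neither `ret == 0` nor `ret == 1` in that case, so non-TCP flows pass the State filter under both Accept and Ignore logic; that is defensible but undocumented, and a comment such as `/* -1: protocol has no state filter, let the event through */` on the `default:` return would make it explicit. The `default: break;` arm of the address switch silently passes an unknown L3 family where the deleted `ignore_pool_test()` emitted `dlog(LOG_WARNING, "unknown layer 3 protocol?")`; keeping that warning preserves operator visibility into malformed events.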
diff --git a/src/ignore_pool.c b/src/ignore_pool.c deleted file mode 100644 index 2f951e8..0000000 --- a/src/ignore_pool.c +++ /dev/null 
@@ -1,155 +0,0 @@ -/* - * (C) 2006-2007 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "ignore.h" -#include "jhash.h" -#include "hash.h" -#include "conntrackd.h" -#include "log.h" - -#include -#include -#include -#include - -/* XXX: These should be configurable, better use a rb-tree */ -#define IGNORE_POOL_SIZE 128 -#define IGNORE_POOL_LIMIT INT_MAX - -static uint32_t hash(const void *data, struct hashtable *table) -{ - const uint32_t *ip = data; - - return jhash_1word(*ip, 0) % table->hashsize; -} - -static uint32_t hash6(const void *data, struct hashtable *table) -{ - return jhash(data, sizeof(uint32_t)*4, 0) % table->hashsize; -} - -static int compare(const void *data1, const void *data2) -{ - const uint32_t *ip1 = data1; - const uint32_t *ip2 = data2; - - return *ip1 == *ip2; -} - -static int compare6(const void *data1, const void *data2) -{ - return memcmp(data1, data2, sizeof(uint32_t)*4) == 0; -} - -struct ignore_pool *ignore_pool_create(void) -{ - struct ignore_pool *ip; - - ip = malloc(sizeof(struct ignore_pool)); - if (!ip) - return NULL; - memset(ip, 0, sizeof(struct ignore_pool)); - - ip->h = hashtable_create(IGNORE_POOL_SIZE, - IGNORE_POOL_LIMIT, - sizeof(uint32_t), - hash, - compare); - if (!ip->h) { - free(ip); - return NULL; - } - - ip->h6 = 
hashtable_create(IGNORE_POOL_SIZE, - IGNORE_POOL_LIMIT, - sizeof(uint32_t)*4, - hash6, - compare6); - if (!ip->h6) { - free(ip->h); - free(ip); - return NULL; - } - - return ip; -} - -void ignore_pool_destroy(struct ignore_pool *ip) -{ - hashtable_destroy(ip->h); - hashtable_destroy(ip->h6); - free(ip); -} - -int ignore_pool_add(struct ignore_pool *ip, void *data, uint8_t family) -{ - switch(family) { - case AF_INET: - if (!hashtable_add(ip->h, data)) - return 0; - break; - case AF_INET6: - if (!hashtable_add(ip->h6, data)) - return 0; - break; - } - return 1; -} - -static int -__ignore_pool_test_ipv4(struct ignore_pool *ip, struct nf_conntrack *ct) -{ - if (!ip->h) - return 0; - - return (hashtable_test(ip->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_SRC)) || - hashtable_test(ip->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_DST)) || - hashtable_test(ip->h, nfct_get_attr(ct, ATTR_REPL_IPV4_SRC)) || - hashtable_test(ip->h, nfct_get_attr(ct, ATTR_REPL_IPV4_DST))); -} - -static int -__ignore_pool_test_ipv6(struct ignore_pool *ip, struct nf_conntrack *ct) -{ - if (!ip->h6) - return 0; - - return (hashtable_test(ip->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC)) || - hashtable_test(ip->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_DST)) || - hashtable_test(ip->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_SRC)) || - hashtable_test(ip->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_DST))); -} - -int ignore_pool_test(struct ignore_pool *ip, struct nf_conntrack *ct) -{ - int ret = 0; - - switch(nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO)) { - case AF_INET: - ret = __ignore_pool_test_ipv4(ip, ct); - break; - case AF_INET6: - ret = __ignore_pool_test_ipv6(ip, ct); - break; - default: - dlog(LOG_WARNING, "unknown layer 3 protocol?"); - break; - } - - return ret; -} diff --git a/src/netlink.c b/src/netlink.c index 387062d..1823280 100644 --- a/src/netlink.c +++ b/src/netlink.c 
@@ -19,7 +19,7 @@ #include "netlink.h" #include "conntrackd.h" #include "traffic_stats.h" -#include "ignore.h" +#include "filter.h" #include "log.h" #include "debug.h" @@ -28,10 +28,6 @@ int ignore_conntrack(struct nf_conntrack *ct) { - /* ignore a certain protocol */ - if (CONFIG(ignore_protocol)[nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO)]) - return 1; - /* Accept DNAT'ed traffic: not really coming to the local machine */ if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) { debug_ct(ct, "DNAT"); @@ -45,7 +41,7 @@ int ignore_conntrack(struct nf_conntrack *ct) } /* Ignore traffic */ - if (ignore_pool_test(STATE(ignore_pool), ct)) { + if (!ct_filter_check(STATE(us_filter), ct)) { debug_ct(ct, "ignore traffic"); return 1; } @@ -57,10 +53,6 @@ static int event_handler(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) { - /* - * Ignore this conntrack: it talks about a - * connection that is not interesting for us. - */ if (ignore_conntrack(ct)) return NFCT_CB_STOP; @@ -125,10 +117,6 @@ static int dump_handler(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) { - /* - * Ignore this conntrack: it talks about a - * connection that is not interesting for us. - */ if (ignore_conntrack(ct)) return NFCT_CB_CONTINUE; diff --git a/src/read_config_lex.l b/src/read_config_lex.l index bdde3b6..584a4a3 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l @@ -68,11 +68,6 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "HashLimit" { return T_HASHLIMIT; } "Path" { return T_PATH; } "IgnoreProtocol" { return T_IGNORE_PROTOCOL; } -"UDP" { return T_UDP; } -"ICMP" { return T_ICMP; } -"VRRP" { return T_VRRP; } -"IGMP" { return T_IGMP; } -"TCP" { return T_TCP; } "IgnoreTrafficFor" { return T_IGNORE_TRAFFIC; } "StripNAT" { return T_STRIP_NAT; } "Backlog" { return T_BACKLOG; } 
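Review bot: Moving the state check into `ignore_conntrack()` changes when a non-accepted TCP state suppresses replication: the deleted `state_helper_verdict()` in src/state_helper.c returned `ST_H_REPLICATE` for every `NFCT_Q_DESTROY` before consulting the state mask, whereas `ct_filter_check()` is now consulted from `event_handler()` for every message type, so a flow destroyed while in a state outside `State Accept { ... }` never produces a DESTROY on the peer and lingers in the backup's cache until its own timeout. If that is the intended "lazy backup" trade-off described in the example configuration, a comment on the `if (!ct_filter_check(STATE(us_filter), ct))` test saying so would help; otherwise the destroy exemption needs to be reinstated, for example by threading `type` into `ignore_conntrack()` and skipping the state set for destroy events. The bodies of `ignore_conntrack()`, `event_handler()` and `dump_handler()` continue outside their hunks.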
@@ -103,12 +98,19 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "CLOSE_WAIT" { return T_CLOSE_WAIT; } "LAST_ACK" { return T_LAST_ACK; } "TIME_WAIT" { return T_TIME_WAIT; } -"CLOSE" { return T_CLOSE; } +"CLOSE" { return T_CLOSE; /* alias of CLOSED */ } +"CLOSED" { return T_CLOSE; } "LISTEN" { return T_LISTEN; } "LogFileBufferSize" { return T_STAT_BUFFER_SIZE; } "DestroyTimeout" { return T_DESTROY_TIMEOUT; } "McastSndSocketBuffer" { return T_MCAST_SNDBUFF; } "McastRcvSocketBuffer" { return T_MCAST_RCVBUFF; } +"Filter" { return T_FILTER; } +"Protocol" { return T_PROTOCOL; } +"Address" { return T_ADDRESS; } +"State" { return T_STATE; } +"Accept" { return T_ACCEPT; } +"Ignore" { return T_IGNORE; } {is_on} { return T_ON; } {is_off} { return T_OFF; } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index b9c53be..2a1c88c 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -22,14 +22,13 @@ #include #include #include +#include #include #include "conntrackd.h" -#include "ignore.h" +#include "bitops.h" #include #include -extern struct state_replication_helper tcp_state_helper; - extern char *yytext; extern int yylineno; @@ -44,7 +43,7 @@ struct ct_conf conf; %token T_IPV4_ADDR T_IPV4_IFACE T_PORT T_HASHSIZE T_HASHLIMIT T_MULTICAST %token T_PATH T_UNIX T_REFRESH T_IPV6_ADDR T_IPV6_IFACE %token T_IGNORE_UDP T_IGNORE_ICMP T_IGNORE_TRAFFIC T_BACKLOG T_GROUP -%token T_LOG T_UDP T_ICMP T_IGMP T_VRRP T_TCP T_IGNORE_PROTOCOL +%token T_LOG T_UDP T_ICMP T_IGMP T_VRRP T_IGNORE_PROTOCOL %token T_LOCK T_STRIP_NAT T_BUFFER_SIZE_MAX_GROWN T_EXPIRE T_TIMEOUT %token T_GENERAL T_SYNC T_STATS T_RELAX_TRANSITIONS T_BUFFER_SIZE T_DELAY %token T_SYNC_MODE T_LISTEN_TO T_FAMILY T_RESEND_BUFFER_SIZE 
@@ -54,6 +53,7 @@ struct ct_conf conf; %token T_CLOSE_WAIT T_LAST_ACK T_TIME_WAIT T_CLOSE T_LISTEN %token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT %token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK +%token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE %token T_IP T_PATH_VAL %token T_NUMBER @@ -169,7 +169,15 @@ checksum: T_CHECKSUM T_OFF conf.mcast.checksum = 1; }; -ignore_traffic : T_IGNORE_TRAFFIC '{' ignore_traffic_options '}'; +ignore_traffic : T_IGNORE_TRAFFIC '{' ignore_traffic_options '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_ADDRESS, + CT_FILTER_NEGATIVE); + + fprintf(stderr, "WARNING: The clause `IgnoreTrafficFor' is obsolete. " + "Use `Filter' instead.\n"); +}; ignore_traffic_options : | ignore_traffic_options ignore_traffic_option; @@ -185,15 +193,7 @@ ignore_traffic_option : T_IPV4_ADDR T_IP break; } - if (!STATE(ignore_pool)) { - STATE(ignore_pool) = ignore_pool_create(); - if (!STATE(ignore_pool)) { - fprintf(stderr, "Can't create ignore pool!\n"); - exit(EXIT_FAILURE); - } - } - - if (!ignore_pool_add(STATE(ignore_pool), &ip, AF_INET)) { + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET)) { if (errno == EEXIST) fprintf(stderr, "IP %s is repeated " "in the ignore pool\n", $2); @@ -218,15 +218,7 @@ ignore_traffic_option : T_IPV6_ADDR T_IP break; #endif - if (!STATE(ignore_pool)) { - STATE(ignore_pool) = ignore_pool_create(); - if (!STATE(ignore_pool)) { - fprintf(stderr, "Can't create ignore pool!\n"); - exit(EXIT_FAILURE); - } - } - - if (!ignore_pool_add(STATE(ignore_pool), &ip, AF_INET6)) { + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET6)) { if (errno == EEXIST) fprintf(stderr, "IP %s is repeated " "in the ignore pool\n", $2); 
@@ -380,7 +372,15 @@ unix_option : T_BACKLOG T_NUMBER conf.local.backlog = $2; }; -ignore_protocol: T_IGNORE_PROTOCOL '{' ignore_proto_list '}'; +ignore_protocol: T_IGNORE_PROTOCOL '{' ignore_proto_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_L4PROTO, + CT_FILTER_NEGATIVE); + + fprintf(stderr, "WARNING: The clause `IgnoreProtocol' is obsolete. " + "Use `Filter' instead.\n"); +}; ignore_proto_list: | ignore_proto_list ignore_proto @@ -389,29 +389,22 @@ ignore_proto_list: ignore_proto: T_NUMBER { if ($1 < IPPROTO_MAX) - conf.ignore_protocol[$1] = 1; + ct_filter_add_proto(STATE(us_filter), $1); else fprintf(stderr, "Protocol number `%d' is freak\n", $1); }; -ignore_proto: T_UDP +ignore_proto: T_STRING { - conf.ignore_protocol[IPPROTO_UDP] = 1; -}; + struct protoent *pent; -ignore_proto: T_ICMP -{ - conf.ignore_protocol[IPPROTO_ICMP] = 1; -}; - -ignore_proto: T_VRRP -{ - conf.ignore_protocol[IPPROTO_VRRP] = 1; -}; - -ignore_proto: T_IGMP -{ - conf.ignore_protocol[IPPROTO_IGMP] = 1; + pent = getprotobyname($1); + if (pent == NULL) { + fprintf(stderr, "getprotobyname() cannot find " + "protocol `%s' in /etc/protocols.\n", $1); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); }; sync: T_SYNC '{' sync_list '}' 
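Review bot: In the `ignore_proto: T_NUMBER` action, `if ($1 < IPPROTO_MAX)` bounds the value only from above; if the lexer's T_NUMBER rule admits a leading sign (its definition is not in this view), a negative value reaches `set_bit_u32()` and indexes `l4protomap[nr >> 5]` below the array, so the guard should read `if ($1 >= 0 && $1 < IPPROTO_MAX)`. The new `ignore_proto: T_STRING` action resolves names with `getprotobyname()`, whose /etc/protocols entries are lowercase (`tcp`, `udp`); whether the lookup ignores case is resolver-specific, so the uppercase `TCP` used in the example configurations may hit the "cannot find protocol" path on some systems, and lower-casing `$1` before the lookup or documenting the expected case would make this robust. The same lookup is duplicated in `filter_protocol_item` in hunk `@@ -630,6 +656,122`; a small shared helper would keep the two error paths identical.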
@@ -538,49 +531,81 @@ listen_to: T_LISTEN_TO T_IP } }; -state_replication: T_REPLICATE states T_FOR state_proto; +state_replication: T_REPLICATE states T_FOR state_proto +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_STATE, + CT_FILTER_POSITIVE); + + fprintf(stderr, "WARNING: The clause `Replicate' is obsolete. " + "Use `Filter' instead.\n"); +}; states: | states state; -state_proto: T_TCP; +state_proto: T_STRING +{ + if (strncmp($1, "TCP", strlen("TCP")) != 0) { + fprintf(stderr, "Unsupported protocol `%s' in line %d.\n", + $1, yylineno); + } +}; state: tcp_state; tcp_state: T_SYN_SENT { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_SYN_SENT); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_SYN_SENT); }; tcp_state: T_SYN_RECV { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_SYN_RECV); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_SYN_RECV); }; tcp_state: T_ESTABLISHED { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_ESTABLISHED); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_ESTABLISHED); }; tcp_state: T_FIN_WAIT { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_FIN_WAIT); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_FIN_WAIT); }; tcp_state: T_CLOSE_WAIT { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_CLOSE_WAIT); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_CLOSE_WAIT); }; tcp_state: T_LAST_ACK { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_LAST_ACK); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_LAST_ACK); }; tcp_state: T_TIME_WAIT { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_TIME_WAIT); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_TIME_WAIT); }; tcp_state: T_CLOSE { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_CLOSE); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + 
TCP_CONNTRACK_CLOSE); }; tcp_state: T_LISTEN { - state_helper_register(&tcp_state_helper, TCP_CONNTRACK_LISTEN); + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_LISTEN); }; cache_writethrough: T_WRITE_THROUGH T_ON @@ -610,6 +635,7 @@ general_line: hashsize | netlink_buffer_size | netlink_buffer_size_max_grown | family + | filter ; netlink_buffer_size: T_BUFFER_SIZE T_NUMBER 
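Review bot: `state_proto` tests the protocol name with `strncmp($1, "TCP", strlen("TCP")) != 0`, which accepts any string that merely begins with `TCP`; `strcmp($1, "TCP") != 0` is the intended comparison. The action also only prints the "Unsupported protocol" message, and by the time it runs the `tcp_state` actions have already called `ct_filter_add_state(STATE(us_filter), IPPROTO_TCP, ...)`, so a misspelled or unsupported protocol name silently yields a TCP state filter; either fail the parse there or have the message say that the listed states were applied to TCP. The same `state_proto` rule is reused by `filter_state_item` in hunk `@@ -630,6 +656,122`.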
@@ -630,6 +656,122 @@ family : T_FAMILY T_STRING conf.family = AF_INET; }; +filter : T_FILTER '{' filter_list '}'; + +filter_list : + | filter_list filter_item; + +filter_item : T_PROTOCOL T_ACCEPT '{' filter_protocol_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_L4PROTO, + CT_FILTER_POSITIVE); +}; + +filter_item : T_PROTOCOL T_IGNORE '{' filter_protocol_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_L4PROTO, + CT_FILTER_NEGATIVE); +}; + +filter_protocol_list : + | filter_protocol_list filter_protocol_item; + +filter_protocol_item : T_STRING +{ + struct protoent *pent; + + pent = getprotobyname($1); + if (pent == NULL) { + fprintf(stderr, "getprotobyname() cannot find " + "protocol `%s' in /etc/protocols.\n", $1); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); +}; + +filter_item : T_ADDRESS T_ACCEPT '{' filter_address_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_ADDRESS, + CT_FILTER_POSITIVE); +}; + +filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_ADDRESS, + CT_FILTER_NEGATIVE); +}; + +filter_address_list : + | filter_address_list filter_address_item; + +filter_address_item : T_IPV4_ADDR T_IP +{ + union inet_address ip; + + memset(&ip, 0, sizeof(union inet_address)); + + if (!inet_aton($2, &ip.ipv4)) { + fprintf(stderr, "%s is not a valid IPv4, ignoring", $2); + break; + } + + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET)) { + if (errno == EEXIST) + fprintf(stderr, "IP %s is repeated " + "in the ignore pool\n", $2); + if (errno == ENOSPC) + fprintf(stderr, "Too many IP in the ignore pool!\n"); + } +}; + +filter_address_item : T_IPV6_ADDR T_IP +{ + union inet_address ip; + + memset(&ip, 0, sizeof(union inet_address)); + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, &ip.ipv6) <= 0) { + fprintf(stderr, "%s is not a valid IPv6, ignoring", $2); + break; + } +#else + fprintf(stderr, "Cannot find inet_pton(), 
IPv6 unsupported!"); + break; +#endif + + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET6)) { + if (errno == EEXIST) + fprintf(stderr, "IP %s is repeated " + "in the ignore pool\n", $2); + if (errno == ENOSPC) + fprintf(stderr, "Too many IP in the ignore pool!\n"); + } +}; + +filter_item : T_STATE T_ACCEPT '{' filter_state_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_STATE, + CT_FILTER_POSITIVE); +}; + +filter_item : T_STATE T_IGNORE '{' filter_state_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_STATE, + CT_FILTER_NEGATIVE); +}; + +filter_state_list : + | filter_state_list filter_state_item; + +filter_state_item : states T_FOR state_proto ; + stats: T_STATS '{' stats_list '}' { if (conf.flags & CTD_SYNC_MODE) { @@ -762,15 +904,6 @@ init_config(char *filename) if (CONFIG(resend_queue_size) == 0) CONFIG(resend_queue_size) = 262144; - /* create empty pool */ - if (!STATE(ignore_pool)) { - STATE(ignore_pool) = ignore_pool_create(); - if (!STATE(ignore_pool)) { - fprintf(stderr, "Can't create ignore pool!\n"); - exit(EXIT_FAILURE); - } - } - /* default to a window size of 20 packets */ if (CONFIG(window_size) == 0) CONFIG(window_size) = 20; diff --git a/src/run.c b/src/run.c index cadcb4d..cf570d8 100644 --- a/src/run.c +++ b/src/run.c @@ -20,7 +20,7 @@ #include "conntrackd.h" #include "netlink.h" -#include "ignore.h" +#include "filter.h" #include "log.h" #include "alarm.h" #include "fds.h" @@ -39,7 +39,7 @@ void killer(int foo) nfct_close(STATE(event)); - ignore_pool_destroy(STATE(ignore_pool)); + ct_filter_destroy(STATE(us_filter)); local_server_destroy(&STATE(local)); STATE(mode)->kill(); diff --git a/src/state_helper.c b/src/state_helper.c deleted file mode 100644 index 9034864..0000000 --- a/src/state_helper.c +++ /dev/null 
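Review bot: `filter_state_item : states T_FOR state_proto` reduces the state list (and therefore runs the `tcp_state` actions that call `ct_filter_add_state()`) before `state_proto` is seen, so the protocol name can never select which state map the entries land in; that is acceptable while TCP is the only supported protocol, but a comment on the rule, e.g. `/* states are registered for TCP before state_proto is parsed; only TCP is supported */`, would save the next reader from looking for a dispatch. When both `Protocol Accept { }` and `Protocol Ignore { }` (or one of the obsolete Ignore* clauses) appear, the later `ct_filter_set_logic()` call silently overrides the earlier one while both item lists are merged into the same bitmap; rejecting or at least warning about a second logic assignment for the same `ct_filter_type` would surface a contradictory policy at load time instead of at runtime. The error messages in `filter_address_item` still say "in the ignore pool" although the enclosing clause may be `Address Accept`.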
@@ -1,44 +0,0 @@ -/* - * (C) 2006-2007 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "conntrackd.h" -#include "state_helper.h" - -static struct state_replication_helper *helper[IPPROTO_MAX]; - -int state_helper_verdict(int type, struct nf_conntrack *ct) -{ - uint8_t l4proto; - - if (type == NFCT_Q_DESTROY) - return ST_H_REPLICATE; - - l4proto = nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO); - if (helper[l4proto]) - return helper[l4proto]->verdict(helper[l4proto], ct); - - return ST_H_REPLICATE; -} - -void state_helper_register(struct state_replication_helper *h, int h_state) -{ - if (helper[h->proto] == NULL) - helper[h->proto] = h; - - helper[h->proto]->state |= (1 << h_state); -} diff --git a/src/state_helper_tcp.c b/src/state_helper_tcp.c deleted file mode 100644 index 88af35e..0000000 --- a/src/state_helper_tcp.c +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * (C) 2006-2007 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "conntrackd.h" -#include "state_helper.h" - -static int tcp_verdict(const struct state_replication_helper *h, - const struct nf_conntrack *ct) -{ - uint8_t t_state = nfct_get_attr_u8(ct, ATTR_TCP_STATE); - if (h->state & (1 << t_state)) - return ST_H_REPLICATE; - - return ST_H_SKIP; -} - -struct state_replication_helper tcp_state_helper = { - .proto = IPPROTO_TCP, - .verdict = tcp_verdict, -}; diff --git a/src/sync-mode.c b/src/sync-mode.c index 4b36935..0f3760e 100644 --- a/src/sync-mode.c +++ b/src/sync-mode.c @@ -20,7 +20,6 @@ #include "netlink.h" #include "traffic_stats.h" #include "log.h" -#include "state_helper.h" #include "cache.h" #include "conntrackd.h" #include "us-conntrack.h" @@ -390,9 +389,6 @@ static void mcast_send_sync(struct us_conntrack *u, int query) size_t len; struct nethdr *net; - if (!state_helper_verdict(query, u->ct)) - return; - net = BUILD_NETMSG(u->ct, query); len = prepare_send_netmsg(STATE_SYNC(mcast_client), net); -- cgit v1.2.3 From 9ad0b747e0a2f433192235fb04e4d291ce07b7e6 Mon Sep 17 00:00:00 2001 
From: Pablo Neira Ayuso Date: Fri, 1 Aug 2008 11:59:55 +0200 Subject: fix: wrong information related to default logging action Logging is set off by default instead of what the example files state. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 6 +++--- doc/sync/alarm/node1/conntrackd.conf | 6 +++--- doc/sync/alarm/node2/conntrackd.conf | 6 +++--- doc/sync/ftfw/node1/conntrackd.conf | 6 +++--- doc/sync/ftfw/node2/conntrackd.conf | 6 +++--- doc/sync/notrack/node1/conntrackd.conf | 6 +++--- doc/sync/notrack/node2/conntrackd.conf | 6 +++--- 7 files changed, 21 insertions(+), 21 deletions(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index b63c2c3..4f0a6e2 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -14,10 +14,10 @@ General { HashLimit 65535 # - # Logfile: on, off, or a filename - # Default: on (/var/log/conntrackd.log) + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off # - #LogFile off + #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/doc/sync/alarm/node1/conntrackd.conf b/doc/sync/alarm/node1/conntrackd.conf index ff86918..ffd6b4a 100644 --- a/doc/sync/alarm/node1/conntrackd.conf +++ b/doc/sync/alarm/node1/conntrackd.conf @@ -91,10 +91,10 @@ General { HashLimit 65535 # - # Logfile: on, off, or a filename - # Default: on (/var/log/conntrackd.log) + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off # - #LogFile off + #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/doc/sync/alarm/node2/conntrackd.conf b/doc/sync/alarm/node2/conntrackd.conf index ab34f70..8f7abb2 100644 --- a/doc/sync/alarm/node2/conntrackd.conf +++ b/doc/sync/alarm/node2/conntrackd.conf 
@@ -91,10 +91,10 @@ General { HashLimit 65535 # - # Logfile: on, off, or a filename - # Default: on (/var/log/conntrackd.log) + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off # - #LogFile off + #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/doc/sync/ftfw/node1/conntrackd.conf b/doc/sync/ftfw/node1/conntrackd.conf index e256f67..2da2e5f 100644 --- a/doc/sync/ftfw/node1/conntrackd.conf +++ b/doc/sync/ftfw/node1/conntrackd.conf @@ -86,10 +86,10 @@ General { HashLimit 65535 # - # Logfile: on, off, or a filename - # Default: on (/var/log/conntrackd.log) + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off # - #LogFile off + #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/doc/sync/ftfw/node2/conntrackd.conf b/doc/sync/ftfw/node2/conntrackd.conf index b22ab06..8a7c214 100644 --- a/doc/sync/ftfw/node2/conntrackd.conf +++ b/doc/sync/ftfw/node2/conntrackd.conf @@ -85,10 +85,10 @@ General { HashLimit 65535 # - # Logfile: on, off, or a filename - # Default: on (/var/log/conntrackd.log) + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off # - #LogFile off + #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/doc/sync/notrack/node1/conntrackd.conf b/doc/sync/notrack/node1/conntrackd.conf index 6c5ec3d..15781a5 100644 --- a/doc/sync/notrack/node1/conntrackd.conf +++ b/doc/sync/notrack/node1/conntrackd.conf @@ -79,10 +79,10 @@ General { HashLimit 65535 # - # Logfile: on, off, or a filename - # Default: on (/var/log/conntrackd.log) + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off # - #LogFile off + #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/doc/sync/notrack/node2/conntrackd.conf b/doc/sync/notrack/node2/conntrackd.conf index ba83e5a..0257ddc 100644 
--- a/doc/sync/notrack/node2/conntrackd.conf +++ b/doc/sync/notrack/node2/conntrackd.conf @@ -78,10 +78,10 @@ General { HashLimit 65535 # - # Logfile: on, off, or a filename - # Default: on (/var/log/conntrackd.log) + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off # - #LogFile off + #LogFile on # # Syslog: on, off or a facility name (daemon (default) or local0..7) -- cgit v1.2.3 From ce7c1553d7720188447d0ae7f7f80ce033b5a8d8 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 18 Sep 2008 18:44:23 +0200 Subject: config: use /var/run to create the UNIX socket file This patch removes the use of /tmp to create the UNIX socket file to communicate with conntrackd in the example configuration files. This was OK in the early alpha days, but not anymore. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 2 +- doc/sync/alarm/conntrackd.conf | 2 +- doc/sync/ftfw/conntrackd.conf | 2 +- doc/sync/notrack/conntrackd.conf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 4f0a6e2..1fc21af 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -34,7 +34,7 @@ General { # Unix socket configuration # UNIX { - Path /tmp/sync.sock + Path /var/run/conntrackd.ctl Backlog 20 } diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index d6f7a2a..9fc9d03 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -148,7 +148,7 @@ General { # Unix socket configuration # UNIX { - Path /tmp/sync.sock + Path /var/run/conntrackd.ctl Backlog 20 } diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 8f4d952..010ff03 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -143,7 +143,7 @@ General { # Unix socket configuration # UNIX { - Path /tmp/sync.sock + Path /var/run/conntrackd.ctl Backlog 20 } 
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 3ce1fa0..0d05e17 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -136,7 +136,7 @@ General { # Unix socket configuration # UNIX { - Path /tmp/sync.sock + Path /var/run/conntrackd.ctl Backlog 20 } -- cgit v1.2.3 From 746f7031f4d1e3bccdd6db3c53835d8b85b73c90 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 17 Jan 2009 18:03:53 +0100 Subject: src: add state polling support (oppossed to current event-driven) This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls every N seconds the entries. This is the opposed behaviour of an event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 12 ++++++++++++ doc/sync/alarm/conntrackd.conf | 12 ++++++++++++ doc/sync/ftfw/conntrackd.conf | 12 ++++++++++++ doc/sync/notrack/conntrackd.conf | 12 ++++++++++++ include/conntrackd.h | 2 ++ src/read_config_lex.l | 1 + src/read_config_yy.y | 13 ++++++++++++- src/run.c | 41 ++++++++++++++++++++++++++++------------ 8 files changed, 92 insertions(+), 13 deletions(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 1fc21af..889d387 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf 
@@ -91,6 +91,18 @@ Stats { # LogFile on + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + # # Enable connection logging via Syslog. Default is off. # Syslog: on, off or a facility name (daemon (default) or local0..7) diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index 528ff8f..3479a83 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -183,6 +183,18 @@ General { # SocketBufferSizeMaxGrowth 8388608 + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + # # The daemon prioritizes the handling of state-change events coming # from the core. With this clause, you can set the maximum number of diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 2e60f2c..77ef76c 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf 
@@ -191,6 +191,18 @@ General { # SocketBufferSizeMaxGrowth 8388608 + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + # # The daemon prioritizes the handling of state-change events coming # from the core. With this clause, you can set the maximum number of diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 7f8c8a3..5abf589 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -173,6 +173,18 @@ General { # SocketBufferSizeMaxGrowth 8388608 + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + # # The daemon prioritizes the handling of state-change events coming # from the core. With this clause, you can set the maximum number of diff --git a/include/conntrackd.h b/include/conntrackd.h index fbf126a..acf907c 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h 
@@ -48,6 +48,7 @@ #define CTD_SYNC_FTFW (1UL << 2) #define CTD_SYNC_ALARM (1UL << 3) #define CTD_SYNC_NOTRACK (1UL << 4) +#define CTD_POLL (1UL << 5) /* FILENAME_MAX is 4096 on my system, perhaps too much? */ #ifndef FILENAME_MAXLEN @@ -85,6 +86,7 @@ struct ct_conf { int family; /* protocol family */ unsigned int resend_queue_size; /* FTFW protocol */ unsigned int window_size; + int poll_kernel_secs; int cache_write_through; int filter_from_kernelspace; int event_iterations_limit; diff --git a/src/read_config_lex.l b/src/read_config_lex.l index e9e5d43..4953974 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l @@ -119,6 +119,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "Kernelspace" { return T_KERNELSPACE; } "EventIterationLimit" { return T_EVENT_ITER_LIMIT; } "Default" { return T_DEFAULT; } +"PollSecs" { return T_POLL_SECS; } {is_on} { return T_ON; } {is_off} { return T_OFF; } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index de6cef3..ce604d9 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -58,7 +58,7 @@ static void __max_mcast_dedicated_links_reached(void); %token T_ESTABLISHED T_SYN_SENT T_SYN_RECV T_FIN_WAIT %token T_CLOSE_WAIT T_LAST_ACK T_TIME_WAIT T_CLOSE T_LISTEN %token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT -%token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK +%token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK T_POLL_SECS %token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE %token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT @@ -715,6 +715,7 @@ general_line: hashsize | netlink_buffer_size_max_grown | family | event_iterations_limit + | poll_secs | filter ; 
@@ -741,6 +742,16 @@ event_iterations_limit : T_EVENT_ITER_LIMIT T_NUMBER
  CONFIG(event_iterations_limit) = $2;
 };
 
+poll_secs: T_POLL_SECS T_NUMBER
+{
+ conf.flags |= CTD_POLL;
+ conf.poll_kernel_secs = $2;
+ if (conf.poll_kernel_secs == 0) {
+ fprintf(stderr, "ERROR: `PollSecs' clause must be > 0\n");
+ exit(EXIT_FAILURE);
+ }
+};
+
 filter : T_FILTER '{' filter_list '}'
 {
  CONFIG(filter_from_kernelspace) = 0;
diff --git a/src/run.c b/src/run.c
index a6dfe15..a483ab3 100644
--- a/src/run.c
+++ b/src/run.c
@@ -39,7 +39,8 @@ void killer(int foo)
  /* no signals while handling signals */
  sigprocmask(SIG_BLOCK, &STATE(block), NULL);
 
- nfct_close(STATE(event));
+ if (!(CONFIG(flags) & CTD_POLL))
+ nfct_close(STATE(event));
  nfct_close(STATE(request));
 
  if (STATE(us_filter))
@@ -204,12 +205,18 @@ void local_handler(int fd, void *data)
  STATE(stats).local_unknown_request++;
 }
 
-static void do_resync_alarm(struct alarm_block *a, void *data)
+static void do_overrun_resync_alarm(struct alarm_block *a, void *data)
 {
  nl_send_resync(STATE(resync));
  STATE(stats).nl_kernel_table_resync++;
 }
 
+static void do_poll_resync_alarm(struct alarm_block *a, void *data)
+{
+ nl_send_resync(STATE(resync));
+ add_alarm(&STATE(resync_alarm), CONFIG(poll_kernel_secs), 0);
+}
+
 static int event_handler(enum nf_conntrack_msg_type type,
  struct nf_conntrack *ct,
  void *data)
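Review bot: The `== 0` test in the new poll_secs rule only rejects a literal zero, yet T_NUMBER is produced by `atoi(yytext)` on a `[0-9]+` token (the lexer rule is visible as context in a later hunk on this page), so a digit string that does not fit an int gives an unspecified, on glibc typically negative, value that passes the check and is handed to add_alarm. Comparing with `if (conf.poll_kernel_secs <= 0) {` closes the negative case; parsing the token with strtol and an ERANGE check would reject the overflow itself. The do_poll_resync_alarm callback added in the run.c hunk sharing this line also skips the `STATE(stats).nl_kernel_table_resync++` that the overrun variant keeps; if that is intentional, a one-line comment saying polling dumps are not counted as resyncs would stop the next reader from "fixing" it.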
@@ -297,15 +304,18 @@ init(void)
  }
  register_fd(STATE(local).fd, STATE(fds));
 
- STATE(event) = nl_init_event_handler();
- if (STATE(event) == NULL) {
- dlog(LOG_ERR, "can't open netlink handler: %s",
- strerror(errno));
- dlog(LOG_ERR, "no ctnetlink kernel support?");
- return -1;
+ if (!(CONFIG(flags) & CTD_POLL)) {
+ STATE(event) = nl_init_event_handler();
+ if (STATE(event) == NULL) {
+ dlog(LOG_ERR, "can't open netlink handler: %s",
+ strerror(errno));
+ dlog(LOG_ERR, "no ctnetlink kernel support?");
+ return -1;
+ }
+ nfct_callback_register(STATE(event), NFCT_T_ALL,
+ event_handler, NULL);
+ register_fd(nfct_fd(STATE(event)), STATE(fds));
  }
- nfct_callback_register(STATE(event), NFCT_T_ALL, event_handler, NULL);
- register_fd(nfct_fd(STATE(event)), STATE(fds));
 
  STATE(dump) = nl_init_dump_handler();
  if (STATE(dump) == NULL) {
@@ -343,7 +353,13 @@ init(void)
  return -1;
  }
 
- init_alarm(&STATE(resync_alarm), NULL, do_resync_alarm);
+ if (CONFIG(flags) & CTD_POLL) {
+ init_alarm(&STATE(resync_alarm), NULL, do_poll_resync_alarm);
+ add_alarm(&STATE(resync_alarm), CONFIG(poll_kernel_secs), 0);
+ dlog(LOG_NOTICE, "running in polling mode");
+ } else {
+ init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm);
+ }
 
  /* Signals handling */
  sigemptyset(&STATE(block));
@@ -397,7 +413,8 @@ static void __run(struct timeval *next_alarm)
  do_local_server_step(&STATE(local), NULL, local_handler);
 
  /* conntrack event has happened */
- if (FD_ISSET(nfct_fd(STATE(event)), &readfds)) {
+ if (!(CONFIG(flags) & CTD_POLL) &&
+ FD_ISSET(nfct_fd(STATE(event)), &readfds)) {
  ret = nfct_catch(STATE(event));
  if (ret == -1) {
  switch(errno) {
-- cgit v1.2.3 From 7f902c8419c891ec3ec83d40fb30afccb2a150c6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 8 Feb 2009 20:55:34 +0100 Subject: src: add Nice clause to set the nice value
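Review bot: The new branch in init() leaves STATE(event) NULL for the daemon's whole lifetime when CTD_POLL is set, but nothing at the assignment site records that invariant; the guards added in killer() and __run() are the only thing keeping nfct_fd()/nfct_close() off a null handle, and any other use of STATE(event) elsewhere in the tree (not visible here) would fault in polling mode. A comment on the branch, `/* CTD_POLL: no event socket is opened; STATE(event) stays NULL and every use must test CONFIG(flags) & CTD_POLL first */`, makes the contract explicit for the next caller. init() starts outside the hunk.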
Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 8 ++++++++ doc/sync/alarm/conntrackd.conf | 8 ++++++++ doc/sync/ftfw/conntrackd.conf | 8 ++++++++ doc/sync/notrack/conntrackd.conf | 8 ++++++++ include/conntrackd.h | 1 + src/main.c | 1 + src/read_config_lex.l | 3 +++ src/read_config_yy.y | 11 +++++++++-- 8 files changed, 46 insertions(+), 2 deletions(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 889d387..54e2322 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -2,6 +2,14 @@ # General settings # General { + # + # Set the nice value of the daemon. This value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # negative value reduces the chances to lose state-change events. + # Default is 0. See man nice(1) for more information. + # + Nice -1 + # # Number of buckets in the caches: hash table # diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index 5e44d0d..aa87541 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -134,6 +134,14 @@ Sync { # General settings # General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # negative value reduces the chances to lose state-change events. + # Default is 0. See man nice(1) for more information. + # + Nice -1 + # # Number of buckets in the cache hashtable. The bigger it is, # the closer it gets to O(1) at the cost of consuming more memory. diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 92cd9d1..a3f42a2 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf 
@@ -143,6 +143,14 @@ Sync { # General settings # General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # negative value reduces the chances to lose state-change events. + # Default is 0. See man nice(1) for more information. + # + Nice -1 + # # Number of buckets in the cache hashtable. The bigger it is, # the closer it gets to O(1) at the cost of consuming more memory. diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index c64291b..755b08b 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -124,6 +124,14 @@ Sync { # General settings # General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # negative value reduces the chances to lose state-change events. + # Default is 0. See man nice(1) for more information. + # + Nice -1 + # # Number of buckets in the cache hashtable. The bigger it is, # the closer it gets to O(1) at the cost of consuming more memory. diff --git a/include/conntrackd.h b/include/conntrackd.h index 4051e94..2aaa6e6 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -73,6 +73,7 @@ struct ct_conf { int mcast_default_link; struct mcast_conf mcast[MCAST_LINKS_MAX]; struct local_conf local; /* unix socket facilities */ + int nice; int limit; int refresh; int cache_timeout; /* cache entries timeout */ diff --git a/src/main.c b/src/main.c index c3271fe..8f75904 100644 --- a/src/main.c +++ b/src/main.c @@ -279,6 +279,7 @@ int main(int argc, char *argv[]) chdir("/"); close(STDIN_FILENO); + nice(CONFIG(nice)); /* Daemonize conntrackd */ if (type == DAEMON) { diff --git a/src/read_config_lex.l b/src/read_config_lex.l index 26c6124..a1830fd 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l 
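Review bot: The added `nice(CONFIG(nice));` in main() discards its result, and because -1 is a legitimate new nice value (the example configs in this commit set `Nice -1`) only errno can distinguish failure; lowering the nice value needs privilege, so an unprivileged start fails with EPERM and the daemon silently keeps the default priority it was configured to avoid. Write it as `errno = 0; if (nice(CONFIG(nice)) == -1 && errno != 0) perror("nice");` (or the file's dlog equivalent). The later commit on this page moves the same call into the scheduler block of main() unchanged, so the fix applies there too. main() continues outside the hunk.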
@@ -35,6 +35,7 @@ nl [\n\r] is_on [o|O][n|N] is_off [o|O][f|F][f|F] integer [0-9]+ +signed_integer [\-\+][0-9]+ path \/[^\"\n ]* ip4_cidr \/[0-2]*[0-9]+ ip4_end [0-9]*[0-9]+ @@ -122,10 +123,12 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "Default" { return T_DEFAULT; } "PollSecs" { return T_POLL_SECS; } "NetlinkOverrunResync" { return T_NETLINK_OVERRUN_RESYNC; } +"Nice" { return T_NICE; } {is_on} { return T_ON; } {is_off} { return T_OFF; } {integer} { yylval.val = atoi(yytext); return T_NUMBER; } +{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; } {ip4} { yylval.string = strdup(yytext); return T_IP; } {ip6} { yylval.string = strdup(yytext); return T_IP; } {path} { yylval.string = strdup(yytext); return T_PATH_VAL; } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 1bea865..b9a37f7 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -61,10 +61,11 @@ static void __max_mcast_dedicated_links_reached(void); %token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK T_POLL_SECS %token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE %token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT -%token T_NETLINK_OVERRUN_RESYNC +%token T_NETLINK_OVERRUN_RESYNC T_NICE %token T_IP T_PATH_VAL %token T_NUMBER +%token T_SIGNED_NUMBER %token T_STRING %% @@ -727,6 +728,7 @@ general_line: hashsize | poll_secs | filter | netlink_overrun_resync + | nice ; netlink_buffer_size: T_BUFFER_SIZE T_NUMBER @@ -752,7 +754,12 @@ netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_OFF netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_NUMBER { conf.nl_overrun_resync = $2; -} +}; + +nice : T_NICE T_SIGNED_NUMBER +{ + conf.nice = $2; +}; family : T_FAMILY T_STRING { -- cgit v1.2.3 From ae94864dee8596fcaf19ffe5670d192a0efd5fd6 Mon Sep 17 00:00:00 2001 
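Review bot: The new `nice` rule accepts only T_SIGNED_NUMBER, and the lexer hunk sharing this line emits that token only for `[\-\+][0-9]+`, so a plain `Nice 5` still lexes as T_NUMBER and is rejected as a syntax error although the documentation block added by this commit describes the range as -20 to 19. Add the unsigned alternative next to the signed one: `nice : T_NICE T_NUMBER { conf.nice = $2; };`. Linux clamps the value passed to nice(2) into [-20, 19], so a range check is optional, but a value outside that range silently doing something else is worth a parser warning.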
From: Pablo Neira Ayuso Date: Sat, 21 Feb 2009 14:18:56 +0100 Subject: config: add NetlinkBufferSize and NetlinkBufferSizeMaxGrowth This patch adds two alias that removes an inconsistency in the configuration file names. Now, the clauses that refers to Netlink starts by the prefix "Netlink". Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 4 ++-- doc/sync/alarm/conntrackd.conf | 4 ++-- doc/sync/ftfw/conntrackd.conf | 4 ++-- doc/sync/notrack/conntrackd.conf | 4 ++-- src/read_config_lex.l | 8 +++++--- 5 files changed, 13 insertions(+), 11 deletions(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 54e2322..1f1a697 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -49,12 +49,12 @@ General { # # Netlink socket buffer size # - SocketBufferSize 262142 + NetlinkBufferSize 262142 # # Increase the socket buffer up to maximun if required # - SocketBufferSizeMaxGrown 655355 + NetlinkBufferSizeMaxGrowth 655355 # # Event filtering: This clause allows you to filter certain traffic, diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index aa87541..cefda00 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -190,7 +190,7 @@ General { # and high CPU consumption. This example configuration file sets the # size to 2 MBytes to avoid this sort of problems. # - SocketBufferSize 2097152 + NetlinkBufferSize 2097152 # # The daemon doubles the size of the netlink event socket buffer size @@ -198,7 +198,7 @@ General { # maximum buffer size growth that can be reached. This example file # sets the size to 8 MBytes. # - SocketBufferSizeMaxGrowth 8388608 + NetlinkBufferSizeMaxGrowth 8388608 # # If the daemon detects that Netlink is dropping state-change events, diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 790026b..d7e4123 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf 
@@ -199,7 +199,7 @@ General { # and high CPU consumption. This example configuration file sets the # size to 2 MBytes to avoid this sort of problems. # - SocketBufferSize 2097152 + NetlinkBufferSize 2097152 # # The daemon doubles the size of the netlink event socket buffer size @@ -207,7 +207,7 @@ General { # maximum buffer size growth that can be reached. This example file # sets the size to 8 MBytes. # - SocketBufferSizeMaxGrowth 8388608 + NetlinkBufferSizeMaxGrowth 8388608 # # If the daemon detects that Netlink is dropping state-change events, diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 755b08b..884d536 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -180,7 +180,7 @@ General { # and high CPU consumption. This example configuration file sets the # size to 2 MBytes to avoid this sort of problems. # - SocketBufferSize 2097152 + NetlinkBufferSize 2097152 # # The daemon doubles the size of the netlink event socket buffer size @@ -188,7 +188,7 @@ General { # maximum buffer size growth that can be reached. This example file # sets the size to 8 MBytes. # - SocketBufferSizeMaxGrowth 8388608 + NetlinkBufferSizeMaxGrowth 8388608 # # If the daemon detects that Netlink is dropping state-change events, diff --git a/src/read_config_lex.l b/src/read_config_lex.l index a1830fd..d75e299 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l 
@@ -82,9 +82,11 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "Sync" { return T_SYNC; } "Stats" { return T_STATS; } "RelaxTransitions" { return T_RELAX_TRANSITIONS; } -"SocketBufferSize" { return T_BUFFER_SIZE; } -"SocketBufferSizeMaxGrown" { return T_BUFFER_SIZE_MAX_GROWN; } -"SocketBufferSizeMaxGrowth" { return T_BUFFER_SIZE_MAX_GROWN; } +"SocketBufferSize" { return T_BUFFER_SIZE; /* alias */ } +"SocketBufferSizeMaxGrown" { return T_BUFFER_SIZE_MAX_GROWN; /* alias */ } +"SocketBufferSizeMaxGrowth" { return T_BUFFER_SIZE_MAX_GROWN; /* alias */ } +"NetlinkBufferSize" { return T_BUFFER_SIZE; } +"NetlinkBufferSizeMaxGrowth" { return T_BUFFER_SIZE_MAX_GROWN; } "Mode" { return T_SYNC_MODE; } "ListenTo" { return T_LISTEN_TO; } "Family" { return T_FAMILY; } -- cgit v1.2.3 From dfb88dae65fbdc37d72483ddff23171ef4070dae Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 14 Apr 2009 10:43:16 +0200 Subject: conntrackd: change scheduler and priority via configuration file With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 11 +++++++++++ doc/sync/alarm/conntrackd.conf | 11 +++++++++++ doc/sync/ftfw/conntrackd.conf | 11 +++++++++++ doc/sync/notrack/conntrackd.conf | 11 +++++++++++ include/conntrackd.h | 4 ++++ src/main.c | 19 ++++++++++++++++++- src/read_config_lex.l | 3 +++ src/read_config_yy.y | 30 ++++++++++++++++++++++++++++++ 8 files changed, 99 insertions(+), 1 deletion(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 1f1a697..8945293 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf 
@@ -10,6 +10,17 @@ General { # Nice -1 + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + # # Number of buckets in the caches: hash table # diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index ca6e661..793e953 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -196,6 +196,17 @@ General { # Nice -20 + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + # # Number of buckets in the cache hashtable. The bigger it is, # the closer it gets to O(1) at the cost of consuming more memory. diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 33c6fce..6eb4475 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -205,6 +205,17 @@ General { # Nice -20 + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + # # Number of buckets in the cache hashtable. The bigger it is, # the closer it gets to O(1) at the cost of consuming more memory. diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 6175284..e2085f7 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf 
@@ -186,6 +186,17 @@ General { # Nice -20 + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + # # Number of buckets in the cache hashtable. The bigger it is, # the closer it gets to O(1) at the cost of consuming more memory. diff --git a/include/conntrackd.h b/include/conntrackd.h index 737c7fd..013ec4f 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -94,6 +94,10 @@ struct ct_conf { int cache_write_through; int filter_from_kernelspace; int event_iterations_limit; + struct { + int type; + int prio; + } sched; struct { char logfile[FILENAME_MAXLEN]; int syslog_facility; diff --git a/src/main.c b/src/main.c index 62ae599..7507ae5 100644 --- a/src/main.c +++ b/src/main.c @@ -26,6 +26,7 @@ #include #include #include +#include #include struct ct_general_state st; @@ -295,6 +296,23 @@ int main(int argc, char *argv[]) } close(ret); + /* + * Setting process priority and scheduler + */ + nice(CONFIG(nice)); + + if (CONFIG(sched).type != SCHED_OTHER) { + struct sched_param schedparam = { + .sched_priority = CONFIG(sched).prio, + }; + + ret = sched_setscheduler(0, CONFIG(sched).type, &schedparam); + if (ret == -1) { + perror("sched"); + exit(EXIT_FAILURE); + } + } + /* * initialization process */ @@ -309,7 +327,6 @@ int main(int argc, char *argv[]) chdir("/"); close(STDIN_FILENO); - nice(CONFIG(nice)); /* Daemonize conntrackd */ if (type == DAEMON) { diff --git a/src/read_config_lex.l b/src/read_config_lex.l index 44ccf0b..3d5913e 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l 
@@ -132,6 +132,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "PollSecs" { return T_POLL_SECS; } "NetlinkOverrunResync" { return T_NETLINK_OVERRUN_RESYNC; } "Nice" { return T_NICE; } +"Scheduler" { return T_SCHEDULER; } +"Type" { return T_TYPE; } +"Priority" { return T_PRIO; } {is_on} { return T_ON; } {is_off} { return T_OFF; } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 152f33e..56fd2f8 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -29,6 +29,7 @@ #include "bitops.h" #include "cidr.h" #include +#include #include #include @@ -70,6 +71,7 @@ static void __max_dedicated_links_reached(void); %token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE %token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR +%token T_SCHEDULER T_TYPE T_PRIO %token T_IP T_PATH_VAL %token T_NUMBER @@ -870,6 +872,7 @@ general_line: hashsize | filter | netlink_overrun_resync | nice + | scheduler ; netlink_buffer_size: T_BUFFER_SIZE T_NUMBER @@ -902,6 +905,33 @@ nice : T_NICE T_SIGNED_NUMBER conf.nice = $2; }; +scheduler : T_SCHEDULER '{' scheduler_options '}'; + +scheduler_options : + | scheduler_options scheduler_line + ; + +scheduler_line : T_TYPE T_STRING +{ + if (strcasecmp($2, "rr") == 0) { + conf.sched.type = SCHED_RR; + } else if (strcasecmp($2, "fifo") == 0) { + conf.sched.type = SCHED_FIFO; + } else { + print_err(CTD_CFG_ERROR, "unknown scheduler `%s'", $2); + exit(EXIT_FAILURE); + } +}; + +scheduler_line : T_PRIO T_NUMBER +{ + conf.sched.prio = $2; + if (conf.sched.prio < 0 || conf.sched.prio > 99) { + print_err(CTD_CFG_ERROR, "`Priority' must be [0, 99]\n", $2); + exit(EXIT_FAILURE); + } +}; + family : T_FAMILY T_STRING { if (strncmp($2, "IPv6", strlen("IPv6")) == 0) -- cgit v1.2.3 From 0521db731c0daa417a3dfb67fba7c6f80596e553 Mon Sep 17 00:00:00 2001 
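Review bot: The range check in the `T_PRIO T_NUMBER` action accepts `Priority 0`, but on Linux sched_get_priority_min() is 1 for SCHED_FIFO and SCHED_RR, so a configuration that passes the parser makes the later sched_setscheduler() call fail at startup; checking against `sched_get_priority_min(conf.sched.type)` and `sched_get_priority_max(conf.sched.type)` (both from <sched.h>, already included by this hunk) would reject it at parse time, though that requires `Type` to be parsed before `Priority` or the check to be deferred to the closing brace. The error call in the same action passes `$2` with a format string that contains no conversion, and its trailing `\n` differs from the other print_err() messages in the hunk: `print_err(CTD_CFG_ERROR, "`Priority' must be [0, 99]");` is enough. The `Type` action accepts only `rr` and `fifo`, which leaves no way to spell SCHED_OTHER explicitly; a comment saying that the default is the normal scheduler would make that intentional.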
From: Pablo Neira Ayuso Date: Tue, 21 Jul 2009 14:36:18 +0200 Subject: conntrackd: add clause to enable ctnetlink reliable event delivery This patch adds the NetlinkEventsReliable clause, this is useful to turn on reliable Netlink event delivery. This features requires a Linux kernel >= 2.6.31. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 7 +++++++ doc/sync/alarm/conntrackd.conf | 7 +++++++ doc/sync/ftfw/conntrackd.conf | 8 ++++++++ doc/sync/notrack/conntrackd.conf | 7 +++++++ include/conntrackd.h | 3 +++ src/netlink.c | 12 ++++++++++++ src/read_config_lex.l | 1 + src/read_config_yy.y | 13 ++++++++++++- 8 files changed, 57 insertions(+), 1 deletion(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 8945293..ef6a698 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -110,6 +110,13 @@ Stats { # LogFile on + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + # # By default, the daemon receives state updates following an # event-driven model. You can modify this behaviour by switching to diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index a108569..805a531 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -278,6 +278,13 @@ General { # # NetlinkOverrunResync On + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + # # By default, the daemon receives state updates following an # event-driven model. You can modify this behaviour by switching to 
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index c1208f9..ceca224 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -287,6 +287,14 @@ General { # # NetlinkOverrunResync On + # + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + # # By default, the daemon receives state updates following an # event-driven model. You can modify this behaviour by switching to diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index b528fab..1efeb81 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -268,6 +268,13 @@ General { # # NetlinkOverrunResync On + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + # # By default, the daemon receives state updates following an # event-driven model. You can modify this behaviour by switching to diff --git a/include/conntrackd.h b/include/conntrackd.h index 12fd17f..907ce33 100644 --- a/include/conntrackd.h +++ b/include/conntrackd.h @@ -95,6 +95,9 @@ struct ct_conf { int poll_kernel_secs; int filter_from_kernelspace; int event_iterations_limit; + struct { + int events_reliable; + } netlink; struct { int commit_steps; } general; diff --git a/src/netlink.c b/src/netlink.c index 5c07201..a43f782 100644 --- a/src/netlink.c +++ b/src/netlink.c 
@@ -75,6 +75,18 @@ struct nfct_handle *nl_init_event_handler(void) CONFIG(netlink_buffer_size_max_grown) = CONFIG(netlink_buffer_size); + if (CONFIG(netlink).events_reliable) { + int on = 1; + + setsockopt(nfct_fd(h), SOL_NETLINK, + NETLINK_BROADCAST_SEND_ERROR, &on, sizeof(int)); + + setsockopt(nfct_fd(h), SOL_NETLINK, + NETLINK_NO_ENOBUFS, &on, sizeof(int)); + + dlog(LOG_NOTICE, "reliable ctnetlink event delivery " + "is ENABLED."); + } return h; } diff --git a/src/read_config_lex.l b/src/read_config_lex.l index cd03ad4..dad7555 100644 --- a/src/read_config_lex.l +++ b/src/read_config_lex.l @@ -134,6 +134,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] "Scheduler" { return T_SCHEDULER; } "Type" { return T_TYPE; } "Priority" { return T_PRIO; } +"NetlinkEventsReliable" { return T_NETLINK_EVENTS_RELIABLE; } {is_on} { return T_ON; } {is_off} { return T_OFF; } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 0e9b99b..87f99b6 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -71,7 +71,7 @@ static void __max_dedicated_links_reached(void); %token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE %token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR -%token T_SCHEDULER T_TYPE T_PRIO +%token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE %token T_IP T_PATH_VAL %token T_NUMBER @@ -873,6 +873,7 @@ general_line: hashsize | poll_secs | filter | netlink_overrun_resync + | netlink_events_reliable | nice | scheduler ; @@ -902,6 +903,16 @@ netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_NUMBER conf.nl_overrun_resync = $2; }; +netlink_events_reliable : T_NETLINK_EVENTS_RELIABLE T_ON +{ + conf.netlink.events_reliable = 1; +}; + +netlink_events_reliable : T_NETLINK_EVENTS_RELIABLE T_OFF +{ + conf.netlink.events_reliable = 0; +}; + nice : T_NICE T_SIGNED_NUMBER { conf.nice = $2; -- cgit v1.2.3 
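Review bot: Both setsockopt() calls in the src/netlink.c hunk ignore their return value, yet the dlog() that follows unconditionally reports reliable delivery as ENABLED; on a kernel older than 2.6.31 (the requirement the commit message states) the options are unknown and the calls fail, so the log line misstates the daemon's actual behaviour and an operator relying on it would believe event loss is impossible. The block should test the results and log a warning on failure, keeping the ENABLED message for the success path only. nl_init_event_handler() starts outside the hunk; if dlog() takes printf-style arguments (not visible here) the failure message could also carry strerror(errno).
```c
	if (CONFIG(netlink).events_reliable) {
		int on = 1;

		if (setsockopt(nfct_fd(h), SOL_NETLINK,
			       NETLINK_BROADCAST_SEND_ERROR, &on, sizeof(int)) < 0 ||
		    setsockopt(nfct_fd(h), SOL_NETLINK,
			       NETLINK_NO_ENOBUFS, &on, sizeof(int)) < 0) {
			/* kernel too old or option refused: events may still be lost */
			dlog(LOG_WARNING, "cannot enable reliable ctnetlink "
					  "event delivery, falling back to "
					  "unreliable mode.");
		} else {
			dlog(LOG_NOTICE, "reliable ctnetlink event delivery "
					 "is ENABLED.");
		}
	}
	/* … unchanged: return h … */
```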
From e55321739fa5e04920feeb2a25b02073d8eb9e10 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 21 Jul 2009 16:57:54 +0200 Subject: conntrackd: add support for IPv6 kernel-space filtering via BSF This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 1 + doc/sync/alarm/conntrackd.conf | 3 +++ doc/sync/ftfw/conntrackd.conf | 3 +++ doc/sync/notrack/conntrackd.conf | 3 +++ include/cidr.h | 1 + src/cidr.c | 11 +++++++++++ src/read_config_yy.y | 17 ++++++++++++++++- 7 files changed, 38 insertions(+), 1 deletion(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index ef6a698..0941f64 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -88,6 +88,7 @@ General { # Address Ignore { IPv4_address 127.0.0.1 # loopback + # IPv6_address ::1 } # diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index 805a531..800012f 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -351,6 +351,9 @@ General { # # You can also specify networks in format IP/cidr. # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 } # diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index ceca224..602c3d1 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -361,6 +361,9 @@ General { # # You can also specify networks in format IP/cidr. # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 } # diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 1efeb81..6968025 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf 
@@ -341,6 +341,9 @@ General { # # You can also specify networks in format IP/cidr. # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 } # diff --git a/include/cidr.h b/include/cidr.h index f8a4e2a..413c321 100644 --- a/include/cidr.h +++ b/include/cidr.h @@ -4,5 +4,6 @@ uint32_t ipv4_cidr2mask_host(uint8_t cidr); uint32_t ipv4_cidr2mask_net(uint8_t cidr); void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res); void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res); +void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res); #endif diff --git a/src/cidr.c b/src/cidr.c index d43dabc..91025b6 100644 --- a/src/cidr.c +++ b/src/cidr.c @@ -57,3 +57,14 @@ void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res) res[i] = htonl(res[i]); } +/* I need this function because I initially defined an IPv6 address as + * uint32 u[4]. Using char u[16] instead would allow to remove this. */ +void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res) +{ + int i; + + memset(res, 0, sizeof(uint32_t)*4); + for (i = 0; i < 4; i++) { + res[i] = ntohl(addr[i]); + } +} diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 87f99b6..f3f4730 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -1053,6 +1053,12 @@ filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}' nfct_filter_set_logic(STATE(filter), NFCT_FILTER_DST_IPV4, NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_SRC_IPV6, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_DST_IPV6, + NFCT_FILTER_LOGIC_NEGATIVE); }; filter_address_list : @@ -1121,7 +1127,8 @@ filter_address_item : T_IPV6_ADDR T_IP { union inet_address ip; char *slash; - int cidr; + int cidr = 128; + struct nfct_filter_ipv6 filter_ipv6; memset(&ip, 0, sizeof(union inet_address)); 
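Review bot: In the src/cidr.c hunk the `memset(res, 0, sizeof(uint32_t)*4)` is redundant, since the loop that follows assigns all four words of `res` unconditionally. The function never writes through `addr`, so the parameter should be `const uint32_t *addr`, with the prototype in the include/cidr.h hunk changed to match, which also lets callers pass a const address. A short header comment stating the contract would help: `/* Convert the four network-order words of an IPv6 address in addr to host order in res; both point to uint32_t[4]. */`.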
@@ -1166,6 +1173,14 @@ filter_address_item : T_IPV6_ADDR T_IP "ignore pool!"); } } + __kernel_filter_start(); + + /* host byte order */ + ipv6_addr2addr_host(ip.ipv6, filter_ipv6.addr); + ipv6_cidr2mask_host(cidr, filter_ipv6.mask); + + nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV6, &filter_ipv6); + nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV6, &filter_ipv6); }; filter_item : T_STATE T_ACCEPT '{' filter_state_list '}' -- cgit v1.2.3 From 73da80df0c3cf4175662b3da4dfbd3574d34f96a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 11 Feb 2010 11:56:37 +0100 Subject: conntrackd: fix UDP filtering in configuration file UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 1 + doc/sync/alarm/conntrackd.conf | 1 + doc/sync/ftfw/conntrackd.conf | 1 + doc/sync/notrack/conntrackd.conf | 1 + src/read_config_yy.y | 19 +++++++++++++++++++ 5 files changed, 23 insertions(+) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 0941f64..22556a0 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -81,6 +81,7 @@ General { # Protocol Accept { TCP + # UDP } # diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index 3424e39..9b7d8c6 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -332,6 +332,7 @@ General { TCP SCTP DCCP + # UDP # ICMP # This requires a Linux kernel >= 2.6.31 } diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index df10aca..877ed68 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -357,6 +357,7 @@ General { TCP SCTP DCCP + # UDP # ICMP # This requires a Linux kernel >= 2.6.31 } diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index f8bccc4..693209a 100644 
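Review bot: `cidr` is an `int` (declared as `int cidr = 128` in the previous hunk) that narrows to the `uint8_t` parameter of ipv6_cidr2mask_host() on the new line; the `/cidr` parsing sits between the two hunks and is not visible here, so if it does not reject values above 128 an out-of-range prefix would be silently truncated and the kernel BSF filter would match a different address range from the one written in the configuration. A guard ahead of `__kernel_filter_start()` makes the contract explicit regardless: `if (cidr < 0 || cidr > 128) { print_err(CTD_CFG_ERROR, "invalid IPv6 prefix length `%d'", cidr); exit(EXIT_FAILURE); }`. `filter_ipv6` is only partially written here (addr and mask), so if struct nfct_filter_ipv6 has any further members they are left uninitialised; zero-initialising it at declaration, `struct nfct_filter_ipv6 filter_ipv6 = {0};`, avoids passing stack garbage to the filter API. The enclosing action starts outside the hunk.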
--- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -394,6 +394,7 @@ General { TCP SCTP DCCP + # UDP # ICMP # This requires a Linux kernel >= 2.6.31 } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 6dfca98..5f4e6be 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -1221,6 +1221,25 @@ filter_protocol_item : T_TCP pent->p_proto); }; +filter_protocol_item : T_UDP +{ + struct protoent *pent; + + pent = getprotobyname("udp"); + if (pent == NULL) { + print_err(CTD_CFG_WARN, "getprotobyname() cannot find " + "protocol `udp' in /etc/protocols"); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); + + __kernel_filter_start(); + + nfct_filter_add_attr_u32(STATE(filter), + NFCT_FILTER_L4PROTO, + pent->p_proto); +}; + filter_item : T_ADDRESS T_ACCEPT '{' filter_address_list '}' { ct_filter_set_logic(STATE(us_filter), -- cgit v1.2.3 From 929c2a77ba3e9e6c72c08cdded99b0ecccf2fc62 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 28 Feb 2010 16:19:13 +0100 Subject: conntrackd: PollSecs goes in the General clause for statistics This patch fixes the configuration file that includes an example of the PollSecs clause in Stats. This is wrong since it should go in the General clause. Signed-off-by: Pablo Neira Ayuso --- doc/stats/conntrackd.conf | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'doc/stats') diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 22556a0..16d7a80 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf 
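Review bot: The `break;` on the getprotobyname() failure path in the new `T_UDP` action leaves the action early only because bison places each action inside a switch case; that is not portable to other parser generators and is easy to misread as a loop exit. That path also only warns, so a configured `UDP` entry that cannot be resolved is installed in neither the userspace nor the kernel filter while the daemon keeps running, which presumably matches the T_TCP rule above (mostly outside the hunk) but deserves a comment such as `/* warn only: keep running with this filter entry missing, as for TCP */` so the resulting difference between the configuration and the active filter is deliberate. getprotobyname() also returns a pointer to static storage, which is fine here since the value is consumed immediately.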
@@ -67,6 +67,18 @@ General { # NetlinkBufferSizeMaxGrowth 655355 + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + # # Event filtering: This clause allows you to filter certain traffic, # There are currently three filter-sets: Protocol, Address and @@ -119,18 +131,6 @@ Stats { # # NetlinkEventsReliable Off - # - # By default, the daemon receives state updates following an - # event-driven model. You can modify this behaviour by switching to - # polling mode with the PollSecs clause. This clause tells conntrackd - # to dump the states in the kernel every N seconds. With regards to - # synchronization mode, the polling mode can only guarantee that - # long-lifetime states are recovered. The main advantage of this method - # is the reduction in the state replication at the cost of reducing the - # chances of recovering connections. - # - # PollSecs 15 - # # Enable connection logging via Syslog. Default is off. # Syslog: on, off or a facility name (daemon (default) or local0..7) -- cgit v1.2.3