[conntrack-tools] ftfw: show consistent information to users for problem diagnosing

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Fri Aug 1 17:53:09 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=9de87ff1c675f7ae5f463c4820bffb502e7ce852
commit 9de87ff1c675f7ae5f463c4820bffb502e7ce852
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Fri Aug 1 17:52:54 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Fri Aug 1 17:52:54 2008 +0200

    ftfw: show consistent information to users for problem diagnosing
    
    This patch hides information that may confuse users while they are
    diagnosing problems in their setup. For example, we hide entries
    that are scheduled to expire - from the user side, they are already
    destroyed entries; and we show in the counters the real active entries,
    not all that are stored in the caches.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  9de87ff1c675f7ae5f463c4820bffb502e7ce852 (commit)
      from  6356d191a6d97483ad904fa1c8279a30564220cf (commit)


- Log -----------------------------------------------------------------
commit 9de87ff1c675f7ae5f463c4820bffb502e7ce852
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Fri Aug 1 17:52:54 2008 +0200

    ftfw: show consistent information to users for problem diagnosing
    
    This patch hides information that may confuse users while they are
    diagnosing problems in their setup. For example, we hide entries
    that are schedule to expire - from the user side, they are already
    destroyed entries; and we show in the counters the real active entries,
    not all that are stored in the caches.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 include/cache.h       |    2 ++
 src/cache.c           |   14 ++++++++++++--
 src/cache_iterators.c |   13 +++++++++++++
 src/cache_lifetime.c  |    8 +-------
 4 files changed, 28 insertions(+), 9 deletions(-)
This patch hides information that may confuse users while they are
diagnosing problems in their setup. For example, we hide entries
that are schedule to expire - from the user side, they are already
destroyed entries; and we show in the counters the real active entries,
not all that are stored in the caches.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/include/cache.h b/include/cache.h
index e2e2e34..ba8d3aa 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -50,6 +50,8 @@ struct cache {
 	unsigned int extra_offset;
 
         /* statistics */
+	unsigned int active;
+
 	unsigned int add_ok;
 	unsigned int del_ok;
 	unsigned int upd_ok;
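Review bot: The new `active` field carries no comment, and under the `/* statistics */` header it sits beside counters that only ever grow, whereas this one is also decremented, so a reader cannot tell how it differs from the hashtable's own entry count. Suggest documenting it on the declaration: `unsigned int active;	/* entries not scheduled to expire (see __cache_del_timer) */`. The enclosing struct cache continues outside the hunk.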
diff --git a/src/cache.c b/src/cache.c
index 7cd5ac7..820a385 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -208,6 +208,7 @@ static struct us_conntrack *__add(struct cache *c, struct nf_conntrack *ct)
 		if (c->extra && c->extra->add)
 			c->extra->add(u, ((char *) u) + c->extra_offset);
 
+		c->active++;
 		return u;
 	}
 	free(newct);
@@ -323,6 +324,15 @@ static void __del2(struct cache *c, struct us_conntrack *u)
 
 static void __cache_del(struct cache *c, struct us_conntrack *u)
 {
+	/*
+	 * Do not increase stats if we are trying to
+	 * kill an entry was previously deleted via
+	 * __cache_del_timer.
+	 */
+	if (!alarm_pending(&u->alarm)) {
+		c->del_ok++;
+		c->active--;
+	}
 	del_alarm(&u->alarm);
 	__del2(c, u);
 }
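Review bot: `c->active` is an unsigned counter decremented here and again in `__cache_del_timer` (the src/cache.c hunk at line 378), and both sites rely on `alarm_pending()` being true exactly when the entry already went through `__cache_del_timer`; if the alarm can be armed by any other path, or an entry is re-added while its alarm is pending (how `__add` treats that is outside the hunk), the decrement runs twice and `active` wraps to a huge value in `cache_stats`. Worth either asserting the invariant or guarding the decrement, `if (c->active) c->active--;`, so a bookkeeping slip shows up as a stuck counter rather than as 4 billion connections. The comment is also missing a word; suggest `kill an entry that was previously deleted via`.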
@@ -338,7 +348,6 @@ int cache_del(struct cache *c, struct nf_conntrack *ct)
 	u = (struct us_conntrack *) hashtable_test(c->h, u);
 	if (u) {
 		__cache_del(c, u);
-		c->del_ok++;
 		return 1;
 	}
 	c->del_fail++;
@@ -369,6 +378,7 @@ __cache_del_timer(struct cache *c, struct us_conntrack *u, int timeout)
 		 * properly.
 		 */
 		c->del_ok++;
+		c->active--;
 		return 1;
 	}
 	return 0;
@@ -406,7 +416,7 @@ void cache_stats(const struct cache *c, int fd)
 			    "connections updated:\t\t%12u\tfailed:\t%12u\n"
 			    "connections destroyed:\t\t%12u\tfailed:\t%12u\n\n",
 			    			 c->name,
-			    			 hashtable_counter(c->h),
+						 c->active,
 			    			 c->add_ok, 
 			    			 c->add_fail,
 						 c->upd_ok,
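Review bot: The replacement argument line is indented with tabs only while the neighbouring arguments keep the original tab-plus-space alignment, so the argument list no longer lines up in the source; align `c->active` like its neighbours or reindent the whole list in one go. The label text printed for this value is outside the hunk, but since it now excludes entries scheduled to expire rather than reporting cache occupancy, a short comment above the call, `/* active excludes entries kept only for retransmission */`, would stop the next reader from "fixing" it back to `hashtable_counter(c->h)`.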
diff --git a/src/cache_iterators.c b/src/cache_iterators.c
index e9ddbc0..407db0b 100644
--- a/src/cache_iterators.c
+++ b/src/cache_iterators.c
@@ -42,6 +42,19 @@ static int do_dump(void *data1, void *data2)
 	char *data = u->data;
 	unsigned i;
 
+	/*
+	 * XXX: Do not dump the entries that are scheduled to expire.
+	 * 	These entries talk about already destroyed connections
+	 * 	that we keep for some time just in case that we have to
+	 * 	resent some lost messages. We do not show them to the
+	 * 	user as he may think that the firewall replicas are not
+	 * 	in sync. The branch below is a hack as it is quite
+	 * 	specific and it breaks conntrackd modularity. Probably
+	 * 	there's a nicer way to do this but until I come up with it...
+	 */
+	if (CONFIG(flags) & CTD_SYNC_FTFW && alarm_pending(&u->alarm))
+		return 0;
+
 	memset(buf, 0, sizeof(buf));
 	size = nfct_snprintf(buf, 
 			     sizeof(buf), 
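Review bot: The new condition mixes bitwise `&` with `&&` without parentheses; it is correct as written because `&` binds tighter, but it reads as ambiguous and compilers warn on this pattern, so prefer `if ((CONFIG(flags) & CTD_SYNC_FTFW) && alarm_pending(&u->alarm))`. The meaning of the early `return 0` to the iterator is not stated anywhere in the hunk; the block comment should end with a line saying what the caller does with it, e.g. `Returning 0 skips this entry and continues the iteration` if that is the contract. The comment's tab-indented continuation lines also diverge from the space-aligned style of the rest of the file as seen in this hunk. do_dump continues outside the hunk.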
diff --git a/src/cache_lifetime.c b/src/cache_lifetime.c
index cf84d20..ad3416a 100644
--- a/src/cache_lifetime.c
+++ b/src/cache_lifetime.c
@@ -53,13 +53,7 @@ static int lifetime_dump(struct us_conntrack *u,
 
 	gettimeofday(&tv, NULL);
 
-	if (alarm_pending(&u->alarm))
-		return sprintf(buf, " [active since %lds] [expires in %lds]",
-			       tv.tv_sec - *lifetime, 
-			       u->alarm.tv.tv_sec - tv.tv_sec);
-	else
-		return sprintf(buf, " [active since %lds]", 
-			       tv.tv_sec - *lifetime);
+	return sprintf(buf, " [active since %lds]", tv.tv_sec - *lifetime);
 }
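Review bot: The surviving `sprintf` into `buf` is still unbounded; the output is shorter now that the "expires in" branch is gone, but the write has no length limit, so if lifetime_dump receives or can be given the buffer size (its parameter list starts outside the hunk) `snprintf` is the safer form. Dropping the `alarm_pending` branch also discards the "expires in" value for any entry whose alarm is armed in a mode where do_dump does not skip it, since the cache_iterators.c hunk only skips when `CTD_SYNC_FTFW` is set; if alarms are only armed under FTFW that is harmless, but a one-line comment stating that assumption would keep the two hunks consistent.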
 
 struct cache_feature lifetime_feature = {


