[conntrack-tools] cache iterators: commit master entries before related ones

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Thu Aug 7 14:56:29 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=8a78dda3e6676286f09f5c78cca60a8178186930
commit 8a78dda3e6676286f09f5c78cca60a8178186930
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Aug 7 14:53:29 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Aug 7 14:53:29 2008 +0200

    cache iterators: commit master entries before related ones
    
    Commit master entries before related ones to avoid ENOENT errors.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 6cb33c62c8007593d8a85aa202fa173043877135
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Aug 7 14:53:12 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Aug 7 14:53:12 2008 +0200

    cache iterators: rework cache_reset_timers
    
    This patch adds the clause PurgeTimeout that sets the new timer
    when conntrackd -t is called. This command is particularly useful
    when the sysadmin triggers hand-overs between several nodes without
    rebooting as it reduces the timers of the remaining entries in
    the kernel, thus avoiding clashes between new and old entries that
    may trigger INVALID packets.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit a4f4647b4b7f32f2d1caab98544802c8cdd7b4d6
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Aug 7 14:52:41 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Aug 7 14:52:41 2008 +0200

    netlink: add getter and check existence functions
    
    This patch adds nl_get_conntrack and it changes the behaviour of
    nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for
    a conntrack and updates the cached entry. On the other hand,
    nl_exist_conntrack only inquires about the existence of the
    entry.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  8a78dda3e6676286f09f5c78cca60a8178186930 (commit)
       via  6cb33c62c8007593d8a85aa202fa173043877135 (commit)
       via  a4f4647b4b7f32f2d1caab98544802c8cdd7b4d6 (commit)
      from  ba0b4bc3d49cebf3ef69c7bc5b6dfd8decb6c8ca (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8a78dda3e6676286f09f5c78cca60a8178186930
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Aug 7 14:53:29 2008 +0200

    cache iterators: commit master entries before related ones
    
    Commit master entries before related ones to avoid ENOENT errors.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 6cb33c62c8007593d8a85aa202fa173043877135
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Aug 7 14:53:12 2008 +0200

    cache iterators: rework cache_reset_timers
    
    This patch adds the clause PurgeTimeout that sets the new timer
    when conntrackd -t is called. This command is particularly useful
    when the sysadmin triggers hand-overs between several nodes without
    rebooting as it reduces the timers of the remaining entries in
    the kernel, thus avoiding clashes between new and old entries that
    may trigger INVALID packets.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit a4f4647b4b7f32f2d1caab98544802c8cdd7b4d6
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Aug 7 14:52:41 2008 +0200

    netlink: add getter and check existence functions
    
    This patch adds nl_get_conntrack and it changes the behaviour of
    nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for
    a conntrack and updates the cached entry. On the other hand,
    nl_exist_conntrack only inquires about the existence of the
    entry.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 doc/sync/alarm/conntrackd.conf   |   11 +++++++++
 doc/sync/ftfw/conntrackd.conf    |   11 +++++++++
 doc/sync/keepalived.conf         |    1 +
 doc/sync/notrack/conntrackd.conf |   11 +++++++++
 doc/sync/primary-backup.sh       |   12 +++++++++-
 include/conntrackd.h             |    2 +
 include/netlink.h                |   18 ++++++++++++++
 src/cache_iterators.c            |   46 ++++++++++++++++++++++++++++++-------
 src/netlink.c                    |   37 ++++++++++++++++++++++++++++-
 src/read_config_lex.l            |    1 +
 src/read_config_yy.y             |   12 +++++++++-
 src/run.c                        |    8 ++++++
 src/sync-mode.c                  |   15 ------------
 13 files changed, 157 insertions(+), 28 deletions(-)
This patch adds nl_get_conntrack and it changes the behaviour of
nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for
a conntrack and updates the cached entry. On the other hand,
nl_exist_conntrack only inquires about the existence of the
entry.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/include/conntrackd.h b/include/conntrackd.h
index 2f0d7e5..60bb2de 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -110,6 +110,7 @@ struct ct_general_state {
 	struct nfct_filter		*filter;	/* event filter */
 
 	struct nfct_handle		*dump;		/* dump handler */
+	struct nfct_handle		*request;	/* request handler */
 	struct nfct_handle		*overrun;	/* overrun handler */
 	struct alarm_block		overrun_alarm;
 
diff --git a/include/netlink.h b/include/netlink.h
index a46fe11..a7b7dda 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -10,6 +10,8 @@ int nl_init_event_handler(void);
 
 int nl_init_dump_handler(void);
 
+int nl_init_request_handler(void);
+
 int nl_init_overrun_handler(void);
 
 int nl_overrun_request_resync(void);
@@ -20,6 +22,8 @@ int nl_dump_conntrack_table(void);
 
 int nl_exist_conntrack(struct nf_conntrack *ct);
 
+int nl_get_conntrack(struct nf_conntrack *ct);
+
 int nl_create_conntrack(struct nf_conntrack *ct);
 
 int nl_update_conntrack(struct nf_conntrack *ct);
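Review bot: The new `nl_get_conntrack` prototype sits next to `nl_exist_conntrack` with nothing in the header saying how the two differ or what they return, although both share the same tri-state contract that is only visible in src/netlink.c (1 when the kernel has the entry, 0 on ENOENT, -1 on any other error with errno left as nfct_query set it). A one-line comment on each declaration would spare callers a trip into the implementation, e.g. `/* check existence only, no side effects: 1 found, 0 not found, -1 error (errno set) */` above `nl_exist_conntrack` and `/* same contract, but issued on the dump handle so the cached entry is refreshed */` above `nl_get_conntrack`. The cache-refresh part of the second comment is inferred from the commit message rather than from this patch, so confirm it before wording it as a guarantee.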
diff --git a/src/netlink.c b/src/netlink.c
index a8a5503..0d9b7db 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -214,6 +214,16 @@ int nl_init_overrun_handler(void)
 	return 0;
 }
 
+/* no callback, it does not do anything with the output */
+int nl_init_request_handler(void)
+{
+	STATE(request) = nfct_open(CONNTRACK, 0);
+	if (!STATE(request))
+		return -1;
+
+	return 0;
+}
+
 static int warned = 0;
 
 void nl_resize_socket_buffer(struct nfct_handle *h)
@@ -257,7 +267,7 @@ int nl_overrun_request_resync(void)
 	return nfct_send(STATE(overrun), NFCT_Q_DUMP, &family);
 }
 
-int nl_exist_conntrack(struct nf_conntrack *ct)
+static int __nl_get_conntrack(struct nfct_handle *h, struct nf_conntrack *ct)
 {
 	int ret;
 	char __tmp[nfct_maxsize()];
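Review bot: The renamed helper `__nl_get_conntrack` starts with a double underscore, and identifiers beginning with `__` are reserved for the implementation in C (C11 7.1.3), so a conflicting definition in libc or a compiler builtin would be allowed to break this build silently. Since the function is `static`, a name such as `nl_query_conntrack` or `nl_do_get_conntrack` conveys the same "internal" intent without entering the reserved namespace; the same remark applies to the pre-existing `__tmp` local on the next line. The body of this helper continues in the following hunk.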
@@ -268,13 +278,24 @@ int nl_exist_conntrack(struct nf_conntrack *ct)
 	/* use the original tuple to check if it is there */
 	nfct_copy(tmp, ct, NFCT_CP_ORIG);
 
-	ret = nfct_query(STATE(dump), NFCT_Q_GET, tmp);
+	ret = nfct_query(h, NFCT_Q_GET, tmp);
 	if (ret == -1)
 		return errno == ENOENT ? 0 : -1;
 
 	return 1;
 }
 
+int nl_exist_conntrack(struct nf_conntrack *ct)
+{
+	return __nl_get_conntrack(STATE(request), ct);
+}
+
+/* get the conntrack and update the cache */
+int nl_get_conntrack(struct nf_conntrack *ct)
+{
+	return __nl_get_conntrack(STATE(dump), ct);
+}
+
 /* This function modifies the conntrack passed as argument! */
 int nl_create_conntrack(struct nf_conntrack *ct)
 {
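Review bot: The comment `/* get the conntrack and update the cache */` on `nl_get_conntrack` claims a side effect that nothing in this hunk performs: the wrapper differs from `nl_exist_conntrack` only in passing `STATE(dump)` instead of `STATE(request)`, so the cache update must come from the callback registered on the dump handle elsewhere in the file. Spelling that dependency out keeps the next maintainer from treating the two wrappers as interchangeable, e.g. `/* query through the dump handle: its callback (see nl_init_dump_handler) refreshes the cache entry; the request handle has no callback, so nl_exist_conntrack is side-effect free */`. It would also help to state the shared return contract once on the helper: `/* returns 1 if the kernel has the entry, 0 if it does not (ENOENT), -1 on any other error with errno untouched */`, since `nl_exist_conntrack` is the one callers may reasonably branch on. The dump-handle callback is outside this hunk, so the refresh behaviour is inferred and should be confirmed.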
diff --git a/src/run.c b/src/run.c
index cf570d8..b7da18c 100644
--- a/src/run.c
+++ b/src/run.c
@@ -38,6 +38,7 @@ void killer(int foo)
 	sigprocmask(SIG_BLOCK, &STATE(block), NULL);
 
 	nfct_close(STATE(event));
+	nfct_close(STATE(request));
 
 	ct_filter_destroy(STATE(us_filter));
 	local_server_destroy(&STATE(local));
@@ -144,6 +145,13 @@ init(void)
 		return -1;
 	}
 
+	if (nl_init_request_handler() == -1) {
+		dlog(LOG_ERR, "can't open netlink handler: %s",
+		     strerror(errno));
+		dlog(LOG_ERR, "no ctnetlink kernel support?");
+		return -1;
+	}
+
 	init_alarm(&STATE(overrun_alarm), NULL, do_overrun_alarm);
 
 	STATE(fds) = create_fds();
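Review bot: The failure message in the new `nl_init_request_handler()` branch, `"can't open netlink handler: %s"`, does not say which handler failed, and the preceding error branch (its `return -1;` is visible at the top of the hunk) presumably emits the same wording, so a log reader cannot tell the request socket from the others. Naming the handler costs nothing: `dlog(LOG_ERR, "can't open netlink request handler: %s", strerror(errno));`. It is also worth noting, as with the existing branches, that returning -1 here leaves the handles opened earlier in `init()` unclosed; whether the caller cleans those up is not visible in this hunk, and `init()` starts and ends outside it.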


