[conntrack-tools] notrack: fix double receival of resync requests

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Mon Oct 20 14:18:42 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=5000afe7e1a3ae4a14995e051d3ee716d8a6c784
commit 5000afe7e1a3ae4a14995e051d3ee716d8a6c784
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Oct 20 14:17:13 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Oct 20 14:17:13 2008 +0200

    notrack: fix double receival of resync requests
    
    This patch fixes double insertion in the tx_list if we receive
    two (or more) consecutive resync requests within a short time.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 9c2fd73489f516eb56f8fe216913ea70e3b4a76a
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Oct 20 14:15:46 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Oct 20 14:15:46 2008 +0200

    config: fix usage of 'PurgeTimeout' in Sync NOTRACK
    
    This patch fixes a problem that is reported by conntrackd while
    trying to parse the example configuration file. We fix this
    instead of the example file to make it consistent with other
    replication approaches.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit a7c245bafd98a04414903787448ac17bb0922b70
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Oct 20 14:13:51 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Oct 20 14:13:51 2008 +0200

    cache-iterators: improve committing
    
    This patch fixes two problems:
    - If we fail to update an entry, we remove it and try again. This
    happens when we still have an entry in a final state like TIME_WAIT
    while we see a new connection (SYN_SENT) with the same tuple. In
    this particular case, we fail to update since some status bits are
    only settable, but not unsettable.
    - If we hit ETIME in an update, we have to go through the creation
    path, otherwise we hit ENOENT in the next run.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 8509a878c0df580b7496c7fd0afd961c4c3c771d
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Oct 20 14:09:04 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Oct 20 14:09:04 2008 +0200

    cache: fix update of scheduled-to-timeout entries
    
    This patch fixes a problem that allows the update of entries that
    are scheduled to be removed.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  5000afe7e1a3ae4a14995e051d3ee716d8a6c784 (commit)
       via  9c2fd73489f516eb56f8fe216913ea70e3b4a76a (commit)
       via  a7c245bafd98a04414903787448ac17bb0922b70 (commit)
       via  8509a878c0df580b7496c7fd0afd961c4c3c771d (commit)
      from  b8ed29727d24862523d57066ede86635d8dbacbf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5000afe7e1a3ae4a14995e051d3ee716d8a6c784
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Oct 20 14:17:13 2008 +0200

    notrack: fix double receival of resync requests
    
    This patch fixes double insertion in the tx_list if we receive
    two (or more) consecutive resync requests within a short time.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 9c2fd73489f516eb56f8fe216913ea70e3b4a76a
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Oct 20 14:15:46 2008 +0200

    config: fix usage of 'PurgeTimeout' in Sync NOTRACK
    
    This patch fixes a problem that is reported by conntrackd while
    trying to parse the example configuration file. We fix this
    instead of the example file to make it consistent with other
    replication approaches.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit a7c245bafd98a04414903787448ac17bb0922b70
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Oct 20 14:13:51 2008 +0200

    cache-iterators: improve committing
    
    This patch fixes two problems:
    - If we fail to update an entry, we remove it and try again. This
    happens when we still have an entry in a final state like TIME_WAIT
    while we see a new connection (SYN_SENT) with the same tuple. In
    this particular case, we fail to update since some status bits are
    only settable, but not unsettable.
    - If we hit ETIME in an update, we have to go through the creation
    path, otherwise we hit ENOENT in the next run.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 8509a878c0df580b7496c7fd0afd961c4c3c771d
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Oct 20 14:09:04 2008 +0200

    cache: fix update of scheduled-to-timeout entries
    
    This patch fixes a problem that allows the update of entries that
    are scheduled to be removed.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 src/cache.c           |   99 +++++++++++++++++++++++++++----------------------
 src/cache_iterators.c |   20 ++++++++--
 src/read_config_yy.y  |    6 ++-
 src/sync-notrack.c    |   21 ++++++++++
 4 files changed, 96 insertions(+), 50 deletions(-)
This patch fixes a problem that allows the update of entries that
are scheduled to be removed.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/src/cache.c b/src/cache.c
index 820a385..63a8cff 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -231,6 +231,23 @@ struct us_conntrack *cache_add(struct cache *c, struct nf_conntrack *ct)
 	return NULL;
 }
 
+static void 
+__cache_update(struct cache *c, struct us_conntrack *u, struct nf_conntrack *ct)
+{
+	unsigned i;
+	char *data = u->data;
+
+	nfct_copy(u->ct, ct, NFCT_CP_META);
+
+	for (i = 0; i < c->num_features; i++) {
+		c->features[i]->update(u, data);
+		data += c->features[i]->size;
+	}
+
+	if (c->extra && c->extra->update)
+		c->extra->update(u, ((char *) u) + c->extra_offset);
+}
+
 static struct us_conntrack *__update(struct cache *c, struct nf_conntrack *ct)
 {
 	size_t size = c->h->datasize;
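Review bot: The new `__cache_update` has no header comment, and its contract is the one thing a reader needs: it refreshes an entry unconditionally — it copies the conntrack metadata and runs every feature and extra update hook, but never looks at `u->alarm`, so deciding whether an entry scheduled for removal may be refreshed is left entirely to the caller (`cache_update_force` in this patch does that check, `__update` does not). Suggest adding above the definition: `/* Refresh an existing entry in place: copy ct metadata, then run each feature's and the extra's update hook. Does not check u->alarm; the caller decides whether a dying entry may be updated. */`. The `static void ` line also carries a trailing space worth dropping while the function is new.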
@@ -241,19 +258,7 @@ static struct us_conntrack *__update(struct cache *c, struct nf_conntrack *ct)
 
 	u = (struct us_conntrack *) hashtable_test(c->h, u);
 	if (u) {
-		unsigned i;
-		char *data = u->data;
-
-		nfct_copy(u->ct, ct, NFCT_CP_META);
-
-		for (i = 0; i < c->num_features; i++) {
-			c->features[i]->update(u, data);
-			data += c->features[i]->size;
-		}
-
-		if (c->extra && c->extra->update)
-			c->extra->update(u, ((char *) u) + c->extra_offset);
-
+		__cache_update(c, u, ct);
 		return u;
 	} 
 	return NULL;
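Review bot: `__update` still refreshes whatever entry `hashtable_test` returns, without the `alarm_pending(&u->alarm)` check that the new `cache_update_force` applies, so the fix the commit message describes (no updates of entries scheduled for removal) seems to cover only the force path; unless `cache_update` checks the alarm itself before calling `__update` (its body is outside this hunk), it can still refresh a dying entry. Either mirror the check here, `if (u && !alarm_pending(&u->alarm)) {`, or put a comment on the `__cache_update(c, u, ct);` call explaining why this path is allowed to skip it. `__update` begins before this hunk.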
@@ -273,37 +278,6 @@ struct us_conntrack *cache_update(struct cache *c, struct nf_conntrack *ct)
 	return NULL;
 }
 
-struct us_conntrack *cache_update_force(struct cache *c,
-					struct nf_conntrack *ct)
-{
-	struct us_conntrack *u;
-
-	if ((u = __update(c, ct)) != NULL) {
-		c->upd_ok++;
-		return u;
-	}
-	if ((u = __add(c, ct)) != NULL) {
-		c->add_ok++;
-		return u;
-	}
-	c->add_fail++;
-	return NULL;
-}
-
-int cache_test(struct cache *c, struct nf_conntrack *ct)
-{
-	size_t size = c->h->datasize;
-	char buf[size];
-	struct us_conntrack *u = (struct us_conntrack *) buf;
-	void *ret;
-
-	u->ct = ct;
-
-	ret = hashtable_test(c->h, u);
-
-	return ret != NULL;
-}
-
 static void __del2(struct cache *c, struct us_conntrack *u)
 {
 	unsigned i;
@@ -337,6 +311,43 @@ static void __cache_del(struct cache *c, struct us_conntrack *u)
 	__del2(c, u);
 }
 
+struct us_conntrack *cache_update_force(struct cache *c,
+					struct nf_conntrack *ct)
+{
+	struct us_conntrack *u;
+
+	u = cache_find(c, ct);
+	if (u) {
+		if (!alarm_pending(&u->alarm)) {
+			c->upd_ok++;
+			__cache_update(c, u, ct);
+			return u;
+		} else {
+			__cache_del(c, u);
+		}
+	}
+	if ((u = __add(c, ct)) != NULL) {
+		c->add_ok++;
+		return u;
+	}
+	c->add_fail++;
+	return NULL;
+}
+
+int cache_test(struct cache *c, struct nf_conntrack *ct)
+{
+	size_t size = c->h->datasize;
+	char buf[size];
+	struct us_conntrack *u = (struct us_conntrack *) buf;
+	void *ret;
+
+	u->ct = ct;
+
+	ret = hashtable_test(c->h, u);
+
+	return ret != NULL;
+}
+
 int cache_del(struct cache *c, struct nf_conntrack *ct)
 {
 	size_t size = c->h->datasize;
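Review bot: The `else` branch in `cache_update_force` that deletes an entry with a pending alarm is the behaviour the commit message describes, but nothing in the code says why a scheduled-to-timeout entry is dropped and re-created rather than refreshed; suggest a comment on the `__cache_del(c, u);` line such as `/* entry is scheduled for removal: drop it and fall through to __add() so the new state replaces it */`. It is also worth stating in a header comment that on this path the old entry is already gone when `__add` fails, so the caller gets NULL with nothing left in the cache and only `add_fail` is bumped. `cache_test` is moved verbatim, so its `char buf[size]` VLA sized from `c->h->datasize` is pre-existing rather than introduced here.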


