[conntrack-tools] conntrack: add -C command to display the counter
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Sat Jan 17 20:40:05 CET 2009
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=4fb9c22f6e4ec2fadd22c0863137f211d9b392c4
commit 4fb9c22f6e4ec2fadd22c0863137f211d9b392c4
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 20:34:13 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 20:34:13 2009 +0100
conntrack: add -C command to display the counter
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectations, it loops over the table to count the number of entries
(as there is no proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit d05f05e21be0cca59ca67ac19ef2b73c467b8250
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 20:33:30 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 20:33:30 2009 +0100
src: add `-s queue' and change `-v' behaviour
This patch moves the existing `-v' behaviour to `-s queue' where it
really belongs. The `-v' option is now left to display the version
which is the common use of it.
# conntrackd -v
Connection tracking userspace daemon v0.9.9. Licensed under GPLv2.
(C) 2006-2009 Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit a63f5181807803ffdd879edca9fd4d73c4be35f3
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:24:57 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:24:57 2009 +0100
ftfw: add ResendQueueSize and deprecate ResendBufferSize clauses
This patch adds ResendQueueSize, which sets the number of objects
that can be stored in the resend queue waiting to be confirmed.
The ResendBufferSize clause has been deprecated.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 7f5a53998abfc9b199b713244fe8baf0a7c2b2fe
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:03:53 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:03:53 2009 +0100
cache: add objects statistics
This patch adds the object counter to `conntrackd -s cache'. This
is useful to detect object leaks at runtime. This patch also changes
the layout of the output to fit the display in less than 24 lines
(assuming a 24x80 terminal).
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 746f7031f4d1e3bccdd6db3c53835d8b85b73c90
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:03:53 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:03:53 2009 +0100
src: add state polling support (opposed to current event-driven)
This patch adds the clause PollSecs that changes the normal
behaviour of conntrackd. With PollSecs set to > 0, conntrackd
polls the entries every N seconds.
This is the opposite of the event-driven behaviour but may
be useful for those that have really strong limitations in terms of
CPU consumption and want to perform a relaxed replication.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 05194422ee8fa038d99fe77a2e9d776d25623fd2
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:03:53 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:03:53 2009 +0100
src: remove register_fds hooks
This patch moves the file descriptor registration after the
initialization instead of having a specific hook for this.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit c54c8c9287fc87177daf9b51933f92c7e6402904
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:03:52 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:03:52 2009 +0100
src: rename overrun handler to resync handler
This patch is a cleanup. The overrun handler is actually a way to
resynchronize against the conntrack kernel table. The name overrun
was used because it was initially its purpose. The new naming shows
its genericity.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 7ae054f8aae252ee9c57e26327675e466fc1d15d
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:03:52 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:03:52 2009 +0100
src: support for redundant dedicated links
This patch adds support for redundant dedicated links. You can add
a pool of dedicated links that can be used if the current active
fails.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit d581381870486687586dea4ebf4b7065ae408cd0
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:03:52 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:03:52 2009 +0100
network: do not re-set the message type in nethdr_set* functions
The network headers already contain the message type set. It is not
necessary to set it up again.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit b1d00262f999a597fa24af3298195db9cf52b790
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 18:03:50 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 18:03:50 2009 +0100
sync: enqueue state updates to tx_queue
With this patch, all the state updates are enqueued in the
tx_queue. Thus, there's a single output path. This patch adds a
simple refcounting mechanism to note when an object is sitting in
the txqueue. This patch also removes the alarm that is required by
the ftfw approach.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 786f37040cdcb64b24eb0b437307ed5e208f717f
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 17:54:57 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 17:54:57 2009 +0100
sync: add generic tx_queue for all synchronization modes
This patch adds a generic tx queue for all synchronization modes.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 4ec9fc2bcceb4e609c43af1a2ecf8d1d87b55d5c
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Jan 17 17:54:15 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Jan 17 17:54:15 2009 +0100
ftfw: move helloing to ftfw_xmit()
This patch moves the helloing logic into ftfw_xmit. Still, the
helloing is kept in ftfw_send as we still have two possible paths
for messages. This will be removed in the next patches to make all
messages go over a single txqueue.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit e2af183ea7e5ea35a1582f40a01a7c49e83b31be
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Jan 15 23:19:58 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Jan 15 23:19:58 2009 +0100
sync: unify tx_list and tx_queue into one single tx_queue
This patch unifies the tx_list and the tx_queue to have only one
transmission queue. Since the tx_list holds state objects and the
tx_queue control messages, I have introduced a queue node type
that can be used to differentiate the kind of information that
the node stores: object or control message.
This patch also reworks the existing queue class to include a
file descriptor that can be used to know whether new data has been
added to the queue (see QUEUE_F_EVFD flag).
In this change, I have also modified the current evfd to make read
operations on the file descriptor non-blocking. Moreover,
it keeps a counter that is used to know how many messages are
inserted in the queue.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 2cacd3a802510bde43e23cf4c7d39f51a2eaf460
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Jan 15 23:19:58 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Jan 15 23:19:58 2009 +0100
run: relax resynchronization algorithm when netlink overruns
This patch relaxes the current approach when netlink reports
overruns. There are two situations that can trigger a
resynchronization with the kernel conntrack table:
a) Netlink overruns because the receiver buffer is too small:
increase the netlink buffer size and schedule a resync with the
kernel conntrack table to resolve the inconsistency. The sysadmin
would notice in the logs and will try to set a bigger buffer in
the configuration file.
b) The system is under heavy workload (CPU is too busy): we should
avoid resyncing with the kernel table since this is an expensive
operation. We do our best here and keep replicating as many states
as possible. If CPU consumption lowers at some point, then we will
try to resync ourselves.
This patch reduces the chances to resynchronize with the kernel
conntrack table: it only does so if two overruns happen within an
interval of 30 seconds.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
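The two-overrun rule described in the commit message above, worked through as an added illustration in C. This is not conntrackd's code: the 30-second interval comes from the commit message and the 8388608-byte ceiling from the sample configuration's SocketBufferSizeMaxGrowth, while the type and function names (overrun_state, on_netlink_overrun, grow_sockbuf, run_timeline), the buffer-doubling policy and the injected `now` clock are assumptions made for the example. The idea it demonstrates: a lone ENOBUFS is charged to transient CPU pressure (case b) and only grows the buffer, whereas a second one inside the window is taken as a too-small buffer (case a) and pays for the expensive resync.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Added example, not conntrackd's code. The 30 s interval comes from the
 * commit message and the 8388608-byte ceiling from the sample config's
 * SocketBufferSizeMaxGrowth; the names and the doubling policy are assumed. */
#define RESYNC_INTERVAL_SECS 30
#define SOCKBUF_MAX_GROWTH   8388608

enum overrun_action {
	OVERRUN_KEEP_GOING,  /* grow the buffer, keep replicating (case b) */
	OVERRUN_RESYNC       /* grow the buffer and schedule a resync (case a) */
};

struct overrun_state {
	bool armed;               /* an overrun was seen less than a window ago */
	time_t last_overrun;      /* timestamp of that overrun */
	size_t sockbuf_size;      /* current netlink receive buffer size */
	unsigned int overruns;    /* statistics: overruns seen */
	unsigned int resyncs;     /* statistics: resyncs scheduled */
};

static void overrun_state_init(struct overrun_state *s, size_t initial_sockbuf)
{
	s->armed = false;
	s->last_overrun = 0;
	s->sockbuf_size = initial_sockbuf;
	s->overruns = 0;
	s->resyncs = 0;
}

/* Assumed growth policy: double until the configured ceiling is reached. */
static size_t grow_sockbuf(size_t cur)
{
	if (cur >= SOCKBUF_MAX_GROWTH / 2)
		return SOCKBUF_MAX_GROWTH;
	return cur * 2;
}

/* Decision taken when recv() on the event socket fails with ENOBUFS.
 * `now` is passed in rather than read from the clock so the logic can be
 * exercised on a constructed timeline. */
static enum overrun_action on_netlink_overrun(struct overrun_state *s, time_t now)
{
	s->overruns++;
	s->sockbuf_size = grow_sockbuf(s->sockbuf_size);

	/* A second overrun inside the window means the buffer really is too
	 * small and the cache may already be inconsistent: pay for a resync.
	 * A lone overrun is treated as transient CPU pressure: keep replicating
	 * and wait to see whether another one follows. */
	if (s->armed && now - s->last_overrun < RESYNC_INTERVAL_SECS) {
		s->armed = false;         /* the resync starts a fresh window */
		s->resyncs++;
		return OVERRUN_RESYNC;
	}
	s->armed = true;
	s->last_overrun = now;
	return OVERRUN_KEEP_GOING;
}

/* Feed a sequence of overrun timestamps and return how many resyncs
 * the rule scheduled. */
static unsigned int run_timeline(struct overrun_state *s, const time_t *t, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++) {
		enum overrun_action a = on_netlink_overrun(s, t[i]);
		printf("t=%3ld overrun -> %-10s sockbuf=%zu\n", (long)t[i],
		       a == OVERRUN_RESYNC ? "resync" : "keep going", s->sockbuf_size);
	}
	return s->resyncs;
}

int main(void)
{
	/* Constructed timeline (seconds since start): the pairs 5/20 and
	 * 200/210 fall inside one window, 100 and 200 do not. */
	static const time_t timeline[] = { 5, 20, 100, 200, 210 };
	struct overrun_state s;
	unsigned int resyncs;

	overrun_state_init(&s, 262144);
	resyncs = run_timeline(&s, timeline, sizeof(timeline) / sizeof(timeline[0]));
	printf("resyncs scheduled: %u of %u overruns\n", resyncs, s.overruns);
	return 0;
}
```

On the constructed timeline the rule schedules two resyncs for five overruns and the buffer reaches the ceiling after the fifth; the window is reset after a resync on purpose, so a burst of three overruns in a row costs one resync, not two.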
commit 8dce3504fde7da933dc6e7ecfeb99b4b45125f32
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Jan 15 23:19:58 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Jan 15 23:19:58 2009 +0100
cache: add status field to store the object status
This patch adds the status field to the cache object. This avoids
the (ab)use of the alarm to check if an entry is active or dead.
This is the first step to possibly move the alarm to the cache_extra
memory space of the ftfw (which is the only use by now).
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 50339f96638eed35dac2b673b64cc6f1eb96406c
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Jan 15 23:19:57 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Jan 15 23:19:57 2009 +0100
src: rework of the hash-cache infrastructure
Currently, the caching system is implemented in a two layer
architecture: hashtable (inner layer) and cache (upper layer).
This patch reworks the hash-cache infrastructure to solve some
initial design problems to make it more flexible, the main strong
points of this patch are:
* Memory handling is done in the cache layer, not in the inner
hashtable layer. This removes one of the main dependencies between
the hashtable and the cache classes.
* Remove excessive encapsulation: the former cache used to hide a
lot of details of the inner hashtable implementation.
* Fix over-hashing of some operations: lookup-delete-add required
three hash calculations. Similarly, the update-or-add operation
required two hash calculations. Now, we calculate the hash once
and re-use the value as many times as we need.
This patch simplifies the caching system. As a result, we save ~130
lines of code. Less code means less complexity, and less complexity
means fewer chances to have bugs.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit b28224b0326636ff5832b38817b7720f48070ee7
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Jan 15 23:19:35 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Jan 15 23:19:35 2009 +0100
run: limit the number of iterations over the event handling
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
via 4fb9c22f6e4ec2fadd22c0863137f211d9b392c4 (commit)
via d05f05e21be0cca59ca67ac19ef2b73c467b8250 (commit)
via a63f5181807803ffdd879edca9fd4d73c4be35f3 (commit)
via 7f5a53998abfc9b199b713244fe8baf0a7c2b2fe (commit)
via 746f7031f4d1e3bccdd6db3c53835d8b85b73c90 (commit)
via 05194422ee8fa038d99fe77a2e9d776d25623fd2 (commit)
via c54c8c9287fc87177daf9b51933f92c7e6402904 (commit)
via 7ae054f8aae252ee9c57e26327675e466fc1d15d (commit)
via d581381870486687586dea4ebf4b7065ae408cd0 (commit)
via b1d00262f999a597fa24af3298195db9cf52b790 (commit)
via 786f37040cdcb64b24eb0b437307ed5e208f717f (commit)
via 4ec9fc2bcceb4e609c43af1a2ecf8d1d87b55d5c (commit)
via e2af183ea7e5ea35a1582f40a01a7c49e83b31be (commit)
via 2cacd3a802510bde43e23cf4c7d39f51a2eaf460 (commit)
via 8dce3504fde7da933dc6e7ecfeb99b4b45125f32 (commit)
via 50339f96638eed35dac2b673b64cc6f1eb96406c (commit)
via b28224b0326636ff5832b38817b7720f48070ee7 (commit)
from 4556b3fb39dd80e958ff70f3496d06ec04f3839d (commit)
-----------------------------------------------------------------------
conntrack.8 | 3 +
doc/stats/conntrackd.conf | 12 +
doc/sync/alarm/conntrackd.conf | 42 ++++
doc/sync/ftfw/conntrackd.conf | 57 ++++-
doc/sync/notrack/conntrackd.conf | 42 ++++
include/Makefile.am | 4 +-
include/cache.h | 54 +++--
include/conntrack.h | 8 +-
include/conntrackd.h | 30 ++-
include/filter.h | 11 +
include/hash.h | 22 +--
include/mcast.h | 28 ++-
include/netlink.h | 5 +-
include/network.h | 8 +-
include/queue.h | 52 +++-
include/slist.h | 41 ----
include/sync.h | 9 +-
include/us-conntrack.h | 14 --
src/cache.c | 332 +++++++++++----------------
src/cache_iterators.c | 65 +++---
src/cache_lifetime.c | 10 +-
src/cache_timer.c | 36 ++--
src/cache_wt.c | 33 ++--
src/conntrack.c | 50 ++++-
src/event.c | 20 +-
src/filter.c | 57 ++++-
src/hash.c | 136 +++--------
src/main.c | 26 ++-
src/mcast.c | 231 +++++++++++++++++--
src/netlink.c | 20 ++-
src/network.c | 32 ++-
src/queue.c | 131 ++++++-----
src/read_config_lex.l | 4 +
src/read_config_yy.y | 140 +++++++++---
src/run.c | 125 +++++++----
src/stats-mode.c | 64 +++---
src/sync-alarm.c | 86 ++++++--
src/sync-ftfw.c | 478 ++++++++++++++++++--------------------
src/sync-mode.c | 271 +++++++++++++--------
src/sync-notrack.c | 142 +++++-------
40 files changed, 1752 insertions(+), 1179 deletions(-)
delete mode 100644 include/slist.h
delete mode 100644 include/us-conntrack.h
Currently, the event handling can starve other event file
descriptors. This patch limits the number of event handling
iterations. The parameter is tunable via configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index f42a799..f16f439 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -165,6 +165,17 @@ General {
SocketBufferSizeMaxGrowth 8388608
#
+ # The daemon prioritizes the handling of state-change events coming
+ # from the core. With this clause, you can set the maximum number of
+ # state-change events (those coming from kernel-space) that the daemon
+ # will handle after which it will handle other events coming from the
+ # network or userspace. A low value improves interactivity (in terms of
+ # real-time behaviour) at the cost of extra CPU consumption.
+ # Default (if not set) is 100.
+ #
+ # EventIterationLimit 100
+
+ #
# Event filtering: This clause allows you to filter certain traffic,
# There are currently three filter-sets: Protocol, Address and
# State. The filter is attached to an action that can be: Accept or
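Review bot: the comment gives the default but not how the value 0 is treated; in the read_config_yy.y hunk of this same patch, `if (CONFIG(event_iterations_limit) == 0) CONFIG(event_iterations_limit) = 100;` silently turns `EventIterationLimit 0` back into 100 rather than disabling the limit, so say so here (for example "0 is treated as unset") or reject 0 in the parser. The sentence on "extra CPU consumption" would also help the reader more if it said why: a small budget means more trips through select() for the same burst of kernel events.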
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index e12a745..d85fc28 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -173,6 +173,17 @@ General {
SocketBufferSizeMaxGrowth 8388608
#
+ # The daemon prioritizes the handling of state-change events coming
+ # from the core. With this clause, you can set the maximum number of
+ # state-change events (those coming from kernel-space) that the daemon
+ # will handle after which it will handle other events coming from the
+ # network or userspace. A low value improves interactivity (in terms of
+ # real-time behaviour) at the cost of extra CPU consumption.
+ # Default (if not set) is 100.
+ #
+ # EventIterationLimit 100
+
+ #
# Event filtering: This clause allows you to filter certain traffic,
# There are currently three filter-sets: Protocol, Address and
# State. The filter is attached to an action that can be: Accept or
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index cbc26ee..4d03234 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -155,6 +155,17 @@ General {
SocketBufferSizeMaxGrowth 8388608
#
+ # The daemon prioritizes the handling of state-change events coming
+ # from the core. With this clause, you can set the maximum number of
+ # state-change events (those coming from kernel-space) that the daemon
+ # will handle after which it will handle other events coming from the
+ # network or userspace. A low value improves interactivity (in terms of
+ # real-time behaviour) at the cost of extra CPU consumption.
+ # Default (if not set) is 100.
+ #
+ # EventIterationLimit 100
+
+ #
# Event filtering: This clause allows you to filter certain traffic,
# There are currently three filter-sets: Protocol, Address and
# State. The filter is attached to an action that can be: Accept or
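Review bot: this is the third identical copy of the clause description (alarm, ftfw and notrack sample configs), and the diffstat for this push lists doc/stats/conntrackd.conf as changed too, although no hunk for it appears in the truncated diff. Hand-copied wording drifts; consider keeping the authoritative description in one place (the manual page) and having the samples carry the one-line `# EventIterationLimit 100` with a pointer to it.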
diff --git a/include/conntrackd.h b/include/conntrackd.h
index df36ec4..67397b8 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -84,6 +84,7 @@ struct ct_conf {
unsigned int window_size;
int cache_write_through;
int filter_from_kernelspace;
+ int event_iterations_limit;
struct {
char logfile[FILENAME_MAXLEN];
int syslog_facility;
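Review bot: declaring the limit as `int` lets a negative value from the parser reach CONFIG(event_iterations_limit) unchanged (the grammar hunk assigns `$2` directly), and since run.c tests `STATE(event_iterations_limit)-- <= 0`, a negative limit makes every single event end the batch. Either use `unsigned int`, like `window_size` two lines above, and validate in the parser, or document that values below 1 are rejected.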
@@ -103,6 +104,7 @@ struct ct_general_state {
struct nfct_handle *event; /* event handler */
struct nfct_filter *filter; /* event filter */
+ int event_iterations_limit;
struct nfct_handle *dump; /* dump handler */
struct nfct_handle *request; /* request handler */
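Review bot: the countdown added to ct_general_state is not initialised from CONFIG(event_iterations_limit) in any hunk shown. Assuming the state struct is a zero-initialised global, the first event after start-up hits the `<= 0` branch in event_handler, returns NFCT_CB_STOP after one event and only then loads the configured value. Harmless, but set `STATE(event_iterations_limit) = CONFIG(event_iterations_limit);` on the init path so the first batch is not a one-event batch, and add a comment on the field saying it is a countdown, not a copy of the configured value, since it shares the name of the ct_conf field added in the previous hunk.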
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 67c95d3..f8b0ba1 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -117,6 +117,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"From" { return T_FROM; }
"Userspace" { return T_USERSPACE; }
"Kernelspace" { return T_KERNELSPACE; }
+"EventIterationLimit" { return T_EVENT_ITER_LIMIT; }
{is_on} { return T_ON; }
{is_off} { return T_OFF; }
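Review bot: naming is inconsistent across the three layers of this patch: the clause is `EventIterationLimit` (singular), the token `T_EVENT_ITER_LIMIT`, and the grammar rule and struct fields `event_iterations_limit` (plural). Pick one form; it matters when a user greps the source for the keyword they see in the config file.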
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 69a7eff..274bfc3 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -59,7 +59,7 @@ static void __kernel_filter_add_state(int value);
%token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT
%token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK
%token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE
-%token T_FROM T_USERSPACE T_KERNELSPACE
+%token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT
%token <string> T_IP T_PATH_VAL
%token <val> T_NUMBER
@@ -681,6 +681,7 @@ general_line: hashsize
| netlink_buffer_size
| netlink_buffer_size_max_grown
| family
+ | event_iterations_limit
| filter
;
@@ -702,6 +703,11 @@ family : T_FAMILY T_STRING
conf.family = AF_INET;
};
+event_iterations_limit : T_EVENT_ITER_LIMIT T_NUMBER
+{
+ CONFIG(event_iterations_limit) = $2;
+};
+
filter : T_FILTER '{' filter_list '}'
{
CONFIG(filter_from_kernelspace) = 0;
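Review bot: the rule stores `$2` without any range check. Combined with the `<= 0` test in the run.c hunk and the `== 0` fallback in init_config below, a value of 0 is silently replaced with 100 and a negative value reduces every batch to a single event. Reject anything below 1 here with a parse error, for example `if ($2 < 1) { fprintf(stderr, "EventIterationLimit must be >= 1\n"); exit(EXIT_FAILURE); }` (adapted to whatever error convention the other numeric rules in this file use).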
@@ -1096,5 +1102,8 @@ init_config(char *filename)
if (conf.flags & CTD_SYNC_FTFW && CONFIG(del_timeout) == 0)
CONFIG(del_timeout) = 240;
+ if (CONFIG(event_iterations_limit) == 0)
+ CONFIG(event_iterations_limit) = 100;
+
return 0;
}
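Review bot: the literal 100 here duplicates the number quoted in the three sample-config comments; a `#define` (for instance DEFAULT_EVENT_ITER_LIMIT) next to the new field in conntrackd.h would keep code and documentation from drifting. The `CONFIG(del_timeout) = 240;` two lines above follows the same magic-number pattern, so this is a good place to start.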
diff --git a/src/run.c b/src/run.c
index 7958665..caf0b38 100644
--- a/src/run.c
+++ b/src/run.c
@@ -219,7 +219,7 @@ static int event_handler(enum nf_conntrack_msg_type type,
/* skip user-space filtering if already do it in the kernel */
if (ct_filter_conntrack(ct, !CONFIG(filter_from_kernelspace))) {
STATE(stats).nl_events_filtered++;
- return NFCT_CB_STOP;
+ goto out;
}
switch(type) {
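Review bot: filtered events now fall through to the `out:` label and are charged against the iteration budget, where before they returned NFCT_CB_STOP at once. That is the right direction for fairness (a stream of events that all match an Ignore filter can no longer monopolise the handler), but it is a behavioural change worth a sentence in the commit message. Also consider whether a filtered event, which does no cache work, should cost a full iteration: a peer that generates only filtered traffic makes every batch cheap yet still forces a trip through select() every N events.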
@@ -238,7 +238,12 @@ static int event_handler(enum nf_conntrack_msg_type type,
break;
}
- return NFCT_CB_CONTINUE;
+out:
+ if (STATE(event_iterations_limit)-- <= 0) {
+ STATE(event_iterations_limit) = CONFIG(event_iterations_limit);
+ return NFCT_CB_STOP;
+ } else
+ return NFCT_CB_CONTINUE;
}
static int dump_handler(enum nf_conntrack_msg_type type,
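Review bot: the post-decrement in `if (STATE(event_iterations_limit)-- <= 0)` lets N+1 events through per batch: starting at 100, events 1 to 100 see the values 100 down to 1 and continue, and only the 101st sees 0 and stops. Use `if (--STATE(event_iterations_limit) <= 0)` so that exactly the configured number of events is handled before the reset, matching the "maximum number of state-change events" wording in the sample configs. The reset to CONFIG(event_iterations_limit) itself is fine.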
@@ -397,7 +402,7 @@ static void __run(struct timeval *next_alarm)
/* conntrack event has happened */
if (FD_ISSET(nfct_fd(STATE(event)), &readfds)) {
- while ((ret = nfct_catch(STATE(event))) != -1);
+ ret = nfct_catch(STATE(event));
if (ret == -1) {
switch(errno) {
case ENOBUFS:
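Review bot: dropping the `while (... != -1)` loop is what makes the limit effective: nfct_catch() returns as soon as the callback answers NFCT_CB_STOP, the unread events stay queued in the netlink socket, and the descriptor is readable again on the next select() pass, so the other descriptors get their turn. A STOP-terminated call does not return -1, so the errno switch below is reached only on real socket errors, which is correct. Add a one-line comment above the call saying that leftover events are deliberately deferred to the next loop iteration; otherwise the removal of the drain loop reads like an accident. The hunk is cut off here, so the ENOBUFS branch, where the buffer growth and the resync scheduling from commit 2cacd3a8 are triggered, could not be reviewed.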