[conntrack-tools] netlink: set IP_CT_TCP_FLAG_CLOSE_INIT for TIME_WAIT states

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Sun Jan 25 18:03:49 CET 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=30ab4eae6a196102285fd649119fa2d9afe35a32
commit 30ab4eae6a196102285fd649119fa2d9afe35a32
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:53:21 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:53:21 2009 +0100

    netlink: set IP_CT_TCP_FLAG_CLOSE_INIT for TIME_WAIT states
    
    This patch sets IP_CT_TCP_FLAG_CLOSE_INIT if the entry is in TCP
    TIME_WAIT state. This patch is a workaround; the daemon should
    propagate the internal TCP flags to make it fully independent of
    possible changes in the TCP tracking code.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit cced587d766b9194b698a156d241766d5bad8a9d
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:53:14 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:53:14 2009 +0100

    src: increase default PurgeTimeout value
    
    This patch increases the default PurgeTimeout value to 60 seconds.
    The former 15 seconds provides good real-time reaction in terms of
    user-side expected behaviour, but it is too small if you trigger
    random failures in a firewall cluster.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 50c09dec9ad0261d8fcc18d69b2c9ec74052955c
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:53:05 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:53:05 2009 +0100

    src: add support for approximate timeout calculation during commit
    
    During the commit phase, the entries in the external cache
    are inserted in the kernel conntrack table. Currently, we use a
    fixed timeout that is specified in the config file. With this patch,
    if you don't specify the fixed timeout value via CommitTimeout, the
    daemon calculates the real timeout value during the commit phase.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 1c9faf8c218bc7ff4617557383e4116f1adb11e5
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:53:02 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:53:02 2009 +0100

    cache: move lifetime feature to main cache code
    
    The lifetime feature is used by all working modes; it is useful to
    know how long an entry has been living in the cache. This patch
    moves the lifetime feature to the main caching code.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit eec8fdf57f34fe0d80b884ad0e376ed24c63ffcc
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:52:56 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:52:56 2009 +0100

    src: change behaviour of `-t' option
    
    With this patch, the `-t' option adds an alarm that will flush the
    cache after CONFIG(purge_timeout) seconds specified in the config
    file. This looks much cleaner and more performant than looping
    on the entire conntrack table to set the new timeout of every single
    entry.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit b9ee88a0fdb20ed847f05efce1b0abdc8afbabaf
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:51:23 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:51:23 2009 +0100

    src: don't clone when calling nl_*_conntrack functions
    
    This patch removes the cloned conntrack objects created before
    calling nl_*_conntrack functions since they are not required
    anymore (the previous patch guarantees that objects passed as
    parameter are not modified).
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 8d689ebb67c511f5c03acdfc2226156d5f87c319
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:51:18 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:51:18 2009 +0100

    cache: mangle timeout inside nl_*_conntrack() functions
    
    This patch moves the timeout mangling inside nl_*_conntrack().
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit e6732c96ffd9baaaa84dab763ff6e600bf6abc95
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 17:51:09 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 17:51:09 2009 +0100

    cache: remove nl_exist_conntrack() function
    
    This function is a synonym of nl_get_conntrack(); use the get
    function instead.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 61d976838ee0c3eeda295818ff44f44327b0596d
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 25 13:44:22 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 25 13:44:22 2009 +0100

    cache_iterators: start a clean session if commit finds an entry
    
    The current commit code updates an entry if it still exists in the
    kernel. With this patch, we delete the entry and create a new one
    to make sure that we start a clean session.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

       via  30ab4eae6a196102285fd649119fa2d9afe35a32 (commit)
       via  cced587d766b9194b698a156d241766d5bad8a9d (commit)
       via  50c09dec9ad0261d8fcc18d69b2c9ec74052955c (commit)
       via  1c9faf8c218bc7ff4617557383e4116f1adb11e5 (commit)
       via  eec8fdf57f34fe0d80b884ad0e376ed24c63ffcc (commit)
       via  b9ee88a0fdb20ed847f05efce1b0abdc8afbabaf (commit)
       via  8d689ebb67c511f5c03acdfc2226156d5f87c319 (commit)
       via  e6732c96ffd9baaaa84dab763ff6e600bf6abc95 (commit)
       via  61d976838ee0c3eeda295818ff44f44327b0596d (commit)
      from  ccb54b5f240d3bb014938057c39b24699ff07bfa (commit)

 doc/sync/alarm/conntrackd.conf   |   11 ++--
 doc/sync/ftfw/conntrackd.conf    |   11 ++--
 doc/sync/notrack/conntrackd.conf |   11 ++--
 include/cache.h                  |    9 +--
 include/conntrackd.h             |    2 +
 include/netlink.h                |    5 +-
 include/network.h                |    2 +-
 src/Makefile.am                  |    2 +-
 src/build.c                      |    3 +
 src/cache.c                      |    4 +-
 src/cache_iterators.c            |  145 +++++++++----------------------------
 src/cache_lifetime.c             |   65 -----------------
 src/cache_wt.c                   |   17 +----
 src/netlink.c                    |   42 +++++++----
 src/read_config_yy.y             |    8 +--
 src/stats-mode.c                 |    4 +-
 src/sync-alarm.c                 |    4 +-
 src/sync-ftfw.c                  |    4 +-
 src/sync-mode.c                  |   23 +++++--
 src/sync-notrack.c               |    4 +-
 20 files changed, 124 insertions(+), 252 deletions(-)
 delete mode 100644 src/cache_lifetime.c
The current commit code updates an entry if it still exists in the
kernel. With this patch, we delete the entry and create a new one
to make sure that we start a clean session.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/include/cache.h b/include/cache.h
index 697a64b..bb0ca4d 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -83,7 +83,6 @@ struct cache {
 		uint32_t	upd_fail_enoent;
 
 		uint32_t	commit_ok;
-		uint32_t	commit_exist;
 		uint32_t	commit_fail;
 
 		uint32_t	flush;
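Review bot: commit_exist is dropped from the stats block of struct cache, but the only consumer updated in this patch is cache_iterators.c; any other code that still reads this counter would no longer compile, so confirm there are no remaining references before merging. If the counter is kept instead, the EEXIST branch of the new __do_commit_step is the natural place to increment it.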
diff --git a/src/cache_iterators.c b/src/cache_iterators.c
index ab6a461..379deed 100644
--- a/src/cache_iterators.c
+++ b/src/cache_iterators.c
@@ -111,57 +111,26 @@ __do_commit_step(struct __commit_container *tmp, struct cache_object *obj)
 	 */
 	nfct_set_attr_u32(ct, ATTR_TIMEOUT, CONFIG(commit_timeout));
 
-try_again:
-	ret = nl_exist_conntrack(tmp->h, ct);
-	switch (ret) {
-	case -1:
-		dlog(LOG_ERR, "commit-exist: %s", strerror(errno));
-		dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
-		break;
-	case 0:
-		if (nl_create_conntrack(tmp->h, ct) == -1) {
-			if (errno == ENOMEM) {
+retry:
+	if (nl_create_conntrack(tmp->h, ct) == -1) {
+		if (errno == EEXIST && retry == 1) {
+			ret = nl_destroy_conntrack(tmp->h, ct);
+			if (ret == 0 || (ret == -1 && errno == ENOENT)) {
 				if (retry) {
 					retry = 0;
-					sched_yield();
-					goto try_again;
+					goto retry;
 				}
 			}
-			dlog(LOG_ERR, "commit-create: %s", strerror(errno));
+			dlog(LOG_ERR, "commit-destroy: %s", strerror(errno));
 			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 			tmp->c->stats.commit_fail++;
-		} else
-			tmp->c->stats.commit_ok++;
-		break;
-	case 1:
-		tmp->c->stats.commit_exist++;
-		if (nl_update_conntrack(tmp->h, ct) == -1) {
-			if (errno == ENOMEM || errno == ETIME) {
-				if (retry) {
-					retry = 0;
-					sched_yield();
-					goto try_again;
-				}
-			}
-			/* try harder, delete the entry and retry */
-			if (retry) {
-				ret = nl_destroy_conntrack(tmp->h, ct);
-				if (ret == 0 || 
-				    (ret == -1 && errno == ENOENT)) {
-					retry = 0;
-					goto try_again;
-				}
-				dlog(LOG_ERR, "commit-rm: %s", strerror(errno));
-				dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
-				tmp->c->stats.commit_fail++;
-				break;
-			} 
-			dlog(LOG_ERR, "commit-update: %s", strerror(errno));
+		} else {
+			dlog(LOG_ERR, "commit-create: %s", strerror(errno));
 			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 			tmp->c->stats.commit_fail++;
-		} else
-			tmp->c->stats.commit_ok++;
-		break;
+		}
+	} else {
+		tmp->c->stats.commit_ok++;
 	}
 }
 
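Review bot: the rewritten __do_commit_step no longer retries a create that fails with ENOMEM: the removed lines handled that case with a single sched_yield() and goto try_again, while the new code only retries on EEXIST (after nl_destroy_conntrack) and logs every other create failure straight away as commit-fail. Under memory pressure during a failover commit that turns a transient error into a lost entry, so consider keeping the ENOMEM retry branch next to the EEXIST one. Two smaller points: the inner `if (retry)` test is redundant because the enclosing condition already requires `retry == 1`, and naming the label `retry` the same as the variable is legal C but easy to misread; the old `try_again` label name would be clearer.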
@@ -191,7 +160,6 @@ static int do_commit_master(void *data, struct hashtable_node *n)
 void cache_commit(struct cache *c)
 {
 	unsigned int commit_ok = c->stats.commit_ok;
-	unsigned int commit_exist = c->stats.commit_exist;
 	unsigned int commit_fail = c->stats.commit_fail;
 	struct __commit_container tmp;
 	struct timeval commit_start, commit_stop, res;
@@ -213,14 +181,10 @@ void cache_commit(struct cache *c)
 	/* calculate new entries committed */
 	commit_ok = c->stats.commit_ok - commit_ok;
 	commit_fail = c->stats.commit_fail - commit_fail;
-	commit_exist = c->stats.commit_exist - commit_exist;
 
 	/* log results */
 	dlog(LOG_NOTICE, "Committed %u new entries", commit_ok);
 
-	if (commit_exist)
-		dlog(LOG_NOTICE, "%u entries updated, "
-				 "already exist", commit_exist);
 	if (commit_fail)
 		dlog(LOG_NOTICE, "%u entries can't be "
 				 "committed", commit_fail);

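Review bot: with the "%u entries updated, already exist" message gone, the commit summary no longer tells the operator how many entries were already present in the kernel table, and in the new __do_commit_step those are exactly the entries that get destroyed and recreated with fresh state, which is the more disruptive case. Consider keeping a counter for the EEXIST path so the log still reports how many existing sessions were replaced, alongside the commit_ok and commit_fail lines.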