[ulogd2] NFCT: improve netlink overrun handling

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Wed Jul 22 19:39:43 CEST 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=ulogd2.git;a=commit;h=de30adc389621c49e7b77bfdf550d0b1c0804448
commit de30adc389621c49e7b77bfdf550d0b1c0804448
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Jul 22 19:36:26 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Jul 22 19:36:26 2009 +0200

    NFCT: improve netlink overrun handling
    
    With this patch, we schedule one resynchronization against the
    kernel conntrack table that will occur in two seconds (still
    we need a patch to make this configurable). Before this, we
    scheduled a resynchronization for every overrun, that is very
    bad in a scenario in which overruns occur very frequently.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  de30adc389621c49e7b77bfdf550d0b1c0804448 (commit)
      from  e664524e05ad555cfb0e7851a7cfeb573fcc27b5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit de30adc389621c49e7b77bfdf550d0b1c0804448
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Jul 22 19:36:26 2009 +0200

    NFCT: improve netlink overrun handling
    
    With this patch, we schedule one resynchronization against the
    kernel conntrack table that will occur in two seconds (still
    we need a patch to make this configurable). Before this, we
    scheduled a resynchronization for every overrun, that is very
    bad in a scenario in which overruns occur very frequently.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 input/flow/ulogd_inpflow_NFCT.c |   24 ++++++++++++------------
 1 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index b16687e..deaf887 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -669,8 +669,6 @@ static int read_cb_nfct(int fd, unsigned int what, void *param)
 
 	if (nfct_catch(cpi->cth) == -1) {
 		if (errno == ENOBUFS) {
-			int family = AF_UNSPEC;
-
 			if (nlsockbufmaxsize_ce(upi->config_kset).u.value) {
 				int s = cpi->nlbufsiz * 2;
 				if (setnlbufsiz(upi, s)) {
@@ -689,9 +687,14 @@ static int read_cb_nfct(int fd, unsigned int what, void *param)
 
 			/* internal hash can deal with refresh */
 			if (usehash_ce(upi->config_kset).u.value != 0) {
-				nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
-				/* TODO: configurable retry timer */
-				ulogd_add_timer(&cpi->ov_timer, 2);
+				/* TODO: schedule a resynchronization in
+				 * two seconds, this parameter should be
+				 * configurable via config. Note that we
+				 * don't re-schedule a resync if it's
+				 * already in progress. */
+				if (!ulogd_timer_pending(&cpi->ov_timer)) {
+					ulogd_add_timer(&cpi->ov_timer, 2);
+				}
 			}
 		}
 	}
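Review bot: the new comment in read_cb_nfct says a resync is not re-scheduled "if it's already in progress", but the guard `!ulogd_timer_pending(&cpi->ov_timer)` only covers the two-second wait before the dump is requested. Assuming a timer that has fired no longer counts as pending, an ENOBUFS that arrives after overrun_timeout() has sent NFCT_Q_DUMP, while the dump is still being read, arms another resync. If that is intended, reword the comment to "already scheduled"; if not, a flag that is cleared when the dump completes is needed. The comment also opens with "TODO:" although most of it describes what the code now does, so keep the TODO for the configurable interval only.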
@@ -764,11 +767,10 @@ static int read_cb_ovh(int fd, unsigned int what, void *param)
 	if (nfct_catch(cpi->ovh) == -1) {
 		/* enobufs in the overrun buffer? very rare */
 		if (errno == ENOBUFS) {
-			int family = AF_UNSPEC;
-
-			nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
-			/* TODO: configurable retry timer */
-			ulogd_add_timer(&cpi->ov_timer, 2);
+			/* TODO: configurable resync timer */
+			if (!ulogd_timer_pending(&cpi->ov_timer)) {
+				ulogd_add_timer(&cpi->ov_timer, 2);
+			}
 		}
 	}
 
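Review bot: the guard-and-arm sequence in read_cb_ovh repeats the one added to read_cb_nfct, including the literal 2 in `ulogd_add_timer(&cpi->ov_timer, 2)`. Put it in one small static helper that takes cpi, with the interval as a named constant, so that the configurable interval the TODO asks for is changed in a single place and the two ENOBUFS paths cannot drift apart.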
@@ -824,8 +826,6 @@ static void overrun_timeout(struct ulogd_timer *a, void *data)
 			(struct nfct_pluginstance *)upi->private;
 
 	nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
-	/* TODO: configurable retry timer */
-	ulogd_add_timer(&cpi->ov_timer, 2);
 }
 
 static int constructor_nfct(struct ulogd_pluginstance *upi)
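Review bot: with the re-arm removed, overrun_timeout() is one-shot, and the return value of `nfct_send(cpi->ovh, NFCT_Q_DUMP, &family)` is still ignored. If the dump request fails, nothing schedules another attempt until a further ENOBUFS happens to arrive, so the internal hash can stay out of sync with the kernel table. Check the return value and call ulogd_add_timer() again on failure, or log the error so the missed resync is visible.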