[conntrack-tools] conntrackd: flush operation use the child process and origin infrastructure

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Sat May 23 20:44:54 CEST 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=6f5666a29cb7cbff08ce926ee1edb84a311ff6ee
commit 6f5666a29cb7cbff08ce926ee1edb84a311ff6ee
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat May 23 20:34:41 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat May 23 20:34:41 2009 +0200

    conntrackd: flush operation use the child process and origin infrastructure
    
    With this patch, the flush operation is performed by a child process.
    Thus, the parent process digests destroy events that ctnetlink reports
    back and, thanks to the origin infrastructure, we skip the messy
    implicit synchronization that is triggered by such events.
    
    This patch requires a Linux kernel >= 2.6.29 to benefit from this
    change, otherwise it has no effect.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  6f5666a29cb7cbff08ce926ee1edb84a311ff6ee (commit)
      from  ef047d03613bf9fa105db009773136817e2ec4c6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6f5666a29cb7cbff08ce926ee1edb84a311ff6ee
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sat May 23 20:34:41 2009 +0200

    conntrackd: flush operation use the child process and origin infrastructure
    
    With this patch, the flush operation is performed by a child process.
    Thus, the parent process digests destroy events that ctnetlink reports
    back and, thanks to the origin infrastructure, we skip the messy
    implicit synchronization that are triggered by such events.
    
    This patch requires a Linux kernel >= 2.6.29 to benefit from this
    change, otherwise it has no effect.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 include/origin.h |    1 +
 src/run.c        |   29 +++++++++++++++++++++++++++--
 src/sync-mode.c  |   28 +++++++++++++++++++++++++++-
 3 files changed, 55 insertions(+), 3 deletions(-)
With this patch, the flush operation is performed by a child process.
Thus, the parent process digests destroy events that ctnetlink reports
back and, thanks to the origin infrastructure, we skip the messy
implicit synchronization that are triggered by such events.

This patch requires a Linux kernel >= 2.6.29 to benefit from this
change, otherwise it has no effect.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/include/origin.h b/include/origin.h
index b2d1823..89308f3 100644
--- a/include/origin.h
+++ b/include/origin.h
@@ -5,6 +5,7 @@ enum {
 	CTD_ORIGIN_NOT_ME = 0,		/* this event comes from the kernel or
 					   any process, but not conntrackd */
 	CTD_ORIGIN_COMMIT,		/* event comes from committer */
+	CTD_ORIGIN_FLUSH,		/* event comes from flush */
 };
 
 int origin_register(struct nfct_handle *h, int origin_type);
diff --git a/src/run.c b/src/run.c
index e54764c..990b202 100644
--- a/src/run.c
+++ b/src/run.c
@@ -181,6 +181,13 @@ static void dump_stats_runtime(int fd)
 	send(fd, buf, size, 0);
 }
 
+static void flush_done_cb(void *data)
+{
+	struct nfct_handle *h = data;
+	origin_unregister(h);
+	nfct_close(h);
+}
+
 void local_handler(int fd, void *data)
 {
 	int ret;
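Review bot: flush_done_cb() lands here without a comment, while the byte-identical copy added to src/sync-mode.c carries one; since both are static and the same, a single shared definition (exported alongside origin_register() in include/origin.h, or next to fork_process_new()) would avoid maintaining the pair. Wherever it ends up, document the ownership it implies: `/* parent-side cleanup, run once the flusher child has exited: drop the origin registration and close the disposable handle it was given */`. That it runs in the parent is inferred from fork_process_new() taking it as a completion callback; confirm against fork_process_new()'s implementation before committing to that wording. The hunk ends inside local_handler(), whose body continues in the next hunk.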
@@ -195,11 +202,29 @@ void local_handler(int fd, void *data)
 		return;
 
 	switch(type) {
-	case FLUSH_MASTER:
+	case FLUSH_MASTER: {
+		struct nfct_handle *h;
+
+		/* disposable flusher handler */
+		h = nfct_open(CONNTRACK, 0);
+		if (h == NULL) {
+			dlog(LOG_ERR, "cannot open flusher handler");
+			return;
+		}
+		/* register this handler as the origin of a flush operation */
+	        origin_register(h, CTD_ORIGIN_FLUSH);
+
 		STATE(stats).nl_kernel_table_flush++;
 		dlog(LOG_NOTICE, "flushing kernel conntrack table");
-		nl_flush_conntrack_table(STATE(request));
+
+		/* fork a child process that performs the flush operation,
+		 * meanwhile the parent process handles events. */
+		if (fork_process_new(flush_done_cb, h) == 0) {
+			nl_flush_conntrack_table(h);
+			exit(EXIT_SUCCESS);
+		}
 		return;
+	}
 	case RESYNC_MASTER:
 		STATE(stats).nl_kernel_table_resync++;
 		dlog(LOG_NOTICE, "resync with master table");
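Review bot: The return value of `origin_register(h, CTD_ORIGIN_FLUSH)` is ignored, so if registration fails the flusher's destroy events are not attributed to the flush and the parent handles them as CTD_ORIGIN_NOT_ME, which is exactly the implicit synchronization this change sets out to avoid (origin.h declares it as returning int; I assume the usual negative-on-failure convention). On the parent side, when fork_process_new() fails (presumably -1, since it wraps fork()) the `== 0` test takes the parent path and returns without releasing the handle, leaking the nfct socket and leaving a stale origin registered. The child also exits with EXIT_SUCCESS regardless of what nl_flush_conntrack_table() returns, so a failed flush is indistinguishable from a successful one to whoever reaps it. The same three points apply to do_reset_cache_alarm() in the src/sync-mode.c hunk; the `origin_register` line here is additionally indented with a tab plus spaces unlike its neighbours. local_handler() continues beyond the end of the hunk.
```c
	case FLUSH_MASTER: {
		struct nfct_handle *h;
		int pid;

		/* … unchanged: nfct_open() and its NULL check … */

		/* register this handler as the origin of a flush operation;
		 * without it the flusher's destroy events look like
		 * CTD_ORIGIN_NOT_ME and trigger the implicit synchronization */
		if (origin_register(h, CTD_ORIGIN_FLUSH) < 0) {
			dlog(LOG_ERR, "cannot register flusher handler as origin");
			nfct_close(h);
			return;
		}

		/* … unchanged: stats counter and LOG_NOTICE message … */

		/* fork a child process that performs the flush operation,
		 * meanwhile the parent process handles events. */
		pid = fork_process_new(flush_done_cb, h);
		if (pid == 0) {
			/* child: report the outcome of the flush via exit status */
			if (nl_flush_conntrack_table(h) < 0)
				exit(EXIT_FAILURE);
			exit(EXIT_SUCCESS);
		}
		if (pid < 0) {
			/* parent, fork failed: flush_done_cb() will never run,
			 * so release the origin and the handle here */
			dlog(LOG_ERR, "cannot fork flusher process");
			flush_done_cb(h);
		}
		return;
	}
```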
diff --git a/src/sync-mode.c b/src/sync-mode.c
index 91e028e..a0ba830 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -203,11 +203,37 @@ static void interface_handler(void)
 		interface_candidate();
 }
 
+/* this is called once the flusher process has finished */
+static void flush_done_cb(void *data)
+{
+	struct nfct_handle *h = data;
+	origin_unregister(h);
+	nfct_close(h);
+}
+
 static void do_reset_cache_alarm(struct alarm_block *a, void *data)
 {
+	struct nfct_handle *h;
+
+	/* disposable flusher handler */
+	h = nfct_open(CONNTRACK, 0);
+	if (h == NULL) {
+		dlog(LOG_ERR, "cannot open flusher handler");
+		return;
+	}
+	/* register this handler as the origin of a flush operation */
+	origin_register(h, CTD_ORIGIN_FLUSH);
+
 	STATE(stats).nl_kernel_table_flush++;
 	dlog(LOG_NOTICE, "flushing kernel conntrack table (scheduled)");
-	nl_flush_conntrack_table(STATE(request));
+
+	/* fork a child process that performs the flush operation,
+	 * meanwhile the parent process handles events. */
+	if (fork_process_new(flush_done_cb, h) == 0) {
+		nl_flush_conntrack_table(h);
+		exit(EXIT_SUCCESS);
+	}
+	/* this is not required if events don't get lost */
 	cache_flush(STATE_SYNC(internal));
 }
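Review bot: `cache_flush(STATE_SYNC(internal))` now runs in the parent immediately after the fork, i.e. before the child's kernel flush has completed, and it also runs when fork_process_new() fails; the comment `/* this is not required if events don't get lost */` does not say whether that ordering is intended. If the internal cache is meant to be emptied regardless of the child's outcome, make the comment say so, e.g. `/* empty the internal cache now rather than waiting for the flusher child; its destroy events are attributed to CTD_ORIGIN_FLUSH */`, adjusted to whatever the event path actually does with that origin, which this hunk does not show. do_reset_cache_alarm() is contained entirely within the hunk.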
 


