[conntrack-tools] conntrackd: add alive control messages to notrack mode

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Wed Sep 23 18:15:17 CEST 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=84ebcb1c96cd84d6d09f0b3fe534b9a0c5a120d8
commit 84ebcb1c96cd84d6d09f0b3fe534b9a0c5a120d8
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Sep 23 18:14:09 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Sep 23 18:14:09 2009 +0200

    conntrackd: add alive control messages to notrack mode
    
    This patch adds the alive control message to the notrack mode.
    This helps to diagnose problems in the synchronization and
    the state of the channel, specifically for TCP-based channels.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 6360f319362fd13c86c3387a4bac57665d5ecd73
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Sep 23 18:12:37 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Sep 23 18:12:37 2009 +0200

    conntrackd: add retention queue for TCP errors
    
    Under stress, the TCP stack may return EAGAIN if there is not
    space left in the sender buffer. We also enqueue any other
    error.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 90bbd8b34565ff5106dde34e0798c5e33fb4b786
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Sep 23 17:58:19 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Sep 23 17:58:19 2009 +0200

    conntrackd: rate-limit the amount of connect() calls
    
    This patch rate-limits the amount of connect() calls to avoid
    syn-floods when the other peer is not connected and we are
    generating updates.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  84ebcb1c96cd84d6d09f0b3fe534b9a0c5a120d8 (commit)
       via  6360f319362fd13c86c3387a4bac57665d5ecd73 (commit)
       via  90bbd8b34565ff5106dde34e0798c5e33fb4b786 (commit)
      from  b52b2712e51172b0c03d3ed25a8f6377d81e51e9 (commit)
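The third commit above throttles connect() so that a stream of updates toward a peer that is down does not turn into a burst of SYNs. The block below is an added example, not conntrack-tools code: it shows the same idea with a caller-supplied timestamp instead of conntrackd's alarm framework, uses an assumed minimum interval of one second, and tags refused attempts with errno = EAGAIN so the caller can tell a throttled attempt from a genuinely failed connect(). The send timestamps it replays are constructed sample data.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Minimum spacing between connect() attempts, in seconds (assumed value,
 * mirroring the one-second interval used in the commit above). */
#define CONNECT_MIN_INTERVAL 1

struct connect_limiter {
    bool armed;              /* true once a first attempt has been recorded */
    time_t last_attempt;     /* second of the last permitted attempt */
    unsigned long attempts;  /* connect() calls that were allowed through */
    unsigned long throttled; /* send attempts refused by the limiter */
};

void limiter_init(struct connect_limiter *l)
{
    l->armed = false;
    l->last_attempt = 0;
    l->attempts = 0;
    l->throttled = 0;
}

/* Decide whether a connect() may be issued at time `now`.  A refused attempt
 * sets errno = EAGAIN so the caller can distinguish "throttled, retry later"
 * from a connect() that actually failed. */
bool limiter_allow(struct connect_limiter *l, time_t now)
{
    if (l->armed && now - l->last_attempt < CONNECT_MIN_INTERVAL) {
        l->throttled++;
        errno = EAGAIN;
        return false;
    }
    l->armed = true;
    l->last_attempt = now;
    l->attempts++;
    return true;
}

/* Replay a burst of send attempts made while the peer is down: `when[i]` is
 * the second at which send i happened.  Returns how many connect() calls the
 * limiter would have let through. */
unsigned long simulate_burst(struct connect_limiter *l,
                             const time_t *when, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (!limiter_allow(l, when[i])) {
            /* Real code would queue the update here; errno is EAGAIN. */
            continue;
        }
        /* Real code would call connect() here. */
    }
    return l->attempts;
}

/* Constructed sample: nine sends spread over four distinct seconds while the
 * peer never answers.  Only the first send in each second may connect(). */
static const time_t EXAMPLE_SENDS[] = { 0, 0, 0, 0, 1, 1, 2, 5, 5 };
#define EXAMPLE_SENDS_N (sizeof(EXAMPLE_SENDS) / sizeof(EXAMPLE_SENDS[0]))

unsigned long example_connect_attempts(void)
{
    struct connect_limiter l;
    limiter_init(&l);
    return simulate_burst(&l, EXAMPLE_SENDS, EXAMPLE_SENDS_N);
}

unsigned long example_throttled_sends(void)
{
    struct connect_limiter l;
    limiter_init(&l);
    simulate_burst(&l, EXAMPLE_SENDS, EXAMPLE_SENDS_N);
    return l.throttled;
}

int main(void)
{
    printf("connect() attempts: %lu, throttled sends: %lu\n",
           example_connect_attempts(), example_throttled_sends());
    return 0;
}
```

With the sample above, nine sends produce four connect() calls and five throttled sends; the counters are what a monitoring hook would export to see how often the peer is unreachable.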


 include/channel.h     |    6 ++-
 include/conntrackd.h  |    3 +
 include/queue.h       |    3 +-
 src/channel.c         |  119 +++++++++++++++++++++++++++++++++++++++++++++++--
 src/read_config_lex.l |    1 +
 src/read_config_yy.y  |   18 ++++++-
 src/sync-mode.c       |    5 ++-
 src/sync-notrack.c    |   39 ++++++++++++++++
 src/tcp.c             |   14 ++++++
 9 files changed, 197 insertions(+), 11 deletions(-)
This patch rate-limits the amount of connect() calls to avoid
syn-floods when the other peer is not connected and we are
generating updates.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/src/tcp.c b/src/tcp.c
index ce2cd6f..c551c54 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -224,6 +224,10 @@ tcp_client_init(struct tcp_sock *m, struct tcp_conf *c)
 	return 0;
 }
 
+/* We use this to rate-limit the amount of connect() calls per second. */
+static struct alarm_block tcp_connect_alarm;
+static void tcp_connect_alarm_cb(struct alarm_block *a, void *data) {}
+
 struct tcp_sock *tcp_client_create(struct tcp_conf *c)
 {
 	struct tcp_sock *m;
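Review bot: `tcp_connect_alarm` and `tcp_connect_alarm_cb` are file-scope statics, so the rate limit is shared by every socket that tcp_client_create() returns rather than being per peer; if more than one TCP client channel exists, an attempt on one will throttle connect() on the others. Consider making the alarm a member of `struct tcp_sock`. The empty `tcp_connect_alarm_cb` also deserves a comment saying the alarm is used only as a pending/not-pending marker, since a reader will otherwise look for the work it is meant to do.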
@@ -239,6 +243,8 @@ struct tcp_sock *tcp_client_create(struct tcp_conf *c)
 		return NULL;
 	}
 
+	init_alarm(&tcp_connect_alarm, NULL, tcp_connect_alarm_cb);
+
 	return m;
 }
 
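Review bot: `init_alarm(&tcp_connect_alarm, NULL, tcp_connect_alarm_cb)` runs on every tcp_client_create() call, so creating a second client socket re-initialises an alarm that may already be pending from the first. With a single shared alarm this should run once (or move together with the alarm into the per-socket structure so each client owns its own).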
@@ -286,12 +292,20 @@ int tcp_accept(struct tcp_sock *m)
 	return m->client_fd;
 }
 
+#define TCP_CONNECT_TIMEOUT	1
+
 ssize_t tcp_send(struct tcp_sock *m, const void *data, int size)
 {
 	ssize_t ret = 0;
 
 	switch(m->state) {
 	case TCP_CLIENT_DISCONNECTED:
+		/* We rate-limit the amount of connect() calls. */
+		if (alarm_pending(&tcp_connect_alarm)) {
+			ret = -1;
+			break;
+		}
+		add_alarm(&tcp_connect_alarm, TCP_CONNECT_TIMEOUT, 0);
 		ret = connect(m->fd, (struct sockaddr *)&m->addr,
 			      m->sockaddr_len);
 		if (ret == -1) {
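Review bot: in the throttled path (`ret = -1; break;`) errno is left with whatever value the previous call set, so a caller that inspects errno after tcp_send() returns -1 cannot tell a rate-limited attempt from a connect() that failed; set errno explicitly (e.g. `errno = EAGAIN;`) before the break, and document that -1 here means "throttled, retry later". `TCP_CONNECT_TIMEOUT` is also the minimum spacing between connect() calls in seconds as passed to `add_alarm(&tcp_connect_alarm, TCP_CONNECT_TIMEOUT, 0)`, not a timeout, so a name such as TCP_CONNECT_INTERVAL would read more accurately.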


