[ulogd2] NFCT: fix reset counters via SIGUSR2 signal

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Sun Jan 17 22:24:52 CET 2010


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=ulogd2.git;a=commit;h=ead3e460478c9b085227a4380f38d6bf1d39836d
commit ead3e460478c9b085227a4380f38d6bf1d39836d
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Jan 13 11:39:18 2010 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 17 22:23:18 2010 +0100

    NFCT: fix reset counters via SIGUSR2 signal
    
    This patch fixes a feature that allows forcing the logging of
    the existing entries and resetting the counters.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit eda8f99726e6b27b9ebefe7bbd68de0c64aaabfb
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Jan 12 16:31:00 2010 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 17 22:23:18 2010 +0100

    NFCT: fix number of options (missing one)
    
    This patch fixes the number of options in NFCT that is
    actually 8, not 7.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 1eb7fbc09ada511d1dcdfbe7d493068773dfd7f9
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Jan 12 16:21:50 2010 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 17 22:23:17 2010 +0100

    NFCT: split event handler if hashtable is used or not
    
    This patch splits event_handler into two functions:
    event_handler_hashtable and event_handler_no_hashtable.
    Thus, we register the appropriate handler at initialization
    time. This patch is a cleanup.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit ec9983fa23bc2e5a9c4bdf06c533c5e8ae483ade
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Jan 11 19:15:49 2010 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 17 22:23:17 2010 +0100

    NFCT: use new hashtable implementation for better performance
    
    This patch replaces the existing hashtable implementation with
    a newer one that provides better performance, since it reduces
    the number of hash computations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 1f50a6a2d5a4ede3505f9298b25fc3e081cbc443
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Jan 11 17:38:22 2010 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Jan 17 22:23:16 2010 +0100

    NFCT: change `pollinterval' behaviour
    
    This patch adds support for poll-based logging. Basically,
    ulogd polls from the kernel periodically to log entries. You
    can use the `pollinterval' option in the configuration file to
    set the polling period.
    
    This patch changes the current behaviour of `pollinterval',
    which allowed mixing event-driven logging with periodic
    polling from the kernel. I have tried to look for anyone on
    Google (and asked Eric Leblond) using this feature, but I
    found no one.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit df78c5c6863c7f68ef7a089e26dab22540f3f015
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Jan 10 21:39:48 2010 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Jan 11 17:32:08 2010 +0100

    NFCT: cleanup constructor and destructor functions
    
    This patch cleans up the constructor and the destructor functions
    in the NFCT plugin. I know, this patch isn't easy to review
    because it includes too many changes in one.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  ead3e460478c9b085227a4380f38d6bf1d39836d (commit)
       via  eda8f99726e6b27b9ebefe7bbd68de0c64aaabfb (commit)
       via  1eb7fbc09ada511d1dcdfbe7d493068773dfd7f9 (commit)
       via  ec9983fa23bc2e5a9c4bdf06c533c5e8ae483ade (commit)
       via  1f50a6a2d5a4ede3505f9298b25fc3e081cbc443 (commit)
       via  df78c5c6863c7f68ef7a089e26dab22540f3f015 (commit)
      from  2e4c70c26984c6c844380d1f27a2023900502f9e (commit)


 include/ulogd/hash.h            |   34 ++--
 input/flow/ulogd_inpflow_NFCT.c |  441 ++++++++++++++++++++++++++++++---------
 src/hash.c                      |  168 +++++----------
 ulogd.conf.in                   |    1 +
 4 files changed, 413 insertions(+), 231 deletions(-)
This patch cleans up the constructor and the destructor functions
in the NFCT plugin. I know, this patch isn't easy to review
because it includes too many changes in one.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 8d6347f..5f42523 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -3,7 +3,7 @@
  * ulogd input plugin for ctnetlink
  *
  * (C) 2005 by Harald Welte <laforge at netfilter.org>
- * (C) 2008 by Pablo Neira Ayuso <pablo at netfilter.org>
+ * (C) 2008-2010 by Pablo Neira Ayuso <pablo at netfilter.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2
@@ -852,7 +852,7 @@ static int constructor_nfct(struct ulogd_pluginstance *upi)
 			     eventmask_ce(upi->config_kset).u.value);
 	if (!cpi->cth) {
 		ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
-		return -1;
+		goto err_cth;
 	}
 
 	nfct_callback_register(cpi->cth, NFCT_T_ALL, &event_handler, upi);
@@ -863,25 +863,6 @@ static int constructor_nfct(struct ulogd_pluginstance *upi)
 					"set to %d\n", cpi->nlbufsiz);
 	}
 
-	if (usehash_ce(upi->config_kset).u.value != 0) {
-		cpi->ovh = nfct_open(NFNL_SUBSYS_CTNETLINK, 0);
-		if (!cpi->ovh) {
-			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
-			return -1;
-		}
-
-		nfct_callback_register(cpi->ovh, NFCT_T_ALL,
-				       &overrun_handler, upi);
-	}
-
-	cpi->pgh = nfct_open(NFNL_SUBSYS_CTNETLINK, 0);
-	if (!cpi->pgh) {
-		ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
-		return -1;
-	}
-
-	ulogd_init_timer(&cpi->ov_timer, upi, overrun_timeout);
-
 	cpi->nfct_fd.fd = nfct_fd(cpi->cth);
 	cpi->nfct_fd.cb = &read_cb_nfct;
 	cpi->nfct_fd.data = cpi;
@@ -890,13 +871,10 @@ static int constructor_nfct(struct ulogd_pluginstance *upi)
 	ulogd_register_fd(&cpi->nfct_fd);
 
 	if (usehash_ce(upi->config_kset).u.value != 0) {
-		cpi->nfct_ov.fd = nfct_fd(cpi->ovh);
-		cpi->nfct_ov.cb = &read_cb_ovh;
-		cpi->nfct_ov.data = cpi;
-		cpi->nfct_ov.when = ULOGD_FD_READ;
-
-		ulogd_register_fd(&cpi->nfct_ov);
+		int family = AF_UNSPEC;
+		struct nfct_handle *h;
 
+		/* we use a hashtable to cache entries in userspace. */
 		cpi->ct_active =
 		     hashtable_create(buckets_ce(upi->config_kset).u.value,
 				      maxentries_ce(upi->config_kset).u.value,
@@ -905,14 +883,62 @@ static int constructor_nfct(struct ulogd_pluginstance *upi)
 				      compare);
 		if (!cpi->ct_active) {
 			ulogd_log(ULOGD_FATAL, "error allocating hash\n");
-			nfct_close(cpi->cth);
-			nfct_close(cpi->ovh);
-			nfct_close(cpi->pgh);
-			return -1;
+			goto err_hashtable;
+		}
+
+		/* populate the hashtable: we use a disposable handler, we
+		 * may hit overrun if we use cpi->cth. This ensures that the
+		 * initial dump is successful. */
+		h = nfct_open(CONNTRACK, 0);
+		if (!h) {
+			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+			goto err_ovh;
+		}
+		nfct_callback_register(cpi->cth, NFCT_T_ALL,
+				       &event_handler, upi);
+		nfct_query(h, NFCT_Q_DUMP, &family);
+		nfct_close(h);
+
+		/* the overrun handler only make sense with the hashtable,
+		 * if we hit overrun, we resync with ther kernel table. */
+		cpi->ovh = nfct_open(NFNL_SUBSYS_CTNETLINK, 0);
+		if (!cpi->ovh) {
+			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+			goto err_ovh;
+		}
+
+		nfct_callback_register(cpi->ovh, NFCT_T_ALL,
+				       &overrun_handler, upi);
+
+		ulogd_init_timer(&cpi->ov_timer, upi, overrun_timeout);
+
+		cpi->nfct_ov.fd = nfct_fd(cpi->ovh);
+		cpi->nfct_ov.cb = &read_cb_ovh;
+		cpi->nfct_ov.data = cpi;
+		cpi->nfct_ov.when = ULOGD_FD_READ;
+
+		ulogd_register_fd(&cpi->nfct_ov);
+
+		/* we use this to purge old entries during overruns.*/
+		cpi->pgh = nfct_open(NFNL_SUBSYS_CTNETLINK, 0);
+		if (!cpi->pgh) {
+			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+			goto err_pgh;
 		}
 	}
 
 	return 0;
+
+err_pgh:
+	ulogd_unregister_fd(&cpi->nfct_ov);
+	nfct_close(cpi->ovh);
+err_ovh:
+	hashtable_destroy(cpi->ct_active);
+err_hashtable:
+	ulogd_unregister_fd(&cpi->nfct_fd);
+	nfct_close(cpi->cth);
+err_cth:
+	return -1;
 }
 
 static int destructor_nfct(struct ulogd_pluginstance *pi)
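Review bot: the populate step registers its callback on the wrong handle. `nfct_callback_register(cpi->cth, NFCT_T_ALL, &event_handler, upi);` in the new block binds `event_handler` to `cpi->cth`, which already had exactly that callback registered in the earlier hunk, while the dump is issued on the disposable handle with `nfct_query(h, NFCT_Q_DUMP, &family);`. Nothing is attached to `h`, so the initial dump cannot populate `cpi->ct_active`; this should read `nfct_callback_register(h, NFCT_T_ALL, &event_handler, upi);`. Two smaller points in the same block: the return value of `nfct_query()` is ignored, so a failed dump (the overrun case the comment itself anticipates) leaves the cache silently incomplete, and `h` is opened with `CONNTRACK` while every other `nfct_open()` in the file uses `NFNL_SUBSYS_CTNETLINK`. Finally, the `err_ovh` label calls `hashtable_destroy(cpi->ct_active)` without the `hashtable_iterate(cpi->ct_active, NULL, do_free)` that the destructor performs first, so if the dump did fill the table before `nfct_open()` for `cpi->ovh` fails, its entries leak.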
@@ -920,12 +946,7 @@ static int destructor_nfct(struct ulogd_pluginstance *pi)
 	struct nfct_pluginstance *cpi = (void *) pi->private;
 	int rc;
 
-	/* free existent entries */
-	hashtable_iterate(cpi->ct_active, NULL, do_free);
-
-	hashtable_destroy(cpi->ct_active);
-
-	ulogd_del_timer(&cpi->ov_timer);
+	ulogd_unregister_fd(&cpi->nfct_fd);
 
 	rc = nfct_close(cpi->cth);
 	if (rc < 0)
@@ -933,15 +954,20 @@ static int destructor_nfct(struct ulogd_pluginstance *pi)
 
 
 	if (usehash_ce(pi->config_kset).u.value != 0) {
+		ulogd_del_timer(&cpi->ov_timer);
+		ulogd_unregister_fd(&cpi->nfct_ov);
+
 		rc = nfct_close(cpi->ovh);
 		if (rc < 0)
 			return rc;
-	}
 
-	rc = nfct_close(cpi->pgh);
-	if (rc < 0)
-		return rc;
+		rc = nfct_close(cpi->pgh);
+		if (rc < 0)
+			return rc;
 
+		hashtable_iterate(cpi->ct_active, NULL, do_free);
+		hashtable_destroy(cpi->ct_active);
+	}
 	return 0;
 }
 
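Review bot: the early returns in this branch abort teardown halfway. If `rc = nfct_close(cpi->ovh);` fails, `return rc;` skips closing `cpi->pgh` and freeing `cpi->ct_active`; likewise a failing `nfct_close(cpi->pgh)` skips the `hashtable_iterate(cpi->ct_active, NULL, do_free);` / `hashtable_destroy(cpi->ct_active);` pair, and by then `ulogd_del_timer` and `ulogd_unregister_fd` have already run, so the instance is left with open netlink handles and a leaked table. A destructor should release everything it owns and report the error afterwards: save the first failing `rc`, continue with the remaining closes and the hashtable teardown, and return the saved value at the end. Releasing in reverse acquisition order (pgh, nfct_ov, timer, ovh, hashtable, then cth) would also mirror the constructor's `err_pgh`/`err_ovh`/`err_hashtable` ladder and make the two paths easier to audit side by side.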


