[conntrack-tools] CLI: add new option --buffer-size for -E
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Tue Jul 29 17:53:29 CEST 2008
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=21aabc2c4248d389fbf18a9110443371cc678b53
commit 21aabc2c4248d389fbf18a9110443371cc678b53
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Jul 29 17:53:18 2008 +0200
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Jul 29 17:53:18 2008 +0200
CLI: add new option --buffer-size for -E
Add new option --buffer-size for -E to set the netlink socket buffer
size.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
via 21aabc2c4248d389fbf18a9110443371cc678b53 (commit)
from b0a327b7a8fda0ebe936839235394de03b520f5e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 21aabc2c4248d389fbf18a9110443371cc678b53
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Tue Jul 29 17:53:18 2008 +0200
CLI: add new option --buffer-size for -E
Add new option --buffer-size for -E to set the netlink socket buffer
size.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
conntrack.8 | 10 ++++++++
include/conntrack.h | 5 +++-
src/conntrack.c | 61 ++++++++++++++++++++++++++++++++++++---------------
3 files changed, 57 insertions(+), 19 deletions(-)
Add new option --buffer-size for -E to set the netlink socket buffer
size.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
diff --git a/conntrack.8 b/conntrack.8
index 7c4a168..bfb2de0 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -82,6 +82,16 @@ event code. Using this parameter, you can reduce the event messages generated
by the kernel to those types to those that you are actually interested in.
.
This option can only be used in conjunction with "-E, --event".
+.BI "-b, --buffer-size " "value (in bytes)"
+Set the Netlink socket buffer size. This option is useful if the command line
+tool reports ENOBUFS errors. If you do not pass this option, the default value
+available at /proc/sys/net/core/rmem_default is used. The tool reports this
+problem if your process is too slow to handle all the event messages or, in
+other words, if the amount of events are big enough to overrun the socket
+buffer. Note that using a big buffer reduces the chances to hit ENOBUFS,
+however, this results in more memory consumption.
+.
+This option can only be used in conjunction with "-E, --event".
.SS FILTER PARAMETERS
.TP
.BI "-s, --orig-src " IP_ADDRESS
diff --git a/include/conntrack.h b/include/conntrack.h
index dc30c13..e8059c8 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -132,8 +132,11 @@ enum options {
CT_OPT_SECMARK_BIT = 20,
CT_OPT_SECMARK = (1 << CT_OPT_SECMARK_BIT),
+
+ CT_OPT_BUFFERSIZE_BIT = 21,
+ CT_OPT_BUFFERSIZE = (1 << CT_OPT_BUFFERSIZE_BIT),
- CT_OPT_MAX = CT_OPT_SECMARK_BIT
+ CT_OPT_MAX = CT_OPT_BUFFERSIZE_BIT
};
#define NUMBER_OF_OPT CT_OPT_MAX+1
diff --git a/src/conntrack.c b/src/conntrack.c
index 1ee98e3..7400c1b 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -64,7 +64,7 @@ static const char cmd_need_param[NUMBER_OF_CMD]
static const char *optflags[NUMBER_OF_OPT] = {
"src","dst","reply-src","reply-dst","protonum","timeout","status","zero",
"event-mask","tuple-src","tuple-dst","mask-src","mask-dst","nat-range","mark",
-"id","family","src-nat","dst-nat","output","secmark"};
+"id","family","src-nat","dst-nat","output","secmark","buffersize"};
static struct option original_opts[] = {
{"dump", 2, 0, 'L'},
@@ -99,6 +99,7 @@ static struct option original_opts[] = {
{"src-nat", 2, 0, 'n'},
{"dst-nat", 2, 0, 'g'},
{"output", 1, 0, 'o'},
+ {"buffer-size", 1, 0, 'b'},
{0, 0, 0, 0}
};
@@ -120,22 +121,22 @@ static unsigned int global_option_offset = 0;
static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
- /* s d r q p t u z e [ ] { } a m i f n g o c */
-/*CT_LIST*/ {2,2,2,2,2,0,2,2,0,0,0,0,0,0,2,0,2,2,2,2,2},
-/*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0,0},
-/*CT_UPDATE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0},
-/*CT_DELETE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0},
-/*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0},
-/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2,2},
-/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*HELP*/ {0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0},
-/*EXP_CREATE*/{1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0,0,0,0,0},
-/*EXP_DELETE*/{1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_GET*/ {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+ /* s d r q p t u z e [ ] { } a m i f n g o c b*/
+/*CT_LIST*/ {2,2,2,2,2,0,2,2,0,0,0,0,0,0,2,0,2,2,2,2,2,0},
+/*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0,0,0},
+/*CT_UPDATE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0,0},
+/*CT_DELETE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0,0},
+/*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0,0},
+/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2,2,2},
+/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*HELP*/ {0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0},
+/*EXP_CREATE*/{1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0},
+/*EXP_DELETE*/{1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_GET*/ {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
};
static LIST_HEAD(proto_list);
@@ -540,6 +541,7 @@ static const char usage_parameters[] =
" -f, --family proto\t\tLayer 3 Protocol, eg. 'ipv6'\n"
" -t, --timeout timeout\t\tSet timeout\n"
" -u, --status status\t\tSet status, eg. ASSURED\n"
+ " -b, --buffer-size\t\tNetlink socket buffer size\n"
;
@@ -907,6 +909,7 @@ int main(int argc, char *argv[])
int c, cmd;
unsigned int type = 0, event_mask = 0, l4flags = 0, status = 0;
int res = 0;
+ size_t socketbuffersize = 0;
int family = AF_UNSPEC;
char __obj[nfct_maxsize()];
char __exptuple[nfct_maxsize()];
@@ -933,7 +936,7 @@ int main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "L::I::U::D::G::E::F::hVs:d:r:q:"
"p:t:u:e:a:z[:]:{:}:m:i:f:o:n::"
- "g::c:",
+ "g::c:b:",
opts, NULL)) != -1) {
switch(c) {
/* commands */
@@ -1105,6 +1108,10 @@ int main(int argc, char *argv[])
"`%s' unsupported protocol",
optarg);
break;
+ case 'b':
+ socketbuffersize = atol(optarg);
+ options |= CT_OPT_BUFFERSIZE;
+ break;
default:
if (h && h->parse_opts
&&!h->parse_opts(c - h->option_offset, obj,
@@ -1297,10 +1304,28 @@ int main(int argc, char *argv[])
if (!cth)
exit_error(OTHER_PROBLEM, "Can't open handler");
+
+ if (options & CT_OPT_BUFFERSIZE) {
+ size_t ret;
+ ret = nfnl_rcvbufsiz(nfct_nfnlh(cth), socketbuffersize);
+ fprintf(stderr, "NOTICE: Netlink socket buffer size "
+ "has been set to %u bytes.\n", ret);
+ }
signal(SIGINT, event_sighandler);
signal(SIGTERM, event_sighandler);
nfct_callback_register(cth, NFCT_T_ALL, event_cb, obj);
res = nfct_catch(cth);
+ if (res == -1) {
+ if (errno == ENOBUFS) {
+ fprintf(stderr,
+ "WARNING: We have hit ENOBUFS! We "
+ "are losing events.\nThis message "
+ "means that the current netlink "
+ "socket buffer size is too small.\n"
+ "Please, check --buffer-size in "
+ "conntrack(8) manpage.\n");
+ }
+ }
nfct_close(cth);
break;
More information about the netfilter-cvslog
mailing list