Google Git
Sign in
nest-open-source / manifest_repos / conntrack-tools / refs/heads/main / . / src / ctnl.c
blob: 10b5f4cdf0c93033384cbe25873af35ec25015b6 [file] [log] [blame]
/*
* (C) 2006-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
* Part of this code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
*/
#include "conntrackd.h"
#include "netlink.h"
#include "filter.h"
#include "log.h"
#include "alarm.h"
#include "fds.h"
#include "traffic_stats.h"
#include "process.h"
#include "origin.h"
#include "date.h"
#include "internal.h"
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
void ctnl_kill(void)
{
if (!(CONFIG(flags) & CTD_POLL))
nfct_close(STATE(event));
nfct_close(STATE(resync));
nfct_close(STATE(get));
origin_unregister(STATE(flush));
nfct_close(STATE(flush));
if (STATE(us_filter))
ct_filter_destroy(STATE(us_filter));
STATE(mode)->kill();
if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
nfct_close(STATE(dump));
}
}
static void local_flush_master(void)
{
STATE(stats).nl_kernel_table_flush++;
dlog(LOG_NOTICE, "flushing kernel conntrack table");
/* fork a child process that performs the flush operation,
* meanwhile the parent process handles events. */
if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL,
NULL, NULL) == 0) {
nl_flush_conntrack_table_selective();
exit(EXIT_SUCCESS);
}
}
static void local_resync_master(void)
{
if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
STATE(stats).nl_kernel_table_resync++;
dlog(LOG_NOTICE, "resync with master conntrack table");
nl_dump_conntrack_table(STATE(dump));
} else {
dlog(LOG_NOTICE, "resync is unsupported in this mode");
}
}
static void local_exp_flush_master(void)
{
if (!(CONFIG(flags) & CTD_EXPECT))
return;
STATE(stats).nl_kernel_table_flush++;
dlog(LOG_NOTICE, "flushing kernel expect table");
/* fork a child process that performs the flush operation,
* meanwhile the parent process handles events. */
if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL,
NULL, NULL) == 0) {
nl_flush_expect_table(STATE(flush));
exit(EXIT_SUCCESS);
}
}
static void local_exp_resync_master(void)
{
if (!(CONFIG(flags) & CTD_EXPECT))
return;
if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
STATE(stats).nl_kernel_table_resync++;
dlog(LOG_NOTICE, "resync with master expect table");
nl_dump_expect_table(STATE(dump));
} else {
dlog(LOG_NOTICE, "resync is unsupported in this mode");
}
}
int ctnl_local(int fd, int type, void *data)
{
int ret = LOCAL_RET_OK;
switch(type) {
case CT_FLUSH_MASTER:
local_flush_master();
break;
case CT_RESYNC_MASTER:
local_resync_master();
break;
case EXP_FLUSH_MASTER:
local_exp_flush_master();
break;
case EXP_RESYNC_MASTER:
local_exp_resync_master();
break;
case ALL_FLUSH_MASTER:
local_flush_master();
local_exp_flush_master();
break;
case ALL_RESYNC_MASTER:
local_resync_master();
local_exp_resync_master();
break;
}
ret = STATE(mode)->local(fd, type, data);
if (ret == LOCAL_RET_ERROR) {
STATE(stats).local_unknown_request++;
return LOCAL_RET_ERROR;
}
return ret;
}
static void do_overrun_resync_alarm(struct alarm_block *a, void *data)
{
nl_send_resync(STATE(resync));
STATE(stats).nl_kernel_table_resync++;
}
static void do_polling_alarm(struct alarm_block *a, void *data)
{
if (STATE(mode)->internal->ct.purge)
STATE(mode)->internal->ct.purge();
if (STATE(mode)->internal->exp.purge)
STATE(mode)->internal->exp.purge();
nl_send_resync(STATE(resync));
if (CONFIG(flags) & CTD_EXPECT)
nl_send_expect_resync(STATE(resync));
add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0);
}
static int event_handler(const struct nlmsghdr *nlh,
enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
int origin_type;
STATE(stats).nl_events_received++;
/* skip user-space filtering if already do it in the kernel */
if (ct_filter_conntrack(ct, !CONFIG(filter_from_kernelspace))) {
STATE(stats).nl_events_filtered++;
goto out;
}
origin_type = origin_find(nlh);
switch(type) {
case NFCT_T_NEW:
STATE(mode)->internal->ct.new(ct, origin_type);
break;
case NFCT_T_UPDATE:
STATE(mode)->internal->ct.upd(ct, origin_type);
break;
case NFCT_T_DESTROY:
if (STATE(mode)->internal->ct.del(ct, origin_type))
update_traffic_stats(ct);
break;
default:
STATE(stats).nl_events_unknown_type++;
break;
}
out:
/* we reset the iteration limiter in the main select loop. */
if (STATE(event_iterations_limit)-- <= 0)
return NFCT_CB_STOP;
else
return NFCT_CB_CONTINUE;
}
static int exp_event_handler(const struct nlmsghdr *nlh,
enum nf_conntrack_msg_type type,
struct nf_expect *exp,
void *data)
{
int origin_type;
const struct nf_conntrack *master =
nfexp_get_attr(exp, ATTR_EXP_MASTER);
STATE(stats).nl_events_received++;
if (!exp_filter_find(STATE(exp_filter), exp)) {
STATE(stats).nl_events_filtered++;
goto out;
}
if (ct_filter_master(master))
return NFCT_CB_CONTINUE;
origin_type = origin_find(nlh);
switch(type) {
case NFCT_T_NEW:
STATE(mode)->internal->exp.new(exp, origin_type);
break;
case NFCT_T_UPDATE:
STATE(mode)->internal->exp.upd(exp, origin_type);
break;
case NFCT_T_DESTROY:
STATE(mode)->internal->exp.del(exp, origin_type);
break;
default:
STATE(stats).nl_events_unknown_type++;
break;
}
out:
/* we reset the iteration limiter in the main select loop. */
if (STATE(event_iterations_limit)-- <= 0)
return NFCT_CB_STOP;
else
return NFCT_CB_CONTINUE;
}
static int dump_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
if (ct_filter_conntrack(ct, 1))
return NFCT_CB_CONTINUE;
switch(type) {
case NFCT_T_UPDATE:
STATE(mode)->internal->ct.populate(ct);
break;
default:
STATE(stats).nl_dump_unknown_type++;
break;
}
return NFCT_CB_CONTINUE;
}
static int exp_dump_handler(enum nf_conntrack_msg_type type,
struct nf_expect *exp, void *data)
{
const struct nf_conntrack *master =
nfexp_get_attr(exp, ATTR_EXP_MASTER);
if (!exp_filter_find(STATE(exp_filter), exp))
return NFCT_CB_CONTINUE;
if (ct_filter_master(master))
return NFCT_CB_CONTINUE;
switch(type) {
case NFCT_T_UPDATE:
STATE(mode)->internal->exp.populate(exp);
break;
default:
STATE(stats).nl_dump_unknown_type++;
break;
}
return NFCT_CB_CONTINUE;
}
static int get_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
if (ct_filter_conntrack(ct, 1))
return NFCT_CB_CONTINUE;
STATE(get_retval) = 1;
return NFCT_CB_CONTINUE;
}
static int exp_get_handler(enum nf_conntrack_msg_type type,
struct nf_expect *exp, void *data)
{
const struct nf_conntrack *master =
nfexp_get_attr(exp, ATTR_EXP_MASTER);
if (!exp_filter_find(STATE(exp_filter), exp))
return NFCT_CB_CONTINUE;
if (ct_filter_master(master))
return NFCT_CB_CONTINUE;
STATE(get_retval) = 1;
return NFCT_CB_CONTINUE;
}
/* we have received an event from ctnetlink */
static void event_cb(void *data)
{
int ret;
ret = nfct_catch(STATE(event));
/* reset event iteration limit counter */
STATE(event_iterations_limit) = CONFIG(event_iterations_limit);
if (ret == -1) {
switch(errno) {
case ENOBUFS:
/* We have hit ENOBUFS, it's likely that we are
* losing events. Two possible situations may
* trigger this error:
*
* 1) The netlink receiver buffer is too small:
* increasing the netlink buffer size should
* be enough. However, some event messages
* got lost. We have to resync ourselves
* with the kernel table conntrack table to
* resolve the inconsistency.
*
* 2) The receiver is too slow to process the
* netlink messages so that the queue gets
* full quickly. This generally happens
* if the system is under heavy workload
* (busy CPU). In this case, increasing the
* size of the netlink receiver buffer
* would not help anymore since we would
* be delaying the overrun. Moreover, we
* should avoid resynchronizations. We
* should do our best here and keep
* replicating as much states as possible.
* If workload lowers at some point,
* we resync ourselves.
*/
nl_resize_socket_buffer(STATE(event));
if (CONFIG(nl_overrun_resync) > 0 &&
STATE(mode)->internal->flags & INTERNAL_F_RESYNC) {
add_alarm(&STATE(resync_alarm),
CONFIG(nl_overrun_resync),0);
}
STATE(stats).nl_catch_event_failed++;
STATE(stats).nl_overrun++;
break;
case ENOENT:
/*
* We received a message from another
* netfilter subsystem that we are not
* interested in. Just ignore it.
*/
break;
case EAGAIN:
/* No more events to receive, try later. */
break;
default:
STATE(stats).nl_catch_event_failed++;
break;
}
}
}
/* we previously requested a resync due to buffer overrun. */
static void resync_cb(void *data)
{
nfct_catch(STATE(resync));
if (STATE(mode)->internal->ct.purge)
STATE(mode)->internal->ct.purge();
}
static void poll_cb(void *data)
{
nfct_catch(STATE(resync));
}
int ctnl_init(void)
{
if (CONFIG(flags) & CTD_STATS_MODE)
STATE(mode) = &stats_mode;
else if (CONFIG(flags) & CTD_SYNC_MODE)
STATE(mode) = &sync_mode;
else {
fprintf(stderr, "WARNING: No running mode specified. "
"Defaulting to statistics mode.\n");
CONFIG(flags) |= CTD_STATS_MODE;
STATE(mode) = &stats_mode;
}
/* Initialization */
if (STATE(mode)->init() == -1) {
dlog(LOG_ERR, "initialization failed");
return -1;
}
/* resynchronize (like 'dump' socket) but it also purges old entries */
STATE(resync) = nfct_open(CONFIG(netlink).subsys_id, 0);
if (STATE(resync)== NULL) {
dlog(LOG_ERR, "can't open netlink handler: %s",
strerror(errno));
dlog(LOG_ERR, "no ctnetlink kernel support?");
return -1;
}
nfct_callback_register(STATE(resync),
NFCT_T_ALL,
STATE(mode)->internal->ct.resync,
NULL);
if (CONFIG(flags) & CTD_POLL) {
register_fd(nfct_fd(STATE(resync)), poll_cb,
NULL, STATE(fds));
} else {
register_fd(nfct_fd(STATE(resync)), resync_cb,
NULL, STATE(fds));
}
fcntl(nfct_fd(STATE(resync)), F_SETFL, O_NONBLOCK);
if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
STATE(dump) = nfct_open(CONFIG(netlink).subsys_id, 0);
if (STATE(dump) == NULL) {
dlog(LOG_ERR, "can't open netlink handler: %s",
strerror(errno));
dlog(LOG_ERR, "no ctnetlink kernel support?");
return -1;
}
nfct_callback_register(STATE(dump), NFCT_T_ALL,
dump_handler, NULL);
if (CONFIG(flags) & CTD_EXPECT) {
nfexp_callback_register(STATE(dump), NFCT_T_ALL,
exp_dump_handler, NULL);
}
if (nl_dump_conntrack_table(STATE(dump)) == -1) {
dlog(LOG_ERR, "can't get kernel conntrack table");
return -1;
}
if (CONFIG(flags) & CTD_EXPECT) {
if (nl_dump_expect_table(STATE(dump)) == -1) {
dlog(LOG_ERR, "can't get kernel "
"expect table");
return -1;
}
}
}
STATE(get) = nfct_open(CONFIG(netlink).subsys_id, 0);
if (STATE(get) == NULL) {
dlog(LOG_ERR, "can't open netlink handler: %s",
strerror(errno));
dlog(LOG_ERR, "no ctnetlink kernel support?");
return -1;
}
nfct_callback_register(STATE(get), NFCT_T_ALL, get_handler, NULL);
if (CONFIG(flags) & CTD_EXPECT) {
nfexp_callback_register(STATE(get), NFCT_T_ALL,
exp_get_handler, NULL);
}
STATE(flush) = nfct_open(CONFIG(netlink).subsys_id, 0);
if (STATE(flush) == NULL) {
dlog(LOG_ERR, "cannot open flusher handler");
return -1;
}
/* register this handler as the origin of a flush operation */
origin_register(STATE(flush), CTD_ORIGIN_FLUSH);
if (CONFIG(flags) & CTD_POLL) {
init_alarm(&STATE(polling_alarm), NULL, do_polling_alarm);
add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0);
dlog(LOG_NOTICE, "running in polling mode");
} else {
init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm);
/*
* The last nfct handler that we register is the event handler.
* The reason to do this is that we may receive events while
* populating the internal cache. Thus, we hit ENOBUFS
* prematurely. However, if we open the event handler before
* populating the internal cache, we may still lose events
* that have occured during the population.
*/
STATE(event) = nl_init_event_handler();
if (STATE(event) == NULL) {
dlog(LOG_ERR, "can't open netlink handler: %s",
strerror(errno));
dlog(LOG_ERR, "no ctnetlink kernel support?");
return -1;
}
nfct_callback_register2(STATE(event), NFCT_T_ALL,
event_handler, NULL);
if (CONFIG(flags) & CTD_EXPECT) {
nfexp_callback_register2(STATE(event), NFCT_T_ALL,
exp_event_handler, NULL);
}
register_fd(nfct_fd(STATE(event)), event_cb, NULL, STATE(fds));
}
return 0;
}