diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2011-01-19 10:00:07 -0500 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2011-01-19 10:00:07 -0500 |
| commit | a992ca2a0498edd22a88ac8c41570f536de29c9e (patch) | |
| tree | 4574d4da3f44c7dd3879cb4f209a8bd3a37c0ca9 /include | |
| parent | 93557f53e1fbd9e2b6574ab0a9b5852628fde9e3 (diff) | |
netfilter: nf_conntrack_tstamp: add flow-based timestamp extension
This patch adds flow-based timestamping for conntracks. This
conntrack extension is disabled by default. Basically, we use
two 64-bits variables to store the creation timestamp once the
conntrack has been confirmed and the other to store the deletion
time. This extension is disabled by default, to enable it, you
have to:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
This patch allows to save memory for user-space flow-based
loogers such as ulogd2. In short, ulogd2 does not need to
keep a hashtable with the conntrack in user-space to know
when they were created and destroyed, instead we use the
kernel timestamp. If we want to have a sane IPFIX implementation
in user-space, this nanosecs resolution timestamps are also
useful. Other custom user-space applications can benefit from
this via libnetfilter_conntrack.
This patch modifies the /proc output to display the delta time
in seconds since the flow start. You can also obtain the
flow-start date by means of the conntrack-tools.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter/nfnetlink_conntrack.h | 9 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_extend.h | 4 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_timestamp.h | 53 | ||||
| -rw-r--r-- | include/net/netns/conntrack.h | 2 |
4 files changed, 68 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index 19711e3ffd42..debf1aefd753 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
| @@ -42,6 +42,7 @@ enum ctattr_type { | |||
| 42 | CTA_SECMARK, /* obsolete */ | 42 | CTA_SECMARK, /* obsolete */ |
| 43 | CTA_ZONE, | 43 | CTA_ZONE, |
| 44 | CTA_SECCTX, | 44 | CTA_SECCTX, |
| 45 | CTA_TIMESTAMP, | ||
| 45 | __CTA_MAX | 46 | __CTA_MAX |
| 46 | }; | 47 | }; |
| 47 | #define CTA_MAX (__CTA_MAX - 1) | 48 | #define CTA_MAX (__CTA_MAX - 1) |
| @@ -127,6 +128,14 @@ enum ctattr_counters { | |||
| 127 | }; | 128 | }; |
| 128 | #define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) | 129 | #define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) |
| 129 | 130 | ||
| 131 | enum ctattr_tstamp { | ||
| 132 | CTA_TIMESTAMP_UNSPEC, | ||
| 133 | CTA_TIMESTAMP_START, | ||
| 134 | CTA_TIMESTAMP_STOP, | ||
| 135 | __CTA_TIMESTAMP_MAX | ||
| 136 | }; | ||
| 137 | #define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1) | ||
| 138 | |||
| 130 | enum ctattr_nat { | 139 | enum ctattr_nat { |
| 131 | CTA_NAT_UNSPEC, | 140 | CTA_NAT_UNSPEC, |
| 132 | CTA_NAT_MINIP, | 141 | CTA_NAT_MINIP, |
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h index 1a9f96db3798..2dcf31703acb 100644 --- a/include/net/netfilter/nf_conntrack_extend.h +++ b/include/net/netfilter/nf_conntrack_extend.h | |||
| @@ -17,6 +17,9 @@ enum nf_ct_ext_id { | |||
| 17 | #ifdef CONFIG_NF_CONNTRACK_ZONES | 17 | #ifdef CONFIG_NF_CONNTRACK_ZONES |
| 18 | NF_CT_EXT_ZONE, | 18 | NF_CT_EXT_ZONE, |
| 19 | #endif | 19 | #endif |
| 20 | #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP | ||
| 21 | NF_CT_EXT_TSTAMP, | ||
| 22 | #endif | ||
| 20 | NF_CT_EXT_NUM, | 23 | NF_CT_EXT_NUM, |
| 21 | }; | 24 | }; |
| 22 | 25 | ||
| @@ -25,6 +28,7 @@ enum nf_ct_ext_id { | |||
| 25 | #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter | 28 | #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter |
| 26 | #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache | 29 | #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache |
| 27 | #define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone | 30 | #define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone |
| 31 | #define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp | ||
| 28 | 32 | ||
| 29 | /* Extensions: optional stuff which isn't permanently in struct. */ | 33 | /* Extensions: optional stuff which isn't permanently in struct. */ |
| 30 | struct nf_ct_ext { | 34 | struct nf_ct_ext { |
diff --git a/include/net/netfilter/nf_conntrack_timestamp.h b/include/net/netfilter/nf_conntrack_timestamp.h new file mode 100644 index 000000000000..f17dcb664e29 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_timestamp.h | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | #ifndef _NF_CONNTRACK_TSTAMP_H | ||
| 2 | #define _NF_CONNTRACK_TSTAMP_H | ||
| 3 | |||
| 4 | #include <net/net_namespace.h> | ||
| 5 | #include <linux/netfilter/nf_conntrack_common.h> | ||
| 6 | #include <linux/netfilter/nf_conntrack_tuple_common.h> | ||
| 7 | #include <net/netfilter/nf_conntrack.h> | ||
| 8 | #include <net/netfilter/nf_conntrack_extend.h> | ||
| 9 | |||
| 10 | struct nf_conn_tstamp { | ||
| 11 | u_int64_t start; | ||
| 12 | u_int64_t stop; | ||
| 13 | }; | ||
| 14 | |||
| 15 | static inline | ||
| 16 | struct nf_conn_tstamp *nf_conn_tstamp_find(const struct nf_conn *ct) | ||
| 17 | { | ||
| 18 | #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP | ||
| 19 | return nf_ct_ext_find(ct, NF_CT_EXT_TSTAMP); | ||
| 20 | #else | ||
| 21 | return NULL; | ||
| 22 | #endif | ||
| 23 | } | ||
| 24 | |||
| 25 | static inline | ||
| 26 | struct nf_conn_tstamp *nf_ct_tstamp_ext_add(struct nf_conn *ct, gfp_t gfp) | ||
| 27 | { | ||
| 28 | #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP | ||
| 29 | struct net *net = nf_ct_net(ct); | ||
| 30 | |||
| 31 | if (!net->ct.sysctl_tstamp) | ||
| 32 | return NULL; | ||
| 33 | |||
| 34 | return nf_ct_ext_add(ct, NF_CT_EXT_TSTAMP, gfp); | ||
| 35 | #else | ||
| 36 | return NULL; | ||
| 37 | #endif | ||
| 38 | }; | ||
| 39 | |||
| 40 | static inline bool nf_ct_tstamp_enabled(struct net *net) | ||
| 41 | { | ||
| 42 | return net->ct.sysctl_tstamp != 0; | ||
| 43 | } | ||
| 44 | |||
| 45 | static inline void nf_ct_set_tstamp(struct net *net, bool enable) | ||
| 46 | { | ||
| 47 | net->ct.sysctl_tstamp = enable; | ||
| 48 | } | ||
| 49 | |||
| 50 | extern int nf_conntrack_tstamp_init(struct net *net); | ||
| 51 | extern void nf_conntrack_tstamp_fini(struct net *net); | ||
| 52 | |||
| 53 | #endif /* _NF_CONNTRACK_TSTAMP_H */ | ||
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index 5cf8a8c141aa..341eb089349e 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h | |||
| @@ -21,11 +21,13 @@ struct netns_ct { | |||
| 21 | int sysctl_events; | 21 | int sysctl_events; |
| 22 | unsigned int sysctl_events_retry_timeout; | 22 | unsigned int sysctl_events_retry_timeout; |
| 23 | int sysctl_acct; | 23 | int sysctl_acct; |
| 24 | int sysctl_tstamp; | ||
| 24 | int sysctl_checksum; | 25 | int sysctl_checksum; |
| 25 | unsigned int sysctl_log_invalid; /* Log invalid packets */ | 26 | unsigned int sysctl_log_invalid; /* Log invalid packets */ |
| 26 | #ifdef CONFIG_SYSCTL | 27 | #ifdef CONFIG_SYSCTL |
| 27 | struct ctl_table_header *sysctl_header; | 28 | struct ctl_table_header *sysctl_header; |
| 28 | struct ctl_table_header *acct_sysctl_header; | 29 | struct ctl_table_header *acct_sysctl_header; |
| 30 | struct ctl_table_header *tstamp_sysctl_header; | ||
| 29 | struct ctl_table_header *event_sysctl_header; | 31 | struct ctl_table_header *event_sysctl_header; |
| 30 | #endif | 32 | #endif |
| 31 | char *slabname; | 33 | char *slabname; |