authorVadim Kochan <vadim4j@gmail.com>2015-07-25 19:09:39 +0300
committerDaniel Borkmann <daniel@iogearbox.net>2015-07-26 20:38:23 +0200
commit59341681d3dcc3e17105261425b5f08ab954a948 (patch)
treefa3f27c79f7b9385e507c3b51b2cf5869ff3035e
parentbbd4b152f7cc6795379a5927c4d7e2c61bb5c9f5 (diff)
flowtop: Fix collector stuck while flush IPv6 flows
It seems this was caused by specifying all netfilter groups when flushing connections. Use a separate nfct instance without netfilter groups to flush IPv4/IPv6 connections. More information is available in the GitHub issue: https://github.com/netsniff-ng/netsniff-ng/issues/145 Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-rw-r--r--flowtop.c22
1 files changed, 17 insertions, 5 deletions
diff --git a/flowtop.c b/flowtop.c
index 9b7e0dc..9d935e1 100644
--- a/flowtop.c
+++ b/flowtop.c
@@ -1044,9 +1044,22 @@ static int collector_cb(enum nf_conntrack_msg_type type,
return NFCT_CB_CONTINUE;
}
-static inline void collector_flush(struct nfct_handle *handle, uint8_t family)
+static inline void collector_flush(void)
{
- nfct_query(handle, NFCT_Q_FLUSH, &family);
+ struct nfct_handle *nfct = nfct_open(CONNTRACK, 0);
+ uint8_t family;
+
+ if (!nfct)
+ panic("Cannot create a nfct to flush connections: %s\n",
+ strerror(errno));
+
+ family = AF_INET;
+ nfct_query(nfct, NFCT_Q_FLUSH, &family);
+
+ family = AF_INET6;
+ nfct_query(nfct, NFCT_Q_FLUSH, &family);
+
+ nfct_close(nfct);
}
static void restore_sysctl(void *value)
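Review bot: Both `nfct_query(nfct, NFCT_Q_FLUSH, &family)` calls in the new collector_flush() discard the return value, so a failed flush goes unnoticed and the collector starts on a table that was never cleared. The calls could be checked, e.g. `if (nfct_query(nfct, NFCT_Q_FLUSH, &family) < 0)`, and the failure reported with `strerror(errno)` in the same way as the nfct_open() failure just above; whether that should be fatal or only a warning is a policy choice the hunk does not settle. A one-line comment above the function would also help, such as `/* Flushes the kernel conntrack table for IPv4 and IPv6; this is shared kernel state, not private to flowtop. */`, because stateful firewall and NAT rules rely on the same table.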
@@ -1121,15 +1134,14 @@ static void *collector(void *null __maybe_unused)
struct pollfd poll_fd[1];
int ret;
+ collector_flush();
+
ct_event = nfct_open(CONNTRACK, NF_NETLINK_CONNTRACK_NEW |
NF_NETLINK_CONNTRACK_UPDATE |
NF_NETLINK_CONNTRACK_DESTROY);
if (!ct_event)
panic("Cannot create a nfct handle: %s\n", strerror(errno));
- collector_flush(ct_event, AF_INET);
- collector_flush(ct_event, AF_INET6);
-
filter = nfct_filter_create();
if (!filter)
panic("Cannot create a nfct filter: %s\n", strerror(errno));
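Review bot: The position of `collector_flush();` ahead of the `nfct_open(CONNTRACK, NF_NETLINK_CONNTRACK_NEW | ...)` call is what carries the fix, but nothing in collector() says so, and a later cleanup could move the flush back onto `ct_event`. I would add a comment on the call, for example `/* Flush via a separate group-less handle before subscribing; flushing through ct_event made the collector hang (issue #145). */`. It may also be worth noting there that flows created between the flush and the subscription produce no NEW event on `ct_event`; whether they are picked up later through UPDATE events cannot be seen from this hunk. collector() starts and ends outside the hunk.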