API tools faq
paste
Advertisement
Guest User

Untitled

a guest
May 30th, 2014
33
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 7.53 KB | None | 0 0
raw download clone embed print report
  1. diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
  2. index 6e30709..e1fa909 100644
  3. --- a/ipt_NETFLOW.c
  4. +++ b/ipt_NETFLOW.c
  5. @@ -40,6 +40,9 @@
  6.  #include <net/ip6_fib.h>
  7.  #include <net/dst.h>
  8.  #include <linux/netfilter_ipv4/ip_tables.h>
  9. +#undef CONFIG_NF_NAT_NEEDED
  10. +#undef CONFIG_NF_CONNTRACK_MARK
  11. +
  12.  #if defined(CONFIG_NF_NAT_NEEDED) || defined(CONFIG_NF_CONNTRACK_MARK)
  13.  #include <linux/notifier.h>
  14.  #include <net/netfilter/nf_conntrack.h>
  15. @@ -178,6 +181,7 @@ static unsigned long nat_events_stop = 0;
  16.  #endif
  17.  static struct kmem_cache *ipt_netflow_cachep __read_mostly; /* ipt_netflow memory */
  18.  static atomic_t ipt_netflow_count = ATOMIC_INIT(0);
  19. +static atomic_t ipt_netflow_skip = ATOMIC_INIT(0);
  20.  
  21.  static long long pdu_packets = 0, pdu_traf = 0; /* how much accounted traffic in pdu */
  22.  static unsigned int pdu_count = 0;
  23. @@ -185,6 +189,7 @@ static unsigned int pdu_seq = 0;
  24.  static unsigned int pdu_data_records = 0;
  25.  static unsigned int pdu_tpl_records = 0;
  26.  static unsigned long pdu_ts_mod; /* ts(jiffies) of last flow */
  27. +static unsigned long jiffies_on_debug_dump; /* ts(jiffies) of last flow */
  28.  static union {
  29.         struct netflow5_pdu v5;
  30.         struct netflow9_pdu v9;
  31. @@ -220,6 +225,9 @@ static long long min_prate = 0, min_brate = 0;
  32.  static long long min5_prate = 0, min5_brate = 0;
  33.  static unsigned int metric = 100, min15_metric = 100, min5_metric = 100, min_metric = 100; /* hash metrics */
  34.  
  35. +static inline int active_needs_export(const struct ipt_netflow *nf, const long a_timeout);
  36. +static inline int active_needs_export_debug(const struct ipt_netflow *nf, const long a_timeout);
  37. +static inline u_int32_t hash_netflow(const struct ipt_netflow_tuple *tuple);
  38.  static int set_hashsize(int new_size);
  39.  static void destination_removeall(void);
  40.  static int add_destinations(char *ptr);
  41. @@ -297,6 +305,57 @@ static inline void pause_scan_worker(void)
  42.  #endif
  43.  
  44.  #ifdef CONFIG_PROC_FS
  45. +
  46. +
  47. +static void * nf_seq_debug_start(struct seq_file *seq, loff_t *pos)
  48. +{
  49. +       struct ipt_netflow *nf;
  50. +
  51. +       loff_t off = 0;
  52. +       list_for_each_entry(nf, &ipt_netflow_list, list) {
  53. +           if (*pos == off++) {
  54. +               return nf;
  55. +               }
  56. +       }
  57. +       return NULL;
  58. +}
  59. +
  60. +static void * nf_seq_debug_next(struct seq_file *seq, void *v, loff_t *pos)
  61. +{
  62. +       struct list_head *n = ((struct ipt_netflow *)v)->list.next;
  63. +       ++*pos;
  64. +       return(n != &ipt_netflow_list) ?
  65. +       list_entry(n, struct ipt_netflow, list) : NULL;
  66. +}
  67. +
  68. +static int nf_seq_debug_show(struct seq_file *seq, void *v)
  69. +{
  70. +       const struct ipt_netflow *nf = v;
  71. +       long i_timeout = inactive_timeout * HZ;
  72. +       long a_timeout = active_timeout * HZ;
  73. +
  74. +       int export = (((jiffies_on_debug_dump - nf->ts_last) >= i_timeout) ||
  75. +                           active_needs_export_debug(nf, a_timeout));
  76. +
  77. +       unsigned int hash = hash_netflow(&nf->tuple);
  78. +       char  src_ip_port[32];
  79. +       char  dst_ip_port[32];
  80. +       sprintf(src_ip_port,"%u.%u.%u.%u:%u", NIPQUAD(nf->tuple.src), ntohs(nf->tuple.s_port));
  81. +       sprintf(dst_ip_port,"%u.%u.%u.%u:%u", NIPQUAD(nf->tuple.dst), ntohs(nf->tuple.d_port));
  82. +
  83. +       seq_printf(seq,"i_ifc:%hd o_ifc:%hd src:%-21s dst:%-21s proto:%-2d tos:%-3d l3proto:%d needs_export:%d hash:%08x hash&mask:%02x\n",
  84. +                      nf->tuple.i_ifc, nf->o_ifc,
  85. +                      src_ip_port, dst_ip_port,
  86. +                      nf->tuple.protocol, nf->tuple.tos, nf->tuple.l3proto, export, hash, hash & LOCK_COUNT_MASK);
  87. +        return 0;
  88. +}
  89. +
  90. +static void nf_seq_debug_stop(struct seq_file *seq, void *v)
  91. +{
  92. +
  93. +}
  94. +
  95. +
  96.  /* procfs statistics /proc/net/stat/ipt_netflow */
  97.  static int nf_seq_show(struct seq_file *seq, void *v)
  98.  {
  99. @@ -485,6 +544,40 @@ static struct file_operations nf_seq_fops = {
  100.         .llseek  = seq_lseek,
  101.         .release = single_release,
  102.  };
  103. +
  104. +static struct seq_operations nf_seq_debug_ops = {
  105. +       .start = nf_seq_debug_start,
  106. +       .next  = nf_seq_debug_next,
  107. +       .stop  = nf_seq_debug_stop,
  108. +       .show  = nf_seq_debug_show,
  109. +};
  110. +
  111. +static int nf_seq_debug_open(struct inode *inode, struct file *file)
  112. +{
  113. +       atomic_inc(&ipt_netflow_skip);
  114. +       pause_scan_worker();
  115. +       spin_lock(&hlist_lock);
  116. +       jiffies_on_debug_dump=jiffies;
  117. +       return seq_open(file, &nf_seq_debug_ops);
  118. +}
  119. +
  120. +static int nf_seq_debug_release(struct inode *inode, struct file *file)
  121. +{
  122. +       spin_unlock(&hlist_lock);
  123. +       cont_scan_worker();
  124. +       atomic_dec(&ipt_netflow_skip);
  125. +       return seq_release(inode, file);
  126. +}
  127. +
  128. +static struct file_operations nf_seq_fops_debug = {
  129. +       .owner   = THIS_MODULE,
  130. +       .open    = nf_seq_debug_open,
  131. +       .read    = seq_read,
  132. +       .llseek  = seq_lseek,
  133. +       .release = nf_seq_debug_release,
  134. +};
  135. +
  136. +
  137.  #endif /* CONFIG_PROC_FS */
  138.  
  139.  #ifdef CONFIG_SYSCTL
  140. @@ -1987,6 +2080,18 @@ static inline int active_needs_export(const struct ipt_netflow *nf, const long a
  141.                 nf->nr_bytes >= FLOW_FULL_WATERMARK;
  142.  }
  143.  
  144. +static inline int active_needs_export_debug(const struct ipt_netflow *nf, const long a_timeout)
  145. +{
  146. +       /* active too long, finishing, or having too much bytes */
  147. +       return ((jiffies_on_debug_dump - nf->ts_first) > a_timeout) ||
  148. +               (nf->tuple.protocol == IPPROTO_TCP &&
  149. +                (nf->tcp_flags & TCP_FIN_RST) &&
  150. +                (jiffies - nf->ts_last) > (1 * HZ)) ||
  151. +               nf->nr_bytes >= FLOW_FULL_WATERMARK;
  152. +}
  153. +
  154. +
  155. +
  156.  /* could be called with zero to flush cache and pdu */
  157.  /* this function is guaranteed to be called non-concurrently */
  158.  /* return -1 is trylockfailed, 0 if nothin gexported, >=1 if exported something */
  159. @@ -2445,6 +2550,11 @@ static unsigned int netflow_target(
  160.         int options = 0;
  161.         int tcpoptions = 0;
  162.  
  163. +       unsigned int skip = atomic_read(&ipt_netflow_skip);
  164. +       if (skip > 0 ) {
  165. +           return IPT_CONTINUE;
  166. +       }
  167. +
  168.         iph = skb_header_pointer(skb, 0, (likely(family == AF_INET))? sizeof(_iph.ip) : sizeof(_iph.ip6), &iph);
  169.         if (unlikely(iph == NULL)) {
  170.                 NETFLOW_STAT_INC(truncated);
  171. @@ -2961,6 +3071,7 @@ static int __init ipt_netflow_init(void)
  172.  {
  173.  #ifdef CONFIG_PROC_FS
  174.         struct proc_dir_entry *proc_stat;
  175. +       struct proc_dir_entry *proc_stat_debug;
  176.  #endif
  177.         printk(KERN_INFO "ipt_NETFLOW version %s, srcversion %s\n",
  178.                 IPT_NETFLOW_VERSION, THIS_MODULE->srcversion);
  179. @@ -3003,8 +3114,10 @@ static int __init ipt_netflow_init(void)
  180.  #ifdef CONFIG_PROC_FS
  181.  #if LINUX_VERSION_CODE < KERNEL_VERSION(3,10,0)
  182.         proc_stat = create_proc_entry("ipt_netflow", S_IRUGO, INIT_NET(proc_net_stat));
  183. +       proc_stat_debug = create_proc_entry("ipt_netflow_debug", S_IRUGO, INIT_NET(proc_net_stat));
  184.  #else
  185.         proc_stat = proc_create("ipt_netflow", S_IRUGO, INIT_NET(proc_net_stat), &nf_seq_fops);
  186. +       proc_stat_debug = proc_create("ipt_netflow_debug", S_IRUGO, INIT_NET(proc_net_stat), &nf_seq_fops_debug);
  187.  #endif
  188.         if (!proc_stat) {
  189.                 printk(KERN_ERR "Unable to create /proc/net/stat/ipt_netflow entry\n");
  190. @@ -3012,9 +3125,11 @@ static int __init ipt_netflow_init(void)
  191.         }
  192.  #if LINUX_VERSION_CODE < KERNEL_VERSION(3,10,0)
  193.         proc_stat->proc_fops = &nf_seq_fops;
  194. +       proc_stat_debug->proc_fops = &nf_seq_fops_debug;
  195.  #endif
  196.  #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,30)
  197.         proc_stat->owner = THIS_MODULE;
  198. +       proc_stat_debug->owner = THIS_MODULE;
  199.  #endif
  200.         printk(KERN_INFO "netflow: registered: /proc/net/stat/ipt_netflow\n");
  201.  #endif
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!