* [conntrack-tools PATCH 1/2] .gitignore: add nano swap file
@ 2020-12-03 13:10 Arturo Borrero Gonzalez
  2020-12-03 13:10 ` [conntrack-tools PATCH 2/2] conntrackd: external_inject: report inject issues as warning Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2020-12-03 13:10 UTC (permalink / raw)
  To: netfilter-devel

Ignore the nano swap file.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 .gitignore |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index f7a5fc7..d061ad7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@ Makefile.in
 /config.*
 /configure
 /libtool
+
+*.swp



* [conntrack-tools PATCH 2/2] conntrackd: external_inject: report inject issues as warning
  2020-12-03 13:10 [conntrack-tools PATCH 1/2] .gitignore: add nano swap file Arturo Borrero Gonzalez
@ 2020-12-03 13:10 ` Arturo Borrero Gonzalez
  2020-12-03 13:24   ` Jeremy Sowden
From: Arturo Borrero Gonzalez @ 2020-12-03 13:10 UTC (permalink / raw)
  To: netfilter-devel

In busy firewalls that run conntrackd in NOTRACK with both internal and external caches disabled,
external_inject can get lots of traffic. In case of issues injecting or updating conntrack entries
a log entry will be generated, the infamous inject-addX, inject-updX messages.

But there is nothing end users can do about this error message; it is purely internal. This patch is
basically cosmetic, relaxing the message from ERROR to WARNING. The information reported is the
same, but the idea is to reserve ERROR messages for issues that would *stop* or *prevent* conntrackd
from working at all.

Another nice thing to do in the future is to rate-limit this message, which is generated in the
data path and can easily fill log files. But ideally, the actual root cause would be fixed, and
there would be no WARNING message reported at all, meaning that all conntrack entries are smoothly
synced between the firewalls in the cluster. We can work on that later.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 src/external_inject.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/external_inject.c b/src/external_inject.c
index 0ad3478..e4ef569 100644
--- a/src/external_inject.c
+++ b/src/external_inject.c
@@ -76,12 +76,12 @@ retry:
 				}
 			}
 			external_inject_stat.add_fail++;
-			dlog(LOG_ERR, "inject-add1: %s", strerror(errno));
+			dlog(LOG_WARNING, "inject-add1: %s", strerror(errno));
 			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 			return;
 		}
 		external_inject_stat.add_fail++;
-		dlog(LOG_ERR, "inject-add2: %s", strerror(errno));
+		dlog(LOG_WARNING, "inject-add2: %s", strerror(errno));
 		dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 	} else {
 		external_inject_stat.add_ok++;
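Review bot: Once these sites log at LOG_WARNING, any operator alerting on LOG_ERR from conntrackd silently loses visibility of inject failures, so the `external_inject_stat.add_fail++` (and the sibling `upd_fail`/`del_fail`) counters incremented just above each `dlog()` become the reliable signal, and that is worth stating next to the first downgraded call, e.g. `/* non-fatal: counted in external_inject_stat; WARNING keeps LOG_ERR for conditions that stop conntrackd */`. The messages are still emitted unconditionally from the data path, so a peer — or anyone able to churn conntrack state across the cluster link — can still fill the log at this priority; the severity change alone does not bound log volume, which matters on a firewall where syslog doubles as the audit trail. The function containing the `retry:` label begins before this hunk, and the counters are presumably the ones exposed through conntrackd's statistics output — confirm against the stats dump code before pointing operators at them.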
@@ -102,7 +102,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
 	if (errno == ENOENT) {
 		if (nl_create_conntrack(inject, ct, 0) == -1) {
 			external_inject_stat.upd_fail++;
-			dlog(LOG_ERR, "inject-upd1: %s", strerror(errno));
+			dlog(LOG_WARNING, "inject-upd1: %s", strerror(errno));
 			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 		} else {
 			external_inject_stat.upd_ok++;
@@ -117,7 +117,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
 	if (ret == 0 || (ret == -1 && errno == ENOENT)) {
 		if (nl_create_conntrack(inject, ct, 0) == -1) {
 			external_inject_stat.upd_fail++;
-			dlog(LOG_ERR, "inject-upd2: %s", strerror(errno));
+			dlog(LOG_WARNING, "inject-upd2: %s", strerror(errno));
 			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 		} else {
 			external_inject_stat.upd_ok++;
@@ -125,7 +125,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
 		return;
 	}
 	external_inject_stat.upd_fail++;
-	dlog(LOG_ERR, "inject-upd3: %s", strerror(errno));
+	dlog(LOG_WARNING, "inject-upd3: %s", strerror(errno));
 	dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 }
 
@@ -134,7 +134,7 @@ static void external_inject_ct_del(struct nf_conntrack *ct)
 	if (nl_destroy_conntrack(inject, ct) == -1) {
 		if (errno != ENOENT) {
 			external_inject_stat.del_fail++;
-			dlog(LOG_ERR, "inject-del: %s", strerror(errno));
+			dlog(LOG_WARNING, "inject-del: %s", strerror(errno));
 			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
 		}
 	} else {



* Re: [conntrack-tools PATCH 2/2] conntrackd: external_inject: report inject issues as warning
  2020-12-03 13:10 ` [conntrack-tools PATCH 2/2] conntrackd: external_inject: report inject issues as warning Arturo Borrero Gonzalez
@ 2020-12-03 13:24   ` Jeremy Sowden
From: Jeremy Sowden @ 2020-12-03 13:24 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: netfilter-devel


On 2020-12-03, at 14:10:38 +0100, Arturo Borrero Gonzalez wrote:
> In busy firewalls that run conntrackd in NOTRACK with both internal
> and external caches disabled, external_inject can get lots of traffic.
> In case of issues injecting or updating conntrack entries a log entry
> will be generated, the infamous inject-addX, inject-updX messages.
>
> But there is nothing end users can do about this error message, is
                                                                  ^^

"which is"

> purely internal. This patch is basically cosmetic, relaxing the
> message from ERROR to WARNING. The information reported is the same,
> but the idea is to leave ERROR messages to issues that would *stop* or
> *prevent* conntrackd from working at all.
>
> Another nice thing to do in the future is to rate-limit this message,
> which is generated in the data path and can easily fill log files. But
> ideally, the actual root cause would be fixed, and there would be no
> WARNING message reported at all, meaning that all conntrack entries
> are smothly synced between the firewalls in the cluster. We can work
      ^^^^^^^

"smoothly"

> on that later.
>
> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
> ---
>  src/external_inject.c |   12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/src/external_inject.c b/src/external_inject.c
> index 0ad3478..e4ef569 100644
> --- a/src/external_inject.c
> +++ b/src/external_inject.c
> @@ -76,12 +76,12 @@ retry:
>  				}
>  			}
>  			external_inject_stat.add_fail++;
> -			dlog(LOG_ERR, "inject-add1: %s", strerror(errno));
> +			dlog(LOG_WARNING, "inject-add1: %s", strerror(errno));
>  			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
>  			return;
>  		}
>  		external_inject_stat.add_fail++;
> -		dlog(LOG_ERR, "inject-add2: %s", strerror(errno));
> +		dlog(LOG_WARNING, "inject-add2: %s", strerror(errno));
>  		dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
>  	} else {
>  		external_inject_stat.add_ok++;
> @@ -102,7 +102,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
>  	if (errno == ENOENT) {
>  		if (nl_create_conntrack(inject, ct, 0) == -1) {
>  			external_inject_stat.upd_fail++;
> -			dlog(LOG_ERR, "inject-upd1: %s", strerror(errno));
> +			dlog(LOG_WARNING, "inject-upd1: %s", strerror(errno));
>  			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
>  		} else {
>  			external_inject_stat.upd_ok++;
> @@ -117,7 +117,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
>  	if (ret == 0 || (ret == -1 && errno == ENOENT)) {
>  		if (nl_create_conntrack(inject, ct, 0) == -1) {
>  			external_inject_stat.upd_fail++;
> -			dlog(LOG_ERR, "inject-upd2: %s", strerror(errno));
> +			dlog(LOG_WARNING, "inject-upd2: %s", strerror(errno));
>  			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
>  		} else {
>  			external_inject_stat.upd_ok++;
> @@ -125,7 +125,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct)
>  		return;
>  	}
>  	external_inject_stat.upd_fail++;
> -	dlog(LOG_ERR, "inject-upd3: %s", strerror(errno));
> +	dlog(LOG_WARNING, "inject-upd3: %s", strerror(errno));
>  	dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
>  }
>
> @@ -134,7 +134,7 @@ static void external_inject_ct_del(struct nf_conntrack *ct)
>  	if (nl_destroy_conntrack(inject, ct) == -1) {
>  		if (errno != ENOENT) {
>  			external_inject_stat.del_fail++;
> -			dlog(LOG_ERR, "inject-del: %s", strerror(errno));
> +			dlog(LOG_WARNING, "inject-del: %s", strerror(errno));
>  			dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
>  		}
>  	} else {
>
>

J.


