improve overrun handling NFLOG
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 1 Jun 2008 23:38:52 +0000 (01:38 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Sun, 1 Jun 2008 23:38:52 +0000 (01:38 +0200)
This patch improves the overrun handling. The NFLOG plugin doubles the
netlink buffer size as long as the size does not exceed the upper boundary.
This patch also introduces two new clauses, the netlink_socket_buffer_size
and netlink_socket_buffer_maxsize that set the size of the netlink socket
buffer.

input/packet/ulogd_inppkt_NFLOG.c
ulogd.conf.in

index bb69bb6b8564550675e893ab8177c491725a56c8..9918fae6182b4affb90d2b98bef283a0bfecd5d2 100644 (file)
@@ -6,8 +6,10 @@
 #include <unistd.h>
 #include <stdlib.h>
 #include <netinet/in.h>
+#include <errno.h>
 
 #include <ulogd/ulogd.h>
+#include <libnfnetlink/libnfnetlink.h>
 #include <libnetfilter_log/libnetfilter_log.h>
 
 #ifndef NFLOG_GROUP_DEFAULT
@@ -29,12 +31,13 @@ struct nflog_input {
        struct nflog_g_handle *nful_gh;
        unsigned char *nfulog_buf;
        struct ulogd_fd nful_fd;
+       int nlbufsiz;
 };
 
 /* configuration entries */
 
 static struct config_keyset libulog_kset = {
-       .num_ces = 8,
+       .num_ces = 10,
        .ces = {
                {
                        .key     = "bufsize",
@@ -84,7 +87,18 @@ static struct config_keyset libulog_kset = {
                        .options = CONFIG_OPT_NONE,
                        .u.value = 0,
                },
-
+               {
+                       .key     = "netlink_socket_buffer_size",
+                       .type    = CONFIG_TYPE_INT,
+                       .options = CONFIG_OPT_NONE,
+                       .u.value = 0,
+               },
+               {
+                       .key     = "netlink_socket_buffer_maxsize",
+                       .type    = CONFIG_TYPE_INT,
+                       .options = CONFIG_OPT_NONE,
+                       .u.value = 0,
+               },
        }
 };
 
@@ -96,6 +110,8 @@ static struct config_keyset libulog_kset = {
 #define seq_ce(x)      (x->ces[5])
 #define seq_global_ce(x)       (x->ces[6])
 #define label_ce(x)    (x->ces[7])
+#define nlsockbufsize_ce(x) (x->ces[8])
+#define nlsockbufmaxsize_ce(x) (x->ces[9])
 
 enum nflog_keys {
        NFLOG_KEY_RAW_MAC = 0,
@@ -371,6 +387,23 @@ interp_packet(struct ulogd_pluginstance *upi, struct nflog_data *ldata)
        return 0;
 }
 
+static int setnlbufsiz(struct ulogd_pluginstance *upi, int size)
+{
+       struct nflog_input *ui = (struct nflog_input *)upi->private;
+
+       if (size < nlsockbufmaxsize_ce(upi->config_kset).u.value) {
+               ui->nlbufsiz = nfnl_rcvbufsiz(nflog_nfnlh(ui->nful_h), size);
+               return 1;
+       }
+
+       ulogd_log(ULOGD_NOTICE, "Maximum buffer size (%d) in NFLOG has been "
+                               "reached. Please, consider rising "
+                               "`netlink_socket_buffer_size` and "
+                               "`netlink_socket_buffer_maxsize` "
+                               "clauses.\n", ui->nlbufsiz);
+       return 0;
+}
+
 /* callback called from ulogd core when fd is readable */
 static int nful_read_cb(int fd, unsigned int what, void *param)
 {
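Review bot: The bound check in `setnlbufsiz()` accepts any `size` below `netlink_socket_buffer_maxsize`, including zero and negative values, which are then passed to `nfnl_rcvbufsiz()` where the size is (as far as I recall its prototype) an `unsigned int`. Both clauses are plain `CONFIG_TYPE_INT` with no range validation in this patch, so a typo in the config can request a nonsensical buffer. I would reject non-positive sizes and allow the maximum itself: `if (size > 0 && size <= nlsockbufmaxsize_ce(upi->config_kset).u.value)`. Note also that with `netlink_socket_buffer_maxsize` left at its default of 0 the test fails for every positive size, so setting `netlink_socket_buffer_size` alone has no effect and instead produces the "Maximum buffer size ... reached" notice; either document that both must be set or treat a zero maximum as "no cap" for the initial request. The read-back value is stored in the `int nlbufsiz` field, which is worth making `unsigned int` to match.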
@@ -385,8 +418,26 @@ static int nful_read_cb(int fd, unsigned int what, void *param)
         * grab all the processing time just for us.  there might be other
         * sockets that have pending work */
        len = recv(fd, ui->nfulog_buf, bufsiz_ce(upi->config_kset).u.value, 0);
-       if (len < 0)
+       if (len < 0) {
+               if (errno == ENOBUFS) {
+                       if (nlsockbufmaxsize_ce(upi->config_kset).u.value) {
+                               int s = ui->nlbufsiz * 2;
+                               if (setnlbufsiz(upi, s)) {
+                                       ulogd_log(ULOGD_NOTICE,
+                                                 "We are losing events, "
+                                                 "increasing buffer size "
+                                                 "to %d\n", ui->nlbufsiz);
+                               }
+                       } else {
+                               ulogd_log(ULOGD_NOTICE,
+                                         "We are losing events. Please, "
+                                         "consider using the clauses "
+                                         "`netlink_socket_buffer_size' and "
+                                         "`netlink_socket_buffer_maxsize\n'");
+                       }
+               }
                return len;
+       }
 
        nflog_handle_packet(ui->nful_h, (char *)ui->nfulog_buf, len);
 
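Review bot: In the `ENOBUFS` branch, `int s = ui->nlbufsiz * 2;` relies on `ui->nlbufsiz` having been set, but in the visible hunks it is only assigned inside `setnlbufsiz()`, which `start()` calls only when `netlink_socket_buffer_size` is non-zero. If only `netlink_socket_buffer_maxsize` is configured, `s` is presumably 0 (assuming the private area is zero-filled, which is not visible here) and the plugin asks for a zero-sized receive buffer exactly when it is already overrunning; a guard such as `if (ui->nlbufsiz > 0 && setnlbufsiz(upi, ui->nlbufsiz * 2))` plus seeding the field in `start()` would avoid that. Separately, once the maximum is reached every further `ENOBUFS` emits a NOTICE with no rate limit, so sustained overrun turns lost events into a log flood; logging the condition once, or once per interval, would keep the log usable during an incident. The last format string also has the newline inside the quote, ``"`netlink_socket_buffer_maxsize\n'"``, and should read ``"`netlink_socket_buffer_maxsize'\n"``. `nful_read_cb()` starts and ends outside this hunk.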
@@ -468,9 +519,12 @@ static int start(struct ulogd_pluginstance *upi)
 
        nflog_set_mode(ui->nful_gh, NFULNL_COPY_PACKET, 0xffff);
 
-       //nflog_set_nlbufsiz(&ui->nful_gh, );
-       //nfnl_set_rcvbuf();
-       
+       if (nlsockbufsize_ce(upi->config_kset).u.value) {
+               setnlbufsiz(upi, nlsockbufsize_ce(upi->config_kset).u.value);
+               ulogd_log(ULOGD_NOTICE, "NFLOG netlink buffer size has been "
+                                       "set to %d\n", ui->nlbufsiz);
+       }
+
        /* set log flags based on configuration */
        flags = 0;
        if (seq_ce(upi->config_kset).u.value != 0)
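Review bot: The return value of `setnlbufsiz()` is ignored in `start()`, so "NFLOG netlink buffer size has been set to %d" is logged even when the request was rejected by the maximum check, and `ui->nlbufsiz` then holds whatever it had before rather than a size that was applied. Operators reading the log would believe the buffer was raised when it was not. Make the message conditional, `if (setnlbufsiz(upi, nlsockbufsize_ce(upi->config_kset).u.value))` around the `ulogd_log()` call, and consider failing or warning explicitly in the rejected case. `start()` begins and ends outside this hunk.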
index a63026a39e805fb4f193a7b34bc6cee790036ed3..be5e585e232ead7231ea3fea124d8f9e15d20007 100644 (file)
@@ -94,6 +94,8 @@ plugin="@libdir@/ulogd/ulogd_raw2packet_BASE.so"
 [log1]
 # netlink multicast group (the same as the iptables --nflog-group param)
 group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
 
 # IPv6 logging through NFLOG
 [log2]
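Review bot: The two new keys are added to `[log1]` commented out with no explanation, unlike the `group=` entry above them, which has a comment. I would add a short comment stating that both values are in bytes, that `netlink_socket_buffer_size` is the initial receive buffer and `netlink_socket_buffer_maxsize` is the ceiling for the automatic doubling on overrun, and that leaving the maximum unset disables the growth. Since that ceiling is the only cap on the growth visible in this patch, it is worth saying that it bounds the memory the socket may consume under heavy logging.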