sys/netinet/siftr.c
}; | }; | ||||
DPCPU_DEFINE_STATIC(struct siftr_stats, ss); | DPCPU_DEFINE_STATIC(struct siftr_stats, ss); | ||||
static volatile unsigned int siftr_exit_pkt_manager_thread = 0; | static volatile unsigned int siftr_exit_pkt_manager_thread = 0; | ||||
static unsigned int siftr_enabled = 0; | static unsigned int siftr_enabled = 0; | ||||
static unsigned int siftr_pkts_per_log = 1; | static unsigned int siftr_pkts_per_log = 1; | ||||
static unsigned int siftr_generate_hashes = 0; | static unsigned int siftr_generate_hashes = 0; | ||||
static unsigned int siftr_port_filter = 0; | |||||
/* static unsigned int siftr_binary_log = 0; */ | /* static unsigned int siftr_binary_log = 0; */ | ||||
static char siftr_logfile[PATH_MAX] = "/var/log/siftr.log"; | static char siftr_logfile[PATH_MAX] = "/var/log/siftr.log"; | ||||
static char siftr_logfile_shadow[PATH_MAX] = "/var/log/siftr.log"; | static char siftr_logfile_shadow[PATH_MAX] = "/var/log/siftr.log"; | ||||
static u_long siftr_hashmask; | static u_long siftr_hashmask; | ||||
STAILQ_HEAD(pkthead, pkt_node) pkt_queue = STAILQ_HEAD_INITIALIZER(pkt_queue); | STAILQ_HEAD(pkthead, pkt_node) pkt_queue = STAILQ_HEAD_INITIALIZER(pkt_queue); | ||||
LIST_HEAD(listhead, flow_hash_node) *counter_hash; | LIST_HEAD(listhead, flow_hash_node) *counter_hash; | ||||
static int wait_for_pkt; | static int wait_for_pkt; | ||||
static struct alq *siftr_alq = NULL; | static struct alq *siftr_alq = NULL; | ||||
SYSCTL_UINT(_net_inet_siftr, OID_AUTO, ppl, CTLFLAG_RW, | SYSCTL_UINT(_net_inet_siftr, OID_AUTO, ppl, CTLFLAG_RW, | ||||
&siftr_pkts_per_log, 1, | &siftr_pkts_per_log, 1, | ||||
"number of packets between generating a log message"); | "number of packets between generating a log message"); | ||||
SYSCTL_UINT(_net_inet_siftr, OID_AUTO, genhashes, CTLFLAG_RW, | SYSCTL_UINT(_net_inet_siftr, OID_AUTO, genhashes, CTLFLAG_RW, | ||||
&siftr_generate_hashes, 0, | &siftr_generate_hashes, 0, | ||||
"enable packet hash generation"); | "enable packet hash generation"); | ||||
SYSCTL_UINT(_net_inet_siftr, OID_AUTO, port_filter, CTLFLAG_RW, | |||||
&siftr_port_filter, 0, | |||||
brooks: Does it make sense to use SYSCTL_U16 and a uint16_t here to match the port number? | |||||
rscheffAuthorUnsubmitted Done Inline ActionsI assume that also implies that range checking of the user provided value is then done by the sysctl framework? Absolutely, I have to admit, I didn't check all the various types available when fetching the patch. rscheff: I assume that also implies that range checking of the user provided value is then done by the… | |||||
ccUnsubmitted Not Done Inline ActionsWith SYSCTL_U16, this will wraparound and cause unexpected storage. Prefer the SYSCTL_UINT. ccui@FBSD11:~/siftr % sudo sysctl net.inet.siftr.port_filter=22 cc: With SYSCTL_U16, this will wraparound and cause unexpected storage. Prefer the SYSCTL_UINT. | |||||
brooksUnsubmitted Not Done Inline ActionsCrappy kernel API design... The handler should reject over-long inputs, but it's probably unfixable at this date. I'm not sure I care about this case of user error... brooks: Crappy kernel API design... The handler should reject over-long inputs, but it's probably… | |||||
rscheffAuthorUnsubmitted Done Inline ActionsSuggestion:
Whichever way, I believe having a light-weight port filtering available at the siftr level reduces the clutter in the log files enough to be worthwhile. (Also, sysctl returns the actually set value already; if misconfigurations happen frequently, a check should be scripted when setting the filter value, that the set value is the expected value...) rscheff: Suggestion:
* The uint16_t would probably require 4 bytes due to alignment anyway; perhaps we… | |||||
"enable packet filter on a TCP port"); | |||||
/* XXX: TODO | /* XXX: TODO | ||||
SYSCTL_UINT(_net_inet_siftr, OID_AUTO, binary, CTLFLAG_RW, | SYSCTL_UINT(_net_inet_siftr, OID_AUTO, binary, CTLFLAG_RW, | ||||
&siftr_binary_log, 0, | &siftr_binary_log, 0, | ||||
"write log files in binary instead of ascii"); | "write log files in binary instead of ascii"); | ||||
*/ | */ | ||||
/* Begin functions. */ | /* Begin functions. */ | ||||
▲ Show 20 Lines • Show All 571 Lines • ▼ Show 20 Lines | siftr_chkpkt(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, | ||||
* or we're in the timewait state, bail | * or we're in the timewait state, bail | ||||
*/ | */ | ||||
if (tp == NULL || inp->inp_flags & INP_TIMEWAIT) { | if (tp == NULL || inp->inp_flags & INP_TIMEWAIT) { | ||||
if (dir == PFIL_IN) | if (dir == PFIL_IN) | ||||
ss->nskip_in_tcpcb++; | ss->nskip_in_tcpcb++; | ||||
else | else | ||||
ss->nskip_out_tcpcb++; | ss->nskip_out_tcpcb++; | ||||
goto inp_unlock; | |||||
} | |||||
/* | |||||
* Only pkts selected by the tcp port filter | |||||
* can be inserted into the pkt_queue | |||||
*/ | |||||
if (siftr_port_filter && (siftr_port_filter != ntohs(inp->inp_lport)) && | |||||
brooksUnsubmitted Done Inline ActionsI'd tend to use an explicit != 0 since this isn't a bool. brooks: I'd tend to use an explicit != 0 since this isn't a bool. | |||||
(siftr_port_filter != ntohs(inp->inp_fport))) { | |||||
goto inp_unlock; | goto inp_unlock; | ||||
} | } | ||||
pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO); | pn = malloc(sizeof(struct pkt_node), M_SIFTR_PKTNODE, M_NOWAIT|M_ZERO); | ||||
if (pn == NULL) { | if (pn == NULL) { | ||||
if (dir == PFIL_IN) | if (dir == PFIL_IN) | ||||
ss->nskip_in_malloc++; | ss->nskip_in_malloc++; | ||||
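Review bot: Packets rejected by the new port filter (the `goto inp_unlock` after the `ntohs(inp->inp_fport)` comparison) are dropped without touching any siftr_stats counter, whereas the two neighbouring skip paths in this hunk, the missing-tcpcb case above and the malloc failure below, each bump an nskip_in_*/nskip_out_* pair, so the per-direction skip totals kept in that struct no longer account for every packet the hook saw. I would add an nskip_in_port/nskip_out_port pair to struct siftr_stats (its definition lies above the first hunk, so I cannot confirm the existing field list) and increment them before the goto, as in the excerpt below. The sysctl description on the `"enable packet filter on a TCP port"` line does not say that the match is against either the local or the foreign port, nor that 0 disables the filter; `"TCP port to log (matches local or foreign port); 0 logs all ports"` would document what the hook actually implements. siftr_chkpkt begins and ends outside this hunk.
```c
	/*
	 * Only pkts selected by the tcp port filter
	 * can be inserted into the pkt_queue
	 */
	if (siftr_port_filter && (siftr_port_filter != ntohs(inp->inp_lport)) &&
	    (siftr_port_filter != ntohs(inp->inp_fport))) {
		if (dir == PFIL_IN)
			ss->nskip_in_port++;	/* new siftr_stats field */
		else
			ss->nskip_out_port++;	/* new siftr_stats field */
		goto inp_unlock;
	}
	/* … unchanged: pkt_node allocation and malloc-failure accounting … */
```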