On 2020-12-03, at 14:10:38 +0100, Arturo Borrero Gonzalez wrote: > In busy firewalls that run conntrackd in NOTRACK with both internal > and external caches disabled, external_inject can get lots of traffic. > In case of issues injecting or updating conntrack entries a log entry > will be generated, the infamous inject-addX, inject-updX messages. > > But there is nothing end users can do about this error message, is ^^ "which is" > purely internal. This patch is basically cosmetic, relaxing the > message from ERROR to WARNING. The information reported is the same, > but the idea is to leave ERROR messages to issues that would *stop* or > *prevent* conntrackd from working at all. > > Another nice thing to do in the future is to rate-limit this message, > which is generated in the data path and can easily fill log files. But > ideally, the actual root cause would be fixed, and there would be no > WARNING message reported at all, meaning that all conntrack entries > are smothly synced between the firewalls in the cluster. We can work ^^^^^^^ "smoothly" > on that later. > > Signed-off-by: Arturo Borrero Gonzalez <arturo@xxxxxxxxxxxxx> > --- > src/external_inject.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/src/external_inject.c b/src/external_inject.c > index 0ad3478..e4ef569 100644 > --- a/src/external_inject.c > +++ b/src/external_inject.c > @@ -76,12 +76,12 @@ retry: > } > } > external_inject_stat.add_fail++; > - dlog(LOG_ERR, "inject-add1: %s", strerror(errno)); > + dlog(LOG_WARNING, "inject-add1: %s", strerror(errno)); > dlog_ct(STATE(log), ct, NFCT_O_PLAIN); > return; > } > external_inject_stat.add_fail++; > - dlog(LOG_ERR, "inject-add2: %s", strerror(errno)); > + dlog(LOG_WARNING, "inject-add2: %s", strerror(errno)); > dlog_ct(STATE(log), ct, NFCT_O_PLAIN); > } else { > external_inject_stat.add_ok++; 
> @@ -102,7 +102,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct) > if (errno == ENOENT) { > if (nl_create_conntrack(inject, ct, 0) == -1) { > external_inject_stat.upd_fail++; > - dlog(LOG_ERR, "inject-upd1: %s", strerror(errno)); > + dlog(LOG_WARNING, "inject-upd1: %s", strerror(errno)); > dlog_ct(STATE(log), ct, NFCT_O_PLAIN); > } else { > external_inject_stat.upd_ok++; > @@ -117,7 +117,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct) > if (ret == 0 || (ret == -1 && errno == ENOENT)) { > if (nl_create_conntrack(inject, ct, 0) == -1) { > external_inject_stat.upd_fail++; > - dlog(LOG_ERR, "inject-upd2: %s", strerror(errno)); > + dlog(LOG_WARNING, "inject-upd2: %s", strerror(errno)); > dlog_ct(STATE(log), ct, NFCT_O_PLAIN); > } else { > external_inject_stat.upd_ok++; > @@ -125,7 +125,7 @@ static void external_inject_ct_upd(struct nf_conntrack *ct) > return; > } > external_inject_stat.upd_fail++; > - dlog(LOG_ERR, "inject-upd3: %s", strerror(errno)); > + dlog(LOG_WARNING, "inject-upd3: %s", strerror(errno)); > dlog_ct(STATE(log), ct, NFCT_O_PLAIN); > } > > @@ -134,7 +134,7 @@ static void external_inject_ct_del(struct nf_conntrack *ct) > if (nl_destroy_conntrack(inject, ct) == -1) { > if (errno != ENOENT) { > external_inject_stat.del_fail++; > - dlog(LOG_ERR, "inject-del: %s", strerror(errno)); > + dlog(LOG_WARNING, "inject-del: %s", strerror(errno)); > dlog_ct(STATE(log), ct, NFCT_O_PLAIN); > } > } else { > > J.
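Review bot: in the first hunk (`@@ -76,12 +76,12 @@ retry:`), only the `dlog()` lines for `inject-add1` and `inject-add2` change severity. The `dlog_ct(STATE(log), ct, NFCT_O_PLAIN)` call that follows each of them is left as it is, and nothing in the hunk shows which level it logs at. Please confirm that the conntrack dump ends up at the same level as the relabelled message. Otherwise a syslog filter may keep one half of the pair and drop the other. The same pairing appears in every later hunk.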
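Review bot: in the `external_inject_ct_upd()` hunks (`@@ -102,7`, `@@ -117,7`, `@@ -125,7`), the tags `inject-upd1`, `inject-upd2` and `inject-upd3` differ only by a digit and carry nothing but `strerror(errno)`. The commit message says end users cannot act on these messages, so a one-line comment above each `dlog()` saying which path failed would help. Those paths are: create after `ENOENT`, create after the `ret == 0 || (ret == -1 && errno == ENOENT)` branch, and the final fall-through. A short note in the documentation would serve the same purpose. Either makes the warning usable for whoever later chases the root cause.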
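Review bot: in the `external_inject_ct_del()` hunk (`@@ -134,7`), as in the others, moving `inject-del` from `LOG_ERR` to `LOG_WARNING` means a deployment that alerts or forwards only at error severity will stop seeing state-injection failures. The `external_inject_stat.del_fail++` counter, like `add_fail` and `upd_fail` in the earlier hunks, is unchanged and remains the reliable signal. It would be worth saying so in the commit message or release notes so operators switch their monitoring to the counters. That also fits the planned rate-limiting, since a rate-limited log line can no longer be counted.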