
Auke Kok 5dfb9821e3 v19 2019-11-04 14:18:38 -08:00
Auke Kok 348fd7d744 Fixed signedness.
It appears that using a signed int causes the reads from libsystemd-journal
to return incorrect values when comparing time stamps. I've changed them
to unsigned ones and monitored the behaviour on 2 systems for 3 days, and
it no longer misbehaves. I've also made it use `atoll` instead of `atoi`
to prevent incomplete results.
2019-11-04 14:18:12 -08:00
Auke Kok 83201e8b32 v18 2019-10-28 14:27:31 -07:00
Auke Kok 32fc0ecdaa Hide unwanted firewalld-cmd error messages. 2019-10-28 14:27:02 -07:00
2 changed files with 14 additions and 16 deletions
+1 -1
@@ -2,7 +2,7 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ([2.64])
AC_INIT([tallow], [17], [auke-jan.h.kok@intel.com])
AC_INIT([tallow], [19], [auke-jan.h.kok@intel.com])
AM_INIT_AUTOMAKE([foreign -Wall -Werror -Wno-portability silent-rules subdir-objects color-tests
no-dist-gzip dist-xz])
AC_CONFIG_FILES([Makefile])
+13 -15
@@ -71,20 +71,20 @@ static void ext_ignore(char *fmt, ...)
static void reset_rules(void)
{
/* reset all rules in case the running fw changes */
ext_ignore("%s/firewall-cmd --permanent --direct --quiet --remove-rule ipv4 filter INPUT 1 -m set --match-set tallow src -j DROP", ipt_path);
ext_ignore("%s/firewall-cmd --quiet --permanent --delete-ipset=tallow", ipt_path);
ext_ignore("%s/firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 -m set --match-set tallow src -j DROP 2> /dev/null", ipt_path);
ext_ignore("%s/firewall-cmd --permanent --delete-ipset=tallow 2> /dev/null", ipt_path);
/* delete iptables ref to set before the ipset! */
ext_ignore("%s/iptables -t filter -D INPUT -m set --match-set tallow src -j DROP 2> /dev/null", ipt_path);
ext_ignore("%s/ipset destroy tallow 2> /dev/null", ipt_path);
if (has_ipv6) {
ext_ignore("%s/firewall-cmd --permanent --direct --quiet --remove-rule ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP", ipt_path);
ext_ignore("%s/firewall-cmd --permanent --delete-ipset=tallow6 --quiet", ipt_path);
ext_ignore("%s/firewall-cmd --permanent --direct --remove-rule ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP 2> /dev/null", ipt_path);
ext_ignore("%s/firewall-cmd --permanent --delete-ipset=tallow6 2> /dev/null", ipt_path);
/* delete iptables ref to set before the ipset! */
ext_ignore("%s/ip6tables -t filter -D INPUT -m set --match-set tallow6 src -j DROP 2> /dev/null", ipt_path);
ext_ignore("%s/ipset destroy tallow6 2> /dev/null", ipt_path);
ext_ignore("%s/ipset destroy tallow6 2> /dev/null", ipt_path);
}
}
@@ -100,9 +100,7 @@ static void setup(void)
/* firewalld */
char *fwd_path;
if (asprintf(&fwd_path, "%s/firewall-cmd", ipt_path) < 0)
{
fprintf(stderr, "Unable to allocate buffer for path to firewall-cmd.\n");
if (asprintf(&fwd_path, "%s/firewall-cmd", ipt_path) < 0) {
exit(EXIT_FAILURE);
}
@@ -138,10 +136,8 @@ static void setup(void)
fprintf(stderr, "Unable to reload firewalld rules.\n");
exit(EXIT_FAILURE);
}
}
/* iptables */
else {
} else {
/* iptables */
reset_rules();
/* create ipv4 rule and ipset */
@@ -291,7 +287,7 @@ int main(void)
int r;
FILE *f;
int timeout = 60;
long long int last_timestamp = 0;
long long unsigned int last_timestamp = 0;
json_load_patterns();
@@ -400,11 +396,13 @@ int main(void)
* this happens when the journal rotates - we get replayed events
*/
if (sd_journal_get_data(j, "_SOURCE_REALTIME_TIMESTAMP", &dt, &dl) == 0) {
long long int lt = atoi(dt + strlen("_SOURCE_REALTIME_TIMESTAMP="));
long long unsigned int lt = atoll(dt + strlen("_SOURCE_REALTIME_TIMESTAMP="));
if (lt > last_timestamp)
last_timestamp = lt;
else if (lt < last_timestamp)
else if (lt < last_timestamp) {
dbg("Discarding old entry: %llu - %llu\n", lt, last_timestamp);
continue;
}
}
if (sd_journal_get_data(j, "MESSAGE", &d, &l) < 0) {
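Review bot: The new `atoll` call in the `_SOURCE_REALTIME_TIMESTAMP` branch still parses the journal field as an unbounded, unchecked C string: `sd_journal_get_data` hands back an explicit length `dl`, and I cannot confirm from here that the returned field is NUL-terminated, so `strlen`-style scanning past `dl` is at best unverified; `atoll` also reports no error for an empty, non-numeric or out-of-range value and returns a signed `long long` that is then stored into the unsigned `lt`. Note that with the previous `atoi`, a 16-digit microsecond timestamp overflows `int`, so that truncation explains the earlier misbehaviour at least as well as signedness does, and a bounded `strtoull` parse with an end-pointer and `ERANGE` check (which needs `<errno.h>`) makes the discard decision robust either way. The rewrite below copies the value out by length, NUL-terminates it, and drops entries whose timestamp cannot be parsed instead of comparing garbage against `last_timestamp`; `main` begins and ends outside this hunk.
```c
        if (sd_journal_get_data(j, "_SOURCE_REALTIME_TIMESTAMP", &dt, &dl) == 0) {
            static const char prefix[] = "_SOURCE_REALTIME_TIMESTAMP=";
            const size_t plen = sizeof prefix - 1;
            char num[32];
            /* the field is length-delimited (dl); copy the value out and NUL-terminate it */
            if (dl <= plen || dl - plen >= sizeof num) {
                dbg("Discarding entry with malformed timestamp field\n");
                continue;
            }
            memcpy(num, (const char *)dt + plen, dl - plen);
            num[dl - plen] = '\0';
            errno = 0;
            char *end;
            long long unsigned int lt = strtoull(num, &end, 10);
            if (end == num || *end != '\0' || errno == ERANGE) {
                dbg("Discarding entry with unparsable timestamp: %s\n", num);
                continue;
            }
            /* … unchanged: compare lt with last_timestamp and discard older entries … */
        }
```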