<feed xmlns='http://www.w3.org/2005/Atom'>
<title>conntrack-tools.git, branch vyatta/VC6.6R1/amd64</title>
<subtitle>conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git)
</subtitle>
<id>https://git.amelek.net/vyos/conntrack-tools.git/atom?h=vyatta%2FVC6.6R1%2Famd64</id>
<link rel='self' href='https://git.amelek.net/vyos/conntrack-tools.git/atom?h=vyatta%2FVC6.6R1%2Famd64'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/'/>
<updated>2012-12-14T21:27:38+00:00</updated>
<entry>
<title>1:1.0.1-2+vyatta35+daisy4</title>
<updated>2012-12-14T21:27:38+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-12-14T21:27:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=09eea91f145d9b444b9a82463037e9ce61d23db0'/>
<id>urn:sha1:09eea91f145d9b444b9a82463037e9ce61d23db0</id>
<content type='text'>
</content>
</entry>
<entry>
<title>force release: build failed due to race with libnetfilter-conntrack build</title>
<updated>2012-12-14T21:27:37+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-12-14T21:27:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=58f52e58109b867697ad18d20f062a23ca9c1494'/>
<id>urn:sha1:58f52e58109b867697ad18d20f062a23ca9c1494</id>
<content type='text'>
</content>
</entry>
<entry>
<title>1:1.0.1-2+vyatta35+daisy3</title>
<updated>2012-12-13T19:50:31+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-12-13T19:50:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=dc324bb12324ef3c3950737eea31440ed3afdde1'/>
<id>urn:sha1:dc324bb12324ef3c3950737eea31440ed3afdde1</id>
<content type='text'>
</content>
</entry>
<entry>
<title>patch to allow tracking dying and unconfirmed lists in conntrack to detect leaks</title>
<updated>2012-12-13T19:35:34+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-12-13T19:35:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=e0ce5aa88e519caf01e1264c3e8f0d3ac29a4f5e'/>
<id>urn:sha1:e0ce5aa88e519caf01e1264c3e8f0d3ac29a4f5e</id>
<content type='text'>
From patchwork Thu Nov 29 13:52:20 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: conntrack: add support to dump the dying and unconfirmed list via
 ctnetlink
Date: Thu, 29 Nov 2012 03:52:20 -0000
From: Pablo Neira &lt;pablo@netfilter.org&gt;
X-Patchwork-Id: 202751
Message-Id: &lt;1354197140-8498-1-git-send-email-pablo@netfilter.org&gt;
To: netfilter-devel@vger.kernel.org

From: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;

This patch adds support for:

conntrack -L dying
conntrack -L unconfirmed

To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.

Users like to check this to make sure things are going OK. Still, some
conntrack objects may be still in the dying and the unconfirmed list.
With this patch, we can also dump their content, before it was not
possible.

In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;

---
src/conntrack.c |  108 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 95 insertions(+), 13 deletions(-)

Index: conntrack-tools-oxnard-2d010c5/src/conntrack.c
===================================================================
--- conntrack-tools-oxnard-2d010c5.orig/src/conntrack.c	2012-11-30 22:02:18.356340288 +0100
+++ conntrack-tools-oxnard-2d010c5/src/conntrack.c	2012-11-30 22:02:31.011558172 +0100
@@ -820,27 +820,45 @@
 	*cmd |= newcmd;
 }

-static unsigned int
-check_type(int argc, char *argv[])
+static char *get_table(int argc, char *argv[])
 {
 	char *table = NULL;

-	/* Nasty bug or feature in getopt_long ?
+	/* Nasty bug or feature in getopt_long ?
 	 * It seems that it behaves badly with optional arguments.
 	 * Fortunately, I just stole the fix from iptables ;) */
 	if (optarg)
 		return 0;
-	else if (optind &lt; argc &amp;&amp; argv[optind][0] != '-'
-			&amp;&amp; argv[optind][0] != '!')
+	else if (optind &lt; argc &amp;&amp; argv[optind][0] != '-' &amp;&amp;
+		 argv[optind][0] != '!')
 		table = argv[optind++];
-
-	if (!table)
-		return 0;
-
+
+	return table;
+}
+
+enum {
+	CT_TABLE_CONNTRACK,
+	CT_TABLE_EXPECT,
+	CT_TABLE_DYING,
+	CT_TABLE_UNCONFIRMED,
+};
+
+static unsigned int check_type(int argc, char *argv[])
+{
+	const char *table = get_table(argc, argv);
+
+	/* default to conntrack subsystem if nothing has been specified. */
+	if (table == NULL)
+		return CT_TABLE_CONNTRACK;
+
 	if (strncmp("expect", table, strlen(table)) == 0)
-		return 1;
+		return CT_TABLE_EXPECT;
 	else if (strncmp("conntrack", table, strlen(table)) == 0)
-		return 0;
+		return CT_TABLE_CONNTRACK;
+	else if (strncmp("dying", table, strlen(table)) == 0)
+		return CT_TABLE_DYING;
+	else if (strncmp("unconfirmed", table, strlen(table)) == 0)
+		return CT_TABLE_UNCONFIRMED;
 	else
 		exit_error(PARAMETER_PROBLEM, "unknown type `%s'", table);

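Review bot: in get_table() the `if (optarg)` branch still has `return 0;` although the function now returns `char *`; make it `return NULL;` so it reads consistently with `return table;`. In check_type() every strncmp() is bounded by strlen(table), so any prefix is accepted and a zero-length argument compares equal on the first test and selects CT_TABLE_EXPECT. Rejecting an empty table string before the comparisons would avoid that.
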
@@ -1633,6 +1651,27 @@
 	return MNL_CB_OK;
 }

+static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nf_conntrack *ct;
+	char buf[4096];
+
+	ct = nfct_new();
+	if (ct == NULL)
+		return MNL_CB_OK;
+
+	nfct_nlmsg_parse(nlh, ct);
+
+	nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+	printf("%s\n", buf);
+
+	nfct_destroy(ct);
+
+	counter++;
+
+	return MNL_CB_OK;
+}
+
 static struct ctproto_handler *h;

 int main(int argc, char *argv[])
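Review bot: mnl_nfct_dump_cb() ignores the return value of nfct_nlmsg_parse(), so a message that fails to parse is still formatted, printed and counted. Check the result and, on failure, call nfct_destroy(ct) and skip the printf() and the counter++. The nfct_new() failure path also returns MNL_CB_OK silently; returning MNL_CB_ERROR there would let the caller see the allocation failure instead of a short listing.
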
@@ -1667,6 +1706,16 @@
 	switch(c) {
 		/* commands */
 		case 'L':
+			type = check_type(argc, argv);
+			/* Special case: dumping dying and unconfirmed list
+			 * are handled like normal conntrack dumps.
+			 */
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED)
+				add_command(&amp;command, cmd2type[c][0]);
+			else
+				add_command(&amp;command, cmd2type[c][type]);
+			break;
 		case 'I':
 		case 'D':
 		case 'G':
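Review bot: the dying/unconfirmed branch under case 'L' indexes with a literal, `cmd2type[c][0]`, right after this patch introduces named table constants. Use `cmd2type[c][CT_TABLE_CONNTRACK]` so the lookup does not silently depend on the enum order, and extend the comment to say that `type` is kept as-is because the CT_LIST handler tests it later.
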
@@ -1677,14 +1726,25 @@
 		case 'C':
 		case 'S':
 			type = check_type(argc, argv);
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			}
 			add_command(&amp;command, cmd2type[c][type]);
 			break;
 		case 'U':
 			type = check_type(argc, argv);
-			if (type == 0)
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			} else if (type == CT_TABLE_CONNTRACK)
 				add_command(&amp;command, CT_UPDATE);
 			else
-				exit_error(PARAMETER_PROBLEM,
+				exit_error(PARAMETER_PROBLEM,
 					   "Can't update expectations");
 			break;
 		/* options */
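Review bot: the CT_TABLE_DYING / CT_TABLE_UNCONFIRMED rejection and its message string are duplicated verbatim in the shared command case and again under case 'U'. A small helper called right after check_type() would keep the two in sync. The message "Can't do that command" does not say which command was refused; including the option character would help the user. The removed and re-added `exit_error(PARAMETER_PROBLEM,` line under 'U' looks like a whitespace-only change and would be better in a separate cleanup.
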
@@ -1884,6 +1944,28 @@
 	struct nfct_filter_dump *filter_dump;

 	case CT_LIST:
+		if (type == CT_TABLE_DYING) {
+			if (nfct_mnl_socket_open() &lt; 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_DYING,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		} else if (type == CT_TABLE_UNCONFIRMED) {
+			if (nfct_mnl_socket_open() &lt; 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_UNCONFIRMED,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		}
+
 		cth = nfct_open(CONNTRACK, 0);
 		if (!cth)
 			exit_error(OTHER_PROBLEM, "Can't open handler");
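Review bot: the CT_TABLE_DYING and CT_TABLE_UNCONFIRMED branches under CT_LIST are identical except for the message type passed to nfct_mnl_dump(). Select IPCTNL_MSG_CT_GET_DYING or IPCTNL_MSG_CT_GET_UNCONFIRMED into a local variable and keep a single open/dump/close sequence. Both branches `break` before the rest of the CT_LIST handling and mnl_nfct_dump_cb prints every entry unconditionally, so it is worth a comment (and a line in the usage text) that the usual listing options have no effect on these two tables.
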
(cherry picked from commit 2cd070dbd7966af448ef38b245bb59c002bbcedb)

Conflicts:

	debian/changelog
</content>
</entry>
<entry>
<title>1:1.0.1-2+vyatta35+daisy2</title>
<updated>2012-10-13T20:33:50+00:00</updated>
<author>
<name>John Southworth</name>
<email>john.southworth@vyatta.com</email>
</author>
<published>2012-10-13T20:33:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=d8cb0fe1f560a884028656e49576647ed68fb19d'/>
<id>urn:sha1:d8cb0fe1f560a884028656e49576647ed68fb19d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>1:1.0.1-2+vyatta35+daisy1</title>
<updated>2012-10-13T20:29:19+00:00</updated>
<author>
<name>John Southworth</name>
<email>john.southworth@vyatta.com</email>
</author>
<published>2012-10-13T20:29:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=35c2fa1c9217c0739ec86b978b7cfd6097e6243a'/>
<id>urn:sha1:35c2fa1c9217c0739ec86b978b7cfd6097e6243a</id>
<content type='text'>
</content>
</entry>
<entry>
<title>create daisy branch</title>
<updated>2012-10-13T20:29:18+00:00</updated>
<author>
<name>John Southworth</name>
<email>john.southworth@vyatta.com</email>
</author>
<published>2012-10-13T20:29:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=01443d7713d2ce2659039cb221da8d116337bb7e'/>
<id>urn:sha1:01443d7713d2ce2659039cb221da8d116337bb7e</id>
<content type='text'>
</content>
</entry>
<entry>
<title>1:1.0.1-2+vyatta35</title>
<updated>2012-09-12T21:06:02+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-09-12T21:06:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=90a17911e9fe2aa36330a9a8da1ff6c622fbb6a6'/>
<id>urn:sha1:90a17911e9fe2aa36330a9a8da1ff6c622fbb6a6</id>
<content type='text'>
</content>
</entry>
<entry>
<title>conntrackd: parse: fix wrong maximum length for ATTR_EXP_FN</title>
<updated>2012-09-12T21:05:08+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-09-08T19:39:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=15edbf1df499f97ff39d9d316ebb288abcf180cd'/>
<id>urn:sha1:15edbf1df499f97ff39d9d316ebb288abcf180cd</id>
<content type='text'>
It was set to NFCT_HELPER_NAME_MAX (16 bytes), but we have function
names that are larger, eg. nf-nat-follow-master which is 18 bytes
long.

This leads to hitting malformed message while synchronizing
expectations.

I'll add some new constant to libnetfilter_conntrack instead of
hardcoding this, later.

Reported-by: Gaurav Sinha &lt;gaurav.sinha@vyatta.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
(cherry picked from commit 46faeab56cf4117f41cb6f1f1c40a9c18a81372f)
(cherry picked from commit 0cf70ce9b1bcb63d54d9514558b74ae2bde39d9f)
</content>
</entry>
<entry>
<title>1:1.0.1-2+vyatta34</title>
<updated>2012-07-31T17:25:55+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-07-31T17:25:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=fe17d8f3c6c08b08eb3971a0efcba1a0063733a3'/>
<id>urn:sha1:fe17d8f3c6c08b08eb3971a0efcba1a0063733a3</id>
<content type='text'>
</content>
</entry>
</feed>
