<feed xmlns='http://www.w3.org/2005/Atom'>
<title>conntrack-tools.git/src, branch helium</title>
<subtitle>conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git)
</subtitle>
<id>https://git.amelek.net/vyos/conntrack-tools.git/atom?h=helium</id>
<link rel='self' href='https://git.amelek.net/vyos/conntrack-tools.git/atom?h=helium'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/'/>
<updated>2012-12-13T19:35:34+00:00</updated>
<entry>
<title>patch to allow tracking dying and unconfirmed lists in conntrack to detect leaks</title>
<updated>2012-12-13T19:35:34+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-12-13T19:35:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=e0ce5aa88e519caf01e1264c3e8f0d3ac29a4f5e'/>
<id>urn:sha1:e0ce5aa88e519caf01e1264c3e8f0d3ac29a4f5e</id>
<content type='text'>
From patchwork Thu Nov 29 13:52:20 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: conntrack: add support to dump the dying and unconfirmed list via
 ctnetlink
Date: Thu, 29 Nov 2012 03:52:20 -0000
From: Pablo Neira &lt;pablo@netfilter.org&gt;
X-Patchwork-Id: 202751
Message-Id: &lt;1354197140-8498-1-git-send-email-pablo@netfilter.org&gt;
To: netfilter-devel@vger.kernel.org

From: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;

This patch adds support for:

conntrack -L dying
conntrack -L unconfirmed

To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.

Users like to check this to make sure things are going OK. Still, some
conntrack objects may still be in the dying and the unconfirmed lists.
With this patch, we can also dump their content; before, it was not
possible.

In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;

---
src/conntrack.c |  108 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 95 insertions(+), 13 deletions(-)

Index: conntrack-tools-oxnard-2d010c5/src/conntrack.c
===================================================================
--- conntrack-tools-oxnard-2d010c5.orig/src/conntrack.c	2012-11-30 22:02:18.356340288 +0100
+++ conntrack-tools-oxnard-2d010c5/src/conntrack.c	2012-11-30 22:02:31.011558172 +0100
@@ -820,27 +820,45 @@
 	*cmd |= newcmd;
 }

-static unsigned int
-check_type(int argc, char *argv[])
+static char *get_table(int argc, char *argv[])
 {
 	char *table = NULL;

-	/* Nasty bug or feature in getopt_long ?
+	/* Nasty bug or feature in getopt_long ?
 	 * It seems that it behaves badly with optional arguments.
 	 * Fortunately, I just stole the fix from iptables ;) */
 	if (optarg)
 		return 0;
-	else if (optind &lt; argc &amp;&amp; argv[optind][0] != '-'
-			&amp;&amp; argv[optind][0] != '!')
+	else if (optind &lt; argc &amp;&amp; argv[optind][0] != '-' &amp;&amp;
+		 argv[optind][0] != '!')
 		table = argv[optind++];
-
-	if (!table)
-		return 0;
-
+
+	return table;
+}
+
+enum {
+	CT_TABLE_CONNTRACK,
+	CT_TABLE_EXPECT,
+	CT_TABLE_DYING,
+	CT_TABLE_UNCONFIRMED,
+};
+
+static unsigned int check_type(int argc, char *argv[])
+{
+	const char *table = get_table(argc, argv);
+
+	/* default to conntrack subsystem if nothing has been specified. */
+	if (table == NULL)
+		return CT_TABLE_CONNTRACK;
+
 	if (strncmp("expect", table, strlen(table)) == 0)
-		return 1;
+		return CT_TABLE_EXPECT;
 	else if (strncmp("conntrack", table, strlen(table)) == 0)
-		return 0;
+		return CT_TABLE_CONNTRACK;
+	else if (strncmp("dying", table, strlen(table)) == 0)
+		return CT_TABLE_DYING;
+	else if (strncmp("unconfirmed", table, strlen(table)) == 0)
+		return CT_TABLE_UNCONFIRMED;
 	else
 		exit_error(PARAMETER_PROBLEM, "unknown type `%s'", table);

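Review bot: get_table() now returns a pointer, so the early exit on optarg should read `return NULL;` rather than `return 0;`, and the prefix match `strncmp("expect", table, strlen(table))` treats an empty string argument (e.g. `conntrack -L ""`) as a match for every table, so "expect" silently wins; add a `table[0] == '\0'` guard in get_table() or reject an empty name in check_type(). The final `exit_error(PARAMETER_PROBLEM, ...)` branch is the only path with no return value, which is fine only if exit_error() is declared noreturn.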
@@ -1633,6 +1651,27 @@
 	return MNL_CB_OK;
 }

+static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nf_conntrack *ct;
+	char buf[4096];
+
+	ct = nfct_new();
+	if (ct == NULL)
+		return MNL_CB_OK;
+
+	nfct_nlmsg_parse(nlh, ct);
+
+	nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+	printf("%s\n", buf);
+
+	nfct_destroy(ct);
+
+	counter++;
+
+	return MNL_CB_OK;
+}
+
 static struct ctproto_handler *h;

 int main(int argc, char *argv[])
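Review bot: mnl_nfct_dump_cb() ignores the return value of nfct_nlmsg_parse(), so a message that fails to parse is printed from a freshly allocated, unpopulated object and still increments `counter`; check it and drop the object, e.g. `if (nfct_nlmsg_parse(nlh, ct) &lt; 0) { nfct_destroy(ct); return MNL_CB_ERROR; }`. Returning MNL_CB_OK when nfct_new() fails likewise drops an entry from the dump and the count without any diagnostic; an allocation failure should at least be reported.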
@@ -1667,6 +1706,16 @@
 	switch(c) {
 		/* commands */
 		case 'L':
+			type = check_type(argc, argv);
+			/* Special case: dumping dying and unconfirmed list
+			 * are handled like normal conntrack dumps.
+			 */
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED)
+				add_command(&amp;command, cmd2type[c][0]);
+			else
+				add_command(&amp;command, cmd2type[c][type]);
+			break;
 		case 'I':
 		case 'D':
 		case 'G':
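Review bot: `cmd2type[c][0]` in the dying/unconfirmed branch is a magic index now that the CT_TABLE_* enum exists; write it as `cmd2type[c][CT_TABLE_CONNTRACK]`, and extend the comment to say that `type` deliberately keeps the value CT_TABLE_DYING or CT_TABLE_UNCONFIRMED so the CT_LIST handler can branch on it later, since the command itself is registered as a plain conntrack list.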
@@ -1677,14 +1726,25 @@
 		case 'C':
 		case 'S':
 			type = check_type(argc, argv);
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			}
 			add_command(&amp;command, cmd2type[c][type]);
 			break;
 		case 'U':
 			type = check_type(argc, argv);
-			if (type == 0)
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			} else if (type == CT_TABLE_CONNTRACK)
 				add_command(&amp;command, CT_UPDATE);
 			else
-				exit_error(PARAMETER_PROBLEM,
+				exit_error(PARAMETER_PROBLEM,
 					   "Can't update expectations");
 			break;
 		/* options */
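Review bot: the dying/unconfirmed rejection and its "Can't do that command with tables `dying' and `unconfirmed'" string are copy-pasted into the 'C'/'S' block and the 'U' block; factor them into one small helper so the message and the set of rejected tables cannot drift apart. The 'I', 'D' and 'G' cases from the previous hunk appear to fall through into this same `type = check_type(argc, argv)` block, which is fine as long as no other command path indexes cmd2type with the new enum values.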
@@ -1884,6 +1944,28 @@
 	struct nfct_filter_dump *filter_dump;

 	case CT_LIST:
+		if (type == CT_TABLE_DYING) {
+			if (nfct_mnl_socket_open() &lt; 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_DYING,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		} else if (type == CT_TABLE_UNCONFIRMED) {
+			if (nfct_mnl_socket_open() &lt; 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_UNCONFIRMED,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		}
+
 		cth = nfct_open(CONNTRACK, 0);
 		if (!cth)
 			exit_error(OTHER_PROBLEM, "Can't open handler");
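Review bot: the CT_TABLE_DYING and CT_TABLE_UNCONFIRMED branches are identical apart from the ctnetlink message type; select IPCTNL_MSG_CT_GET_DYING or IPCTNL_MSG_CT_GET_UNCONFIRMED first and then open, dump and close once. `res` is assigned from nfct_mnl_dump() but not examined before `break`, and the socket is closed regardless of the outcome; since the rest of CT_LIST works on the libnetfilter_conntrack handle `cth` rather than the mnl socket, please confirm that the code after the switch reports a negative `res` for this path rather than treating an empty or failed dump as success.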
(cherry picked from commit 2cd070dbd7966af448ef38b245bb59c002bbcedb)

Conflicts:

	debian/changelog
</content>
</entry>
<entry>
<title>conntrackd: parse: fix wrong maximum length for ATTR_EXP_FN</title>
<updated>2012-09-12T21:05:08+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-09-08T19:39:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=15edbf1df499f97ff39d9d316ebb288abcf180cd'/>
<id>urn:sha1:15edbf1df499f97ff39d9d316ebb288abcf180cd</id>
<content type='text'>
It was set to NFCT_HELPER_NAME_MAX (16 bytes), but we have function
names that are larger, e.g. nf-nat-follow-master which is 18 bytes
long.

This leads to hitting malformed message while synchronizing
expectations.

I'll add some new constant to libnetfilter_conntrack instead of
hardcoding this, later.

Reported-by: Gaurav Sinha &lt;gaurav.sinha@vyatta.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
(cherry picked from commit 46faeab56cf4117f41cb6f1f1c40a9c18a81372f)
(cherry picked from commit 0cf70ce9b1bcb63d54d9514558b74ae2bde39d9f)
</content>
</entry>
<entry>
<title>fixing 8243: fix will selectively flush the conntrack table on master, ignoring ignored addresses during flush</title>
<updated>2012-07-31T17:25:05+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-07-31T17:25:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=0048c67d414381245942cd83410006d1dfea9c75'/>
<id>urn:sha1:0048c67d414381245942cd83410006d1dfea9c75</id>
<content type='text'>
</content>
</entry>
<entry>
<title>conntrackd: fix commit operation, needs to be synchronous</title>
<updated>2012-07-07T00:03:36+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-07-04T22:42:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=a3650c974b2c8a57ea29241ced3a79f0ffb6dff8'/>
<id>urn:sha1:a3650c974b2c8a57ea29241ced3a79f0ffb6dff8</id>
<content type='text'>
While adding the expectation support for conntrackd, I accidentally
broke synchrony in 'conntrackd -c' command.

Basically, conntrackd -c should not return control to the shell
until the cache has been committed.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
(cherry picked from commit 7eb63b5872f07903d952aa5cfd6ad0e7647a066a)
(cherry picked from commit 93d244a982f80a691bfb6eb4e17e2cccc32a5cb9)
</content>
</entry>
<entry>
<title>conntrackd: add bugtrap notice in case of flush while commit in progress</title>
<updated>2012-07-07T00:03:18+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-07-04T22:17:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=141fb636bc0bea8e31b65414ce962b06c56028f2'/>
<id>urn:sha1:141fb636bc0bea8e31b65414ce962b06c56028f2</id>
<content type='text'>
Flushing the external cache, i.e. conntrackd -f, while commit is in progress
is not allowed anymore, i.e. conntrackd -c.

Note that conntrackd -c is synchronous. Thus, it returns control to the
caller once the commit has finished.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
(cherry picked from commit 8648ae6d08bb84030c2c3519454532f6e04e31d9)
(cherry picked from commit 3611b5f5992837224205361c25cfed55c47af8c4)
</content>
</entry>
<entry>
<title>Merge branch 'cthelper12' of git://git.netfilter.org/conntrack-tools into pacifica</title>
<updated>2012-06-07T17:36:39+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-06-07T17:36:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=375a9a47f361a5abc7aa8674979a0ac881d45d90'/>
<id>urn:sha1:375a9a47f361a5abc7aa8674979a0ac881d45d90</id>
<content type='text'>
Conflicts:
	include/helper.h
	src/expect.c
	src/helpers/ftp.c
	src/helpers/rpc.c
	src/helpers/tns.c
	tests/conntrackd/cthelper/main.c
	tests/conntrackd/cthelper/run-test.sh
</content>
</entry>
<entry>
<title>conntrackd: TNS helper added to cthelper</title>
<updated>2012-06-07T15:39:38+00:00</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2012-05-15T12:43:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=bd417501343532713120c114eda951bd4581a46d'/>
<id>urn:sha1:bd417501343532713120c114eda951bd4581a46d</id>
<content type='text'>
Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: RPC helper added to cthelper</title>
<updated>2012-06-07T15:36:56+00:00</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2012-05-15T12:31:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=265c4f8e4e47daa146446f48d2eb15ece627b658'/>
<id>urn:sha1:265c4f8e4e47daa146446f48d2eb15ece627b658</id>
<content type='text'>
How to use this helper in a few steps:

1) You can enable this helper via:

 nfct helper add rpc inet tcp
 nfct helper add rpc inet udp

2) Configure /etc/conntrackd/conntrackd.conf and launch it.

3) You can test this helper locally with the following rule-set:

 iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
 iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
 iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
 iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -P OUTPUT DROP

4) Configure NFS and export some local directory. Then, mount it with version 3.

 mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/

You should see permanent expectations created for this.

Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>conntrackd: add cthelper infrastructure (+ example FTP helper)</title>
<updated>2012-06-07T15:33:22+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-05-14T23:51:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=a6cf1454b9a435d489ebdc0692058a3c27a59e30'/>
<id>urn:sha1:a6cf1454b9a435d489ebdc0692058a3c27a59e30</id>
<content type='text'>
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.

There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:

 doc/helper/conntrackd.conf

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'cthelper10' of git://git.netfilter.org/conntrack-tools into user_space_helpers</title>
<updated>2012-06-01T18:53:27+00:00</updated>
<author>
<name>Gaurav Sinha</name>
<email>gaurav.sinha@vyatta.com</email>
</author>
<published>2012-06-01T18:53:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/conntrack-tools.git/commit/?id=a73f21e48caff390fde2c1a31e55fe1fba2c82fa'/>
<id>urn:sha1:a73f21e48caff390fde2c1a31e55fe1fba2c82fa</id>
<content type='text'>
Conflicts:
	src/cthelper.c
	src/helpers/ftp.c
	src/helpers/tns.c
</content>
</entry>
</feed>
