From patchwork Thu Nov 29 13:52:20 2012

Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: conntrack: add support to dump the dying and unconfirmed list via
 ctnetlink
Date: Thu, 29 Nov 2012 03:52:20 -0000
From: Pablo Neira <pablo@netfilter.org>
X-Patchwork-Id: 202751
Message-Id: <1354197140-8498-1-git-send-email-pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org

From: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for:

conntrack -L dying
conntrack -L unconfirmed

To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.

Users like to check this to make sure things are going OK. Still, some
conntrack objects may be still in the dying and the unconfirmed list.
With this patch, we can also dump their content, before it was not
possible.

In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

---
src/conntrack.c |  108 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 95 insertions(+), 13 deletions(-)

Index: conntrack-tools-oxnard-2d010c5/src/conntrack.c
===================================================================
--- conntrack-tools-oxnard-2d010c5.orig/src/conntrack.c	2012-11-30 22:02:18.356340288 +0100
+++ conntrack-tools-oxnard-2d010c5/src/conntrack.c	2012-11-30 22:02:31.011558172 +0100
@@ -820,27 +820,45 @@
 	*cmd |= newcmd;
 }

-static unsigned int
-check_type(int argc, char *argv[])
+static char *get_table(int argc, char *argv[])
 {
 	char *table = NULL;

-	/* Nasty bug or feature in getopt_long ?
+	/* Nasty bug or feature in getopt_long ?
 	 * It seems that it behaves badly with optional arguments.
 	 * Fortunately, I just stole the fix from iptables ;) */
 	if (optarg)
 		return 0;
-	else if (optind < argc && argv[optind][0] != '-'
-			&& argv[optind][0] != '!')
+	else if (optind < argc && argv[optind][0] != '-' &&
+		 argv[optind][0] != '!')
 		table = argv[optind++];
-
-	if (!table)
-		return 0;
-
+
+	return table;
+}
+
+enum {
+	CT_TABLE_CONNTRACK,
+	CT_TABLE_EXPECT,
+	CT_TABLE_DYING,
+	CT_TABLE_UNCONFIRMED,
+};
+
+static unsigned int check_type(int argc, char *argv[])
+{
+	const char *table = get_table(argc, argv);
+
+	/* default to conntrack subsystem if nothing has been specified. */
+	if (table == NULL)
+		return CT_TABLE_CONNTRACK;
+
 	if (strncmp("expect", table, strlen(table)) == 0)
-		return 1;
+		return CT_TABLE_EXPECT;
 	else if (strncmp("conntrack", table, strlen(table)) == 0)
-		return 0;
+		return CT_TABLE_CONNTRACK;
+	else if (strncmp("dying", table, strlen(table)) == 0)
+		return CT_TABLE_DYING;
+	else if (strncmp("unconfirmed", table, strlen(table)) == 0)
+		return CT_TABLE_UNCONFIRMED;
 	else
 		exit_error(PARAMETER_PROBLEM, "unknown type `%s'", table);

@@ -1633,6 +1651,27 @@
 	return MNL_CB_OK;
 }

+static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nf_conntrack *ct;
+	char buf[4096];
+
+	ct = nfct_new();
+	if (ct == NULL)
+		return MNL_CB_OK;
+
+	nfct_nlmsg_parse(nlh, ct);
+
+	nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+	printf("%s\n", buf);
+
+	nfct_destroy(ct);
+
+	counter++;
+
+	return MNL_CB_OK;
+}
+
 static struct ctproto_handler *h;

 int main(int argc, char *argv[])
@@ -1667,6 +1706,16 @@
 	switch(c) {
 		/* commands */
 		case 'L':
+			type = check_type(argc, argv);
+			/* Special case: dumping dying and unconfirmed list
+			 * are handled like normal conntrack dumps.
+			 */
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED)
+				add_command(&command, cmd2type[c][0]);
+			else
+				add_command(&command, cmd2type[c][type]);
+			break;
 		case 'I':
 		case 'D':
 		case 'G':
@@ -1677,14 +1726,25 @@
 		case 'C':
 		case 'S':
 			type = check_type(argc, argv);
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			}
 			add_command(&command, cmd2type[c][type]);
 			break;
 		case 'U':
 			type = check_type(argc, argv);
-			if (type == 0)
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			} else if (type == CT_TABLE_CONNTRACK)
 				add_command(&command, CT_UPDATE);
 			else
-				exit_error(PARAMETER_PROBLEM,
+				exit_error(PARAMETER_PROBLEM,
 					   "Can't update expectations");
 			break;
 		/* options */
@@ -1884,6 +1944,28 @@
 	struct nfct_filter_dump *filter_dump;

 	case CT_LIST:
+		if (type == CT_TABLE_DYING) {
+			if (nfct_mnl_socket_open() < 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_DYING,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		} else if (type == CT_TABLE_UNCONFIRMED) {
+			if (nfct_mnl_socket_open() < 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_UNCONFIRMED,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		}
+
 		cth = nfct_open(CONNTRACK, 0);
 		if (!cth)
 			exit_error(OTHER_PROBLEM, "Can't open handler");

4 files changed, 320 insertions, 22 deletions

diff --git a/debian/changelog b/debian/changelog
index 8a4a620..c84ce6c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+conntrack (1:1.0.1-2+vyatta20+oxnard7) unstable; urgency=low
+
+  [ Pablo Neira Ayuso ]
+  * conntrackd: parse: fix wrong maximum length for ATTR_EXP_FN
+
+  [ Gaurav Sinha ]
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com>  Wed, 12 Sep 2012 10:54:31 -0700
+
 conntrack (1:1.0.1-2+vyatta20+oxnard6) unstable; urgency=low
 
   [ Pablo Neira Ayuso ]
diff --git a/include/conntrack.h b/include/conntrack.h
index 3882de7..fd6126b 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -9,7 +9,7 @@
 
 #include <netinet/in.h>
 
-#define NUMBER_OF_CMD   18
+#define NUMBER_OF_CMD   19
 #define NUMBER_OF_OPT   24
 
 struct ctproto_handler {
diff --git a/src/Makefile.am b/src/Makefile.am
index 0b047e9..e00d35b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -9,7 +9,8 @@ CLEANFILES = read_config_yy.c read_config_lex.c
 sbin_PROGRAMS = conntrack conntrackd nfct
 
 conntrack_SOURCES = conntrack.c
-conntrack_LDADD = ../extensions/libct_proto_tcp.la ../extensions/libct_proto_udp.la ../extensions/libct_proto_udplite.la ../extensions/libct_proto_icmp.la ../extensions/libct_proto_icmpv6.la ../extensions/libct_proto_sctp.la ../extensions/libct_proto_dccp.la ../extensions/libct_proto_gre.la ../extensions/libct_proto_unknown.la ${LIBNETFILTER_CONNTRACK_LIBS}
+
+conntrack_LDADD = ../extensions/libct_proto_tcp.la ../extensions/libct_proto_udp.la ../extensions/libct_proto_udplite.la ../extensions/libct_proto_icmp.la ../extensions/libct_proto_icmpv6.la ../extensions/libct_proto_sctp.la ../extensions/libct_proto_dccp.la ../extensions/libct_proto_gre.la ../extensions/libct_proto_unknown.la ${LIBNETFILTER_CONNTRACK_LIBS} ${LIBMNL_LIBS}
 
 nfct_SOURCES = nfct.c			\
 	       helpers.c			\
diff --git a/src/conntrack.c b/src/conntrack.c
index 07cc2f9..ee85022 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -34,6 +34,8 @@
  * 	Ported to the new libnetfilter_conntrack API
  * 2008-04-13 Pablo Neira Ayuso <pablo@netfilter.org>:
  *	Way more flexible update and delete operations
+ *
+ * Part of this code has been funded by Sophos Astaro <http://www.sophos.com>
  */
 
 #include "conntrack.h"
@@ -57,6 +59,7 @@
 #include <netdb.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <libmnl/libmnl.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 
 struct u32_mask {
@@ -157,8 +160,11 @@ enum ct_command {
 	EXP_COUNT_BIT	= 16,
 	EXP_COUNT	= (1 << EXP_COUNT_BIT),
 
-	X_STATS_BIT	= 17,
-	X_STATS		= (1 << X_STATS_BIT),
+	CT_STATS_BIT	= 17,
+	CT_STATS	= (1 << CT_STATS_BIT),
+
+	EXP_STATS_BIT	= 18,
+	EXP_STATS	= (1 << EXP_STATS_BIT),
 };
 /* If you add a new command, you have to update NUMBER_OF_CMD in conntrack.h */
 
@@ -352,7 +358,8 @@ static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
 /*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0},
 /*CT_COUNT*/  {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 /*EXP_COUNT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*X_STATS*/   {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*CT_STATS*/  {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_STATS*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 };
 
 static const int cmd2type[][2] = {
@@ -365,6 +372,7 @@ static const int cmd2type[][2] = {
 	['V']	= { CT_VERSION,	CT_VERSION },
 	['h']	= { CT_HELP,	CT_HELP },
 	['C']	= { CT_COUNT,	EXP_COUNT },
+	['S']	= { CT_STATS,	EXP_STATS },
 };
 
 static const int opt2type[] = {
@@ -812,27 +820,45 @@ add_command(unsigned int *cmd, const int newcmd)
 	*cmd |= newcmd;
 }
 
-static unsigned int
-check_type(int argc, char *argv[])
+static char *get_table(int argc, char *argv[])
 {
 	char *table = NULL;
 
-	/* Nasty bug or feature in getopt_long ? 
+	/* Nasty bug or feature in getopt_long ?
 	 * It seems that it behaves badly with optional arguments.
 	 * Fortunately, I just stole the fix from iptables ;) */
 	if (optarg)
 		return 0;
-	else if (optind < argc && argv[optind][0] != '-' 
-			&& argv[optind][0] != '!')
+	else if (optind < argc && argv[optind][0] != '-' &&
+		 argv[optind][0] != '!')
 		table = argv[optind++];
-	
-	if (!table)
-		return 0;
-		
+
+	return table;
+}
+
+enum {
+	CT_TABLE_CONNTRACK,
+	CT_TABLE_EXPECT,
+	CT_TABLE_DYING,
+	CT_TABLE_UNCONFIRMED,
+};
+
+static unsigned int check_type(int argc, char *argv[])
+{
+	const char *table = get_table(argc, argv);
+
+	/* default to conntrack subsystem if nothing has been specified. */
+	if (table == NULL)
+		return CT_TABLE_CONNTRACK;
+
 	if (strncmp("expect", table, strlen(table)) == 0)
-		return 1;
+		return CT_TABLE_EXPECT;
 	else if (strncmp("conntrack", table, strlen(table)) == 0)
-		return 0;
+		return CT_TABLE_CONNTRACK;
+	else if (strncmp("dying", table, strlen(table)) == 0)
+		return CT_TABLE_DYING;
+	else if (strncmp("unconfirmed", table, strlen(table)) == 0)
+		return CT_TABLE_UNCONFIRMED;
 	else
 		exit_error(PARAMETER_PROBLEM, "unknown type `%s'", table);
 
@@ -1460,6 +1486,192 @@ out_err:
 	return ret;
 }
 
+static struct nfct_mnl_socket {
+	struct mnl_socket	*mnl;
+	uint32_t		portid;
+} sock;
+
+static int nfct_mnl_socket_open(void)
+{
+	sock.mnl = mnl_socket_open(NETLINK_NETFILTER);
+	if (sock.mnl == NULL) {
+		perror("mnl_socket_open");
+		return -1;
+	}
+	if (mnl_socket_bind(sock.mnl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		perror("mnl_socket_bind");
+		return -1;
+	}
+	sock.portid = mnl_socket_get_portid(sock.mnl);
+
+	return 0;
+}
+
+static struct nlmsghdr *
+nfct_mnl_nlmsghdr_put(char *buf, uint16_t subsys, uint16_t type)
+{
+	struct nlmsghdr *nlh;
+	struct nfgenmsg *nfh;
+
+	nlh = mnl_nlmsg_put_header(buf);
+	nlh->nlmsg_type = (subsys << 8) | type;
+	nlh->nlmsg_flags = NLM_F_REQUEST|NLM_F_DUMP;
+	nlh->nlmsg_seq = time(NULL);
+
+	nfh = mnl_nlmsg_put_extra_header(nlh, sizeof(struct nfgenmsg));
+	nfh->nfgen_family = AF_INET;
+	nfh->version = NFNETLINK_V0;
+	nfh->res_id = 0;
+
+	return nlh;
+}
+
+static void nfct_mnl_socket_close(void)
+{
+	mnl_socket_close(sock.mnl);
+}
+
+static int
+nfct_mnl_dump(uint16_t subsys, uint16_t type, mnl_cb_t cb)
+{
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	int res;
+
+	nlh = nfct_mnl_nlmsghdr_put(buf, subsys, type);
+
+	res = mnl_socket_sendto(sock.mnl, nlh, nlh->nlmsg_len);
+	if (res < 0)
+		return res;
+
+	res = mnl_socket_recvfrom(sock.mnl, buf, sizeof(buf));
+	while (res > 0) {
+		res = mnl_cb_run(buf, res, nlh->nlmsg_seq, sock.portid,
+					 cb, NULL);
+		if (res <= MNL_CB_STOP)
+			break;
+
+		res = mnl_socket_recvfrom(sock.mnl, buf, sizeof(buf));
+	}
+
+	return res;
+}
+
+static int nfct_stats_attr_cb(const struct nlattr *attr, void *data)
+{
+	const struct nlattr **tb = data;
+	int type = mnl_attr_get_type(attr);
+
+	if (mnl_attr_type_valid(attr, CTA_STATS_MAX) < 0)
+		return MNL_CB_OK;
+
+	if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
+		perror("mnl_attr_validate");
+		return MNL_CB_ERROR;
+	}
+
+	tb[type] = attr;
+	return MNL_CB_OK;
+}
+
+static int nfct_stats_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nlattr *tb[CTA_STATS_MAX+1] = {};
+	struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh);
+	const char *attr2name[CTA_STATS_MAX+1] = {
+		[CTA_STATS_SEARCHED]	= "searched",
+		[CTA_STATS_FOUND]	= "found",
+		[CTA_STATS_NEW]		= "new",
+		[CTA_STATS_INVALID]	= "invalid",
+		[CTA_STATS_IGNORE]	= "ignore",
+		[CTA_STATS_DELETE]	= "delete",
+		[CTA_STATS_DELETE_LIST]	= "delete_list",
+		[CTA_STATS_INSERT]	= "insert",
+		[CTA_STATS_INSERT_FAILED] = "insert_failed",
+		[CTA_STATS_DROP]	= "drop",
+		[CTA_STATS_EARLY_DROP]	= "early_drop",
+		[CTA_STATS_ERROR]	= "error",
+		[CTA_STATS_SEARCH_RESTART] = "search_restart",
+	};
+	int i;
+
+	mnl_attr_parse(nlh, sizeof(*nfg), nfct_stats_attr_cb, tb);
+
+	printf("cpu=%-4u\t", ntohs(nfg->res_id));
+
+	for (i=0; i<CTA_STATS_MAX+1; i++) {
+		if (tb[i]) {
+			printf("%s=%u ",
+				attr2name[i], ntohl(mnl_attr_get_u32(tb[i])));
+		}
+	}
+	printf("\n");
+	return MNL_CB_OK;
+}
+
+static int nfexp_stats_attr_cb(const struct nlattr *attr, void *data)
+{
+	const struct nlattr **tb = data;
+	int type = mnl_attr_get_type(attr);
+
+	if (mnl_attr_type_valid(attr, CTA_STATS_EXP_MAX) < 0)
+		return MNL_CB_OK;
+
+	if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
+		perror("mnl_attr_validate");
+		return MNL_CB_ERROR;
+	}
+
+	tb[type] = attr;
+	return MNL_CB_OK;
+}
+
+static int nfexp_stats_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nlattr *tb[CTA_STATS_EXP_MAX+1] = {};
+	struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh);
+	const char *attr2name[CTA_STATS_EXP_MAX+1] = {
+		[CTA_STATS_EXP_NEW] = "expect_new",
+		[CTA_STATS_EXP_CREATE] = "expect_create",
+		[CTA_STATS_EXP_DELETE] = "expect_delete",
+	};
+	int i;
+
+	mnl_attr_parse(nlh, sizeof(*nfg), nfexp_stats_attr_cb, tb);
+
+	printf("cpu=%-4u\t", ntohs(nfg->res_id));
+
+	for (i=0; i<CTA_STATS_EXP_MAX+1; i++) {
+		if (tb[i]) {
+			printf("%s=%u ",
+				attr2name[i], ntohl(mnl_attr_get_u32(tb[i])));
+		}
+	}
+	printf("\n");
+	return MNL_CB_OK;
+}
+
+static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nf_conntrack *ct;
+	char buf[4096];
+
+	ct = nfct_new();
+	if (ct == NULL)
+		return MNL_CB_OK;
+
+	nfct_nlmsg_parse(nlh, ct);
+
+	nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+	printf("%s\n", buf);
+
+	nfct_destroy(ct);
+
+	counter++;
+
+	return MNL_CB_OK;
+}
+
 static struct ctproto_handler *h;
 
 int main(int argc, char *argv[])
@@ -1494,6 +1706,16 @@ int main(int argc, char *argv[])
 	switch(c) {
 		/* commands */
 		case 'L':
+			type = check_type(argc, argv);
+			/* Special case: dumping dying and unconfirmed list
+			 * are handled like normal conntrack dumps.
+			 */
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED)
+				add_command(&command, cmd2type[c][0]);
+			else
+				add_command(&command, cmd2type[c][type]);
+			break;
 		case 'I':
 		case 'D':
 		case 'G':
@@ -1502,20 +1724,29 @@ int main(int argc, char *argv[])
 		case 'V':
 		case 'h':
 		case 'C':
+		case 'S':
 			type = check_type(argc, argv);
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			}
 			add_command(&command, cmd2type[c][type]);
 			break;
 		case 'U':
 			type = check_type(argc, argv);
-			if (type == 0)
+			if (type == CT_TABLE_DYING ||
+			    type == CT_TABLE_UNCONFIRMED) {
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't do that command with "
+					   "tables `dying' and `unconfirmed'");
+			} else if (type == CT_TABLE_CONNTRACK)
 				add_command(&command, CT_UPDATE);
 			else
-				exit_error(PARAMETER_PROBLEM, 
+				exit_error(PARAMETER_PROBLEM,
 					   "Can't update expectations");
 			break;
-		case 'S':
-			add_command(&command, X_STATS);
-			break;
 		/* options */
 		case 's':
 		case 'd':
@@ -1713,6 +1944,28 @@ int main(int argc, char *argv[])
 	struct nfct_filter_dump *filter_dump;
 
 	case CT_LIST:
+		if (type == CT_TABLE_DYING) {
+			if (nfct_mnl_socket_open() < 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_DYING,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		} else if (type == CT_TABLE_UNCONFIRMED) {
+			if (nfct_mnl_socket_open() < 0)
+				exit_error(OTHER_PROBLEM, "Can't open handler");
+
+			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+					    IPCTNL_MSG_CT_GET_UNCONFIRMED,
+					    mnl_nfct_dump_cb);
+
+			nfct_mnl_socket_close();
+			break;
+		}
+
 		cth = nfct_open(CONNTRACK, 0);
 		if (!cth)
 			exit_error(OTHER_PROBLEM, "Can't open handler");
@@ -1990,7 +2243,42 @@ int main(int argc, char *argv[])
 		nfct_close(cth);
 		printf("%d\n", counter);
 		break;
-	case X_STATS:
+	case CT_STATS:
+		/* If we fail with netlink, fall back to /proc to ensure
+		 * backward compatibility.
+		 */
+		if (nfct_mnl_socket_open() < 0)
+			goto try_proc;
+
+		res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+				    IPCTNL_MSG_CT_GET_STATS_CPU,
+				    nfct_stats_cb);
+
+		nfct_mnl_socket_close();
+
+		/* don't look at /proc, we got the information via ctnetlink */
+		if (res >= 0)
+			break;
+
+		goto try_proc;
+
+	case EXP_STATS:
+		/* If we fail with netlink, fall back to /proc to ensure
+		 * backward compatibility.
+		 */
+		if (nfct_mnl_socket_open() < 0)
+			goto try_proc;
+
+		res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK_EXP,
+				    IPCTNL_MSG_EXP_GET_STATS_CPU,
+				    nfexp_stats_cb);
+
+		nfct_mnl_socket_close();
+
+		/* don't look at /proc, we got the information via ctnetlink */
+		if (res >= 0)
+			break;
+try_proc:
 		if (display_proc_conntrack_stats() < 0)
 			exit_error(OTHER_PROBLEM, "Can't open /proc interface");
 		break;