From patchwork Thu Nov 29 13:52:20 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: conntrack: add support to dump the dying and unconfirmed list via
ctnetlink
Date: Thu, 29 Nov 2012 03:52:20 -0000
From: Pablo Neira <pablo@netfilter.org>
X-Patchwork-Id: 202751
Message-Id: <1354197140-8498-1-git-send-email-pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for:
conntrack -L dying
conntrack -L unconfirmed
To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.
Users like to check this to make sure things are going OK. Still, some
conntrack objects may still be sitting in the dying and unconfirmed lists.
With this patch, their content can also be dumped; before, that was not
possible.
In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/conntrack.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 95 insertions(+), 13 deletions(-)
Index: conntrack-tools-oxnard-2d010c5/src/conntrack.c
===================================================================
--- conntrack-tools-oxnard-2d010c5.orig/src/conntrack.c 2012-11-30 22:02:18.356340288 +0100
+++ conntrack-tools-oxnard-2d010c5/src/conntrack.c 2012-11-30 22:02:31.011558172 +0100
@@ -820,27 +820,45 @@
*cmd |= newcmd;
}
-static unsigned int
-check_type(int argc, char *argv[])
+static char *get_table(int argc, char *argv[])
{
char *table = NULL;
- /* Nasty bug or feature in getopt_long ?
+ /* Nasty bug or feature in getopt_long ?
* It seems that it behaves badly with optional arguments.
* Fortunately, I just stole the fix from iptables ;) */
if (optarg)
return 0;
- else if (optind < argc && argv[optind][0] != '-'
- && argv[optind][0] != '!')
+ else if (optind < argc && argv[optind][0] != '-' &&
+ argv[optind][0] != '!')
table = argv[optind++];
-
- if (!table)
- return 0;
-
+
+ return table;
+}
+
+enum {
+ CT_TABLE_CONNTRACK,
+ CT_TABLE_EXPECT,
+ CT_TABLE_DYING,
+ CT_TABLE_UNCONFIRMED,
+};
+
+static unsigned int check_type(int argc, char *argv[])
+{
+ const char *table = get_table(argc, argv);
+
+ /* default to conntrack subsystem if nothing has been specified. */
+ if (table == NULL)
+ return CT_TABLE_CONNTRACK;
+
if (strncmp("expect", table, strlen(table)) == 0)
- return 1;
+ return CT_TABLE_EXPECT;
else if (strncmp("conntrack", table, strlen(table)) == 0)
- return 0;
+ return CT_TABLE_CONNTRACK;
+ else if (strncmp("dying", table, strlen(table)) == 0)
+ return CT_TABLE_DYING;
+ else if (strncmp("unconfirmed", table, strlen(table)) == 0)
+ return CT_TABLE_UNCONFIRMED;
else
exit_error(PARAMETER_PROBLEM, "unknown type `%s'", table);
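Review bot: An empty table argument reaches the new check_type with strlen(table) == 0, so `strncmp("expect", table, 0)` matches and the command silently runs against the expectation table; the same prefix rule means a single letter such as `d` now selects the dying list. Rejecting the empty case before the chain, `if (*table == '\0') exit_error(PARAMETER_PROBLEM, "unknown type `%s'", table);`, keeps the existing abbreviation behaviour while closing that hole. The new CT_TABLE enum is used directly as an index into cmd2type[c][type] in the later hunks, so a comment on it such as `/* CONNTRACK and EXPECT must stay 0 and 1: they index cmd2type[]; DYING and UNCONFIRMED must not be used as an index */` would stop a future reordering from breaking the command table. check_type's closing brace lies outside the hunk.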
@@ -1633,6 +1651,27 @@
return MNL_CB_OK;
}
+static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nf_conntrack *ct;
+ char buf[4096];
+
+ ct = nfct_new();
+ if (ct == NULL)
+ return MNL_CB_OK;
+
+ nfct_nlmsg_parse(nlh, ct);
+
+ nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+ printf("%s\n", buf);
+
+ nfct_destroy(ct);
+
+ counter++;
+
+ return MNL_CB_OK;
+}
+
static struct ctproto_handler *h;
int main(int argc, char *argv[])
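Review bot: The return value of `nfct_nlmsg_parse(nlh, ct)` is ignored, so a message the library cannot parse is still formatted, printed and counted from a freshly allocated object that was never filled in. Checking it before printing, `if (nfct_nlmsg_parse(nlh, ct) < 0) { nfct_destroy(ct); return MNL_CB_OK; }`, keeps the dump going while dropping the bad entry. Returning MNL_CB_OK when nfct_new() fails likewise hides the allocation failure from the caller; returning MNL_CB_ERROR there would let nfct_mnl_dump surface it through res. Since the function is new, a header comment such as `/* mnl callback: print one conntrack entry from a ctnetlink dump and bump counter. */` would also help; counter itself is defined outside the hunk.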
@@ -1667,6 +1706,16 @@
switch(c) {
/* commands */
case 'L':
+ type = check_type(argc, argv);
+ /* Special case: dumping dying and unconfirmed list
+ * are handled like normal conntrack dumps.
+ */
+ if (type == CT_TABLE_DYING ||
+ type == CT_TABLE_UNCONFIRMED)
+ add_command(&command, cmd2type[c][0]);
+ else
+ add_command(&command, cmd2type[c][type]);
+ break;
case 'I':
case 'D':
case 'G':
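Review bot: The special-case test `type == CT_TABLE_DYING || type == CT_TABLE_UNCONFIRMED` is written out three times (here and twice in the next hunk, for `C`/`S` and for `U`), and the next hunk also repeats the three-line "Can't do that command" exit_error verbatim. A small helper, `static int is_list_only_table(unsigned int type) { return type == CT_TABLE_DYING || type == CT_TABLE_UNCONFIRMED; }`, keeps the call sites in step when another kernel list is added later. The fallback `cmd2type[c][0]` also relies on column 0 being the conntrack table; saying so in the comment, `/* dying/unconfirmed reuse the conntrack column (0) of cmd2type */`, makes that dependency visible. The switch continues outside the hunk.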
@@ -1677,14 +1726,25 @@
case 'C':
case 'S':
type = check_type(argc, argv);
+ if (type == CT_TABLE_DYING ||
+ type == CT_TABLE_UNCONFIRMED) {
+ exit_error(PARAMETER_PROBLEM,
+ "Can't do that command with "
+ "tables `dying' and `unconfirmed'");
+ }
add_command(&command, cmd2type[c][type]);
break;
case 'U':
type = check_type(argc, argv);
- if (type == 0)
+ if (type == CT_TABLE_DYING ||
+ type == CT_TABLE_UNCONFIRMED) {
+ exit_error(PARAMETER_PROBLEM,
+ "Can't do that command with "
+ "tables `dying' and `unconfirmed'");
+ } else if (type == CT_TABLE_CONNTRACK)
add_command(&command, CT_UPDATE);
else
- exit_error(PARAMETER_PROBLEM,
+ exit_error(PARAMETER_PROBLEM,
"Can't update expectations");
break;
/* options */
@@ -1884,6 +1944,28 @@
struct nfct_filter_dump *filter_dump;
case CT_LIST:
+ if (type == CT_TABLE_DYING) {
+ if (nfct_mnl_socket_open() < 0)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+
+ res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+ IPCTNL_MSG_CT_GET_DYING,
+ mnl_nfct_dump_cb);
+
+ nfct_mnl_socket_close();
+ break;
+ } else if (type == CT_TABLE_UNCONFIRMED) {
+ if (nfct_mnl_socket_open() < 0)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+
+ res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+ IPCTNL_MSG_CT_GET_UNCONFIRMED,
+ mnl_nfct_dump_cb);
+
+ nfct_mnl_socket_close();
+ break;
+ }
+
cth = nfct_open(CONNTRACK, 0);
if (!cth)
exit_error(OTHER_PROBLEM, "Can't open handler");
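Review bot: The two new branches are copies that differ only in the ctnetlink message type, so the socket open, error check and close are now maintained twice; folding them into one branch that picks the message type first removes the duplication. Both branches also `break` before the rest of the CT_LIST case, so whatever follows the `nfct_open()` path (the handle close and, presumably, the summary output that uses counter) is skipped for these tables, and the `res` assigned here is only useful if the post-switch code checks it for this path too — neither is visible in the hunk, so this should be confirmed. The CT_LIST case continues outside the hunk.
```c
	case CT_LIST:
		if (type == CT_TABLE_DYING || type == CT_TABLE_UNCONFIRMED) {
			/* the two kernel lists differ only in the request type */
			int msg_type = type == CT_TABLE_DYING ?
				       IPCTNL_MSG_CT_GET_DYING :
				       IPCTNL_MSG_CT_GET_UNCONFIRMED;

			if (nfct_mnl_socket_open() < 0)
				exit_error(OTHER_PROBLEM, "Can't open handler");

			res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK, msg_type,
					    mnl_nfct_dump_cb);
			nfct_mnl_socket_close();
			break;
		}
		/* … unchanged: nfct_open() based dump … */
```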
(cherry picked from commit 2cd070dbd7966af448ef38b245bb59c002bbcedb)
Conflicts:
debian/changelog
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick McHardy's iptables
CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the --any-nat option, which allows displaying src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch is a cleanup: it puts all the commands and options code
together. This makes the task of adding new commands and options
easier and less error-prone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds GRE support for the command line tool conntrack.
With this patch, we support all protocols available in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds DCCP support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds SCTP support to the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds UDPlite support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch extends the generic_opt_check() function to add
extra information on the possible option combinations. In
some specific situations, like creating or getting a
conntrack, you may specify the original or the reply tuple,
but at least one MUST be present. This handling has always
been tricky; it still is, but at least we are more user
friendly now.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds `-S' command to display kernel statistics. Using
raw `cat' on /proc and the hexadecimal output is not very handy.
This option parses the /proc entry and displays the information
in a more human-friendly way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectations, it loops over the table to count the number of entries
(as there is no proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes filtering for unsupported protocol. Thus, you can
use -L -p 47 or -L -p gre to filter `gre' traffic.
Based on an initial patch from Bryan Duff <bduff@astrocorp.com>.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes the use of snprintf and directly prints the XML header
to the standard output. This simplifies the handling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add new option --buffer-size for -E to set the netlink socket buffer
size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
o recover the ID support
o show display counters to stderr
o enable filtering by status and ID
o add ICMPv6 (-p icmpv6) support
o add possibility to distinguish between invalid (unknown) and empty proto
import only required C headers and put local headers on top to check
use C99 integers (uint32_t instead of u_int32_t)
Fix tons of gcc warnings
o fix missing `-g' and `-n' options in getopt_long control string
o add support for secmark (requires Linux kernel >= 2.6.25)
o add mark and secmark information to the manpage
o cleanup error message
= conntrackd =
o add support for secmark (requires Linux kernel >= 2.6.25)
o add conntrackd (8) manpage
- use buffer of MTU size
conntrack:
- better protocol argument checkings
- fix per-protocol filtering, eg. conntrack -[L|E] -p tcp now works
- show per-protocol help, ie. conntrack -h -p tcp
- add alias --src for --orig-src and alias --dst for --orig-dst
o several fixes for the output of usage messages
- split expect_api_test.c into small example files expect_*.c
- introduce alias tags for original tuple attributes
- introduce nfexp_sizeof and nfexp_maxsize
- build expectation attributes iff they are set
- fix l3num setting in expect/build.c
chain
o Bumped version to 1.00beta2
o add IPv6 support: main change
o removed dead code: iptables_insmod and get_modprobe
o compact the commands vs. options table
o move working vars from the stack to the BSS section
o update manpage
o Bumped version to 1.0beta1
<yasuyuki.kozakai@toshiba.co.jp>
o check address family mismatch
o fix incomplete copying IPv6 addresses