-rw-r--r--conntrack.823
-rw-r--r--src/cache-ct.c11
-rw-r--r--src/conntrack.c82
3 files changed, 67 insertions, 49 deletions
diff --git a/conntrack.8 b/conntrack.8
index a14cca6..c3214ee 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -26,7 +26,7 @@ conntrack \- command line interface for netfilter connection tracking
.br
.BR "conntrack -R file"
.SH DESCRIPTION
-The \fBconntrack\fP utilty provides a full featured userspace interface to the
+The \fBconntrack\fP utility provides a full\-featured userspace interface to the
Netfilter connection tracking system that is intended to replace the old
/proc/net/ip_conntrack interface. This tool can be used to search, list,
inspect and maintain the connection tracking subsystem of the Linux kernel.
@@ -121,12 +121,12 @@ timestamp available since 2.6.38 (you can enable it via the \fBsysctl(8)\fP
key \fBnet.netfilter.nf_conntrack_timestamp\fP).
The labels output option tells \fBconntrack\fP to show the names of connection
tracking labels that might be present.
-The userspace output options tells if the event has been triggered by a process.
+The userspace output option tells if the event has been triggered by a process.
.TP
.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
Set the bitmask of events that are to be generated by the in-kernel ctnetlink
event code. Using this parameter, you can reduce the event messages generated
-by the kernel to those types to those that you are actually interested in.
+by the kernel to the types that you are actually interested in.
.
This option can only be used in conjunction with "\-E, \-\-event".
.TP
@@ -135,7 +135,7 @@ Set the Netlink socket buffer size in bytes. This option is useful if the
command line tool reports ENOBUFS errors. If you do not pass this option, the
default value available at \fBsysctl(8)\fP key \fBnet.core.rmem_default\fP is
used. The tool reports this problem if your process is too slow to handle all
-the event messages or, in other words, if the amount of events are big enough
+the event messages or, in other words, if the amount of events is big enough
to overrun the socket buffer. Note that using a big buffer reduces the chances
to hit ENOBUFS, however, this results in more memory consumption.
.
@@ -163,7 +163,7 @@ one specified as argument.
Specify layer four (TCP, UDP, ...) protocol.
.TP
.BI "-f, --family " "PROTO"
-Specify layer three (ipv4, ipv6) protocol
+Specify layer three (ipv4, ipv6) protocol.
This option is only required in conjunction with "\-L, \-\-dump". If this
option is not passed, the default layer 3 protocol will be IPv4.
.TP
@@ -181,12 +181,11 @@ comparision. In "\-\-create" mode, the mask is ignored.
Specify a conntrack label.
This option is only available in conjunction with "\-L, \-\-dump",
"\-E, \-\-event", "\-U \-\-update" or "\-D \-\-delete".
-Match entries whose labels match at least those specified.
-Use multiple \-l commands to specify multiple labels that need to be set.
-Match entries whose labels matches at least those specified as arguments.
+Match entries whose labels include those specified as arguments.
+Use multiple \-l options to specify multiple labels that need to be set.
.TP
.BI "--label-add " "LABEL"
-Specify the conntrack label to add to to the selected conntracks.
+Specify the conntrack label to add to the selected conntracks.
This option is only available in conjunction with "\-I, \-\-create" or
"\-U, \-\-update".
.TP
@@ -395,7 +394,7 @@ Show source NAT connections
Show connection events together with the timestamp
.TP
.B conntrack \-D \-s 1.2.3.4
-Delete all flow whose source address is 1.2.3.4
+Delete all flows whose source address is 1.2.3.4
.TP
.B conntrack \-U \-s 1.2.3.4 \-m 1
Set connmark to 1 of all the flows whose source address is 1.2.3.4
@@ -417,8 +416,8 @@ See
Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the
kernel-level "ctnetlink" interface that is used by the conntrack tool.
.PP
-Pablo Neira Ayuso wrote and maintain the conntrack tool, Harald Welte added
-support for conntrack based accounting counters.
+Pablo Neira Ayuso wrote and maintains the conntrack tool, Harald Welte added
+support for conntrack\-based accounting counters.
.PP
Man page written by Harald Welte <laforge@netfilter.org> and
Pablo Neira Ayuso <pablo@netfilter.org>.
diff --git a/src/cache-ct.c b/src/cache-ct.c
index fe01e16..f56e450 100644
--- a/src/cache-ct.c
+++ b/src/cache-ct.c
@@ -90,21 +90,12 @@ cache_ct_hash(const void *data, const struct hashtable *table)
return ret;
}
-/* master conntrack of expectations have no ID */
-static inline int
-cache_ct_cmp_id(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2)
-{
- return nfct_attr_is_set(ct2, ATTR_ID) ?
- nfct_get_attr_u32(ct1, ATTR_ID) == nfct_get_attr_u32(ct2, ATTR_ID) : 1;
-}
-
static int cache_ct_cmp(const void *data1, const void *data2)
{
const struct cache_object *obj = data1;
const struct nf_conntrack *ct = data2;
- return nfct_cmp(obj->ptr, ct, NFCT_CMP_ORIG) &&
- cache_ct_cmp_id(obj->ptr, ct);
+ return nfct_cmp(obj->ptr, ct, NFCT_CMP_ORIG);
}
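Review bot: `cache_ct_cmp()` now matches cache objects on the original tuple alone, so a lookup that supplies an ATTR_ID no longer distinguishes two objects with the same tuple but different IDs, and the only explanation of how IDs took part in the comparison (`master conntrack of expectations have no ID`) was removed together with the helper. If tuple-only matching is the intent, say so where the old comment stood, e.g. `/* match on the original tuple only; ATTR_ID is deliberately not part of the key */`, so the next reader does not re-add the ID test; if it is not, the removed `cache_ct_cmp_id()` check should stay for lookups that carry an ID. Whether any remaining caller can present two objects with the same tuple and different IDs is not visible from this hunk.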
static void *cache_ct_alloc(void)
diff --git a/src/conntrack.c b/src/conntrack.c
index 9e2fa25..5bd3cb5 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2441,14 +2441,19 @@ static void nfct_mnl_socket_close(void)
}
static int
-nfct_mnl_dump(uint16_t subsys, uint16_t type, mnl_cb_t cb, uint8_t family)
+nfct_mnl_dump(uint16_t subsys, uint16_t type, mnl_cb_t cb,
+ struct ct_cmd *cmd, const struct nfct_filter_dump *filter_dump)
{
+ uint8_t family = cmd ? cmd->family : AF_UNSPEC;
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *nlh;
int res;
nlh = nfct_mnl_nlmsghdr_put(buf, subsys, type, family);
+ if (filter_dump)
+ nfct_nlmsg_build_filter(nlh, filter_dump);
+
res = mnl_socket_sendto(sock.mnl, nlh, nlh->nlmsg_len);
if (res < 0)
return res;
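Review bot: `nfct_mnl_dump()` now accepts a NULL `cmd` (the `family` initialiser falls back to AF_UNSPEC) and forwards it unchanged as the callback's data pointer in the receive loop, but nothing at the definition records that contract, and the dump callback introduced by this same patch dereferences its data argument without a NULL check. A comment above the function would make the pairing explicit, e.g. `/* cmd may be NULL (per-CPU stats callers pass none); it is handed verbatim to cb as its data pointer, so a callback that dereferences it must only be used with a non-NULL cmd */`. The return value of `nfct_nlmsg_build_filter()` is discarded; if that call can fail, the request goes out with an incomplete filter, so either check it or note why it cannot fail. The function body continues into the next hunk.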
@@ -2456,7 +2461,7 @@ nfct_mnl_dump(uint16_t subsys, uint16_t type, mnl_cb_t cb, uint8_t family)
res = mnl_socket_recvfrom(sock.mnl, buf, sizeof(buf));
while (res > 0) {
res = mnl_cb_run(buf, res, nlh->nlmsg_seq, sock.portid,
- cb, NULL);
+ cb, cmd);
if (res <= MNL_CB_STOP)
break;
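Review bot: The sequence number passed to `mnl_cb_run()` is read from `nlh->nlmsg_seq` after `buf` has been refilled by `mnl_socket_recvfrom()`, and `nlh` appears to point into that same `buf` (it was obtained from `nfct_mnl_nlmsghdr_put(buf, …)` in the preceding hunk), so the check compares each received message against its own sequence number rather than the one that was sent. This predates the patch, but the hunk rewrites this call, so it is the moment to fix it: capture the value before the first receive, `uint32_t seq = nlh->nlmsg_seq;`, and pass `seq` to `mnl_cb_run()`. Otherwise a reply belonging to a stale or unrelated request on the same socket passes the sequence check instead of being rejected. The function's `return res;` lies past the end of this hunk.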
@@ -2625,6 +2630,9 @@ static int nfct_global_stats_cb(const struct nlmsghdr *nlh, void *data)
static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
{
+ unsigned int op_type = NFCT_O_DEFAULT;
+ unsigned int op_flags = 0;
+ struct ct_cmd *cmd = data;
struct nf_conntrack *ct;
char buf[4096];
@@ -2634,7 +2642,34 @@ static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
nfct_nlmsg_parse(nlh, ct);
- nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+ if (nfct_filter(cmd, ct, cur_tmpl)) {
+ nfct_destroy(ct);
+ return MNL_CB_OK;
+ }
+
+ if (output_mask & _O_SAVE) {
+ ct_save_snprintf(buf, sizeof(buf), ct, labelmap, NFCT_T_NEW);
+ goto done;
+ }
+
+ if (output_mask & _O_XML) {
+ op_type = NFCT_O_XML;
+ if (dump_xml_header_done) {
+ dump_xml_header_done = 0;
+ printf("<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
+ "<conntrack>\n");
+ }
+ }
+ if (output_mask & _O_EXT)
+ op_flags = NFCT_OF_SHOW_LAYER3;
+ if (output_mask & _O_KTMS)
+ op_flags |= NFCT_OF_TIMESTAMP;
+ if (output_mask & _O_ID)
+ op_flags |= NFCT_OF_ID;
+
+ nfct_snprintf_labels(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, op_type,
+ op_flags, labelmap);
+done:
printf("%s\n", buf);
nfct_destroy(ct);
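Review bot: Both `ct_save_snprintf()` and `nfct_snprintf_labels()` render into the fixed 4096-byte `buf` and their return values are dropped, so an entry whose text (labels, timestamps, layer-3 info, ID) does not fit is printed silently truncated — a problem in particular for `_O_SAVE` output, which is presumably meant to be fed back to `conntrack -R`. Assuming the snprintf-style return the names imply (confirm against libnetfilter_conntrack), keep the result and test it before the `printf`, e.g. `if (ret < 0 || (size_t)ret >= sizeof(buf)) { /* truncated: warn and skip */ }`. The `nfct_nlmsg_parse()` return on the first context line is likewise unchecked. The callback's return statement is outside this hunk.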
@@ -3184,32 +3219,23 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
switch(cmd->command) {
case CT_LIST:
- if (cmd->type == CT_TABLE_DYING) {
- if (nfct_mnl_socket_open(0) < 0)
- exit_error(OTHER_PROBLEM, "Can't open handler");
+ if (nfct_mnl_socket_open(0) < 0)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ if (cmd->type == CT_TABLE_DYING) {
res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
IPCTNL_MSG_CT_GET_DYING,
- mnl_nfct_dump_cb, cmd->family);
-
+ mnl_nfct_dump_cb, cmd, NULL);
nfct_mnl_socket_close();
break;
} else if (cmd->type == CT_TABLE_UNCONFIRMED) {
- if (nfct_mnl_socket_open(0) < 0)
- exit_error(OTHER_PROBLEM, "Can't open handler");
-
res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
IPCTNL_MSG_CT_GET_UNCONFIRMED,
- mnl_nfct_dump_cb, cmd->family);
-
+ mnl_nfct_dump_cb, cmd, NULL);
nfct_mnl_socket_close();
break;
}
- cth = nfct_open(CONNTRACK, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
-
if (cmd->options & CT_COMPARISON &&
cmd->options & CT_OPT_ZERO)
exit_error(PARAMETER_PROBLEM, "Can't use -z with "
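Review bot: The netlink socket is now opened at the top of the CT_LIST case, before the `CT_COMPARISON && CT_OPT_ZERO` argument check, so a usage error is reported only after a kernel socket has been created and the error path relies on `exit_error()` (presumably terminating the process) to release it. As a point of style, argument validation should precede resource acquisition: either hoist the check to sit right after `case CT_LIST:` — noting that it would then also apply to the dying/unconfirmed tables, which the current placement silently exempts — or leave it where it is and add `/* -z is not combined with a comparison; dying/unconfirmed dumps ignore -z entirely */` so the exemption reads as intended rather than accidental. Behaviour is unchanged either way as long as `exit_error()` does not return. The `case CT_LIST` body continues beyond this hunk.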
@@ -3217,8 +3243,6 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
nfct_filter_init(cmd);
- nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd);
-
filter_dump = nfct_filter_dump_create();
if (filter_dump == NULL)
exit_error(OTHER_PROBLEM, "OOM");
@@ -3236,11 +3260,15 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
NFCT_FILTER_DUMP_STATUS,
&cmd->tmpl.filter_status_kernel);
}
- if (cmd->options & CT_OPT_ZERO)
- res = nfct_query(cth, NFCT_Q_DUMP_FILTER_RESET,
- filter_dump);
- else
- res = nfct_query(cth, NFCT_Q_DUMP_FILTER, filter_dump);
+ if (cmd->options & CT_OPT_ZERO) {
+ res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+ IPCTNL_MSG_CT_GET_CTRZERO,
+ mnl_nfct_dump_cb, cmd, filter_dump);
+ } else {
+ res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+ IPCTNL_MSG_CT_GET,
+ mnl_nfct_dump_cb, cmd, filter_dump);
+ }
nfct_filter_dump_destroy(filter_dump);
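Review bot: The two branches added for `-z` differ only in the message type while subsystem, callback, `cmd` and `filter_dump` are repeated verbatim, so a later change to one call (say a different callback for the zero variant) can drift from the other unnoticed. Select the type first and make a single call: `uint16_t type = (cmd->options & CT_OPT_ZERO) ? IPCTNL_MSG_CT_GET_CTRZERO : IPCTNL_MSG_CT_GET;` followed by `res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK, type, mnl_nfct_dump_cb, cmd, filter_dump);`. Note that `res` from `nfct_mnl_dump()` can now be 0 (callback returned `MNL_CB_STOP`) or negative with errno set, a different contract from the replaced `nfct_query()`; the code that interprets it lies past this hunk and should be checked against that.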
@@ -3249,7 +3277,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
fflush(stdout);
}
- nfct_close(cth);
+ nfct_mnl_socket_close();
break;
case EXP_LIST:
@@ -3557,7 +3585,7 @@ try_proc_count:
res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
IPCTNL_MSG_CT_GET_STATS_CPU,
- nfct_stats_cb, AF_UNSPEC);
+ nfct_stats_cb, NULL, NULL);
nfct_mnl_socket_close();
@@ -3576,7 +3604,7 @@ try_proc_count:
res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK_EXP,
IPCTNL_MSG_EXP_GET_STATS_CPU,
- nfexp_stats_cb, AF_UNSPEC);
+ nfexp_stats_cb, NULL, NULL);
nfct_mnl_socket_close();