diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-10-23 17:35:57 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2011-02-17 00:57:54 +0100 |
| commit | 2217eb4c53a54eabbc09e043209181c483e2eace (patch) | |
| tree | b8f0b8da65e53b562993f6a373fb71826ec0cbf9 | |
| parent | c2ddcf3225edcc13699131820f90b063161ff2ca (diff) | |
conntrack: add timestamp support
This patch adds the connection tracking extension that allows
conntrack timestamping.
This requires a Linux kernel >= 2.6.38.
We have now 65 attributes, we need 96 bits to store what attributes
are set in the objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | include/internal/internal.h | 4 | ||||
| -rw-r--r-- | include/internal/object.h | 8 | ||||
| -rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack.h | 5 | ||||
| -rw-r--r-- | include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h | 9 | ||||
| -rw-r--r-- | src/conntrack/api.c | 16 | ||||
| -rw-r--r-- | src/conntrack/copy.c | 14 | ||||
| -rw-r--r-- | src/conntrack/getter.c | 12 | ||||
| -rw-r--r-- | src/conntrack/parse.c | 23 | ||||
| -rw-r--r-- | src/conntrack/setter.c | 2 | ||||
| -rw-r--r-- | src/conntrack/snprintf_default.c | 56 | ||||
| -rw-r--r-- | src/conntrack/snprintf_xml.c | 151 | ||||
| -rw-r--r-- | utils/conntrack_dump.c | 2 | ||||
| -rw-r--r-- | utils/conntrack_events.c | 2 |
13 files changed, 276 insertions, 28 deletions
diff --git a/include/internal/internal.h b/include/internal/internal.h index c335afd..a984e6b 100644 --- a/include/internal/internal.h +++ b/include/internal/internal.h @@ -77,4 +77,8 @@ #define likely(x) __builtin_expect((x),1) #define unlikely(x) __builtin_expect((x),0) +#ifndef NSEC_PER_SEC +#define NSEC_PER_SEC 1000000000L +#endif + #endif diff --git a/include/internal/object.h b/include/internal/object.h index 76a0566..5dce9d0 100644 --- a/include/internal/object.h +++ b/include/internal/object.h @@ -175,7 +175,13 @@ struct nf_conntrack { struct __nfct_nat snat; struct __nfct_nat dnat; -#define __NFCT_BITSET 2 + struct { + u_int64_t start; + u_int64_t stop; + } timestamp; + +/* we've got more than 64 attributes now, we need 96 bits to store them. */ +#define __NFCT_BITSET 3 u_int32_t set[__NFCT_BITSET]; }; diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h index 698b0ae..f09e03b 100644 --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h @@ -128,6 +128,8 @@ enum nf_conntrack_attr { ATTR_TCP_WSCALE_REPL = 60, /* u8 bits */ ATTR_ZONE, /* u16 bits */ ATTR_SECCTX, /* string */ + ATTR_TIMESTAMP_START, /* u64 bits, linux >= 2.6.38 */ + ATTR_TIMESTAMP_STOP = 64, /* u64 bits, linux >= 2.6.38 */ ATTR_MAX }; @@ -344,6 +346,9 @@ enum { NFCT_OF_ID_BIT = 2, NFCT_OF_ID = (1 << NFCT_OF_ID_BIT), + + NFCT_OF_TIMESTAMP_BIT = 3, + NFCT_OF_TIMESTAMP = (1 << NFCT_OF_TIMESTAMP_BIT), }; extern int nfct_snprintf(char *buf, diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h index 3b0c009..abab4a0 100644 --- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h +++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h @@ -46,6 +46,7 @@ enum ctattr_type { CTA_SECMARK, /* obsolete */ CTA_ZONE, CTA_SECCTX, + CTA_TIMESTAMP, __CTA_MAX }; #define CTA_MAX (__CTA_MAX - 1) @@ -131,6 +132,14 @@ enum ctattr_counters { }; #define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) +enum ctattr_tstamp { + CTA_TIMESTAMP_UNSPEC, + CTA_TIMESTAMP_START, + CTA_TIMESTAMP_STOP, + __CTA_TIMESTAMP_MAX +}; +#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1) + enum ctattr_nat { CTA_NAT_UNSPEC, CTA_NAT_MINIP, diff --git a/src/conntrack/api.c b/src/conntrack/api.c index 6b73817..2262974 100644 --- a/src/conntrack/api.c +++ b/src/conntrack/api.c @@ -356,6 +356,7 @@ void nfct_callback_unregister2(struct nfct_handle *h) * - ATTR_ID * - ATTR_*_COUNTER_* * - ATTR_SECCTX + * - ATTR_TIMESTAMP_* * The call of this function for such attributes do nothing. */ void nfct_set_attr(struct nf_conntrack *ct, @@ -970,7 +971,20 @@ int nfct_catch(struct nfct_handle *h) * The output flags are: * - NFCT_OF_SHOW_LAYER3: include layer 3 information in the output, * this is *only* required by NFCT_O_DEFAULT. - * - NFCT_OF_TIME: display time. + * - NFCT_OF_TIME: display current time. + * - NFCT_OF_ID: display the ID number. + * - NFCT_OF_TIMESTAMP: display creation and (if exists) deletion time. + * + * To use NFCT_OF_TIMESTAMP, you have to: + * \verbatim + * $ echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp +\endverbatim + * This requires a Linux kernel >= 2.6.38. + * + * Note that NFCT_OF_TIME displays the current time when nfct_snprintf() has + * been called. Thus, it can be used to know when a flow was destroy if you + * print the message just after you receive the destroy event. If you want + * more accurate timestamping, use NFCT_OF_TIMESTAMP. * * This function returns the size of the information that _would_ have been * written to the buffer, even if there was no room for it. Thus, the diff --git a/src/conntrack/copy.c b/src/conntrack/copy.c index 9148640..591dde1 100644 --- a/src/conntrack/copy.c +++ b/src/conntrack/copy.c @@ -423,6 +423,18 @@ static void copy_attr_secctx(struct nf_conntrack *dest, dest->secctx = strdup(orig->secctx); } +static void copy_attr_timestamp_start(struct nf_conntrack *dest, + const struct nf_conntrack *orig) +{ + dest->timestamp.start = orig->timestamp.start; +} + +static void copy_attr_timestamp_stop(struct nf_conntrack *dest, + const struct nf_conntrack *orig) +{ + dest->timestamp.stop = orig->timestamp.stop; +} + const copy_attr copy_attr_array[ATTR_MAX] = { [ATTR_ORIG_IPV4_SRC] = copy_attr_orig_ipv4_src, [ATTR_ORIG_IPV4_DST] = copy_attr_orig_ipv4_dst, @@ -487,4 +499,6 @@ const copy_attr copy_attr_array[ATTR_MAX] = { [ATTR_TCP_WSCALE_REPL] = copy_attr_tcp_wscale_repl, [ATTR_ZONE] = copy_attr_zone, [ATTR_SECCTX] = copy_attr_secctx, + [ATTR_TIMESTAMP_START] = copy_attr_timestamp_start, + [ATTR_TIMESTAMP_STOP] = copy_attr_timestamp_stop, }; diff --git a/src/conntrack/getter.c b/src/conntrack/getter.c index 8a093c6..0b56468 100644 --- a/src/conntrack/getter.c +++ b/src/conntrack/getter.c @@ -322,6 +322,16 @@ static const void *get_attr_secctx(const struct nf_conntrack *ct) return ct->secctx; } +static const void *get_attr_timestamp_start(const struct nf_conntrack *ct) +{ + return &ct->timestamp.start; +} + +static const void *get_attr_timestamp_stop(const struct nf_conntrack *ct) +{ + return &ct->timestamp.stop; +} + const get_attr get_attr_array[ATTR_MAX] = { [ATTR_ORIG_IPV4_SRC] = get_attr_orig_ipv4_src, [ATTR_ORIG_IPV4_DST] = get_attr_orig_ipv4_dst, @@ -386,4 +396,6 @@ const get_attr get_attr_array[ATTR_MAX] = { [ATTR_TCP_WSCALE_REPL] = get_attr_tcp_wscale_repl, [ATTR_ZONE] = get_attr_zone, [ATTR_SECCTX] = get_attr_secctx, + [ATTR_TIMESTAMP_START] = get_attr_timestamp_start, + [ATTR_TIMESTAMP_STOP] = get_attr_timestamp_stop, }; diff --git a/src/conntrack/parse.c b/src/conntrack/parse.c index 841693e..743e8d4 100644 --- a/src/conntrack/parse.c +++ b/src/conntrack/parse.c @@ -453,6 +453,26 @@ int __parse_message_type(const struct nlmsghdr *nlh) return ret; } +static void +__parse_timestamp(const struct nfattr *attr, struct nf_conntrack *ct) +{ + struct nfattr *tb[CTA_TIMESTAMP_MAX]; + + nfnl_parse_nested(tb, CTA_TIMESTAMP_MAX, attr); + if (tb[CTA_TIMESTAMP_START-1]) { + u_int64_t tmp; + memcpy(&tmp, NFA_DATA(tb[CTA_TIMESTAMP_START-1]), sizeof(tmp)); + ct->timestamp.start = __be64_to_cpu(tmp); + set_bit(ATTR_TIMESTAMP_START, ct->set); + } + if (tb[CTA_TIMESTAMP_STOP-1]) { + u_int64_t tmp; + memcpy(&tmp, NFA_DATA(tb[CTA_TIMESTAMP_STOP-1]), sizeof(tmp)); + ct->timestamp.stop = __be64_to_cpu(tmp); + set_bit(ATTR_TIMESTAMP_STOP, ct->set); + } +} + void __parse_conntrack(const struct nlmsghdr *nlh, struct nfattr *cda[], struct nf_conntrack *ct) @@ -538,4 +558,7 @@ void __parse_conntrack(const struct nlmsghdr *nlh, if (cda[CTA_SECCTX-1]) __parse_secctx(cda[CTA_SECCTX-1], ct); + + if (cda[CTA_TIMESTAMP-1]) + __parse_timestamp(cda[CTA_TIMESTAMP-1], ct); } diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c index 99ac8d7..3282035 100644 --- a/src/conntrack/setter.c +++ b/src/conntrack/setter.c @@ -411,4 +411,6 @@ const set_attr set_attr_array[ATTR_MAX] = { [ATTR_TCP_WSCALE_REPL] = set_attr_tcp_wscale_repl, [ATTR_ZONE] = set_attr_zone, [ATTR_SECCTX] = set_attr_do_nothing, + [ATTR_TIMESTAMP_START] = set_attr_do_nothing, + [ATTR_TIMESTAMP_STOP] = set_attr_do_nothing, }; diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c index abb9d9f..8523bd1 100644 --- a/src/conntrack/snprintf_default.c +++ b/src/conntrack/snprintf_default.c @@ -231,6 +231,47 @@ __snprintf_secctx(char *buf, unsigned int len, const struct nf_conntrack *ct) return (snprintf(buf, len, "secctx=%s ", ct->secctx)); } +static int +__snprintf_timestamp_start(char *buf, unsigned int len, + const struct nf_conntrack *ct) +{ + time_t start = (time_t)(ct->timestamp.start / NSEC_PER_SEC); + char *tmp = ctime(&start); + + /* overwrite \n in the ctime() output. */ + tmp[strlen(tmp)-1] = '\0'; + return (snprintf(buf, len, "[start=%s] ", tmp)); +} + +static int +__snprintf_timestamp_stop(char *buf, unsigned int len, + const struct nf_conntrack *ct) +{ + time_t stop = (time_t)(ct->timestamp.stop / NSEC_PER_SEC); + char *tmp = ctime(&stop); + + /* overwrite \n in the ctime() output. */ + tmp[strlen(tmp)-1] = '\0'; + return (snprintf(buf, len, "[stop=%s] ", tmp)); +} + +static int +__snprintf_timestamp_delta(char *buf, unsigned int len, + const struct nf_conntrack *ct) +{ + time_t delta_time, stop; + + if (ct->timestamp.stop == 0) + time(&stop); + else + stop = (time_t)(ct->timestamp.stop / NSEC_PER_SEC); + + delta_time = stop - (time_t)(ct->timestamp.start / NSEC_PER_SEC); + + return (snprintf(buf, len, "delta-time=%llu ", + (unsigned long long)delta_time)); +} + int __snprintf_conntrack_default(char *buf, unsigned int len, const struct nf_conntrack *ct, @@ -337,6 +378,21 @@ int __snprintf_conntrack_default(char *buf, BUFFER_SIZE(ret, size, len, offset); } + if (test_bit(ATTR_TIMESTAMP_START, ct->set)) { + ret = __snprintf_timestamp_delta(buf+offset, len, ct); + BUFFER_SIZE(ret, size, len, offset); + } + if (flags & NFCT_OF_TIMESTAMP) { + if (test_bit(ATTR_TIMESTAMP_START, ct->set)) { + ret = __snprintf_timestamp_start(buf+offset, len, ct); + BUFFER_SIZE(ret, size, len, offset); + } + if (test_bit(ATTR_TIMESTAMP_STOP, ct->set)) { + ret = __snprintf_timestamp_stop(buf+offset, len, ct); + BUFFER_SIZE(ret, size, len, offset); + } + } + if (test_bit(ATTR_USE, ct->set)) { ret = __snprintf_use(buf+offset, len, ct); BUFFER_SIZE(ret, size, len, offset); diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c index 97f6650..12dd686 100644 --- a/src/conntrack/snprintf_xml.c +++ b/src/conntrack/snprintf_xml.c @@ -198,6 +198,97 @@ static int __snprintf_counters_xml(char *buf, return size; } +static int +__snprintf_timestamp_start(char *buf, unsigned int len, + const struct nf_conntrack *ct) +{ + int ret; + unsigned int size = 0, offset = 0; + + ret = snprintf(buf, len, "<start>%llu</start>", + (unsigned long long)ct->timestamp.start); + BUFFER_SIZE(ret, size, len, offset); + + return size; +} + +static int +__snprintf_timestamp_stop(char *buf, unsigned int len, + const struct nf_conntrack *ct) +{ + int ret; + unsigned int size = 0, offset = 0; + + ret = snprintf(buf, len, "<stop>%llu</stop>", + (unsigned long long)ct->timestamp.stop); + BUFFER_SIZE(ret, size, len, offset); + + return size; +} + +static int +__snprintf_deltatime_now(char *buf, unsigned int len, + const struct nf_conntrack *ct) +{ + int ret; + unsigned int size = 0, offset = 0; + time_t now, delta_time; + + time(&now); + delta_time = now - (time_t)(ct->timestamp.start / NSEC_PER_SEC); + + ret = snprintf(buf+offset, len, "<deltatime>%llu</deltatime>", + (unsigned long long)delta_time); + BUFFER_SIZE(ret, size, len, offset); + + return size; +} + +static int +__snprintf_deltatime(char *buf, unsigned int len, const struct nf_conntrack *ct) +{ + int ret; + unsigned int size = 0, offset = 0; + time_t delta_time = (time_t)((ct->timestamp.stop - + ct->timestamp.start) / NSEC_PER_SEC); + + ret = snprintf(buf+offset, len, "<deltatime>%llu</deltatime>", + (unsigned long long)delta_time); + BUFFER_SIZE(ret, size, len, offset); + + return size; +} + +static int +__snprintf_localtime_xml(char *buf, unsigned int len, const struct tm *tm) +{ + int ret = 0; + unsigned int size = 0, offset = 0; + + ret = snprintf(buf+offset, len, "<hour>%d</hour>", tm->tm_hour); + BUFFER_SIZE(ret, size, len, offset); + + ret = snprintf(buf+offset, len, "<min>%02d</min>", tm->tm_min); + BUFFER_SIZE(ret, size, len, offset); + + ret = snprintf(buf+offset, len, "<sec>%02d</sec>", tm->tm_sec); + BUFFER_SIZE(ret, size, len, offset); + + ret = snprintf(buf+offset, len, "<wday>%d</wday>", tm->tm_wday + 1); + BUFFER_SIZE(ret, size, len, offset); + + ret = snprintf(buf+offset, len, "<day>%d</day>", tm->tm_mday); + BUFFER_SIZE(ret, size, len, offset); + + ret = snprintf(buf+offset, len, "<month>%d</month>", tm->tm_mon + 1); + BUFFER_SIZE(ret, size, len, offset); + + ret = snprintf(buf+offset, len, "<year>%d</year>", 1900 + tm->tm_year); + BUFFER_SIZE(ret, size, len, offset); + + return size; +} + static int __snprintf_tuple_xml(char *buf, unsigned int len, const struct nf_conntrack *ct, @@ -298,7 +389,9 @@ int __snprintf_conntrack_xml(char *buf, test_bit(ATTR_ZONE, ct->set) || test_bit(ATTR_USE, ct->set) || test_bit(ATTR_STATUS, ct->set) || - test_bit(ATTR_ID, ct->set)) { + test_bit(ATTR_ID, ct->set) || + test_bit(ATTR_TIMESTAMP_START, ct->set) || + test_bit(ATTR_TIMESTAMP_STOP, ct->set)) { ret = snprintf(buf+offset, len, "<meta direction=\"independent\">"); BUFFER_SIZE(ret, size, len, offset); @@ -378,6 +471,35 @@ int __snprintf_conntrack_xml(char *buf, BUFFER_SIZE(ret, size, len, offset); } + if (flags & NFCT_OF_TIMESTAMP) { + if (test_bit(ATTR_TIMESTAMP_START, ct->set) || + test_bit(ATTR_TIMESTAMP_STOP, ct->set)) { + ret = snprintf(buf+offset, len, "<timestamp>"); + BUFFER_SIZE(ret, size, len, offset); + } + if (test_bit(ATTR_TIMESTAMP_START, ct->set)) { + ret = __snprintf_timestamp_start(buf+offset, len, ct); + BUFFER_SIZE(ret, size, len, offset); + } + if (test_bit(ATTR_TIMESTAMP_STOP, ct->set)) { + ret = __snprintf_timestamp_stop(buf+offset, len, ct); + BUFFER_SIZE(ret, size, len, offset); + } + if (test_bit(ATTR_TIMESTAMP_START, ct->set) || + test_bit(ATTR_TIMESTAMP_STOP, ct->set)) { + ret = snprintf(buf+offset, len, "</timestamp>"); + BUFFER_SIZE(ret, size, len, offset); + } + } + if (test_bit(ATTR_TIMESTAMP_START, ct->set) && + test_bit(ATTR_TIMESTAMP_STOP, ct->set)) { + ret = __snprintf_deltatime(buf+offset, len, ct); + BUFFER_SIZE(ret, size, len, offset); + } else if (test_bit(ATTR_TIMESTAMP_START, ct->set)) { + ret = __snprintf_deltatime_now(buf+offset, len, ct); + BUFFER_SIZE(ret, size, len, offset); + } + if (test_bit(ATTR_TCP_STATE, ct->set) || test_bit(ATTR_SCTP_STATE, ct->set) || test_bit(ATTR_DCCP_STATE, ct->set) || @@ -387,7 +509,9 @@ int __snprintf_conntrack_xml(char *buf, test_bit(ATTR_ZONE, ct->set) || test_bit(ATTR_USE, ct->set) || test_bit(ATTR_STATUS, ct->set) || - test_bit(ATTR_ID, ct->set)) { + test_bit(ATTR_ID, ct->set) || + test_bit(ATTR_TIMESTAMP_START, ct->set) || + test_bit(ATTR_TIMESTAMP_STOP, ct->set)) { ret = snprintf(buf+offset, len, "</meta>"); BUFFER_SIZE(ret, size, len, offset); } @@ -403,28 +527,7 @@ int __snprintf_conntrack_xml(char *buf, ret = snprintf(buf+offset, len, "<when>"); BUFFER_SIZE(ret, size, len, offset); - ret = snprintf(buf+offset, len, "<hour>%d</hour>", tm.tm_hour); - BUFFER_SIZE(ret, size, len, offset); - - ret = snprintf(buf+offset, len, "<min>%02d</min>", tm.tm_min); - BUFFER_SIZE(ret, size, len, offset); - - ret = snprintf(buf+offset, len, "<sec>%02d</sec>", tm.tm_sec); - BUFFER_SIZE(ret, size, len, offset); - - ret = snprintf(buf+offset, len, "<wday>%d</wday>", - tm.tm_wday + 1); - BUFFER_SIZE(ret, size, len, offset); - - ret = snprintf(buf+offset, len, "<day>%d</day>", tm.tm_mday); - BUFFER_SIZE(ret, size, len, offset); - - ret = snprintf(buf+offset, len, "<month>%d</month>", - tm.tm_mon + 1); - BUFFER_SIZE(ret, size, len, offset); - - ret = snprintf(buf+offset, len, "<year>%d</year>", - 1900 + tm.tm_year); + ret = __snprintf_localtime_xml(buf+offset, len, &tm); BUFFER_SIZE(ret, size, len, offset); ret = snprintf(buf+offset, len, "</when>"); diff --git a/utils/conntrack_dump.c b/utils/conntrack_dump.c index a36e753..f1d63bb 100644 --- a/utils/conntrack_dump.c +++ b/utils/conntrack_dump.c @@ -11,7 +11,7 @@ static int cb(enum nf_conntrack_msg_type type, { char buf[1024]; - nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, NFCT_OF_SHOW_LAYER3); + nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, NFCT_OF_SHOW_LAYER3 | NFCT_OF_TIMESTAMP); printf("%s\n", buf); return NFCT_CB_CONTINUE; diff --git a/utils/conntrack_events.c b/utils/conntrack_events.c index f5e72c7..7675663 100644 --- a/utils/conntrack_events.c +++ b/utils/conntrack_events.c @@ -12,7 +12,7 @@ static int event_cb(enum nf_conntrack_msg_type type, static int n = 0; char buf[1024]; - nfct_snprintf(buf, sizeof(buf), ct, type, NFCT_O_XML, NFCT_OF_TIME); + nfct_snprintf(buf, sizeof(buf), ct, type, NFCT_O_XML, NFCT_OF_TIME | NFCT_OF_TIMESTAMP); printf("%s\n", buf); if (++n == 10) |