From 2217eb4c53a54eabbc09e043209181c483e2eace Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 23 Oct 2010 17:35:57 +0200
Subject: conntrack: add timestamp support

This patch adds the connection tracking extension that allows conntrack timestamping. This requires a Linux kernel >= 2.6.38. We have now 65 attributes, we need 96 bits to store what attributes are set in the objects.
Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack/api.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'src/conntrack/api.c')
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index 6b73817..2262974 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -356,6 +356,7 @@ void nfct_callback_unregister2(struct nfct_handle *h)
 * - ATTR_ID
 * - ATTR_*_COUNTER_*
 * - ATTR_SECCTX
+ * - ATTR_TIMESTAMP_*
 * The call of this function for such attributes do nothing.
 */
 void nfct_set_attr(struct nf_conntrack *ct,
@@ -970,7 +971,20 @@ int nfct_catch(struct nfct_handle *h)
 * The output flags are:
 * - NFCT_OF_SHOW_LAYER3: include layer 3 information in the output,
 * this is *only* required by NFCT_O_DEFAULT.
- * - NFCT_OF_TIME: display time.
+ * - NFCT_OF_TIME: display current time.
+ * - NFCT_OF_ID: display the ID number.
+ * - NFCT_OF_TIMESTAMP: display creation and (if exists) deletion time.
+ *
+ * To use NFCT_OF_TIMESTAMP, you have to:
+ * \verbatim
+ * $ echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
+\endverbatim
+ * This requires a Linux kernel >= 2.6.38.
+ *
+ * Note that NFCT_OF_TIME displays the current time when nfct_snprintf() has
+ * been called. Thus, it can be used to know when a flow was destroy if you
+ * print the message just after you receive the destroy event. If you want
+ * more accurate timestamping, use NFCT_OF_TIMESTAMP.
 *
 * This function returns the size of the information that _would_ have been
 * written to the buffer, even if there was no room for it. Thus, the
--
cgit v1.2.3
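Review bot: In the second hunk, the added paragraph on NFCT_OF_TIME says "when a flow was destroy"; the line should read `* been called. Thus, it can be used to know when a flow was destroyed if you`. The NFCT_OF_TIMESTAMP text also does not say what nfct_snprintf() emits when the object carries no timestamp attributes (sysctl left at 0, or a kernel older than 2.6.38). Callers that build audit or incident timelines from this output need to know whether the field is omitted or printed as zero, so one sentence covering that case would help. It may also be worth stating that the `echo 1 >` step needs root and, presumably, only affects flows created after it is set (please confirm). The comment block starts and ends outside the hunk.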