| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While at it, also fix up commit
5ec55c2a0a264 ("conntrack: add support for CLASH_RESOLVED counter").
The intention was to also print unknown statistic counters provided
the attributes are of type u32, but mnl_attr_type_valid() needs the
correct max-attr number for this to work.
With this fix in place, conntrack -S shows:
cpu=3 found=0 inv[..] clash_resolve=0 unknown1=8200
on a modified kernel.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
The tests/conntrack/bulk-load-stress.sh is intended to be used for
stress-testing the bulk load of ct entries from a file (-R option).
Script usage detail is given by the ./bulk-load-stress.sh -h
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
conntrack tool prints [UNREPLIED] if a conntrack entry lacks the
SEEN_REPLY bit. Accept this as '-u' argument too.
If requested, mask is set to SEEN_REPLY and value remains 0 (bit not set).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
This change is backwards compatible:
Old kernels do not recognize CTA_STATUS_MASK attribute and will
ignore it (no filtering in kernel).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Userspace helpers cannot have overlapping queue number, update the
example file to fix the existing overlap.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Describe how to configure conntrackd using the new simple setup approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add a new setting to allow conntrackd to autoconfigure the userspace
helpers at startup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add ct_parse_be32() and ct_parse_be128() and use them to deal with
an IP address which is already in network byte order.
Reported-by: Tao Gong <gongtao0607@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Tests to cover conntrack -L and conntrack -D with and w/o
family (-f) specfied.
conntrack -L and contnrack -D shold list/delete
both IPv4 and IPv6 entries if no family is specified,
and should ony display the corresponding entries if
the family is given.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit implements the --load-file option which allows processing
conntrack commands stored in file. Most often this would be used as
a counter-part for the -o save option, which outputs conntrack entries
in the format of the conntrack tool options. This could be useful when
one needs to add/update/delete a large set of ct entries with a single
conntrack tool invocation. This patch introduces a ct_cmd_list, which
represents a list of ct_cmd elements.
Expected syntax is "conntrack --load-file file". If "-" is given as a
file name, stdin is used. No other commands or options are allowed to
be specified in conjunction with the --load-file command. It is however
possible to specify multiple --load-file file pairs.
Example:
Copy all entries from ct zone 11 to ct zone 12:
conntrack -L -w 11 -o save | sed "s/-w 11/-w 12/g" | \
conntrack --load-file -
Joint work with Pablo.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix memleak in parser:
==8445== 3,808 bytes in 2 blocks are definitely lost in loss record 6 of 6
==8445== at 0x483577F: malloc (vg_replace_malloc.c:299)
==8445== by 0x112636: merge_options (conntrack.c:1056)
==8445== by 0x112636: do_parse (conntrack.c:2903)
==8445== by 0x11343E: ct_file_parse_line (conntrack.c:3672)
==8445== by 0x11343E: ct_parse_file (conntrack.c:3693)
==8445== by 0x10D819: main (conntrack.c:3750)
Fixes: 8f76d6360dbf ("conntrack: add struct ct_cmd")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Wrap code to display command stats in a function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Prepare for the batch support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Pass the command object to the nat, mark and IP address userspace
filters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Pass the command object to the userspace filter routine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Pass command object to initialize the userspace filter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Pass the command object to prepare for batch support.
Move ct_cmd structure definition right at the top of file otherwise
compilation breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We are not interested in sysctl echoing the value it just set.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This test case covers missing hashtable buckets and max entries configuration options. There should
be a value for them, otherwise the daemon segfaults.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fall back to 65536 buckets and 262144 entries.
It would be probably good to add code to autoadjust by reading
/proc/sys/net/netfilter/nf_conntrack_buckets and
/proc/sys/net/nf_conntrack_max.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This allows for running the script away from the test infrastructure,
which is convenient when developing new tests. This also allows for
reusing the same netns setup from new tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new scenario with a virtual network layout that was previously designed by
Pablo (see commit 7f1fb5dad90f04caa94f4fcefd1340aeb2c2f0e3).
The scenario is called 'basic_2_peer_network_tcp_notrack' and can be used to test conntrack entry
replication in TCP/NOTRACK mode with both caches disables. In this mode entry syncronization should
happen basically in the same instant the event is produced.
The testcase is very simple, but works really well:
* send 1 ping to a network peer across the router
* verify the conntrack entry has been replicated to the stand-by router
=== 8< ===
$ cd tests ; sudo ./conntrackd-tests.py --single tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: --- running test: tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: --- passed test: tcp_notrack_replicate_icmp
[conntrackd-tests.py] INFO: ---
[conntrackd-tests.py] INFO: --- finished
[conntrackd-tests.py] INFO: --- passed tests: 1
[conntrackd-tests.py] INFO: --- failed tests: 0
[conntrackd-tests.py] INFO: --- scenario failure: 0
[conntrackd-tests.py] INFO: --- total tests: 1
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
framework
Introduce some initial basic testcases for configuration parsing and standard daemon startup and
shutdown routines.
This should give an example of how the framework works.
Here is an example of running this:
=== 8< ===
$ cd tests/conntrackd ; sudo ./conntrackd-tests.py
[conntrackd-tests.py] INFO: --- running test: stats_general
[conntrackd-tests.py] INFO: --- passed test: stats_general
[conntrackd-tests.py] INFO: --- running test: stats_network
[conntrackd-tests.py] INFO: --- passed test: stats_network
[conntrackd-tests.py] INFO: --- running test: stats_runtime
[conntrackd-tests.py] INFO: --- passed test: stats_runtime
[conntrackd-tests.py] INFO: --- running test: stats_process
[conntrackd-tests.py] INFO: --- passed test: stats_process
[conntrackd-tests.py] INFO: --- running test: stats_queue
[conntrackd-tests.py] INFO: --- passed test: stats_queue
[conntrackd-tests.py] INFO: --- running test: stats_ct
[conntrackd-tests.py] INFO: --- passed test: stats_ct
[conntrackd-tests.py] INFO: --- running test: stats_expect
[conntrackd-tests.py] INFO: --- passed test: stats_expect
[conntrackd-tests.py] INFO: ---
[conntrackd-tests.py] INFO: --- finished
[conntrackd-tests.py] INFO: --- passed tests: 7
[conntrackd-tests.py] INFO: --- failed tests: 0
[conntrackd-tests.py] INFO: --- scenario failure: 0
[conntrackd-tests.py] INFO: --- total tests: 7
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test suite should help us develop better tests for conntrack-tools in general and conntrackd
in particular.
The framework is composed of a runner script, written in python3, and 3 yaml files for
configuration and testcase definition:
- scenarios.yaml: contains information on network scenarios for tests to use
- tests.yaml: contains testcase definition
- env.yaml: contains default values for environment variables
The test cases can be anything, from a simple command to an external script call to perform more
complex operations. See follow-up patches to know more on how this works.
The plan is to replace or call from this framework the other testsuites in this tree.
The runner script is rather simple, and it should be more or less straight forward to use it.
On Debian machines, it requires the *python3-yaml* package to be installed as a dependency.
For reference, here are the script options:
=== 8< ===
$ tests/conntrackd/conntrackd-tests.py --help
usage: conntrackd-tests.py [-h] [--tests-file TESTS_FILE]
[--scenarios-file SCENARIOS_FILE]
[--env-file ENV_FILE]
[--single SINGLE]
[--start-scenario START_SCENARIO]
[--stop-scenario STOP_SCENARIO]
[--debug]
Utility to run tests for conntrack-tools
optional arguments:
-h, --help show this help message and exit
--tests-file TESTS_FILE
File with testcase definitions. Defaults to 'tests.yaml'
--scenarios-file SCENARIOS_FILE
File with configuration scenarios for tests. Defaults to 'scenarios.yaml'
--env-file ENV_FILE File with environment variables for scenarios/tests. Defaults to 'env.yaml'
--single SINGLE Execute a single testcase and exit. Use this for developing testcases
--start-scenario START_SCENARIO
Execute scenario start commands and exit. Use this for developing testcases
--stop-scenario STOP_SCENARIO
Execute scenario stop commands and exit. Use this for cleanup
--debug debug mode
=== 8< ===
To run it, simply use:
=== 8< ===
$ cd tests/conntrackd/ ; sudo ./conntrackd-tests.py
[..]
=== 8< ===
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
| |
They are equivalent of 'on' and 'off' and makes the config easier to understand.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
| |
Wrap the code to run the command around the do_command_ct() function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the global template object, add it to struct ct_cmd. This patch
prepares for the batch support.
The global cur_tmpl pointer is used to access the template from the
callbacks and the exit_error() path.
Note that it should be possible to remove this global cur_tmpl pointer
by passing the new command object as parameter to the callbacks and
exit_error().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This new object stores the result of the command parser, this prepares
for batch support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a script that creates a ip netns testbed. The network
topology looks like this:
veth0---veth0
host nsr1 ns2
veth0----veth0
ns1 veth2
|
veth0
nsr2
* ns1 and ns2 are clients to generate traffic
* nsr1 and nsr2 run conntrackd to synchronize states
* nsr1 is the primary gateway
- veth2 is used to synchronize states
* nsr2 is the backup gateway
- veth0 is used to synchronize states
To set up the testbed:
% sudo ./conntrackd-netns-test.sh start
To test your testbed works, from ns2:
% sudo ip netns exec ns2 nc -l -p 8080
From ns1:
% sudo ip netns exec ns1 nc -vvv 10.0.1.2 8080
From nsr1:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr1.conf
cache internal:
current active connections: 1
[...]
cache external:
current active connections: 0
From nsr2:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr2.conf
cache internal:
current active connections: 0
[...]
cache external:
current active connections: 1
To stop it:
% sudo ./conntrackd-netns-test.sh stop
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DESTROY events already include the portid. Add some /proc glue
to lookup the portid.
Problem is that there is no direct mapping to a name.
Lookup steps are:
1. Obtain the portid inode from /proc/net/netlink.
If we can't even find that, no luck.
2. assume portid == pid and search
/proc/portid/fd/ for a socket with matching inode.
This is modeled on iproute2 ss tool.
If /proc/portid/fd/ comes up empty, entire process space
(/proc/*/fd) is searched for a matching inode.
As this is quite some work, cache the last portid result (including
'not found', so that 'conntrack -F' generating 10000k events will do
this lookup only once.
The lookup won't work in case the deleting/flushing program has already
exited; in that case [USERSPACE] tag and portid are still included.
Example:
$ conntrack -E -o userspace
[DESTROY] tcp 6 src=192... dst=192... sport=4404 dport=22 ... [USERSPACE] portid=5146 progname=conntrack
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In busy firewalls that run conntrackd in NOTRACK with both internal and
external caches disabled, external_inject can get lots of traffic. In
case of issues injecting or updating conntrack entries a log entry will
be generated, the infamous inject-addX, inject-updX messages.
But there is nothing end users can do about this error message, which is
purely internal. This patch is basically cosmetic, relaxing the message
from ERROR to WARNING. The information reported is also extended a bit.
The idea is to leave ERROR messages to issues that would *stop* or
*prevent* conntrackd from working at all.
Another nice thing to do in the future is to rate-limit this message,
which is generated in the data path and can easily fill log files. But
ideally, the actual root cause would be fixed, and there would be no
WARNING message reported at all, meaning that all conntrack entries are
smoothly synced between the firewalls in the cluster. We can work on
that later.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Ignore the nano swap file.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit allows dumping conntrack entries in the format
used by the conntrack parameters, aka "save" output format.
This is useful for saving ct entry data to allow applying
it later on.
To enable the "save" output the "-o save" parameter needs
to be passed to the conntrack tool invocation.
[ pablo@netfilter.org: several updates to the original patch ]
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This allows users to flush IPv4 entries only through:
conntrack -F -f ipv4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch allows you to filter event through -f, e.g.
conntrack -E -f ipv4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
2bcbae4c14b2 ("conntrack: -f family filter does not work") restored the
fallback to IPv4 if -f is not specified, which was the original
behaviour.
This patch modifies the default to use the unspec family if -f is not
specified for the following ct commands:
- list
- update
- delete
- get
(these two commands below do not support for -f though, but in case this is
extended in the future to support it):
- flush
- event
The existing code that parses IPv4 and IPv6 addresses already infers the
family, which simplifies the introduction of this update.
The expect commands are not updated, they still require many mandatory
options for filtering.
This patch includes a few test updates too.
Based on patch from Mikhail Sennikovsky.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
In some use cases, zone is used to differentiate different
conntrack state tables, so zone also should be synchronized
if it is set.
Signed-off-by: Yi Yang <yangyi01@inspur.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Creating icmp ct entry with command like
conntrack -I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 \
-q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226
results in nfct_query( NFCT_Q_CREATE ) request would fail
because reply L4 proto is not set while having reply data specified
Set reply L4 proto when reply data is given for the icmp ct entry
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add test to cover icmp entry creation/deletion with conntrack
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
While at it, also allow to display up to 4 counters that are sent
by kernel but that we do not know.
This is useful to list counters that a new kernel supports with
and older release of conntrack-tools.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
A quick revamp on the conntrack-tools manual which is aging a bit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
ip_conntrack sysctl entries are very old and available for backward
compatibility reasons.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
> (1) The mark in the command line is '10', not '1'.
> (2) The dport in the example is '993', not '3486' and not '34846'.
... text says "has been deleted"; but conntrack prints "have been deleted"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Extend testsuite with a few more tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds support for the IPS_HW_OFFLOAD flag which specifies that
this conntrack entry has been offloaded into the hardware.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix for the following warning:
In file included from rpc.c:29:
/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
| ^~~~~~~
Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(),
therefore rename the local version.
Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
