From 293e7eff59e0bfc4401d620b6d38e096fc0e3b04 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 20 Feb 2019 19:41:45 +0100 Subject: conntrack: add -o userspace option to tag user-triggered events The following command: # conntrack -E -o userspace & # conntrack -F [DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE] prints the [USERSPACE] tag at the end of the event, this tells users if this event has been triggered by process, eg. via conntrack command invocation. Signed-off-by: Pablo Neira Ayuso --- src/conntrack.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) (limited to 'src/conntrack.c') diff --git a/src/conntrack.c b/src/conntrack.c index e3abe9f..daa93db 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -854,6 +854,7 @@ enum { _O_ID = (1 << 3), _O_KTMS = (1 << 4), _O_CL = (1 << 5), + _O_US = (1 << 6), }; enum { @@ -864,16 +865,16 @@ enum { }; static struct parse_parameter { - const char *parameter[6]; + const char *parameter[7]; size_t size; - unsigned int value[6]; + unsigned int value[7]; } parse_array[PARSE_MAX] = { { {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED"}, 5, { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} }, { {"ALL", "NEW", "UPDATES", "DESTROY"}, 4, { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } }, - { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", }, 6, - { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_CL }, + { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", "userspace" }, 7, + { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_CL, _O_US }, }, }; 
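Review bot: The element count is now written by hand in three places in the `parse_parameter` hunk (`parameter[7]`, `value[7]` and the `7` stored in `size` for the output row), and nothing ties them together. If a later option raises `size` without widening both arrays, whatever code walks the table up to `size` (not visible in this hunk) would presumably index past the end of `parameter`/`value`. A named bound such as `enum { PARSE_PARAM_MAX = 7 };` used for both array declarations would make the next addition a one-place change. A one-line comment above `parse_array` should also state that `size` must never exceed that bound.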
@@ -1427,6 +1428,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data) enum nf_conntrack_msg_type type; unsigned int op_flags = 0; struct nf_conntrack *ct; + bool userspace = false; char buf[1024]; switch(nlh->nlmsg_type & 0xff) { @@ -1480,7 +1482,14 @@ static int event_cb(const struct nlmsghdr *nlh, void *data) nfct_snprintf_labels(buf, sizeof(buf), ct, type, op_type, op_flags, labelmap); - printf("%s\n", buf); + if (output_mask & _O_US) { + if (nlh->nlmsg_pid) + userspace = true; + else + userspace = false; + } + + printf("%s%s\n", buf, userspace ? " [USERSPACE]" : ""); fflush(stdout); counter++; -- cgit v1.2.3
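Review bot: The ` [USERSPACE]` suffix in the new `printf` is appended whatever the output format is, so with `-o xml,userspace` the tag would presumably land after the XML element in `buf` and leave the line not well-formed for a consumer that parses it. The formatting of `buf` happens outside this hunk, so this is worth confirming. Either reject that combination when options are parsed or gate the tag, e.g. `if ((output_mask & _O_US) && !(output_mask & _O_XML) && nlh->nlmsg_pid) userspace = true;`, which also removes the `else` branch that only re-assigns the initial `false`. The test itself deserves a comment, since `nlmsg_pid` is a netlink port ID rather than a process ID: `/* non-zero nlmsg_pid: the event was caused by a request from a userspace netlink socket; it does not identify the process */`. event_cb starts and ends outside the hunk.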