
Allow zoneID to be netfilter attribute

srikartati opened this issue 4 years ago • 4 comments

zoneID can be a netfilter attribute along with mark and mask. This will help in dumping connections in a specific zoneID of conntrack table.

srikartati avatar Jun 11 '20 06:06 srikartati

@srikartati Flow.Zone is implemented and taken into account when marshaling and unmarshaling. Could you elaborate on any missing feature or functionality?

ti-mo avatar Jul 26 '20 10:07 ti-mo

Hi @ti-mo, the missing feature is passing the zone into the conn.DumpFilter function. I think this struct has to be extended to support zone along with mark and mask: https://github.com/ti-mo/conntrack/blob/master/filter.go#L11 This is probably a small change. Let me know if I am missing something.

srikartati avatar Aug 03 '20 17:08 srikartati

Hi @srikartati, that makes sense, thanks. I've investigated if this is possible before, but the kernel doesn't seem to support filtering dumps based on zone ID. The conntrack tool seems to do this in userspace as well, as demonstrated by this dump for the arbitrary zone 123:

~ sudo strace -esendto,recvfrom conntrack -L -w 123
sendto(3, {{len=20, type=NFNL_SUBSYS_CTNETLINK<<8|IPCTNL_MSG_CT_GET, flags=NLM_F_REQUEST|NLM_F_DUMP, seq=0, pid=0}, {nfgen_family=AF_INET, version=NFNETLINK_V0, res_id=htons(0)}, 20, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 20
recvfrom(3, [{{len=212, type=NFNL_SUBSYS_CTNETLINK<<8|IPCTNL_MSG_CT_NEW, flags=NLM_F_MULTI, seq=0, pid=107063}, {nfgen_family=AF_INET, version=NFNETLINK_V0, res_id=htons(0), [{{nla_len=52, nla_type=NLA_F_NESTED|NFNETLINK_V1}, "\x14\x00\x01\x80\x08\x00\x01\x00\x0a\x01\x01\x77\x08\x00\x02\x00....
...
(payload with flows being sent to userspace)
...
conntrack v1.4.6 (conntrack-tools): 0 flow entries have been shown.

And a dump of the default zone 0:

~ sudo strace -esendto,recvfrom conntrack -L -w 0
... (same payload) ...
udp      17 11 src=10.1.1.2 dst=10.1.1.1 sport=33529 dport=53 src=10.1.1.1 dst=10.1.1.2 sport=53 dport=33529 [ASSURED] mark=0 use=1
...
conntrack v1.4.6 (conntrack-tools): 36 flow entries have been shown.

For now, I think your best bet is to filter in userspace as well. I'll likely implement the feature requested in https://github.com/ti-mo/conntrack/issues/13 which would allow for only the zone ID to be unmarshaled, skipping entries you're not interested in.

I'll keep this issue open to have a better look into it later. I might be able to get some more eyes on the kernel side of things, I find the implementation there rather difficult to understand, so it's likely that I'm missing something.

Sorry for the slow comms, was on an extended break. :) Thanks for your patience.

ti-mo avatar Sep 11 '20 17:09 ti-mo
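Added example (not code from the ti-mo/conntrack project): it rebuilds the 20-byte dump request visible in the strace above, showing that the request is just an nlmsghdr plus nfgenmsg with no attribute payload, so there is nowhere for a zone to go, and then applies the userspace zone post-filter the thread recommends. `ctDumpRequest`, `filterZone` and the `flow` stand-in for the decoded conntrack.Flow fields are hypothetical names; a little-endian host is assumed for the netlink header.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Values from the kernel UAPI headers (linux/netlink.h, nfnetlink.h, nfnetlink_conntrack.h).
const (
	nlmFRequest        = 0x01
	nlmFDump           = 0x300 // NLM_F_ROOT | NLM_F_MATCH
	nfnlSubsysCtnetlink = 1
	ipctnlMsgCtGet     = 1
	afInet             = 2
	nfnetlinkV0        = 0
)

// ctDumpRequest builds the message conntrack -L sends: a 16-byte nlmsghdr followed by a
// 4-byte nfgenmsg. No netlink attributes follow, so no zone (or anything else) is sent.
// nlmsghdr fields are host byte order (little-endian assumed); res_id is htons() as in the strace.
func ctDumpRequest(seq uint32) []byte {
	msg := make([]byte, 20)
	binary.LittleEndian.PutUint32(msg[0:4], 20)                                    // nlmsg_len
	binary.LittleEndian.PutUint16(msg[4:6], nfnlSubsysCtnetlink<<8|ipctnlMsgCtGet) // nlmsg_type
	binary.LittleEndian.PutUint16(msg[6:8], nlmFRequest|nlmFDump)                  // nlmsg_flags
	binary.LittleEndian.PutUint32(msg[8:12], seq)                                  // nlmsg_seq
	binary.LittleEndian.PutUint32(msg[12:16], 0)                                   // nlmsg_pid (kernel fills)
	msg[16] = afInet                           // nfgen_family
	msg[17] = nfnetlinkV0                      // version
	binary.BigEndian.PutUint16(msg[18:20], 0)  // res_id = htons(0)
	return msg
}

// flow is a stand-in (assumption) for the decoded conntrack.Flow fields used here.
type flow struct {
	Zone uint16
	Mark uint32
}

// filterZone is the userspace post-filter: the kernel returns every entry, and the
// caller drops the ones outside the zone of interest after decoding.
func filterZone(flows []flow, zone uint16) []flow {
	var out []flow
	for _, f := range flows {
		if f.Zone == zone {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	fmt.Printf("dump request: % x\n", ctDumpRequest(0))
	sample := []flow{{Zone: 0}, {Zone: 123, Mark: 7}, {Zone: 0, Mark: 1}} // constructed sample
	fmt.Println(len(filterZone(sample, 123)), "flow(s) in zone 123")
}
```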

@ti-mo Makes sense to do this in userspace. Thanks for looking into this. Looking forward to the decoder feature to unmarshal the netattributes.

srikartati avatar Sep 17 '20 19:09 srikartati

Closing this, nothing actionable for zoneIDs specifically.

ti-mo avatar Oct 11 '23 11:10 ti-mo