[pve-devel] [PATCH conntrack-tool v2 3/5] add expectation support
Mira Limbeck
m.limbeck at proxmox.com
Wed Feb 3 15:25:33 CET 2021
Expectation support requires net.netfilter.nf_conntrack_helper to be set
to 1. In addition, the helper modules have to be loaded. In the
tests nf_conntrack_ftp was used as the helper.
Together with expectation support, string attribute support is also
added. Some functions which are conntrack specific are renamed to
contain 'conntrack' in their names.
Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
---
v2:
- mostly the same changes as for patch 1
src/main.rs | 249 +++++++++++++++++++++++++++++++++++--
src/netfilter_conntrack.rs | 44 +++++++
2 files changed, 285 insertions(+), 8 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 2137556..79779ff 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -43,20 +43,37 @@ fn main() -> Result<()> {
}
}
}
+
+ let mut exps = Vec::new();
+ socket
+ .query_expects(&mut exps)
+ .map_err(|err| format_err!("Error querying expects: {}", err))?;
+
+ for exp in exps.iter() {
+ match serde_json::to_string(exp) {
+ Ok(s) => println!("{}", s),
+ Err(err) => {
+ eprintln!("Failed to serialize expect: {}", err);
+ break;
+ }
+ }
+ }
} else if args[1] == "insert" {
for line in BufReader::new(stdin())
.lines()
.map(|line| line.unwrap_or_else(|_| "".to_string()))
{
- let ct: Conntrack = match serde_json::from_str(&line) {
- Ok(ct) => ct,
- Err(err) => {
- eprintln!("Failed to deserialize conntrack: {}", err);
- break;
+ if let Ok(ct) = serde_json::from_str::<Conntrack>(&line) {
+ if let Err(err) = socket.insert_conntrack(ct) {
+ eprintln!("Error inserting conntrack: {}", err);
}
- };
- if let Err(err) = socket.insert_conntrack(ct) {
- eprintln!("Error inserting conntrack: {}", err);
+ } else if let Ok(exp) = serde_json::from_str::<Expect>(&line) {
+ if let Err(err) = socket.insert_expect(exp) {
+ eprintln!("Error inserting expect: {}", err);
+ }
+ } else {
+ eprintln!("Failed to deserialize input: {}", line);
+ break;
}
}
} else {
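Review bot: The fallback branch at `eprintln!("Failed to deserialize input: {}", line)` discards both serde errors, so a malformed line is reported only by echoing the whole input and the operator learns neither why it failed as a `Conntrack` nor why it failed as an `Expect`; the removed code at least printed the error. The `if let ... else if let` chain cannot bind the `Err` values, so a nested `match` that keeps both errors is the cleaner shape, with `break` retained. A line that happens to deserialize as both types is silently treated as a conntrack; that ordering is presumably intended but is worth a one-line comment. The enclosing `main` starts before this hunk and continues after it.
```rust
match serde_json::from_str::<Conntrack>(&line) {
    Ok(ct) => {
        if let Err(err) = socket.insert_conntrack(ct) {
            eprintln!("Error inserting conntrack: {}", err);
        }
    }
    // Not a conntrack record: try an expectation before giving up.
    Err(ct_err) => match serde_json::from_str::<Expect>(&line) {
        Ok(exp) => {
            if let Err(err) = socket.insert_expect(exp) {
                eprintln!("Error inserting expect: {}", err);
            }
        }
        Err(exp_err) => {
            eprintln!(
                "Failed to deserialize input (as conntrack: {}; as expect: {}): {}",
                ct_err, exp_err, line
            );
            break;
        }
    },
}
```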
@@ -92,6 +109,13 @@ const CONNTRACK_INSERT_MSG_TYPE: u16 =
((libc::NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW) as u16;
const CONNTRACK_INSERT_FLAGS: u16 =
(libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_CREATE) as u16;
+const EXPECT_QUERY_MSG_TYPE: u16 =
+ ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_GET) as u16;
+const EXPECT_QUERY_FLAGS: u16 = (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_DUMP) as u16;
+const EXPECT_INSERT_MSG_TYPE: u16 =
+ ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_NEW) as u16;
+const EXPECT_INSERT_FLAGS: u16 =
+ (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_CREATE) as u16;
pub struct Socket {
socket: NonNull<mnl_socket>,
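Review bot: `EXPECT_QUERY_FLAGS` is written on a single line while its three sibling constants wrap the expression onto a continuation line; rustfmt would normalise this, so the hunk presumably was not run through it. Wrapping it the same way, `const EXPECT_QUERY_FLAGS: u16 =` / `(libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_DUMP) as u16;`, keeps the four definitions visually parallel.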
@@ -176,6 +200,88 @@ impl Socket {
Ok(())
}
+ fn query_expects(&mut self, exps: &mut Vec<Expect>) -> Result<()> {
+ let seq = self.seq();
+ self.query_expects_impl(exps, seq, libc::AF_INET as _)?;
+ let seq = self.seq();
+ self.query_expects_impl(exps, seq, libc::AF_INET6 as _)?;
+ Ok(())
+ }
+
+ fn query_expects_impl(&mut self, exps: &mut Vec<Expect>, seq: u32, proto: u8) -> Result<()> {
+ let mut buf = [0u8; MNL_SOCKET_DUMP_SIZE as _];
+ let hdr = build_msg_header(
+ buf.as_mut_ptr() as _,
+ EXPECT_QUERY_MSG_TYPE,
+ EXPECT_QUERY_FLAGS,
+ seq,
+ proto,
+ );
+ self.send_and_receive(hdr, 0, Some(query_exp_cb), exps as *mut Vec<Expect> as _)
+ }
+
+ fn insert_expect(&mut self, exp: Expect) -> Result<()> {
+ let proto = if exp.is_ipv6() {
+ libc::AF_INET6 as u8
+ } else {
+ libc::AF_INET as u8
+ };
+
+ let mut buf = [0u8; MNL_SOCKET_BUFFER_SIZE as _];
+ let hdr = build_msg_header(
+ buf.as_mut_ptr() as _,
+ EXPECT_INSERT_MSG_TYPE,
+ EXPECT_INSERT_FLAGS,
+ self.seq(),
+ proto,
+ );
+
+ let exph = unsafe { nfexp_new() };
+ if exph.is_null() {
+ bail!("Failed to create new expect object");
+ }
+
+ let mut strings = Vec::new();
+ let mut cts = Vec::new();
+ for attr in exp.attributes {
+ match attr.value {
+ ExpectAttrValue::CT(ct) => unsafe {
+ let (ct, mut s) = build_conntrack(ct)?;
+ nfexp_set_attr(exph, attr.key, ct as _);
+ strings.append(&mut s);
+ cts.push(ct);
+ },
+ ExpectAttrValue::U8(v) => unsafe {
+ nfexp_set_attr_u8(exph, attr.key, v);
+ },
+ ExpectAttrValue::U16(v) => unsafe {
+ nfexp_set_attr_u16(exph, attr.key, v);
+ },
+ ExpectAttrValue::U32(v) => unsafe {
+ nfexp_set_attr_u32(exph, attr.key, v);
+ },
+ ExpectAttrValue::String(v) => unsafe {
+ nfexp_set_attr(exph, attr.key, v.as_ptr() as _);
+ strings.push(v);
+ },
+ }
+ }
+
+ unsafe {
+ nfexp_nlmsg_build(hdr, exph);
+ nfexp_destroy(exph);
+ }
+ for ct in cts {
+ unsafe {
+ nfct_destroy(ct);
+ }
+ }
+
+ self.send_and_receive(hdr, 0, None, std::ptr::null_mut())?;
+
+ Ok(())
+ }
+
fn send_and_receive(
&mut self,
msg: *const libc::nlmsghdr,
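Review bot: In `insert_expect`, the `build_conntrack(ct)?` inside the `ExpectAttrValue::CT` arm returns early without calling `nfexp_destroy(exph)` or `nfct_destroy` on the conntrack objects already pushed to `cts`, so a malformed expectation from stdin leaks every object allocated up to that point. The return value of `nfexp_nlmsg_build(hdr, exph)` is also ignored even though the extern declaration returns `c_int`; it is worth checking against the library's error convention before sending the message. The hunk ends inside the signature of `send_and_receive`, which continues after it.
```rust
    for attr in exp.attributes {
        match attr.value {
            ExpectAttrValue::CT(ct) => unsafe {
                // Free what was already allocated before propagating the error.
                let (built_ct, mut s) = match build_conntrack(ct) {
                    Ok(built) => built,
                    Err(err) => {
                        nfexp_destroy(exph);
                        for c in &cts {
                            nfct_destroy(*c);
                        }
                        return Err(err);
                    }
                };
                nfexp_set_attr(exph, attr.key, built_ct as _);
                strings.append(&mut s);
                cts.push(built_ct);
            },
            // … unchanged: U8 / U16 / U32 / String arms …
        }
    }
```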
@@ -409,6 +515,7 @@ fn build_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec<CString>)> {
}
Ok((cth, strings))
}
+
const ALL_ATTRIBUTES: &[(CTAttr, AttrType)] = &[
(CTAttr::ORIG_IPV4_SRC, AttrType::U32), /* u32 bits */
(CTAttr::ORIG_IPV4_DST, AttrType::U32), /* u32 bits */
@@ -486,3 +593,129 @@ const ALL_ATTRIBUTES: &[(CTAttr, AttrType)] = &[
(CTAttr::SYNPROXY_ITS, AttrType::U32), /* u32 bits */
(CTAttr::SYNPROXY_TSOFF, AttrType::U32), /* u32 bits */
];
+
+extern "C" fn query_exp_cb(nlh: *const libc::nlmsghdr, data_ptr: *mut libc::c_void) -> libc::c_int {
+ let exp = unsafe { nfexp_new() };
+ unsafe {
+ nfexp_nlmsg_parse(nlh, exp);
+ }
+
+ let mut attributes = Vec::new();
+ for (attr, ty) in EXPECT_ALL_ATTRIBUTES {
+ if unsafe { nfexp_attr_is_set(exp, *attr) } == 0 {
+ continue;
+ }
+ match ty {
+ ExpectAttrType::CT => {
+ let ct = unsafe { nfexp_get_attr(exp, *attr) };
+ if let Some(ct) = parse_conntrack(ct as _) {
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::CT(ct),
+ });
+ }
+ }
+ ExpectAttrType::U8 => {
+ let val = unsafe { nfexp_get_attr_u8(exp, *attr) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::U8(val),
+ });
+ }
+ ExpectAttrType::U16 => {
+ let val = unsafe { nfexp_get_attr_u16(exp, *attr) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::U16(val),
+ });
+ }
+ ExpectAttrType::U32 => {
+ let val = unsafe { nfexp_get_attr_u32(exp, *attr) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::U32(val),
+ });
+ }
+ ExpectAttrType::String(Some(len)) => {
+ let ptr = unsafe { nfexp_get_attr(exp, *attr) };
+ let cstr = unsafe { std::ffi::CStr::from_ptr(ptr as _) };
+ let s = cstr.to_bytes();
+ let s =
+ unsafe { CString::from_vec_unchecked(s[0..s.len().min((*len) as _)].to_vec()) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::String(s),
+ });
+ }
+ ExpectAttrType::String(None) => {
+ let ptr = unsafe { nfexp_get_attr(exp, *attr) };
+ let cstr = unsafe { std::ffi::CStr::from_ptr(ptr as _) };
+ let s = cstr.to_bytes();
+ let s = unsafe { CString::from_vec_unchecked(s.to_vec()) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::String(s),
+ });
+ }
+ }
+ }
+
+ let exps: &mut Vec<Expect> = unsafe { &mut *(data_ptr as *mut Vec<Expect>) };
+ exps.push(Expect { attributes });
+
+ MNL_CB_OK
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct Expect {
+ attributes: Vec<ExpectAttr>,
+}
+
+impl Expect {
+ fn is_ipv6(&self) -> bool {
+ for attr in &self.attributes {
+ if let ExpectAttrValue::CT(ct) = &attr.value {
+ return ct.is_ipv6();
+ }
+ }
+ false
+ }
+}
+
+enum ExpectAttrType {
+ CT,
+ U8,
+ U16,
+ U32,
+ String(Option<u32>),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+enum ExpectAttrValue {
+ CT(Conntrack),
+ U8(u8),
+ U16(u16),
+ U32(u32),
+ String(CString),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ExpectAttr {
+ #[serde(rename = "type")]
+ key: ExpAttr,
+ value: ExpectAttrValue,
+}
+
+const EXPECT_ALL_ATTRIBUTES: &[(ExpAttr, ExpectAttrType)] = &[
+ (ExpAttr::MASTER, ExpectAttrType::CT), // conntrack
+ (ExpAttr::EXPECTED, ExpectAttrType::CT), // conntrack
+ (ExpAttr::MASK, ExpectAttrType::CT), // conntrack
+ (ExpAttr::TIMEOUT, ExpectAttrType::U32), // u32 bits
+ (ExpAttr::ZONE, ExpectAttrType::U16), // u16 bits
+ (ExpAttr::FLAGS, ExpectAttrType::U32), // u32 bits
+ (ExpAttr::HELPER_NAME, ExpectAttrType::String(Some(16))), // string 16 bytes max
+ (ExpAttr::CLASS, ExpectAttrType::U32), // u32 bits
+ (ExpAttr::NAT_TUPLE, ExpectAttrType::CT), // conntrack
+ (ExpAttr::NAT_DIR, ExpectAttrType::U8), // u8 bits
+ (ExpAttr::FN, ExpectAttrType::String(None)), // string
+];
diff --git a/src/netfilter_conntrack.rs b/src/netfilter_conntrack.rs
index a9e67e4..8a56ad8 100644
--- a/src/netfilter_conntrack.rs
+++ b/src/netfilter_conntrack.rs
@@ -39,6 +39,25 @@ extern "C" {
pub fn nfct_get_attr_u64(ct: *const nf_conntrack, type_: CTAttr) -> u64;
pub fn nfct_attr_is_set(ct: *const nf_conntrack, type_: CTAttr) -> libc::c_int;
+
+ // expectation API
+ pub fn nfexp_new() -> *mut nf_expect;
+ pub fn nfexp_destroy(exp: *mut nf_expect);
+
+ pub fn nfexp_set_attr(exp: *mut nf_expect, type_: ExpAttr, value: *const libc::c_void);
+ pub fn nfexp_set_attr_u8(exp: *mut nf_expect, type_: ExpAttr, value: u8);
+ pub fn nfexp_set_attr_u16(exp: *mut nf_expect, type_: ExpAttr, value: u16);
+ pub fn nfexp_set_attr_u32(exp: *mut nf_expect, type_: ExpAttr, value: u32);
+
+ pub fn nfexp_get_attr(exp: *const nf_expect, type_: ExpAttr) -> *const libc::c_void;
+ pub fn nfexp_get_attr_u8(exp: *const nf_expect, type_: ExpAttr) -> u8;
+ pub fn nfexp_get_attr_u16(exp: *const nf_expect, type_: ExpAttr) -> u16;
+ pub fn nfexp_get_attr_u32(exp: *const nf_expect, type_: ExpAttr) -> u32;
+
+ pub fn nfexp_attr_is_set(exp: *const nf_expect, type_: ExpAttr) -> libc::c_int;
+
+ pub fn nfexp_nlmsg_parse(nlh: *const libc::nlmsghdr, exp: *mut nf_expect) -> libc::c_int;
+ pub fn nfexp_nlmsg_build(nlh: *mut libc::nlmsghdr, exp: *const nf_expect) -> libc::c_int;
}
// set option
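Review bot: The new extern declarations carry no note on pointer ownership, which is exactly what the callers in main.rs depend on: `insert_expect` destroys the conntrack objects passed to `nfexp_set_attr` right after building the message, and `query_exp_cb` reads pointers from `nfexp_get_attr` before the expect object is freed. A short comment above `nfexp_set_attr`, e.g. `// value is read during the call (copied into exp); the caller keeps ownership — confirm against libnetfilter_conntrack`, and one above `nfexp_get_attr`, e.g. `// returned pointer points into exp and is valid only until nfexp_destroy(exp)`, would make that contract explicit. The `c_int` results of `nfexp_nlmsg_parse` and `nfexp_nlmsg_build` would likewise benefit from a comment stating the library's success/error convention, since both callers currently ignore them.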
@@ -166,3 +185,28 @@ pub enum CTAttr {
SYNPROXY_TSOFF = 74, /* u32 bits */
MAX = 75,
}
+
+#[repr(C)]
+pub struct nf_expect {
+ _private: [u8; 0],
+}
+
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, PartialEq)]
+#[derive(serde::Deserialize, serde::Serialize)]
+#[allow(non_camel_case_types)]
+pub enum ExpAttr {
+ MASTER = 0, /* pointer to conntrack object */
+ EXPECTED = 1, /* pointer to conntrack object */
+ MASK = 2, /* pointer to conntrack object */
+ TIMEOUT = 3, /* u32 bits */
+ ZONE = 4, /* u16 bits */
+ FLAGS = 5, /* u32 bits */
+ HELPER_NAME = 6, /* string (16 bytes max) */
+ CLASS = 7, /* u32 bits */
+ NAT_TUPLE = 8, /* pointer to conntrack object */
+ NAT_DIR = 9, /* u8 bits */
+ FN = 10, /* string */
+ MAX = 11,
+}
--
2.20.1