[pve-devel] [PATCH conntrack-tool v2 1/5] initial commit

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Feb 4 09:07:30 CET 2021

On 03.02.21 15:25, Mira Limbeck wrote:
> Dumping conntrack information and importing conntrack information works
> for IPv4 and IPv6. No filtering is supported for now. pve-conntrack-tool
> will always return both IPv4 and IPv6 conntracks together.
>
> Conntracks are serialized as JSON and printed on STDOUT line by line
> with one line containing one conntrack. When inserting, data is read
> from STDIN line by line and expected to be one JSON object per line
> representing the conntrack.
>
> Currently some conntrack attributes are not supported. These are
> HELPER_INFO, CONNLABELS and CONNLABELS_MASK. The reason for this is that
> handling of variable length attributes does not seem to be correctly
> implemented in libnetfilter_conntrack. To fix this we would probably have
> to use libmnl directly.
>
> Conntracks containing protonum 2 (IGMP) are ignored in the dump as
> they can't be inserted using libnetfilter_conntrack (conntrack-tools'
> conntrack also exhibits the same behavior).
>
> Expectation support, which is necessary for FTP and other protocols, is
> not yet implemented.
>
> Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
> ---
> v2:
>  - changed Conntracks to Socket
>  - reworked a lot of the code for less code duplication
>  - reduced usage of 'unsafe'
>  - added/changed things based on @Wobu's suggestions (off-list)
>
>  Cargo.toml                 |  14 ++
>  src/main.rs                | 488 +++++++++++++++++++++++++++++++++++++
>  src/mnl.rs                 | 132 ++++++++++
>  src/netfilter_conntrack.rs | 168 +++++++++++++
>  4 files changed, 802 insertions(+)
>  create mode 100644 Cargo.toml
>  create mode 100644 src/main.rs
>  create mode 100644 src/mnl.rs
>  create mode 100644 src/netfilter_conntrack.rs

I took a (very) quick look at it and the code itself seems quite sensible.

One higher level question though: would it make sense to have the whole
plumbing and general socket interfacing in its own library crate (or sub
workspace or something like that) and the binary here separate and as a
plain user of that crate?

That way we could additionally publish it on crates.io, which could be helpful
for some people (even if conntrack/nl is certainly a bit of a niche).

What do you think about that?
