[pve-devel] [PATCH v3 conntrack-tool 3/4] add expectation support

Mira Limbeck m.limbeck at proxmox.com
Tue Feb 16 17:56:41 CET 2021


Expectation support requires net.netfilter.nf_conntrack_helper to be set
to 1. In addition the helper modules have to be loaded as well. In the
tests nf_conntrack_ftp was used as helper.

Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
---
v3:
 - split expect functions into their own files
 - made required functions in conntrack.rs public
v2:
 - mostly the same changes as for patch 1

 src/conntrack.rs           |  20 ++--
 src/expect.rs              | 228 +++++++++++++++++++++++++++++++++++++
 src/main.rs                |  38 +++++--
 src/netfilter_conntrack.rs |  44 +++++++
 4 files changed, 306 insertions(+), 24 deletions(-)
 create mode 100644 src/expect.rs

diff --git a/src/conntrack.rs b/src/conntrack.rs
index 6abd4a5..248c7a6 100644
--- a/src/conntrack.rs
+++ b/src/conntrack.rs
@@ -57,7 +57,7 @@ pub struct Conntrack {
 }
 
 impl Conntrack {
-    fn is_ipv6(&self) -> bool {
+    pub fn is_ipv6(&self) -> bool {
         for attr in self.attributes.iter() {
             if IPV6_ATTRIBUTES.contains(&attr.key) {
                 return true;
@@ -67,7 +67,7 @@ impl Conntrack {
     }
 }
 
-fn build_nf_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec<CString>)> {
+pub fn build_nf_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec<CString>)> {
     let cth = unsafe { nfct_new() };
     if cth.is_null() {
         bail!("Failed to create new conntrack object");
@@ -100,7 +100,7 @@ fn build_nf_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec<CString>)
     Ok((cth, strings))
 }
 
-fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
+pub fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
     let mut attributes = Vec::new();
     for (attr, ty) in ALL_ATTRIBUTES {
         if *attr == CTAttr::ID {
@@ -145,7 +145,7 @@ fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
             AttrType::U128 => {
                 let val = unsafe { nfct_get_attr(ct, *attr) } as *const u32;
                 let val = unsafe { std::slice::from_raw_parts(val, 4) }
-                .try_into()
+                    .try_into()
                     .unwrap();
                 attributes.push(Attr {
                     key: *attr,
@@ -156,9 +156,8 @@ fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
                 let ptr = unsafe { nfct_get_attr(ct, *attr) };
                 let cstr = unsafe { std::ffi::CStr::from_ptr(ptr as _) };
                 let s = cstr.to_bytes();
-                let s = unsafe {
-                    CString::from_vec_unchecked(s[0..s.len().min(*len as _)].to_vec())
-                };
+                let s =
+                    unsafe { CString::from_vec_unchecked(s[0..s.len().min(*len as _)].to_vec()) };
                 attributes.push(Attr {
                     key: *attr,
                     value: AttrValue::String(s),
@@ -191,12 +190,7 @@ pub fn query_all(socket: &mut Socket) -> Result<Vec<Conntrack>> {
     Ok(cts)
 }
 
-fn query_impl(
-    socket: &mut Socket,
-    cts: &mut Vec<Conntrack>,
-    seq: u32,
-    proto: u8,
-) -> Result<()> {
+fn query_impl(socket: &mut Socket, cts: &mut Vec<Conntrack>, seq: u32, proto: u8) -> Result<()> {
     let mut buf = vec![0u8; *MNL_SOCKET_BUFFER_SIZE as _];
     let hdr = build_msg_header(
         buf.as_mut_ptr() as _,
diff --git a/src/expect.rs b/src/expect.rs
new file mode 100644
index 0000000..a97c7ef
--- /dev/null
+++ b/src/expect.rs
@@ -0,0 +1,228 @@
+use crate::conntrack;
+use crate::conntrack::Conntrack;
+use crate::mnl::{IPCTNL_MSG_EXP_GET, IPCTNL_MSG_EXP_NEW, MNL_SOCKET_BUFFER_SIZE};
+use crate::netfilter_conntrack::{
+    nfct_destroy, nfexp_attr_is_set, nfexp_destroy, nfexp_get_attr, nfexp_get_attr_u16,
+    nfexp_get_attr_u32, nfexp_get_attr_u8, nfexp_new, nfexp_nlmsg_build, nfexp_nlmsg_parse,
+    nfexp_set_attr, nfexp_set_attr_u16, nfexp_set_attr_u32, nfexp_set_attr_u8, ExpAttr,
+};
+use crate::socket::Socket;
+use crate::utils::build_msg_header;
+
+use anyhow::{bail, Result};
+use serde::{Deserialize, Serialize};
+
+use std::ffi::{CStr, CString};
+
+const EXPECT_QUERY_MSG_TYPE: u16 =
+    ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_GET) as u16;
+const EXPECT_QUERY_FLAGS: u16 = (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_DUMP) as u16;
+const EXPECT_INSERT_MSG_TYPE: u16 =
+    ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_NEW) as u16;
+const EXPECT_INSERT_FLAGS: u16 =
+    (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_CREATE) as u16;
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Expect {
+    attributes: Vec<ExpectAttr>,
+}
+
+impl Expect {
+    pub fn is_ipv6(&self) -> bool {
+        for attr in &self.attributes {
+            if let ExpectAttrValue::CT(ct) = &attr.value {
+                return ct.is_ipv6();
+            }
+        }
+        false
+    }
+}
+
+pub fn query_all(socket: &mut Socket) -> Result<Vec<Expect>> {
+    let mut exps = Vec::new();
+    let seq = socket.seq();
+    query_impl(socket, &mut exps, seq, libc::AF_INET as _)?;
+    let seq = socket.seq();
+    query_impl(socket, &mut exps, seq, libc::AF_INET6 as _)?;
+    Ok(exps)
+}
+
+fn query_impl(socket: &mut Socket, exps: &mut Vec<Expect>, seq: u32, proto: u8) -> Result<()> {
+    let mut buf = vec![0u8; *MNL_SOCKET_BUFFER_SIZE as _];
+    let hdr = build_msg_header(
+        buf.as_mut_ptr() as _,
+        EXPECT_QUERY_MSG_TYPE,
+        EXPECT_QUERY_FLAGS,
+        seq,
+        proto,
+    );
+
+    let mut cb = |nlh| {
+        let exp = unsafe { nfexp_new() };
+        unsafe {
+            nfexp_nlmsg_parse(nlh, exp);
+        }
+
+        let mut attributes = Vec::new();
+        for (attr, ty) in EXPECT_ALL_ATTRIBUTES {
+            if unsafe { nfexp_attr_is_set(exp, *attr) } == 0 {
+                continue;
+            }
+            match ty {
+                ExpectAttrType::CT => {
+                    let ct = unsafe { nfexp_get_attr(exp, *attr) };
+                    if let Some(ct) = conntrack::parse_nf_conntrack(ct as _) {
+                        attributes.push(ExpectAttr {
+                            key: *attr,
+                            value: ExpectAttrValue::CT(ct),
+                        });
+                    }
+                }
+                ExpectAttrType::U8 => {
+                    let val = unsafe { nfexp_get_attr_u8(exp, *attr) };
+                    attributes.push(ExpectAttr {
+                        key: *attr,
+                        value: ExpectAttrValue::U8(val),
+                    });
+                }
+                ExpectAttrType::U16 => {
+                    let val = unsafe { nfexp_get_attr_u16(exp, *attr) };
+                    attributes.push(ExpectAttr {
+                        key: *attr,
+                        value: ExpectAttrValue::U16(val),
+                    });
+                }
+                ExpectAttrType::U32 => {
+                    let val = unsafe { nfexp_get_attr_u32(exp, *attr) };
+                    attributes.push(ExpectAttr {
+                        key: *attr,
+                        value: ExpectAttrValue::U32(val),
+                    });
+                }
+                ExpectAttrType::String(Some(len)) => {
+                    let ptr = unsafe { nfexp_get_attr(exp, *attr) };
+                    let cstr = unsafe { CStr::from_ptr(ptr as _) };
+                    let s = cstr.to_bytes();
+                    let s = unsafe {
+                        CString::from_vec_unchecked(s[0..s.len().min((*len) as _)].to_vec())
+                    };
+                    attributes.push(ExpectAttr {
+                        key: *attr,
+                        value: ExpectAttrValue::String(s),
+                    });
+                }
+                ExpectAttrType::String(None) => {
+                    let ptr = unsafe { nfexp_get_attr(exp, *attr) };
+                    let cstr = unsafe { CStr::from_ptr(ptr as _) };
+                    let s = cstr.to_bytes();
+                    let s = unsafe { CString::from_vec_unchecked(s.to_vec()) };
+                    attributes.push(ExpectAttr {
+                        key: *attr,
+                        value: ExpectAttrValue::String(s),
+                    });
+                }
+            }
+        }
+
+        exps.push(Expect { attributes });
+    };
+    socket.send_and_receive(hdr, 0, &mut cb)
+}
+
+pub fn insert(socket: &mut Socket, exp: Expect) -> Result<()> {
+    let proto = if exp.is_ipv6() {
+        libc::AF_INET6 as u8
+    } else {
+        libc::AF_INET as u8
+    };
+
+    let mut buf = vec![0u8; *MNL_SOCKET_BUFFER_SIZE as _];
+    let hdr = build_msg_header(
+        buf.as_mut_ptr() as _,
+        EXPECT_INSERT_MSG_TYPE,
+        EXPECT_INSERT_FLAGS,
+        socket.seq(),
+        proto,
+    );
+
+    let exph = unsafe { nfexp_new() };
+    if exph.is_null() {
+        bail!("Failed to create new expect object");
+    }
+
+    let mut strings = Vec::new();
+    let mut cts = Vec::new();
+    for attr in exp.attributes {
+        match attr.value {
+            ExpectAttrValue::CT(ct) => unsafe {
+                let (ct, mut s) = conntrack::build_nf_conntrack(ct)?;
+                nfexp_set_attr(exph, attr.key, ct as _);
+                strings.append(&mut s);
+                cts.push(ct);
+            },
+            ExpectAttrValue::U8(v) => unsafe {
+                nfexp_set_attr_u8(exph, attr.key, v);
+            },
+            ExpectAttrValue::U16(v) => unsafe {
+                nfexp_set_attr_u16(exph, attr.key, v);
+            },
+            ExpectAttrValue::U32(v) => unsafe {
+                nfexp_set_attr_u32(exph, attr.key, v);
+            },
+            ExpectAttrValue::String(v) => unsafe {
+                nfexp_set_attr(exph, attr.key, v.as_ptr() as _);
+                strings.push(v);
+            },
+        }
+    }
+
+    unsafe {
+        nfexp_nlmsg_build(hdr, exph);
+        nfexp_destroy(exph);
+    }
+    for ct in cts {
+        unsafe {
+            nfct_destroy(ct);
+        }
+    }
+
+    socket.send_and_receive(hdr, 0, &mut |_| {})
+}
+
+enum ExpectAttrType {
+    CT,
+    U8,
+    U16,
+    U32,
+    String(Option<u32>),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+enum ExpectAttrValue {
+    CT(Conntrack),
+    U8(u8),
+    U16(u16),
+    U32(u32),
+    String(CString),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ExpectAttr {
+    #[serde(rename = "type")]
+    key: ExpAttr,
+    value: ExpectAttrValue,
+}
+
+const EXPECT_ALL_ATTRIBUTES: &[(ExpAttr, ExpectAttrType)] = &[
+    (ExpAttr::MASTER, ExpectAttrType::CT),   // conntrack
+    (ExpAttr::EXPECTED, ExpectAttrType::CT), // conntrack
+    (ExpAttr::MASK, ExpectAttrType::CT),     // conntrack
+    (ExpAttr::TIMEOUT, ExpectAttrType::U32), // u32 bits
+    (ExpAttr::ZONE, ExpectAttrType::U16),    // u16 bits
+    (ExpAttr::FLAGS, ExpectAttrType::U32),   // u32 bits
+    (ExpAttr::HELPER_NAME, ExpectAttrType::String(Some(16))), // string 16 bytes max
+    (ExpAttr::CLASS, ExpectAttrType::U32),   // u32 bits
+    (ExpAttr::NAT_TUPLE, ExpectAttrType::CT), // conntrack
+    (ExpAttr::NAT_DIR, ExpectAttrType::U8),  // u8 bits
+    (ExpAttr::FN, ExpectAttrType::String(None)), // string
+];
diff --git a/src/main.rs b/src/main.rs
index 792d487..5ee3451 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -6,12 +6,14 @@ use std::os::unix::ffi::OsStringExt;
 
 use anyhow::{bail, format_err, Result};
 
-mod socket;
 mod conntrack;
+mod expect;
+mod socket;
 mod utils;
 
-use socket::Socket;
 use conntrack::Conntrack;
+use expect::Expect;
+use socket::Socket;
 
 fn main() -> Result<()> {
     let args = std::env::args_os()
@@ -42,20 +44,35 @@ fn main() -> Result<()> {
                 }
             }
         }
+
+        let exps = expect::query_all(&mut socket)
+            .map_err(|err| format_err!("Error querying expects: {}", err))?;
+
+        for exp in exps.iter() {
+            match serde_json::to_string(exp) {
+                Ok(s) => println!("{}", s),
+                Err(err) => {
+                    eprintln!("Failed to serialize expect: {}", err);
+                    break;
+                }
+            }
+        }
     } else if args[1] == "insert" {
         for line in BufReader::new(stdin())
             .lines()
             .map(|line| line.unwrap_or_else(|_| "".to_string()))
         {
-            let ct: Conntrack = match serde_json::from_str(&line) {
-                Ok(ct) => ct,
-                Err(err) => {
-                    eprintln!("Failed to deserialize conntrack: {}", err);
-                    break;
+            if let Ok(ct) = serde_json::from_str::<Conntrack>(&line) {
+                if let Err(err) = conntrack::insert(&mut socket, ct) {
+                    eprintln!("Error inserting conntrack: {}", err);
                 }
-            };
-            if let Err(err) = conntrack::insert(&mut socket, ct) {
-                eprintln!("Error inserting conntrack: {}", err);
+            } else if let Ok(exp) = serde_json::from_str::<Expect>(&line) {
+                if let Err(err) = expect::insert(&mut socket, exp) {
+                    eprintln!("Error inserting expect: {}", err);
+                }
+            } else {
+                eprintln!("Failed to deserialize input: {}", line);
+                break;
             }
         }
     } else {
@@ -64,4 +81,3 @@ fn main() -> Result<()> {
 
     Ok(())
 }
-
diff --git a/src/netfilter_conntrack.rs b/src/netfilter_conntrack.rs
index a9e67e4..8a56ad8 100644
--- a/src/netfilter_conntrack.rs
+++ b/src/netfilter_conntrack.rs
@@ -39,6 +39,25 @@ extern "C" {
     pub fn nfct_get_attr_u64(ct: *const nf_conntrack, type_: CTAttr) -> u64;
 
     pub fn nfct_attr_is_set(ct: *const nf_conntrack, type_: CTAttr) -> libc::c_int;
+
+    // expectation API
+    pub fn nfexp_new() -> *mut nf_expect;
+    pub fn nfexp_destroy(exp: *mut nf_expect);
+
+    pub fn nfexp_set_attr(exp: *mut nf_expect, type_: ExpAttr, value: *const libc::c_void);
+    pub fn nfexp_set_attr_u8(exp: *mut nf_expect, type_: ExpAttr, value: u8);
+    pub fn nfexp_set_attr_u16(exp: *mut nf_expect, type_: ExpAttr, value: u16);
+    pub fn nfexp_set_attr_u32(exp: *mut nf_expect, type_: ExpAttr, value: u32);
+
+    pub fn nfexp_get_attr(exp: *const nf_expect, type_: ExpAttr) -> *const libc::c_void;
+    pub fn nfexp_get_attr_u8(exp: *const nf_expect, type_: ExpAttr) -> u8;
+    pub fn nfexp_get_attr_u16(exp: *const nf_expect, type_: ExpAttr) -> u16;
+    pub fn nfexp_get_attr_u32(exp: *const nf_expect, type_: ExpAttr) -> u32;
+
+    pub fn nfexp_attr_is_set(exp: *const nf_expect, type_: ExpAttr) -> libc::c_int;
+
+    pub fn nfexp_nlmsg_parse(nlh: *const libc::nlmsghdr, exp: *mut nf_expect) -> libc::c_int;
+    pub fn nfexp_nlmsg_build(nlh: *mut libc::nlmsghdr, exp: *const nf_expect) -> libc::c_int;
 }
 
 // set option
@@ -166,3 +185,28 @@ pub enum CTAttr {
     SYNPROXY_TSOFF = 74,		/* u32 bits */
     MAX = 75,
 }
+
+#[repr(C)]
+pub struct nf_expect {
+    _private: [u8; 0],
+}
+
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, PartialEq)]
+#[derive(serde::Deserialize, serde::Serialize)]
+#[allow(non_camel_case_types)]
+pub enum ExpAttr {
+    MASTER = 0,         /* pointer to conntrack object */
+    EXPECTED = 1,	/* pointer to conntrack object */
+    MASK = 2,		/* pointer to conntrack object */
+    TIMEOUT = 3,	/* u32 bits */
+    ZONE = 4,		/* u16 bits */
+    FLAGS = 5,		/* u32 bits */
+    HELPER_NAME = 6,	/* string (16 bytes max) */
+    CLASS = 7,		/* u32 bits */
+    NAT_TUPLE = 8,	/* pointer to conntrack object */
+    NAT_DIR = 9,	/* u8 bits */
+    FN = 10,		/* string */
+    MAX = 11,
+}
-- 
2.20.1





More information about the pve-devel mailing list