[pve-devel] [PATCH v3 conntrack-tool 3/4] add expectation support
Mira Limbeck
m.limbeck at proxmox.com
Tue Feb 16 17:56:41 CET 2021
Expectation support requires net.netfilter.nf_conntrack_helper to be set
to 1. In addition the helper modules have to be loaded as well. In the
tests nf_conntrack_ftp was used as helper.
Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
---
v3:
- split expect functions into their own files
- made required functions in conntrack.rs public
v2:
- mostly the same changes as for patch 1
src/conntrack.rs | 20 ++--
src/expect.rs | 228 +++++++++++++++++++++++++++++++++++++
src/main.rs | 38 +++++--
src/netfilter_conntrack.rs | 44 +++++++
4 files changed, 306 insertions(+), 24 deletions(-)
create mode 100644 src/expect.rs
diff --git a/src/conntrack.rs b/src/conntrack.rs
index 6abd4a5..248c7a6 100644
--- a/src/conntrack.rs
+++ b/src/conntrack.rs
@@ -57,7 +57,7 @@ pub struct Conntrack {
}
impl Conntrack {
- fn is_ipv6(&self) -> bool {
+ pub fn is_ipv6(&self) -> bool {
for attr in self.attributes.iter() {
if IPV6_ATTRIBUTES.contains(&attr.key) {
return true;
@@ -67,7 +67,7 @@ impl Conntrack {
}
}
-fn build_nf_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec<CString>)> {
+pub fn build_nf_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec<CString>)> {
let cth = unsafe { nfct_new() };
if cth.is_null() {
bail!("Failed to create new conntrack object");
@@ -100,7 +100,7 @@ fn build_nf_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec<CString>)
Ok((cth, strings))
}
-fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
+pub fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
let mut attributes = Vec::new();
for (attr, ty) in ALL_ATTRIBUTES {
if *attr == CTAttr::ID {
@@ -145,7 +145,7 @@ fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
AttrType::U128 => {
let val = unsafe { nfct_get_attr(ct, *attr) } as *const u32;
let val = unsafe { std::slice::from_raw_parts(val, 4) }
- .try_into()
+ .try_into()
.unwrap();
attributes.push(Attr {
key: *attr,
@@ -156,9 +156,8 @@ fn parse_nf_conntrack(ct: *const nf_conntrack) -> Option<Conntrack> {
let ptr = unsafe { nfct_get_attr(ct, *attr) };
let cstr = unsafe { std::ffi::CStr::from_ptr(ptr as _) };
let s = cstr.to_bytes();
- let s = unsafe {
- CString::from_vec_unchecked(s[0..s.len().min(*len as _)].to_vec())
- };
+ let s =
+ unsafe { CString::from_vec_unchecked(s[0..s.len().min(*len as _)].to_vec()) };
attributes.push(Attr {
key: *attr,
value: AttrValue::String(s),
@@ -191,12 +190,7 @@ pub fn query_all(socket: &mut Socket) -> Result<Vec<Conntrack>> {
Ok(cts)
}
-fn query_impl(
- socket: &mut Socket,
- cts: &mut Vec<Conntrack>,
- seq: u32,
- proto: u8,
-) -> Result<()> {
+fn query_impl(socket: &mut Socket, cts: &mut Vec<Conntrack>, seq: u32, proto: u8) -> Result<()> {
let mut buf = vec![0u8; *MNL_SOCKET_BUFFER_SIZE as _];
let hdr = build_msg_header(
buf.as_mut_ptr() as _,
diff --git a/src/expect.rs b/src/expect.rs
new file mode 100644
index 0000000..a97c7ef
--- /dev/null
+++ b/src/expect.rs
@@ -0,0 +1,228 @@
+use crate::conntrack;
+use crate::conntrack::Conntrack;
+use crate::mnl::{IPCTNL_MSG_EXP_GET, IPCTNL_MSG_EXP_NEW, MNL_SOCKET_BUFFER_SIZE};
+use crate::netfilter_conntrack::{
+ nfct_destroy, nfexp_attr_is_set, nfexp_destroy, nfexp_get_attr, nfexp_get_attr_u16,
+ nfexp_get_attr_u32, nfexp_get_attr_u8, nfexp_new, nfexp_nlmsg_build, nfexp_nlmsg_parse,
+ nfexp_set_attr, nfexp_set_attr_u16, nfexp_set_attr_u32, nfexp_set_attr_u8, ExpAttr,
+};
+use crate::socket::Socket;
+use crate::utils::build_msg_header;
+
+use anyhow::{bail, Result};
+use serde::{Deserialize, Serialize};
+
+use std::ffi::{CStr, CString};
+
+const EXPECT_QUERY_MSG_TYPE: u16 =
+ ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_GET) as u16;
+const EXPECT_QUERY_FLAGS: u16 = (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_DUMP) as u16;
+const EXPECT_INSERT_MSG_TYPE: u16 =
+ ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_NEW) as u16;
+const EXPECT_INSERT_FLAGS: u16 =
+ (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_CREATE) as u16;
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Expect {
+ attributes: Vec<ExpectAttr>,
+}
+
+impl Expect {
+ pub fn is_ipv6(&self) -> bool {
+ for attr in &self.attributes {
+ if let ExpectAttrValue::CT(ct) = &attr.value {
+ return ct.is_ipv6();
+ }
+ }
+ false
+ }
+}
+
+pub fn query_all(socket: &mut Socket) -> Result<Vec<Expect>> {
+ let mut exps = Vec::new();
+ let seq = socket.seq();
+ query_impl(socket, &mut exps, seq, libc::AF_INET as _)?;
+ let seq = socket.seq();
+ query_impl(socket, &mut exps, seq, libc::AF_INET6 as _)?;
+ Ok(exps)
+}
+
+fn query_impl(socket: &mut Socket, exps: &mut Vec<Expect>, seq: u32, proto: u8) -> Result<()> {
+ let mut buf = vec![0u8; *MNL_SOCKET_BUFFER_SIZE as _];
+ let hdr = build_msg_header(
+ buf.as_mut_ptr() as _,
+ EXPECT_QUERY_MSG_TYPE,
+ EXPECT_QUERY_FLAGS,
+ seq,
+ proto,
+ );
+
+ let mut cb = |nlh| {
+ let exp = unsafe { nfexp_new() };
+ unsafe {
+ nfexp_nlmsg_parse(nlh, exp);
+ }
+
+ let mut attributes = Vec::new();
+ for (attr, ty) in EXPECT_ALL_ATTRIBUTES {
+ if unsafe { nfexp_attr_is_set(exp, *attr) } == 0 {
+ continue;
+ }
+ match ty {
+ ExpectAttrType::CT => {
+ let ct = unsafe { nfexp_get_attr(exp, *attr) };
+ if let Some(ct) = conntrack::parse_nf_conntrack(ct as _) {
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::CT(ct),
+ });
+ }
+ }
+ ExpectAttrType::U8 => {
+ let val = unsafe { nfexp_get_attr_u8(exp, *attr) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::U8(val),
+ });
+ }
+ ExpectAttrType::U16 => {
+ let val = unsafe { nfexp_get_attr_u16(exp, *attr) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::U16(val),
+ });
+ }
+ ExpectAttrType::U32 => {
+ let val = unsafe { nfexp_get_attr_u32(exp, *attr) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::U32(val),
+ });
+ }
+ ExpectAttrType::String(Some(len)) => {
+ let ptr = unsafe { nfexp_get_attr(exp, *attr) };
+ let cstr = unsafe { CStr::from_ptr(ptr as _) };
+ let s = cstr.to_bytes();
+ let s = unsafe {
+ CString::from_vec_unchecked(s[0..s.len().min((*len) as _)].to_vec())
+ };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::String(s),
+ });
+ }
+ ExpectAttrType::String(None) => {
+ let ptr = unsafe { nfexp_get_attr(exp, *attr) };
+ let cstr = unsafe { CStr::from_ptr(ptr as _) };
+ let s = cstr.to_bytes();
+ let s = unsafe { CString::from_vec_unchecked(s.to_vec()) };
+ attributes.push(ExpectAttr {
+ key: *attr,
+ value: ExpectAttrValue::String(s),
+ });
+ }
+ }
+ }
+
+ exps.push(Expect { attributes });
+ };
+ socket.send_and_receive(hdr, 0, &mut cb)
+}
+
+pub fn insert(socket: &mut Socket, exp: Expect) -> Result<()> {
+ let proto = if exp.is_ipv6() {
+ libc::AF_INET6 as u8
+ } else {
+ libc::AF_INET as u8
+ };
+
+ let mut buf = vec![0u8; *MNL_SOCKET_BUFFER_SIZE as _];
+ let hdr = build_msg_header(
+ buf.as_mut_ptr() as _,
+ EXPECT_INSERT_MSG_TYPE,
+ EXPECT_INSERT_FLAGS,
+ socket.seq(),
+ proto,
+ );
+
+ let exph = unsafe { nfexp_new() };
+ if exph.is_null() {
+ bail!("Failed to create new expect object");
+ }
+
+ let mut strings = Vec::new();
+ let mut cts = Vec::new();
+ for attr in exp.attributes {
+ match attr.value {
+ ExpectAttrValue::CT(ct) => unsafe {
+ let (ct, mut s) = conntrack::build_nf_conntrack(ct)?;
+ nfexp_set_attr(exph, attr.key, ct as _);
+ strings.append(&mut s);
+ cts.push(ct);
+ },
+ ExpectAttrValue::U8(v) => unsafe {
+ nfexp_set_attr_u8(exph, attr.key, v);
+ },
+ ExpectAttrValue::U16(v) => unsafe {
+ nfexp_set_attr_u16(exph, attr.key, v);
+ },
+ ExpectAttrValue::U32(v) => unsafe {
+ nfexp_set_attr_u32(exph, attr.key, v);
+ },
+ ExpectAttrValue::String(v) => unsafe {
+ nfexp_set_attr(exph, attr.key, v.as_ptr() as _);
+ strings.push(v);
+ },
+ }
+ }
+
+ unsafe {
+ nfexp_nlmsg_build(hdr, exph);
+ nfexp_destroy(exph);
+ }
+ for ct in cts {
+ unsafe {
+ nfct_destroy(ct);
+ }
+ }
+
+ socket.send_and_receive(hdr, 0, &mut |_| {})
+}
+
+enum ExpectAttrType {
+ CT,
+ U8,
+ U16,
+ U32,
+ String(Option<u32>),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+enum ExpectAttrValue {
+ CT(Conntrack),
+ U8(u8),
+ U16(u16),
+ U32(u32),
+ String(CString),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct ExpectAttr {
+ #[serde(rename = "type")]
+ key: ExpAttr,
+ value: ExpectAttrValue,
+}
+
+const EXPECT_ALL_ATTRIBUTES: &[(ExpAttr, ExpectAttrType)] = &[
+ (ExpAttr::MASTER, ExpectAttrType::CT), // conntrack
+ (ExpAttr::EXPECTED, ExpectAttrType::CT), // conntrack
+ (ExpAttr::MASK, ExpectAttrType::CT), // conntrack
+ (ExpAttr::TIMEOUT, ExpectAttrType::U32), // u32 bits
+ (ExpAttr::ZONE, ExpectAttrType::U16), // u16 bits
+ (ExpAttr::FLAGS, ExpectAttrType::U32), // u32 bits
+ (ExpAttr::HELPER_NAME, ExpectAttrType::String(Some(16))), // string 16 bytes max
+ (ExpAttr::CLASS, ExpectAttrType::U32), // u32 bits
+ (ExpAttr::NAT_TUPLE, ExpectAttrType::CT), // conntrack
+ (ExpAttr::NAT_DIR, ExpectAttrType::U8), // u8 bits
+ (ExpAttr::FN, ExpectAttrType::String(None)), // string
+];
diff --git a/src/main.rs b/src/main.rs
index 792d487..5ee3451 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -6,12 +6,14 @@ use std::os::unix::ffi::OsStringExt;
use anyhow::{bail, format_err, Result};
-mod socket;
mod conntrack;
+mod expect;
+mod socket;
mod utils;
-use socket::Socket;
use conntrack::Conntrack;
+use expect::Expect;
+use socket::Socket;
fn main() -> Result<()> {
let args = std::env::args_os()
@@ -42,20 +44,35 @@ fn main() -> Result<()> {
}
}
}
+
+ let exps = expect::query_all(&mut socket)
+ .map_err(|err| format_err!("Error querying expects: {}", err))?;
+
+ for exp in exps.iter() {
+ match serde_json::to_string(exp) {
+ Ok(s) => println!("{}", s),
+ Err(err) => {
+ eprintln!("Failed to serialize expect: {}", err);
+ break;
+ }
+ }
+ }
} else if args[1] == "insert" {
for line in BufReader::new(stdin())
.lines()
.map(|line| line.unwrap_or_else(|_| "".to_string()))
{
- let ct: Conntrack = match serde_json::from_str(&line) {
- Ok(ct) => ct,
- Err(err) => {
- eprintln!("Failed to deserialize conntrack: {}", err);
- break;
+ if let Ok(ct) = serde_json::from_str::<Conntrack>(&line) {
+ if let Err(err) = conntrack::insert(&mut socket, ct) {
+ eprintln!("Error inserting conntrack: {}", err);
}
- };
- if let Err(err) = conntrack::insert(&mut socket, ct) {
- eprintln!("Error inserting conntrack: {}", err);
+ } else if let Ok(exp) = serde_json::from_str::<Expect>(&line) {
+ if let Err(err) = expect::insert(&mut socket, exp) {
+ eprintln!("Error inserting expect: {}", err);
+ }
+ } else {
+ eprintln!("Failed to deserialize input: {}", line);
+ break;
}
}
} else {
@@ -64,4 +81,3 @@ fn main() -> Result<()> {
Ok(())
}
-
diff --git a/src/netfilter_conntrack.rs b/src/netfilter_conntrack.rs
index a9e67e4..8a56ad8 100644
--- a/src/netfilter_conntrack.rs
+++ b/src/netfilter_conntrack.rs
@@ -39,6 +39,25 @@ extern "C" {
pub fn nfct_get_attr_u64(ct: *const nf_conntrack, type_: CTAttr) -> u64;
pub fn nfct_attr_is_set(ct: *const nf_conntrack, type_: CTAttr) -> libc::c_int;
+
+ // expectation API
+ pub fn nfexp_new() -> *mut nf_expect;
+ pub fn nfexp_destroy(exp: *mut nf_expect);
+
+ pub fn nfexp_set_attr(exp: *mut nf_expect, type_: ExpAttr, value: *const libc::c_void);
+ pub fn nfexp_set_attr_u8(exp: *mut nf_expect, type_: ExpAttr, value: u8);
+ pub fn nfexp_set_attr_u16(exp: *mut nf_expect, type_: ExpAttr, value: u16);
+ pub fn nfexp_set_attr_u32(exp: *mut nf_expect, type_: ExpAttr, value: u32);
+
+ pub fn nfexp_get_attr(exp: *const nf_expect, type_: ExpAttr) -> *const libc::c_void;
+ pub fn nfexp_get_attr_u8(exp: *const nf_expect, type_: ExpAttr) -> u8;
+ pub fn nfexp_get_attr_u16(exp: *const nf_expect, type_: ExpAttr) -> u16;
+ pub fn nfexp_get_attr_u32(exp: *const nf_expect, type_: ExpAttr) -> u32;
+
+ pub fn nfexp_attr_is_set(exp: *const nf_expect, type_: ExpAttr) -> libc::c_int;
+
+ pub fn nfexp_nlmsg_parse(nlh: *const libc::nlmsghdr, exp: *mut nf_expect) -> libc::c_int;
+ pub fn nfexp_nlmsg_build(nlh: *mut libc::nlmsghdr, exp: *const nf_expect) -> libc::c_int;
}
// set option
@@ -166,3 +185,28 @@ pub enum CTAttr {
SYNPROXY_TSOFF = 74, /* u32 bits */
MAX = 75,
}
+
+#[repr(C)]
+pub struct nf_expect {
+ _private: [u8; 0],
+}
+
+#[repr(u32)]
+#[non_exhaustive]
+#[derive(Debug, Copy, Clone, PartialEq)]
+#[derive(serde::Deserialize, serde::Serialize)]
+#[allow(non_camel_case_types)]
+pub enum ExpAttr {
+ MASTER = 0, /* pointer to conntrack object */
+ EXPECTED = 1, /* pointer to conntrack object */
+ MASK = 2, /* pointer to conntrack object */
+ TIMEOUT = 3, /* u32 bits */
+ ZONE = 4, /* u16 bits */
+ FLAGS = 5, /* u32 bits */
+ HELPER_NAME = 6, /* string (16 bytes max) */
+ CLASS = 7, /* u32 bits */
+ NAT_TUPLE = 8, /* pointer to conntrack object */
+ NAT_DIR = 9, /* u8 bits */
+ FN = 10, /* string */
+ MAX = 11,
+}
--
2.20.1
More information about the pve-devel
mailing list