Patchwork [2/2] conntrack: add connlabel format attribute

login
register
mail settings
Submitter Florian Westphal
Date June 30, 2013, 9:10 p.m.
Message ID <1372626648-19482-2-git-send-email-fw@strlen.de>
Download mbox | patch
Permalink /patch/255935/
State Changes Requested
Headers show

Comments

Florian Westphal - June 30, 2013, 9:10 p.m.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Change since v1:
 - rename option to '-o labels'
 - make it incompatible with xml option (can't
   add attributes to existing xml output
   buffer without insane hackery ]

 conntrack.8     |  4 +++-
 src/conntrack.c | 39 +++++++++++++++++++++++++++++++++++----
 2 files changed, 38 insertions(+), 5 deletions(-)
Pablo Neira - June 30, 2013, 9:39 p.m.
On Sun, Jun 30, 2013 at 11:10:48PM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  Change since v1:
>  - rename option to '-o labels'
>  - make it incompatible with xml option (can't
>    add attributes to existing xml output
>    buffer without insane hackery ]

Ah, now I understand the XML issue.

You can have something like in libnetfilter_conntrack:

extern int nfct_snprintf_clabels(char *buf, 
                                 unsigned int size,
                                 const struct nf_conntrack *ct,
                                 const unsigned int msg_type,
                                 const unsigned int out_type,
                                 const unsigned int out_flags,
                                 struct nfct_labelmap *map,
                                 const struct nfct_bitmask *b);

We have then two interfaces, the normal nfct_snprintf(...) for people
that don't need clabels, and the one that includes clabels (including
XML support).

Having two interfaces to print seems fine to me. You could even
emulate nfct_snprintf by allow last two parameters (labelmap and
bitmask) to be NULL, that will simply the patch as nfct_snprintf will
interface call nfct_snprintf_clabels.

You'll have to adapt this patch for the conntrack util though.

Thanks.

>  conntrack.8     |  4 +++-
>  src/conntrack.c | 39 +++++++++++++++++++++++++++++++++++----
>  2 files changed, 38 insertions(+), 5 deletions(-)
> 
> diff --git a/conntrack.8 b/conntrack.8
> index a411fd4..41a59ce 100644
> --- a/conntrack.8
> +++ b/conntrack.8
> @@ -88,11 +88,13 @@ Show the in-kernel connection tracking system statistics.
>  Atomically zero counters after reading them.  This option is only valid in
>  combination with the "-L, --dump" command options.
>  .TP
> -.BI "-o, --output [extended,xml,timestamp,id,ktimestamp] "
> +.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] "
>  Display output in a certain format. With the extended output option, this tool
>  displays the layer 3 information. With ktimestamp, it displays the in-kernel
>  timestamp available since 2.6.38 (you can enable it via echo 1 >
>  /proc/sys/net/netfilter/nf_conntrack_timestamp).
> +The labels output option tells conntrack to show the names of labels that
> +might be present, this is currently incompatible with xml output.
>  .TP
>  .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
>  Set the bitmask of events that are to be generated by the in-kernel ctnetlink
> diff --git a/src/conntrack.c b/src/conntrack.c
> index d4e79de..74561ba 100644
> --- a/src/conntrack.c
> +++ b/src/conntrack.c
> @@ -488,6 +488,7 @@ static unsigned int addr_valid_flags[ADDR_VALID_FLAGS_MAX] = {
>  static LIST_HEAD(proto_list);
>  
>  static unsigned int options;
> +static struct nfct_labelmap *label_map;
>  
>  void register_proto(struct ctproto_handler *h)
>  {
> @@ -731,6 +732,7 @@ enum {
>  	_O_TMS	= (1 << 2),
>  	_O_ID	= (1 << 3),
>  	_O_KTMS	= (1 << 4),
> +	_O_LAB	= (1 << 5),
>  };
>  
>  enum {
> @@ -749,8 +751,8 @@ static struct parse_parameter {
>  	  { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} },
>  	{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
>  	  { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
> -	{ {"xml", "extended", "timestamp", "id", "ktimestamp"}, 5, 
> -	  { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS },
> +	{ {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", }, 6, 
> +	  { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_LAB },
>  	},
>  };
>  
> @@ -1108,6 +1110,15 @@ exp_event_sighandler(int s)
>  	exit(0);
>  }
>  
> +static void print_labels(const struct nfct_bitmask *b)
> +{
> +	char buf[1024];
> +	if (!b)
> +		return;
> +	nfct_snprintf_labels(buf, sizeof(buf), label_map, b, NFCT_O_DEFAULT);
> +	printf(" labels=%s", buf);
> +}
> +
>  static int event_cb(enum nf_conntrack_msg_type type,
>  		    struct nf_conntrack *ct,
>  		    void *data)
> @@ -1152,7 +1163,11 @@ static int event_cb(enum nf_conntrack_msg_type type,
>  
>  	nfct_snprintf(buf, sizeof(buf), ct, type, op_type, op_flags);
>  
> -	printf("%s\n", buf);
> +	printf("%s", buf);
> +
> +	if (output_mask & _O_LAB)
> +		print_labels(nfct_get_attr(ct, ATTR_CONNLABELS));
> +	printf("\n");
>  	fflush(stdout);
>  
>  	counter++;
> @@ -1195,8 +1210,11 @@ static int dump_cb(enum nf_conntrack_msg_type type,
>  		op_flags |= NFCT_OF_ID;
>  
>  	nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, op_type, op_flags);
> -	printf("%s\n", buf);
> +	printf("%s", buf);
>  
> +	if (output_mask & _O_LAB)
> +		print_labels(nfct_get_attr(ct, ATTR_CONNLABELS));
> +	printf("\n");
>  	counter++;
>  
>  	return NFCT_CB_CONTINUE;
> @@ -1879,6 +1897,17 @@ int main(int argc, char *argv[])
>  		case 'o':
>  			options |= CT_OPT_OUTPUT;
>  			parse_parameter(optarg, &output_mask, PARSE_OUTPUT);
> +			if (output_mask & _O_LAB) {
> +				if (output_mask & _O_XML) {
> +					output_mask &= ~_O_LAB;
> +					break;
> +				}
> +				label_map = nfct_labelmap_new(NULL);
> +				if (!label_map) {
> +					perror("nfct_labelmap_new");
> +					output_mask &= ~_O_LAB;
> +				}
> +			}
>  			break;
>  		case 'z':
>  			options |= CT_OPT_ZERO;
> @@ -2372,6 +2401,8 @@ try_proc:
>  
>  	free_tmpl_objects();
>  	free_options();
> +	if (label_map)
> +		nfct_labelmap_destroy(label_map);
>  
>  	if (command && exit_msg[cmd][0]) {
>  		fprintf(stderr, "%s v%s (conntrack-tools): ",PROGNAME,VERSION);
> -- 
> 1.8.1.5
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/conntrack.8 b/conntrack.8
index a411fd4..41a59ce 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -88,11 +88,13 @@  Show the in-kernel connection tracking system statistics.
 Atomically zero counters after reading them.  This option is only valid in
 combination with the "-L, --dump" command options.
 .TP
-.BI "-o, --output [extended,xml,timestamp,id,ktimestamp] "
+.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] "
 Display output in a certain format. With the extended output option, this tool
 displays the layer 3 information. With ktimestamp, it displays the in-kernel
 timestamp available since 2.6.38 (you can enable it via echo 1 >
 /proc/sys/net/netfilter/nf_conntrack_timestamp).
+The labels output option tells conntrack to show the names of labels that
+might be present, this is currently incompatible with xml output.
 .TP
 .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
 Set the bitmask of events that are to be generated by the in-kernel ctnetlink
diff --git a/src/conntrack.c b/src/conntrack.c
index d4e79de..74561ba 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -488,6 +488,7 @@  static unsigned int addr_valid_flags[ADDR_VALID_FLAGS_MAX] = {
 static LIST_HEAD(proto_list);
 
 static unsigned int options;
+static struct nfct_labelmap *label_map;
 
 void register_proto(struct ctproto_handler *h)
 {
@@ -731,6 +732,7 @@  enum {
 	_O_TMS	= (1 << 2),
 	_O_ID	= (1 << 3),
 	_O_KTMS	= (1 << 4),
+	_O_LAB	= (1 << 5),
 };
 
 enum {
@@ -749,8 +751,8 @@  static struct parse_parameter {
 	  { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} },
 	{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
 	  { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
-	{ {"xml", "extended", "timestamp", "id", "ktimestamp"}, 5, 
-	  { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS },
+	{ {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", }, 6, 
+	  { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_LAB },
 	},
 };
 
@@ -1108,6 +1110,15 @@  exp_event_sighandler(int s)
 	exit(0);
 }
 
+static void print_labels(const struct nfct_bitmask *b)
+{
+	char buf[1024];
+	if (!b)
+		return;
+	nfct_snprintf_labels(buf, sizeof(buf), label_map, b, NFCT_O_DEFAULT);
+	printf(" labels=%s", buf);
+}
+
 static int event_cb(enum nf_conntrack_msg_type type,
 		    struct nf_conntrack *ct,
 		    void *data)
@@ -1152,7 +1163,11 @@  static int event_cb(enum nf_conntrack_msg_type type,
 
 	nfct_snprintf(buf, sizeof(buf), ct, type, op_type, op_flags);
 
-	printf("%s\n", buf);
+	printf("%s", buf);
+
+	if (output_mask & _O_LAB)
+		print_labels(nfct_get_attr(ct, ATTR_CONNLABELS));
+	printf("\n");
 	fflush(stdout);
 
 	counter++;
@@ -1195,8 +1210,11 @@  static int dump_cb(enum nf_conntrack_msg_type type,
 		op_flags |= NFCT_OF_ID;
 
 	nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, op_type, op_flags);
-	printf("%s\n", buf);
+	printf("%s", buf);
 
+	if (output_mask & _O_LAB)
+		print_labels(nfct_get_attr(ct, ATTR_CONNLABELS));
+	printf("\n");
 	counter++;
 
 	return NFCT_CB_CONTINUE;
@@ -1879,6 +1897,17 @@  int main(int argc, char *argv[])
 		case 'o':
 			options |= CT_OPT_OUTPUT;
 			parse_parameter(optarg, &output_mask, PARSE_OUTPUT);
+			if (output_mask & _O_LAB) {
+				if (output_mask & _O_XML) {
+					output_mask &= ~_O_LAB;
+					break;
+				}
+				label_map = nfct_labelmap_new(NULL);
+				if (!label_map) {
+					perror("nfct_labelmap_new");
+					output_mask &= ~_O_LAB;
+				}
+			}
 			break;
 		case 'z':
 			options |= CT_OPT_ZERO;
@@ -2372,6 +2401,8 @@  try_proc:
 
 	free_tmpl_objects();
 	free_options();
+	if (label_map)
+		nfct_labelmap_destroy(label_map);
 
 	if (command && exit_msg[cmd][0]) {
 		fprintf(stderr, "%s v%s (conntrack-tools): ",PROGNAME,VERSION);