├── .github └── workflows │ ├── lint.yml │ ├── linux-integration-test.yml │ └── linux-test.yml ├── .gitignore ├── .golangci.yaml ├── LICENSE ├── Makefile ├── README.md ├── Vagrantfile ├── attribute_types.go ├── attribute_types_test.go ├── attributetype_string.go ├── conn.go ├── conn_integration_test.go ├── conn_test.go ├── doc.go ├── enum.go ├── errors.go ├── event.go ├── event_integration_test.go ├── event_test.go ├── eventtype_string.go ├── expect.go ├── expect_integration_test.go ├── expect_test.go ├── expectnattype_string.go ├── expecttype_string.go ├── filter.go ├── filter_test.go ├── flow.go ├── flow_integration_test.go ├── flow_test.go ├── gen.go ├── go.mod ├── go.sum ├── helpers.md ├── protoinfotype_string.go ├── stats.go ├── stats_integration_test.go ├── stats_test.go ├── status.go ├── status_test.go ├── string.go ├── string_test.go ├── tuple.go ├── tuple_test.go └── tupletype_string.go /.github/workflows/lint.yml: -------------------------------------------------------------------------------- 1 | name: Lint 2 | 3 | on: 4 | pull_request: {} 5 | push: 6 | branches: 7 | - master 8 | 9 | jobs: 10 | build: 11 | strategy: 12 | matrix: 13 | go-version: ["1.23", "1.24"] 14 | runs-on: ubuntu-latest 15 | 16 | steps: 17 | - name: Set up Go 18 | uses: actions/setup-go@v5 19 | with: 20 | go-version: ${{ matrix.go-version }} 21 | id: go 22 | 23 | - name: Check out Go module 24 | uses: actions/checkout@v4 25 | 26 | - name: Tidy Go module 27 | run: | 28 | go mod tidy 29 | test -z "$(git status --porcelain)" || (echo "please run 'go mod tidy' and submit your changes"; exit 1) 30 | 31 | - name: golangci-lint 32 | uses: golangci/golangci-lint-action@v8 33 | -------------------------------------------------------------------------------- /.github/workflows/linux-integration-test.yml: -------------------------------------------------------------------------------- 1 | name: Linux Integration Test 2 | 3 | on: 4 | pull_request: {} 5 | push: 6 | branches: 7 | - master 8 | 9 | jobs: 10 | build: 11 | strategy: 12 | matrix: 13 | go-version: ["1.23", "1.24"] 14 | runs-on: ubuntu-latest 15 | 16 | steps: 17 | - name: Set up Go 18 | uses: actions/setup-go@v5 19 | with: 20 | go-version: ${{ matrix.go-version }} 21 | id: go 22 | 23 | - name: Check out Go module 24 | uses: actions/checkout@v4 25 | 26 | - name: Run integration tests 27 | run: make integration 28 | 29 | - name: goveralls 30 | uses: shogo82148/actions-goveralls@v1 31 | with: 32 | path-to-profile: cover-int.out 33 | -------------------------------------------------------------------------------- /.github/workflows/linux-test.yml: -------------------------------------------------------------------------------- 1 | name: Linux Test 2 | 3 | on: 4 | pull_request: {} 5 | push: 6 | branches: 7 | - master 8 | 9 | jobs: 10 | build: 11 | strategy: 12 | matrix: 13 | go-version: ["1.23", "1.24"] 14 | runs-on: ubuntu-latest 15 | 16 | steps: 17 | - name: Set up Go 18 | uses: actions/setup-go@v5 19 | with: 20 | go-version: ${{ matrix.go-version }} 21 | id: go 22 | 23 | - name: Check out Go module 24 | uses: actions/checkout@v4 25 | 26 | - name: Run tests 27 | run: make test 28 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Generated output 2 | *.out 3 | *.test 4 | build/ 5 | 6 | .vagrant/ 7 | -------------------------------------------------------------------------------- /.golangci.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | linters: 3 | default: none 4 | enable: 5 | - govet 6 | - gocyclo 7 | - goheader 8 | - lll 9 | - misspell 10 | - prealloc 11 | - revive 12 | - ineffassign 13 | - staticcheck 14 | - unused 15 | 16 | formatters: 17 | enable: 18 | - gofmt 19 | - goimports 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Timo Beckers 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | SOURCEDIR = . 2 | SOURCES := $(shell find $(SOURCEDIR) -name '*.go') 3 | 4 | # Require the Go compiler/toolchain to be installed 5 | ifeq (, $(shell which go 2>/dev/null)) 6 | $(error No 'go' found in $(PATH), please install the Go compiler for your system) 7 | endif 8 | 9 | .DEFAULT_GOAL: generate 10 | 11 | .PHONY: generate 12 | generate: 13 | go generate ./... 14 | 15 | .PHONY: test 16 | test: 17 | go test -race ./... 18 | 19 | .PHONY: testv 20 | testv: 21 | go test -v -race ./... 22 | 23 | .PHONY: modprobe 24 | kmods = nf_nat nf_conntrack xt_conntrack xt_MASQUERADE nf_conntrack_netlink 25 | modprobe: 26 | ifeq ($(shell id -u),0) 27 | -modprobe -a $(kmods) 28 | else 29 | -sudo modprobe -a $(kmods) 30 | endif 31 | 32 | .PHONY: integration 33 | integration: modprobe 34 | ifeq ($(shell id -u),0) 35 | go test -v -race -coverprofile=cover-int.out -covermode=atomic -tags=integration ./... 36 | else 37 | $(info Running integration tests under sudo..) 38 | go test -v -race -coverprofile=cover-int.out -covermode=atomic -tags=integration -exec sudo ./... 39 | endif 40 | 41 | # Remove coverage output from files generated by Stringer. 42 | sed -i '/_string.go/d' cover-int.out 43 | go tool cover -func=cover-int.out 44 | 45 | .PHONY: coverhtml-integration 46 | coverhtml-integration: integration 47 | go tool cover -html=cover-int.out 48 | 49 | .PHONY: bench 50 | bench: 51 | go test -bench=. ./... 52 | 53 | .PHONY: bench-integration 54 | bench-integration: modprobe 55 | go test -bench=. -tags=integration -exec sudo ./... 56 | 57 | .PHONY: cover 58 | cover: 59 | go test -coverprofile=cover.out -covermode=atomic ./... 60 | # Remove coverage output from files generated by Stringer. 61 | sed -i '/_string.go/d' cover.out 62 | go tool cover -func=cover.out 63 | 64 | .PHONY: coverhtml 65 | coverhtml: cover 66 | go tool cover -html=cover.out 67 | 68 | .PHONY: check 69 | check: test cover lint 70 | 71 | .PHONY: lint 72 | lint: 73 | golangci-lint run 74 | 75 | # Build integration test binary to run in Vagrant VM 76 | build-integration: build/integration.test 77 | build/integration.test: $(SOURCES) 78 | go test -c -o build/integration.test -covermode=atomic -tags integration 79 | 80 | # Execute the integration tests in Vagrant VM 81 | CMD := sudo /build/integration.test -test.v -test.coverprofile /build/ 82 | vagrant-integration: build/integration.test 83 | 84 | @echo -e "\n\e[33m-> centos7" 85 | @vagrant ssh centos7 -c "${CMD}centos7.out" && echo "centos7 successful!" 86 | 87 | @echo -e "\n\e[94m-> ubuntu-precise" 88 | @vagrant ssh precise -c "${CMD}precise.out" && echo "ubuntu-precise successful!" 89 | 90 | @echo -e "\n\e[95m-> ubuntu-trusty" 91 | @vagrant ssh trusty -c "${CMD}trusty.out" && echo "ubuntu-trusty successful!" 92 | 93 | @echo -e "\n\e[96m-> ubuntu-xenial" 94 | @vagrant ssh xenial -c "${CMD}xenial.out" && echo "ubuntu-xenial successful!" 95 | 96 | @echo -e "\e[0m" 97 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # conntrack [![GoDoc](https://godoc.org/github.com/ti-mo/conntrack?status.svg)](https://godoc.org/github.com/ti-mo/conntrack) ![Tests Status](https://github.com/ti-mo/conntrack/actions/workflows/linux-integration-test.yml/badge.svg) [![Coverage Status](https://coveralls.io/repos/github/ti-mo/conntrack/badge.svg?branch=master)](https://coveralls.io/github/ti-mo/conntrack?branch=master) [![Go Report Card](https://goreportcard.com/badge/github.com/ti-mo/conntrack)](https://goreportcard.com/report/github.com/ti-mo/conntrack) 2 | 3 | Package `conntrack` implements the Conntrack subsystem of the Netfilter (Netlink) protocol family. 4 | The package is intended to be clear, user-friendly, thoroughly tested and easy to understand. 5 | 6 | It is purely written in Go, without any dependency on Cgo or any C library, kernel headers 7 | or userspace tools. It uses a native Netlink implementation (https://github.com/mdlayher/netlink) 8 | and does not parse or scrape any output of the `conntrack` command. 9 | 10 | It is designed in a way that makes the user acquainted with the structure of the protocol, 11 | with a clean separation between the Conntrack types/attributes and the Netfilter layer (implemented 12 | in https://github.com/ti-mo/netfilter). 13 | 14 | All Conntrack attributes known to the kernel up until version 4.17 are implemented. There is experimental 15 | support for manipulating Conntrack 'expectations', beside listening and dumping. The original focus of the 16 | package was receiving Conntrack events over Netlink multicast sockets, but was since expanded to be a full 17 | implementation supporting queries. 18 | 19 | ## Features 20 | 21 | With this library, the user can: 22 | 23 | - Interact with conntrack connections and expectations through Flow and Expect types respectively 24 | - Create, get, update and delete Flows in an idiomatic way (and Expects, to an extent) 25 | - Listen for create/update/destroy events 26 | - Flush (empty) and dump (display) the whole conntrack table, optionally filtering on specific flow fields 27 | 28 | There are many usage examples in the [godoc](https://godoc.org/github.com/ti-mo/conntrack). 29 | 30 | ## Contributing 31 | 32 | Contributions are absolutely welcome! Before starting work on large changes, please create an issue first, 33 | or join #networking on Gophers Slack to discuss the design. 34 | 35 | If you encounter a problem implementing the library, please open a GitHub issue for help. 36 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | boxes = { 2 | "centos7" => "generic/centos7", 3 | "precise" => "ubuntu/precise64", 4 | "trusty" => "ubuntu/trusty64", 5 | "xenial" => "ubuntu/xenial64", 6 | } 7 | 8 | Vagrant.configure("2") do |vagrant| 9 | boxes.each do |name, image| 10 | 11 | vagrant.vm.define name do |config| 12 | config.vm.box = image 13 | config.vm.provider "virtualbox" do |vb| 14 | vb.memory = "512" 15 | 16 | # Disable serial connection to the VM, can sometimes write log files to repo 17 | vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ] 18 | end 19 | 20 | config.vm.synced_folder "build/", "/build" 21 | 22 | # Ensure the necessary kernel modules are loaded in the VM. 23 | config.vm.provision "shell", inline: <<-SHELL 24 | modprobe -a nf_conntrack_ipv4 nf_conntrack_ipv6 25 | SHELL 26 | end 27 | 28 | end 29 | end 30 | -------------------------------------------------------------------------------- /attribute_types.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | "github.com/mdlayher/netlink" 8 | "github.com/ti-mo/netfilter" 9 | ) 10 | 11 | // nestedFlag returns true if the NLA_F_NESTED flag is set on typ. 12 | func nestedFlag(typ uint16) bool { 13 | return typ&netlink.Nested != 0 14 | } 15 | 16 | // A Helper holds the name and info the helper that creates a related connection. 17 | type Helper struct { 18 | Name string 19 | Info []byte 20 | } 21 | 22 | // Filled returns true if the Helper's values are non-zero. 23 | func (hlp Helper) filled() bool { 24 | return hlp.Name != "" || len(hlp.Info) != 0 25 | } 26 | 27 | // unmarshal unmarshals netlink attributes into a Helper. 28 | func (hlp *Helper) unmarshal(ad *netlink.AttributeDecoder) error { 29 | for ad.Next() { 30 | switch helperType(ad.Type()) { 31 | case ctaHelpName: 32 | hlp.Name = ad.String() 33 | case ctaHelpInfo: 34 | hlp.Info = ad.Bytes() 35 | default: 36 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 37 | } 38 | } 39 | 40 | return ad.Err() 41 | } 42 | 43 | // marshal marshals a Helper into a netfilter.Attribute. 44 | func (hlp Helper) marshal() netfilter.Attribute { 45 | nfa := netfilter.Attribute{Type: uint16(ctaHelp), Nested: true, Children: make([]netfilter.Attribute, 1, 2)} 46 | 47 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaHelpName), Data: []byte(hlp.Name)} 48 | 49 | if len(hlp.Info) > 0 { 50 | nfa.Children = append(nfa.Children, netfilter.Attribute{Type: uint16(ctaHelpInfo), Data: hlp.Info}) 51 | } 52 | 53 | return nfa 54 | } 55 | 56 | // The ProtoInfo structure holds a pointer to 57 | // one of ProtoInfoTCP, ProtoInfoDCCP or ProtoInfoSCTP. 58 | type ProtoInfo struct { 59 | TCP *ProtoInfoTCP 60 | DCCP *ProtoInfoDCCP 61 | SCTP *ProtoInfoSCTP 62 | } 63 | 64 | // Filled returns true if one of the ProtoInfo's values are non-zero. 65 | func (pi ProtoInfo) filled() bool { 66 | return pi.TCP != nil || pi.DCCP != nil || pi.SCTP != nil 67 | } 68 | 69 | // unmarshal unmarshals netlink attributes into a ProtoInfo. 70 | // one of three ProtoInfo types; TCP, DCCP or SCTP. 71 | func (pi *ProtoInfo) unmarshal(ad *netlink.AttributeDecoder) error { 72 | // Make sure we don't unmarshal into the same ProtoInfo twice. 73 | if pi.filled() { 74 | return errReusedProtoInfo 75 | } 76 | 77 | if ad.Len() != 1 { 78 | return errNeedSingleChild 79 | } 80 | 81 | // Step into the single nested child, return on error. 82 | if !ad.Next() { 83 | return ad.Err() 84 | } 85 | 86 | t := protoInfoType(ad.Type()) 87 | switch t { 88 | case ctaProtoInfoTCP: 89 | var tpi ProtoInfoTCP 90 | ad.Nested(tpi.unmarshal) 91 | pi.TCP = &tpi 92 | case ctaProtoInfoDCCP: 93 | var dpi ProtoInfoDCCP 94 | ad.Nested(dpi.unmarshal) 95 | pi.DCCP = &dpi 96 | case ctaProtoInfoSCTP: 97 | var spi ProtoInfoSCTP 98 | ad.Nested(spi.unmarshal) 99 | pi.SCTP = &spi 100 | default: 101 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 102 | } 103 | 104 | if err := ad.Err(); err != nil { 105 | return fmt.Errorf("unmarshal %s: %w", t, err) 106 | } 107 | 108 | return nil 109 | } 110 | 111 | // marshal marshals a ProtoInfo into a netfilter.Attribute. 112 | func (pi ProtoInfo) marshal() netfilter.Attribute { 113 | nfa := netfilter.Attribute{Type: uint16(ctaProtoInfo), Nested: true, Children: make([]netfilter.Attribute, 0, 1)} 114 | 115 | if pi.TCP != nil { 116 | nfa.Children = append(nfa.Children, pi.TCP.marshal()) 117 | } else if pi.DCCP != nil { 118 | nfa.Children = append(nfa.Children, pi.DCCP.marshal()) 119 | } else if pi.SCTP != nil { 120 | nfa.Children = append(nfa.Children, pi.SCTP.marshal()) 121 | } 122 | 123 | return nfa 124 | } 125 | 126 | // A ProtoInfoTCP describes the state of a TCP session in both directions. 127 | // It contains state, window scale and TCP flags. 128 | type ProtoInfoTCP struct { 129 | State uint8 130 | OriginalWindowScale uint8 131 | ReplyWindowScale uint8 132 | OriginalFlags uint16 133 | ReplyFlags uint16 134 | } 135 | 136 | // unmarshal unmarshals netlink attributes into a ProtoInfoTCP. 137 | func (tpi *ProtoInfoTCP) unmarshal(ad *netlink.AttributeDecoder) error { 138 | // Since 86d21fc74745 ("netfilter: ctnetlink: add timeout and protoinfo to 139 | // destroy events"), ProtoInfoTCP is sent in conntrack events, where 140 | // previously it was only present in dumps/queries. 141 | // 142 | // NEW and UPDATE events potentially contain all attributes, but DESTROY 143 | // events only contain TCP_STATE. Expect at least one attribute here. 144 | if ad.Len() == 0 { 145 | return errNeedSingleChild 146 | } 147 | 148 | for ad.Next() { 149 | switch protoInfoTCPType(ad.Type()) { 150 | case ctaProtoInfoTCPState: 151 | tpi.State = ad.Uint8() 152 | case ctaProtoInfoTCPWScaleOriginal: 153 | tpi.OriginalWindowScale = ad.Uint8() 154 | case ctaProtoInfoTCPWScaleReply: 155 | tpi.ReplyWindowScale = ad.Uint8() 156 | case ctaProtoInfoTCPFlagsOriginal: 157 | tpi.OriginalFlags = ad.Uint16() 158 | case ctaProtoInfoTCPFlagsReply: 159 | tpi.ReplyFlags = ad.Uint16() 160 | default: 161 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 162 | } 163 | } 164 | 165 | return ad.Err() 166 | } 167 | 168 | // marshal marshals a ProtoInfoTCP into a netfilter.Attribute. 169 | func (tpi ProtoInfoTCP) marshal() netfilter.Attribute { 170 | nfa := netfilter.Attribute{Type: uint16(ctaProtoInfoTCP), Nested: true, Children: make([]netfilter.Attribute, 3, 5)} 171 | 172 | nfa.Children[0] = netfilter.Attribute{ 173 | Type: uint16(ctaProtoInfoTCPState), Data: []byte{tpi.State}, 174 | } 175 | nfa.Children[1] = netfilter.Attribute{ 176 | Type: uint16(ctaProtoInfoTCPWScaleOriginal), Data: []byte{tpi.OriginalWindowScale}, 177 | } 178 | nfa.Children[2] = netfilter.Attribute{ 179 | Type: uint16(ctaProtoInfoTCPWScaleReply), Data: []byte{tpi.ReplyWindowScale}, 180 | } 181 | 182 | // Only append TCP flags to attributes when either of them is non-zero. 183 | if tpi.OriginalFlags != 0 || tpi.ReplyFlags != 0 { 184 | nfa.Children = append(nfa.Children, 185 | netfilter.Attribute{Type: uint16(ctaProtoInfoTCPFlagsOriginal), Data: netfilter.Uint16Bytes(tpi.OriginalFlags)}, 186 | netfilter.Attribute{Type: uint16(ctaProtoInfoTCPFlagsReply), Data: netfilter.Uint16Bytes(tpi.ReplyFlags)}) 187 | } 188 | 189 | return nfa 190 | } 191 | 192 | // ProtoInfoDCCP describes the state of a DCCP connection. 193 | type ProtoInfoDCCP struct { 194 | State, Role uint8 195 | HandshakeSeq uint64 196 | } 197 | 198 | // unmarshal unmarshals netlink attributes into a ProtoInfoDCCP. 199 | func (dpi *ProtoInfoDCCP) unmarshal(ad *netlink.AttributeDecoder) error { 200 | if ad.Len() == 0 { 201 | return errNeedSingleChild 202 | } 203 | 204 | for ad.Next() { 205 | switch protoInfoDCCPType(ad.Type()) { 206 | case ctaProtoInfoDCCPState: 207 | dpi.State = ad.Uint8() 208 | case ctaProtoInfoDCCPRole: 209 | dpi.Role = ad.Uint8() 210 | case ctaProtoInfoDCCPHandshakeSeq: 211 | dpi.HandshakeSeq = ad.Uint64() 212 | default: 213 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 214 | } 215 | } 216 | 217 | return ad.Err() 218 | } 219 | 220 | // marshal marshals a ProtoInfoDCCP into a netfilter.Attribute. 221 | func (dpi ProtoInfoDCCP) marshal() netfilter.Attribute { 222 | nfa := netfilter.Attribute{Type: uint16(ctaProtoInfoDCCP), Nested: true, Children: make([]netfilter.Attribute, 3)} 223 | 224 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaProtoInfoDCCPState), Data: []byte{dpi.State}} 225 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaProtoInfoDCCPRole), Data: []byte{dpi.Role}} 226 | nfa.Children[2] = netfilter.Attribute{Type: uint16(ctaProtoInfoDCCPHandshakeSeq), 227 | Data: netfilter.Uint64Bytes(dpi.HandshakeSeq)} 228 | 229 | return nfa 230 | } 231 | 232 | // ProtoInfoSCTP describes the state of an SCTP connection. 233 | type ProtoInfoSCTP struct { 234 | State uint8 235 | VTagOriginal, VTagReply uint32 236 | } 237 | 238 | // unmarshal unmarshals netlink attributes into a ProtoInfoSCTP. 239 | func (spi *ProtoInfoSCTP) unmarshal(ad *netlink.AttributeDecoder) error { 240 | if ad.Len() == 0 { 241 | return errNeedSingleChild 242 | } 243 | 244 | for ad.Next() { 245 | switch protoInfoSCTPType(ad.Type()) { 246 | case ctaProtoInfoSCTPState: 247 | spi.State = ad.Uint8() 248 | case ctaProtoInfoSCTPVTagOriginal: 249 | spi.VTagOriginal = ad.Uint32() 250 | case ctaProtoInfoSCTPVtagReply: 251 | spi.VTagReply = ad.Uint32() 252 | default: 253 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 254 | } 255 | } 256 | 257 | return ad.Err() 258 | } 259 | 260 | // marshal marshals a ProtoInfoSCTP into a netfilter.Attribute. 261 | func (spi ProtoInfoSCTP) marshal() netfilter.Attribute { 262 | nfa := netfilter.Attribute{Type: uint16(ctaProtoInfoSCTP), Nested: true, Children: make([]netfilter.Attribute, 3)} 263 | 264 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaProtoInfoSCTPState), Data: []byte{spi.State}} 265 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaProtoInfoSCTPVTagOriginal), 266 | Data: netfilter.Uint32Bytes(spi.VTagOriginal)} 267 | nfa.Children[2] = netfilter.Attribute{Type: uint16(ctaProtoInfoSCTPVtagReply), 268 | Data: netfilter.Uint32Bytes(spi.VTagReply)} 269 | 270 | return nfa 271 | } 272 | 273 | // A Counter holds a pair of counters that represent packets and bytes sent over 274 | // a Conntrack connection. Direction is true when it's a reply counter. 275 | // This attribute cannot be changed on a connection and thus cannot be marshaled. 276 | type Counter struct { 277 | 278 | // true means it's a reply counter, 279 | // false is the original direction 280 | Direction bool 281 | 282 | Packets uint64 283 | Bytes uint64 284 | } 285 | 286 | func (ctr Counter) String() string { 287 | dir := "orig" 288 | if ctr.Direction { 289 | dir = "reply" 290 | } 291 | 292 | return fmt.Sprintf("[%s: %d pkts/%d B]", dir, ctr.Packets, ctr.Bytes) 293 | } 294 | 295 | // Filled returns true if the counter's values are non-zero. 296 | func (ctr Counter) filled() bool { 297 | return ctr.Bytes != 0 && ctr.Packets != 0 298 | } 299 | 300 | // unmarshal unmarshals netlink attributes into a Counter. 301 | func (ctr *Counter) unmarshal(ad *netlink.AttributeDecoder) error { 302 | // A Counter consists of packet and byte attributes but may have 303 | // help attributes as well if nf_conntrack_helper enabled 304 | if ad.Len() < 2 { 305 | return errNeedChildren 306 | } 307 | 308 | for ad.Next() { 309 | switch counterType(ad.Type()) { 310 | case ctaCountersPackets: 311 | ctr.Packets = ad.Uint64() 312 | case ctaCountersBytes: 313 | ctr.Bytes = ad.Uint64() 314 | case ctaCountersPad: 315 | // Ignore padding attributes that show up if nf_conntrack_helper is enabled. 316 | continue 317 | default: 318 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 319 | } 320 | } 321 | 322 | return ad.Err() 323 | } 324 | 325 | // A Timestamp represents the start and end time of a flow. 326 | // The timer resolution in the kernel is in nanosecond-epoch. 327 | // This attribute cannot be changed on a connection and thus cannot be marshaled. 328 | type Timestamp struct { 329 | Start time.Time 330 | Stop time.Time 331 | } 332 | 333 | // unmarshal unmarshals netlink attributes into a Timestamp. 334 | func (ts *Timestamp) unmarshal(ad *netlink.AttributeDecoder) error { 335 | // A Timestamp will always have at least a start time 336 | if ad.Len() == 0 { 337 | return errNeedSingleChild 338 | } 339 | 340 | for ad.Next() { 341 | switch timestampType(ad.Type()) { 342 | case ctaTimestampStart: 343 | ts.Start = time.Unix(0, int64(ad.Uint64())) 344 | case ctaTimestampStop: 345 | ts.Stop = time.Unix(0, int64(ad.Uint64())) 346 | default: 347 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 348 | } 349 | } 350 | 351 | return ad.Err() 352 | } 353 | 354 | // A Security structure holds the security info belonging to a connection. 355 | // Kernel uses this to store and match SELinux context name. 356 | // This attribute cannot be changed on a connection and thus cannot be marshaled. 357 | type Security string 358 | 359 | // unmarshal unmarshals netlink attributes into a Security. 360 | func (sec *Security) unmarshal(ad *netlink.AttributeDecoder) error { 361 | // A SecurityContext has at least a name 362 | if ad.Len() == 0 { 363 | return errNeedChildren 364 | } 365 | 366 | for ad.Next() { 367 | switch securityType(ad.Type()) { 368 | case ctaSecCtxName: 369 | *sec = Security(ad.Bytes()) 370 | default: 371 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 372 | } 373 | } 374 | 375 | return ad.Err() 376 | } 377 | 378 | // SequenceAdjust represents a TCP sequence number adjustment event. 379 | // Direction is true when it's a reply adjustment. 380 | type SequenceAdjust struct { 381 | // true means it's a reply adjustment, 382 | // false is the original direction 383 | Direction bool 384 | 385 | Position uint32 386 | OffsetBefore uint32 387 | OffsetAfter uint32 388 | } 389 | 390 | func (seq SequenceAdjust) String() string { 391 | dir := "orig" 392 | if seq.Direction { 393 | dir = "reply" 394 | } 395 | 396 | return fmt.Sprintf("[dir: %s, pos: %d, before: %d, after: %d]", dir, seq.Position, seq.OffsetBefore, seq.OffsetAfter) 397 | } 398 | 399 | // Filled returns true if the SequenceAdjust's values are non-zero. 400 | // SeqAdj qualify as filled if all of its members are non-zero. 401 | func (seq SequenceAdjust) filled() bool { 402 | return seq.Position != 0 && seq.OffsetAfter != 0 && seq.OffsetBefore != 0 403 | } 404 | 405 | // unmarshal unmarshals netlink attributes into a SequenceAdjust. 406 | func (seq *SequenceAdjust) unmarshal(ad *netlink.AttributeDecoder) error { 407 | // A SequenceAdjust message should come with at least 1 child. 408 | if ad.Len() == 0 { 409 | return errNeedSingleChild 410 | } 411 | 412 | for ad.Next() { 413 | switch seqAdjType(ad.Type()) { 414 | case ctaSeqAdjCorrectionPos: 415 | seq.Position = ad.Uint32() 416 | case ctaSeqAdjOffsetBefore: 417 | seq.OffsetBefore = ad.Uint32() 418 | case ctaSeqAdjOffsetAfter: 419 | seq.OffsetAfter = ad.Uint32() 420 | default: 421 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 422 | } 423 | } 424 | 425 | return ad.Err() 426 | } 427 | 428 | // marshal marshals a SequenceAdjust into a netfilter.Attribute. 429 | func (seq SequenceAdjust) marshal(reply bool) netfilter.Attribute { 430 | // Set orig/reply AttributeType 431 | at := ctaSeqAdjOrig 432 | if seq.Direction || reply { 433 | at = ctaSeqAdjReply 434 | } 435 | 436 | nfa := netfilter.Attribute{Type: uint16(at), Nested: true, Children: make([]netfilter.Attribute, 3)} 437 | 438 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaSeqAdjCorrectionPos), 439 | Data: netfilter.Uint32Bytes(seq.Position)} 440 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaSeqAdjOffsetBefore), 441 | Data: netfilter.Uint32Bytes(seq.OffsetBefore)} 442 | nfa.Children[2] = netfilter.Attribute{Type: uint16(ctaSeqAdjOffsetAfter), 443 | Data: netfilter.Uint32Bytes(seq.OffsetAfter)} 444 | 445 | return nfa 446 | } 447 | 448 | // SynProxy represents the SYN proxy parameters of a Conntrack flow. 449 | type SynProxy struct { 450 | ISN uint32 451 | ITS uint32 452 | TSOff uint32 453 | } 454 | 455 | // Filled returns true if the SynProxy's values are non-zero. 456 | // SynProxy qualifies as filled if one of its members is non-zero. 457 | func (sp SynProxy) filled() bool { 458 | return sp.ISN != 0 || sp.ITS != 0 || sp.TSOff != 0 459 | } 460 | 461 | // unmarshal unmarshals netlink attributes into a SynProxy. 462 | func (sp *SynProxy) unmarshal(ad *netlink.AttributeDecoder) error { 463 | if ad.Len() == 0 { 464 | return errNeedSingleChild 465 | } 466 | 467 | for ad.Next() { 468 | switch synProxyType(ad.Type()) { 469 | case ctaSynProxyISN: 470 | sp.ISN = ad.Uint32() 471 | case ctaSynProxyITS: 472 | sp.ITS = ad.Uint32() 473 | case ctaSynProxyTSOff: 474 | sp.TSOff = ad.Uint32() 475 | default: 476 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 477 | } 478 | } 479 | 480 | return ad.Err() 481 | } 482 | 483 | // marshal marshals a SynProxy into a netfilter.Attribute. 484 | func (sp SynProxy) marshal() netfilter.Attribute { 485 | nfa := netfilter.Attribute{Type: uint16(ctaSynProxy), Nested: true, Children: make([]netfilter.Attribute, 3)} 486 | 487 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaSynProxyISN), Data: netfilter.Uint32Bytes(sp.ISN)} 488 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaSynProxyITS), Data: netfilter.Uint32Bytes(sp.ITS)} 489 | nfa.Children[2] = netfilter.Attribute{Type: uint16(ctaSynProxyTSOff), Data: netfilter.Uint32Bytes(sp.TSOff)} 490 | 491 | return nfa 492 | } 493 | 494 | // TODO: ctaStats 495 | // TODO: ctaStatsGlobal 496 | // TODO: ctaStatsExp 497 | -------------------------------------------------------------------------------- /attribute_types_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/stretchr/testify/assert" 7 | 8 | "github.com/mdlayher/netlink" 9 | "github.com/ti-mo/netfilter" 10 | ) 11 | 12 | var ( 13 | adEmpty, _ = netfilter.NewAttributeDecoder([]byte{}) 14 | adOneUnknown = *mustDecodeAttribute(netfilter.Attribute{Type: uint16(ctaUnspec)}) 15 | adTwoUnknown = *mustDecodeAttributes( 16 | []netfilter.Attribute{ 17 | {Type: uint16(ctaUnspec)}, 18 | {Type: uint16(ctaUnspec)}, 19 | }) 20 | adThreeUnknown = *mustDecodeAttributes( 21 | []netfilter.Attribute{ 22 | {Type: uint16(ctaUnspec)}, 23 | {Type: uint16(ctaUnspec)}, 24 | {Type: uint16(ctaUnspec)}, 25 | }) 26 | ) 27 | 28 | // mustDecodeAttribute wraps attr in a list of netfilter.Attributes and calls 29 | // mustDecodeAttributes. 30 | func mustDecodeAttribute(attr netfilter.Attribute) *netlink.AttributeDecoder { 31 | return mustDecodeAttributes([]netfilter.Attribute{attr}) 32 | } 33 | 34 | // mustDecodeAttributes marshals a list of netfilter.Attributes and returns 35 | // an AttributeDecoder holding the binary output of the unmarshal. 36 | func mustDecodeAttributes(attrs []netfilter.Attribute) *netlink.AttributeDecoder { 37 | ba, err := netfilter.MarshalAttributes(attrs) 38 | if err != nil { 39 | panic(err) 40 | } 41 | 42 | ad, err := netfilter.NewAttributeDecoder(ba) 43 | if err != nil { 44 | panic(err) 45 | } 46 | 47 | return ad 48 | } 49 | 50 | func TestAttributeTypeString(t *testing.T) { 51 | if attributeType(255).String() == "" { 52 | t.Fatal("AttributeType string representation empty - did you run `go generate`?") 53 | } 54 | } 55 | 56 | func TestAttributeHelper(t *testing.T) { 57 | hlp := Helper{} 58 | assert.Equal(t, false, hlp.filled()) 59 | assert.Equal(t, true, Helper{Info: []byte{1}}.filled()) 60 | assert.Equal(t, true, Helper{Name: "1"}.filled()) 61 | 62 | nfaNameInfo := netfilter.Attribute{ 63 | Type: uint16(ctaHelp), 64 | Nested: true, 65 | Children: []netfilter.Attribute{ 66 | { 67 | Type: uint16(ctaHelpName), 68 | Data: []byte("foo"), 69 | }, 70 | { 71 | Type: uint16(ctaHelpInfo), 72 | Data: []byte{1, 2}, 73 | }, 74 | }, 75 | } 76 | assert.Nil(t, hlp.unmarshal(mustDecodeAttributes(nfaNameInfo.Children))) 77 | 78 | assert.EqualValues(t, hlp.marshal(), nfaNameInfo) 79 | 80 | ad := adOneUnknown 81 | assert.ErrorIs(t, hlp.unmarshal(&ad), errUnknownAttribute) 82 | } 83 | 84 | func TestAttributeProtoInfo(t *testing.T) { 85 | var pi ProtoInfo 86 | assert.Equal(t, false, pi.filled()) 87 | assert.Equal(t, true, ProtoInfo{DCCP: &ProtoInfoDCCP{}}.filled()) 88 | assert.Equal(t, true, ProtoInfo{TCP: &ProtoInfoTCP{}}.filled()) 89 | assert.Equal(t, true, ProtoInfo{SCTP: &ProtoInfoSCTP{}}.filled()) 90 | 91 | assert.ErrorIs(t, pi.unmarshal(adEmpty), errNeedSingleChild) 92 | 93 | // Exhaust the AttributeDecoder before passing to unmarshal. 94 | ead := mustDecodeAttribute(nfaUnspecU16) 95 | ead.Next() 96 | assert.NoError(t, pi.unmarshal(ead)) 97 | 98 | ad := adOneUnknown 99 | assert.ErrorIs(t, pi.unmarshal(&ad), errUnknownAttribute) 100 | 101 | // Attempt marshal of empty ProtoInfo, expect attribute with zero children. 102 | assert.Len(t, pi.marshal().Children, 0) 103 | 104 | // TCP protocol info 105 | nfaInfoTCP := netfilter.Attribute{ 106 | Type: uint16(ctaProtoInfo), 107 | Nested: true, 108 | Children: []netfilter.Attribute{ 109 | { 110 | Type: uint16(ctaProtoInfoTCP), 111 | Nested: true, 112 | Children: []netfilter.Attribute{ 113 | { 114 | Type: uint16(ctaProtoInfoTCPState), 115 | Data: []byte{1}, 116 | }, 117 | { 118 | Type: uint16(ctaProtoInfoTCPWScaleOriginal), 119 | Data: []byte{2}, 120 | }, 121 | { 122 | Type: uint16(ctaProtoInfoTCPWScaleReply), 123 | Data: []byte{3}, 124 | }, 125 | { 126 | Type: uint16(ctaProtoInfoTCPFlagsOriginal), 127 | Data: []byte{0, 4}, 128 | }, 129 | { 130 | Type: uint16(ctaProtoInfoTCPFlagsReply), 131 | Data: []byte{0, 5}, 132 | }, 133 | }, 134 | }, 135 | }, 136 | } 137 | 138 | // Full ProtoInfoTCP unmarshal. 139 | var tpi ProtoInfo 140 | assert.NoError(t, tpi.unmarshal(mustDecodeAttributes(nfaInfoTCP.Children))) 141 | 142 | // Re-marshal into netfilter Attribute 143 | assert.EqualValues(t, nfaInfoTCP, tpi.marshal()) 144 | 145 | // DCCP protocol info 146 | nfaInfoDCCP := netfilter.Attribute{ 147 | Type: uint16(ctaProtoInfo), 148 | Nested: true, 149 | Children: []netfilter.Attribute{ 150 | { 151 | Type: uint16(ctaProtoInfoDCCP), 152 | Nested: true, 153 | Children: []netfilter.Attribute{ 154 | { 155 | Type: uint16(ctaProtoInfoDCCPState), 156 | Data: []byte{1}, 157 | }, 158 | { 159 | Type: uint16(ctaProtoInfoDCCPRole), 160 | Data: []byte{2}, 161 | }, 162 | { 163 | Type: uint16(ctaProtoInfoDCCPHandshakeSeq), 164 | Data: []byte{3, 4, 5, 6, 7, 8, 9, 10}, 165 | }, 166 | }, 167 | }, 168 | }, 169 | } 170 | 171 | // Full ProtoInfoDCCP unmarshal 172 | var dpi ProtoInfo 173 | assert.Nil(t, dpi.unmarshal(mustDecodeAttributes(nfaInfoDCCP.Children))) 174 | 175 | // Re-marshal into netfilter Attribute 176 | assert.EqualValues(t, nfaInfoDCCP, dpi.marshal()) 177 | 178 | nfaInfoSCTP := netfilter.Attribute{ 179 | Type: uint16(ctaProtoInfo), 180 | Nested: true, 181 | Children: []netfilter.Attribute{ 182 | { 183 | Type: uint16(ctaProtoInfoSCTP), 184 | Nested: true, 185 | Children: []netfilter.Attribute{ 186 | { 187 | Type: uint16(ctaProtoInfoSCTPState), 188 | Data: []byte{1}, 189 | }, 190 | { 191 | Type: uint16(ctaProtoInfoSCTPVTagOriginal), 192 | Data: []byte{2, 3, 4, 5}, 193 | }, 194 | { 195 | Type: uint16(ctaProtoInfoSCTPVtagReply), 196 | Data: []byte{6, 7, 8, 9}, 197 | }, 198 | }, 199 | }, 200 | }, 201 | } 202 | 203 | // Full ProtoInfoSCTP unmarshal 204 | var spi ProtoInfo 205 | assert.Nil(t, spi.unmarshal(mustDecodeAttributes(nfaInfoSCTP.Children))) 206 | 207 | // Re-marshal into netfilter Attribute 208 | assert.EqualValues(t, nfaInfoSCTP, spi.marshal()) 209 | 210 | // Attempt to unmarshal into re-used ProtoInfo 211 | pi.TCP = &ProtoInfoTCP{} 212 | assert.ErrorIs(t, pi.unmarshal(mustDecodeAttribute(nfaInfoTCP)), errReusedProtoInfo) 213 | } 214 | 215 | func TestProtoInfoTypeString(t *testing.T) { 216 | ssid := protoInfoType(255) 217 | 218 | ssidStr := ssid.String() 219 | 220 | if ssidStr == "" { 221 | t.Fatal("ProtoInfoType string representation empty - did you run `go generate`?") 222 | } 223 | } 224 | 225 | func TestAttributeProtoInfoTCP(t *testing.T) { 226 | var pit ProtoInfoTCP 227 | assert.ErrorIs(t, pit.unmarshal(adEmpty), errNeedSingleChild) 228 | 229 | ad := adThreeUnknown 230 | assert.ErrorIs(t, pit.unmarshal(&ad), errUnknownAttribute) 231 | 232 | nfaProtoInfoTCP := []netfilter.Attribute{ 233 | { 234 | Type: uint16(ctaProtoInfoTCPState), 235 | Data: []byte{1}, 236 | }, 237 | { 238 | Type: uint16(ctaProtoInfoTCPFlagsOriginal), 239 | Data: []byte{0, 2}, 240 | }, 241 | { 242 | Type: uint16(ctaProtoInfoTCPFlagsReply), 243 | Data: []byte{0, 3}, 244 | }, 245 | { 246 | Type: uint16(ctaProtoInfoTCPWScaleOriginal), 247 | Data: []byte{4}, 248 | }, 249 | { 250 | Type: uint16(ctaProtoInfoTCPWScaleReply), 251 | Data: []byte{5}, 252 | }, 253 | } 254 | assert.NoError(t, pit.unmarshal(mustDecodeAttributes(nfaProtoInfoTCP))) 255 | } 256 | 257 | func TestAttributeProtoInfoDCCP(t *testing.T) { 258 | var pid ProtoInfoDCCP 259 | assert.ErrorIs(t, pid.unmarshal(adEmpty), errNeedSingleChild) 260 | 261 | ad := adThreeUnknown 262 | assert.ErrorIs(t, pid.unmarshal(&ad), errUnknownAttribute) 263 | 264 | nfaProtoInfoDCCP := []netfilter.Attribute{ 265 | { 266 | Type: uint16(ctaProtoInfoDCCPState), 267 | Data: []byte{1}, 268 | }, 269 | { 270 | Type: uint16(ctaProtoInfoDCCPRole), 271 | Data: []byte{2}, 272 | }, 273 | { 274 | Type: uint16(ctaProtoInfoDCCPHandshakeSeq), 275 | Data: []byte{3, 4, 5, 6, 7, 8, 9, 10}, 276 | }, 277 | } 278 | assert.NoError(t, pid.unmarshal(mustDecodeAttributes(nfaProtoInfoDCCP))) 279 | } 280 | 281 | func TestAttributeProtoInfoSCTP(t *testing.T) { 282 | var pid ProtoInfoSCTP 283 | assert.ErrorIs(t, pid.unmarshal(adEmpty), errNeedSingleChild) 284 | 285 | ad := adOneUnknown 286 | assert.ErrorIs(t, pid.unmarshal(&ad), errUnknownAttribute) 287 | 288 | nfaProtoInfoSCTP := []netfilter.Attribute{ 289 | { 290 | Type: uint16(ctaProtoInfoSCTPState), 291 | Data: []byte{1}, 292 | }, 293 | { 294 | Type: uint16(ctaProtoInfoSCTPVTagOriginal), 295 | Data: []byte{2, 3, 4, 5}, 296 | }, 297 | { 298 | Type: uint16(ctaProtoInfoSCTPVtagReply), 299 | Data: []byte{6, 7, 8, 9}, 300 | }, 301 | } 302 | assert.NoError(t, pid.unmarshal(mustDecodeAttributes(nfaProtoInfoSCTP))) 303 | } 304 | 305 | func TestAttributeCounters(t *testing.T) { 306 | ctr := Counter{} 307 | assert.Equal(t, false, ctr.filled()) 308 | assert.Equal(t, true, Counter{Packets: 1, Bytes: 1}.filled()) 309 | 310 | // Counters can be unmarshaled from both ctaCountersOrig and ctaCountersReply 311 | attrTypes := []attributeType{ctaCountersOrig, ctaCountersReply} 312 | 313 | for _, at := range attrTypes { 314 | t.Run(at.String(), func(t *testing.T) { 315 | assert.ErrorIs(t, ctr.unmarshal(adEmpty), errNeedChildren) 316 | 317 | nfaCounter := []netfilter.Attribute{ 318 | { 319 | Type: uint16(ctaCountersBytes), 320 | Data: make([]byte, 8), 321 | }, 322 | { 323 | Type: uint16(ctaCountersPackets), 324 | Data: make([]byte, 8), 325 | }, 326 | { 327 | Type: uint16(ctaCountersPad), 328 | Data: make([]byte, 8), 329 | }, 330 | } 331 | assert.NoError(t, ctr.unmarshal(mustDecodeAttributes(nfaCounter))) 332 | 333 | ad := adTwoUnknown 334 | assert.ErrorIs(t, ctr.unmarshal(&ad), errUnknownAttribute) 335 | }) 336 | } 337 | } 338 | 339 | func TestAttributeTimestamp(t *testing.T) { 340 | var ts Timestamp 341 | assert.ErrorIs(t, ts.unmarshal(adEmpty), errNeedSingleChild) 342 | 343 | ad := adOneUnknown 344 | assert.ErrorIs(t, ts.unmarshal(&ad), errUnknownAttribute) 345 | 346 | nfaTimestamp := []netfilter.Attribute{ 347 | { 348 | Type: uint16(ctaTimestampStart), 349 | Data: make([]byte, 8), 350 | }, 351 | { 352 | Type: uint16(ctaTimestampStop), 353 | Data: make([]byte, 8), 354 | }, 355 | } 356 | assert.NoError(t, ts.unmarshal(mustDecodeAttributes(nfaTimestamp))) 357 | } 358 | 359 | func TestAttributeSecCtx(t *testing.T) { 360 | var sc Security 361 | assert.ErrorIs(t, sc.unmarshal(adEmpty), errNeedChildren) 362 | 363 | ad := adOneUnknown 364 | assert.ErrorIs(t, sc.unmarshal(&ad), errUnknownAttribute) 365 | 366 | nfaSecurity := []netfilter.Attribute{ 367 | { 368 | Type: uint16(ctaSecCtxName), 369 | Data: []byte("foo"), 370 | }, 371 | } 372 | assert.NoError(t, sc.unmarshal(mustDecodeAttributes(nfaSecurity))) 373 | } 374 | 375 | func TestAttributeSeqAdj(t *testing.T) { 376 | sa := SequenceAdjust{} 377 | assert.Equal(t, false, sa.filled()) 378 | assert.Equal(t, true, SequenceAdjust{Position: 1, OffsetBefore: 1, OffsetAfter: 1}.filled()) 379 | 380 | // SequenceAdjust can be unmarshaled from both ctaSeqAdjOrig and ctaSeqAdjReply 381 | attrTypes := []attributeType{ctaSeqAdjOrig, ctaSeqAdjReply} 382 | 383 | for _, at := range attrTypes { 384 | t.Run(at.String(), func(t *testing.T) { 385 | assert.ErrorIs(t, sa.unmarshal(adEmpty), errNeedSingleChild) 386 | 387 | ad := adOneUnknown 388 | assert.ErrorIs(t, sa.unmarshal(&ad), errUnknownAttribute) 389 | 390 | nfaSeqAdj := netfilter.Attribute{ 391 | Type: uint16(at), 392 | Nested: true, 393 | Children: []netfilter.Attribute{ 394 | { 395 | Type: uint16(ctaSeqAdjCorrectionPos), 396 | Data: make([]byte, 4), 397 | }, 398 | { 399 | Type: uint16(ctaSeqAdjOffsetBefore), 400 | Data: make([]byte, 4), 401 | }, 402 | { 403 | Type: uint16(ctaSeqAdjOffsetAfter), 404 | Data: make([]byte, 4), 405 | }, 406 | }, 407 | } 408 | assert.NoError(t, sa.unmarshal(mustDecodeAttributes(nfaSeqAdj.Children))) 409 | 410 | // The AttributeDecoder unmarshal() no longer has the tuple direction, set it manually. 411 | // TODO: Remove when marshal() switches to AttributeEncoder. 412 | if at == ctaSeqAdjReply { 413 | sa.Direction = true 414 | } else { 415 | sa.Direction = false 416 | } 417 | 418 | assert.EqualValues(t, nfaSeqAdj, sa.marshal(false)) 419 | }) 420 | } 421 | } 422 | 423 | func TestAttributeSynProxy(t *testing.T) { 424 | sp := SynProxy{} 425 | assert.Equal(t, false, sp.filled()) 426 | assert.Equal(t, true, SynProxy{ISN: 1}.filled()) 427 | assert.Equal(t, true, SynProxy{ITS: 1}.filled()) 428 | assert.Equal(t, true, SynProxy{TSOff: 1}.filled()) 429 | 430 | assert.ErrorIs(t, sp.unmarshal(adEmpty), errNeedSingleChild) 431 | 432 | ad := adOneUnknown 433 | assert.ErrorIs(t, sp.unmarshal(&ad), errUnknownAttribute) 434 | 435 | nfaSynProxy := netfilter.Attribute{ 436 | Type: uint16(ctaSynProxy), 437 | Nested: true, 438 | Children: []netfilter.Attribute{ 439 | { 440 | Type: uint16(ctaSynProxyISN), 441 | Data: []byte{0, 1, 2, 3}, 442 | }, 443 | { 444 | Type: uint16(ctaSynProxyITS), 445 | Data: []byte{4, 5, 6, 7}, 446 | }, 447 | { 448 | Type: uint16(ctaSynProxyTSOff), 449 | Data: []byte{8, 9, 10, 11}, 450 | }, 451 | }, 452 | } 453 | assert.NoError(t, sp.unmarshal(mustDecodeAttributes(nfaSynProxy.Children))) 454 | 455 | assert.EqualValues(t, nfaSynProxy, sp.marshal()) 456 | } 457 | -------------------------------------------------------------------------------- /attributetype_string.go: -------------------------------------------------------------------------------- 1 | // Code generated by "stringer -type=attributeType"; DO NOT EDIT. 2 | 3 | package conntrack 4 | 5 | import "strconv" 6 | 7 | func _() { 8 | // An "invalid array index" compiler error signifies that the constant values have changed. 9 | // Re-run the stringer command to generate them again. 10 | var x [1]struct{} 11 | _ = x[ctaUnspec-0] 12 | _ = x[ctaTupleOrig-1] 13 | _ = x[ctaTupleReply-2] 14 | _ = x[ctaStatus-3] 15 | _ = x[ctaProtoInfo-4] 16 | _ = x[ctaHelp-5] 17 | _ = x[ctaNatSrc-6] 18 | _ = x[ctaTimeout-7] 19 | _ = x[ctaMark-8] 20 | _ = x[ctaCountersOrig-9] 21 | _ = x[ctaCountersReply-10] 22 | _ = x[ctaUse-11] 23 | _ = x[ctaID-12] 24 | _ = x[ctaNatDst-13] 25 | _ = x[ctaTupleMaster-14] 26 | _ = x[ctaSeqAdjOrig-15] 27 | _ = x[ctaSeqAdjReply-16] 28 | _ = x[ctaSecMark-17] 29 | _ = x[ctaZone-18] 30 | _ = x[ctaSecCtx-19] 31 | _ = x[ctaTimestamp-20] 32 | _ = x[ctaMarkMask-21] 33 | _ = x[ctaLabels-22] 34 | _ = x[ctaLabelsMask-23] 35 | _ = x[ctaSynProxy-24] 36 | _ = x[ctaFilter-25] 37 | _ = x[ctaStatusMask-26] 38 | _ = x[ctaTimestampEvent-27] 39 | } 40 | 41 | const _attributeType_name = "ctaUnspecctaTupleOrigctaTupleReplyctaStatusctaProtoInfoctaHelpctaNatSrcctaTimeoutctaMarkctaCountersOrigctaCountersReplyctaUsectaIDctaNatDstctaTupleMasterctaSeqAdjOrigctaSeqAdjReplyctaSecMarkctaZonectaSecCtxctaTimestampctaMarkMaskctaLabelsctaLabelsMaskctaSynProxyctaFilterctaStatusMaskctaTimestampEvent" 42 | 43 | var _attributeType_index = [...]uint16{0, 9, 21, 34, 43, 55, 62, 71, 81, 88, 103, 119, 125, 130, 139, 153, 166, 180, 190, 197, 206, 218, 229, 238, 251, 262, 271, 284, 301} 44 | 45 | func (i attributeType) String() string { 46 | if i >= attributeType(len(_attributeType_index)-1) { 47 | return "attributeType(" + strconv.FormatInt(int64(i), 10) + ")" 48 | } 49 | return _attributeType_name[_attributeType_index[i]:_attributeType_index[i+1]] 50 | } 51 | -------------------------------------------------------------------------------- /conn.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | "sync" 6 | 7 | "github.com/mdlayher/netlink" 8 | "github.com/pkg/errors" 9 | "github.com/ti-mo/netfilter" 10 | "golang.org/x/sys/unix" 11 | ) 12 | 13 | // Conn represents a Netlink connection to the Netfilter 14 | // subsystem and implements all Conntrack actions. 15 | type Conn struct { 16 | conn *netfilter.Conn 17 | 18 | workers sync.WaitGroup 19 | } 20 | 21 | // DumpOptions is passed as an option to `Dump`-related methods to modify their behaviour. 22 | type DumpOptions struct { 23 | // ZeroCounters resets all flows' counters to zero after the dump operation. 24 | ZeroCounters bool 25 | } 26 | 27 | // Dial opens a new Netfilter Netlink connection and returns it 28 | // wrapped in a Conn structure that implements the Conntrack API. 29 | func Dial(config *netlink.Config) (*Conn, error) { 30 | c, err := netfilter.Dial(config) 31 | if err != nil { 32 | return nil, err 33 | } 34 | 35 | return &Conn{conn: c}, nil 36 | } 37 | 38 | // Close closes a Conn. 39 | // 40 | // If any workers were started using [Conn.Listen], blocks until all have 41 | // terminated. 42 | func (c *Conn) Close() error { 43 | if err := c.conn.Close(); err != nil { 44 | return err 45 | } 46 | 47 | c.workers.Wait() 48 | 49 | return nil 50 | } 51 | 52 | // SetOption enables or disables a netlink socket option for the Conn. 53 | func (c *Conn) SetOption(option netlink.ConnOption, enable bool) error { 54 | return c.conn.SetOption(option, enable) 55 | } 56 | 57 | // SetReadBuffer sets the size of the operating system's receive buffer 58 | // associated with the Conn. 59 | // 60 | // The default read buffer size of a socket is configured with 61 | // `sysctl net.core.rmem_default`. The maximum buffer size that can be set 62 | // without elevated privileges is `sysctl net.core.rmem_max`. 63 | func (c *Conn) SetReadBuffer(bytes int) error { 64 | return c.conn.SetReadBuffer(bytes) 65 | } 66 | 67 | // SetWriteBuffer sets the size of the operating system's transmit buffer associated with the Conn. 68 | // 69 | // The default write buffer size of a socket is configured with 70 | // `sysctl net.core.wmem_default`. The maximum buffer size that can be set 71 | // without elevated privileges is `sysctl net.core.wmem_max`. 72 | func (c *Conn) SetWriteBuffer(bytes int) error { 73 | return c.conn.SetWriteBuffer(bytes) 74 | } 75 | 76 | // Listen joins the Netfilter connection to a multicast group and starts a given 77 | // amount of Flow decoders from the Conn to the Flow channel. Returns an error channel 78 | // the workers will return any errors on. Any error during Flow decoding is fatal and 79 | // will halt the worker it occurs on. When numWorkers amount of errors have been received on 80 | // the error channel, no more events will be produced on evChan. 81 | // 82 | // The Conn will be marked as having listeners active, which will prevent Listen from being 83 | // called again. For listening on other groups, open another socket. 84 | // 85 | // evChan consumers need to be able to keep up with the Event producers. When the channel is full, 86 | // messages will pile up in the Netlink socket's buffer, putting the socket at risk of being closed 87 | // by the kernel when it eventually fills up. 88 | // 89 | // Closing the Conn makes all workers terminate silently. 90 | func (c *Conn) Listen(evChan chan<- Event, numWorkers uint8, groups []netfilter.NetlinkGroup) (chan error, error) { 91 | if numWorkers == 0 { 92 | return nil, errNoWorkers 93 | } 94 | 95 | // Prevent Listen() from being called twice on the same Conn. 96 | // This is checked again in JoinGroups(), but an early failure is preferred. 97 | if c.conn.IsMulticast() { 98 | return nil, errConnHasListeners 99 | } 100 | 101 | err := c.conn.JoinGroups(groups) 102 | if err != nil { 103 | return nil, err 104 | } 105 | 106 | errChan := make(chan error) 107 | 108 | // Start numWorkers amount of worker goroutines 109 | for id := uint8(0); id < numWorkers; id++ { 110 | c.workers.Add(1) 111 | go c.eventWorker(id, evChan, errChan) 112 | } 113 | 114 | return errChan, nil 115 | } 116 | 117 | // eventWorker is a worker function that decodes Netlink messages into Events. 118 | func (c *Conn) eventWorker(workerID uint8, evChan chan<- Event, errChan chan<- error) { 119 | var err error 120 | var recv []netlink.Message 121 | var ev Event 122 | 123 | defer c.workers.Done() 124 | 125 | for { 126 | // Receive data from the Netlink socket. 127 | recv, err = c.conn.Receive() 128 | 129 | // If the Conn gets closed while blocked in Receive(), Go's runtime poller 130 | // will return an src/internal/poll.ErrFileClosing. Since we cannot match 131 | // the underlying error using errors.Is(), retrieve it from the netlink.OpErr. 132 | var opErr *netlink.OpError 133 | if errors.As(err, &opErr) { 134 | if opErr.Err.Error() == "use of closed file" { 135 | return 136 | } 137 | } 138 | 139 | // Underlying fd has been closed, exit receive loop. 140 | if errors.Is(err, unix.EBADF) { 141 | return 142 | } 143 | 144 | if err != nil { 145 | errChan <- fmt.Errorf("Receive() netlink error, closing worker %d: %w", workerID, err) 146 | return 147 | } 148 | 149 | // Receive() always returns a list of Netlink Messages, but multicast messages should never be multi-part 150 | if len(recv) > 1 { 151 | errChan <- errMultipartEvent 152 | return 153 | } 154 | 155 | // Decode event and send on channel 156 | ev = *new(Event) 157 | err := ev.Unmarshal(recv[0]) 158 | if err != nil { 159 | errChan <- err 160 | return 161 | } 162 | 163 | evChan <- ev 164 | } 165 | } 166 | 167 | // Dump gets all Conntrack connections from the kernel in the form of a list 168 | // of Flow objects. 169 | func (c *Conn) Dump(opts *DumpOptions) ([]Flow, error) { 170 | msgType := ctGet 171 | if opts != nil && opts.ZeroCounters { 172 | msgType = ctGetCtrZero 173 | } 174 | 175 | req, err := netfilter.MarshalNetlink( 176 | netfilter.Header{ 177 | SubsystemID: netfilter.NFSubsysCTNetlink, 178 | MessageType: netfilter.MessageType(msgType), 179 | Family: netfilter.ProtoUnspec, // ProtoUnspec dumps both IPv4 and IPv6 180 | Flags: netlink.Request | netlink.Dump, 181 | }, 182 | nil) 183 | 184 | if err != nil { 185 | return nil, err 186 | } 187 | 188 | nlm, err := c.conn.Query(req) 189 | if err != nil { 190 | return nil, err 191 | } 192 | 193 | return unmarshalFlows(nlm) 194 | } 195 | 196 | // DumpFilter gets all Conntrack connections from the kernel in the form of a 197 | // list of Flow objects. Only Flows matching the provided [Filter] are returned. 198 | func (c *Conn) DumpFilter(filter Filter, opts *DumpOptions) ([]Flow, error) { 199 | if filter == nil { 200 | return nil, fmt.Errorf("filter is nil") 201 | } 202 | 203 | msgType := ctGet 204 | if opts != nil && opts.ZeroCounters { 205 | msgType = ctGetCtrZero 206 | } 207 | 208 | req, err := netfilter.MarshalNetlink( 209 | netfilter.Header{ 210 | SubsystemID: netfilter.NFSubsysCTNetlink, 211 | MessageType: netfilter.MessageType(msgType), 212 | Family: filter.family(), 213 | Flags: netlink.Request | netlink.Dump, 214 | }, 215 | filter.marshal()) 216 | 217 | if err != nil { 218 | return nil, err 219 | } 220 | 221 | nlm, err := c.conn.Query(req) 222 | if err != nil { 223 | return nil, err 224 | } 225 | 226 | return unmarshalFlows(nlm) 227 | } 228 | 229 | // DumpExpect gets all expected Conntrack expectations from the kernel in the form 230 | // of a list of Expect objects. 231 | func (c *Conn) DumpExpect() ([]Expect, error) { 232 | req, err := netfilter.MarshalNetlink( 233 | netfilter.Header{ 234 | SubsystemID: netfilter.NFSubsysCTNetlinkExp, 235 | MessageType: netfilter.MessageType(ctGet), 236 | Family: netfilter.ProtoUnspec, // ProtoUnspec dumps both IPv4 and IPv6 237 | Flags: netlink.Request | netlink.Dump | netlink.Acknowledge, 238 | }, 239 | nil) 240 | 241 | if err != nil { 242 | return nil, err 243 | } 244 | 245 | nlm, err := c.conn.Query(req) 246 | if err != nil { 247 | return nil, err 248 | } 249 | 250 | return unmarshalExpects(nlm) 251 | } 252 | 253 | // Flush empties the Conntrack table. Deletes all IPv4 and IPv6 entries. 254 | func (c *Conn) Flush() error { 255 | 256 | req, err := netfilter.MarshalNetlink( 257 | netfilter.Header{ 258 | SubsystemID: netfilter.NFSubsysCTNetlink, 259 | MessageType: netfilter.MessageType(ctDelete), 260 | Family: netfilter.ProtoUnspec, // Family is ignored for flush 261 | Flags: netlink.Request | netlink.Acknowledge, 262 | }, 263 | nil) 264 | 265 | if err != nil { 266 | return err 267 | } 268 | 269 | _, err = c.conn.Query(req) 270 | if err != nil { 271 | return err 272 | } 273 | 274 | return nil 275 | } 276 | 277 | // FlushFilter deletes all entries from the Conntrack table matching a given 278 | // [Filter]. 279 | func (c *Conn) FlushFilter(filter Filter) error { 280 | if filter == nil { 281 | return fmt.Errorf("filter is nil") 282 | } 283 | 284 | req, err := netfilter.MarshalNetlink( 285 | netfilter.Header{ 286 | SubsystemID: netfilter.NFSubsysCTNetlink, 287 | MessageType: netfilter.MessageType(ctDelete), 288 | Family: filter.family(), 289 | Flags: netlink.Request | netlink.Acknowledge, 290 | 291 | // Request 'new' filtered flush behaviour as described in e7600865db32 292 | // ("netfilter: ctnetlink: Fix regression in conntrack entry deletion"). 293 | // Before this patch, the kernel would ignore the nfgenmsg family and 294 | // flush the entire table. As of 1ef7f50ccc6e ("netfilter: ctnetlink: 295 | // support CTA_FILTER for flush"), the same can be accomplished by setting 296 | // an empty CTA_FILTER. 297 | Version: 1, 298 | }, 299 | filter.marshal()) 300 | 301 | if err != nil { 302 | return err 303 | } 304 | 305 | _, err = c.conn.Query(req) 306 | if err != nil { 307 | return err 308 | } 309 | 310 | return nil 311 | } 312 | 313 | // Create creates a new Conntrack entry. 314 | func (c *Conn) Create(f Flow) error { 315 | 316 | // Conntrack create requires timeout to be set. 317 | if f.Timeout == 0 { 318 | return errNeedTimeout 319 | } 320 | 321 | attrs, err := f.marshal() 322 | if err != nil { 323 | return err 324 | } 325 | 326 | pf := netfilter.ProtoIPv4 327 | if f.TupleOrig.IP.IsIPv6() && f.TupleReply.IP.IsIPv6() { 328 | pf = netfilter.ProtoIPv6 329 | } 330 | 331 | req, err := netfilter.MarshalNetlink( 332 | netfilter.Header{ 333 | SubsystemID: netfilter.NFSubsysCTNetlink, 334 | MessageType: netfilter.MessageType(ctNew), 335 | Family: pf, 336 | Flags: netlink.Request | netlink.Acknowledge | 337 | netlink.Excl | netlink.Create, 338 | }, attrs) 339 | 340 | if err != nil { 341 | return err 342 | } 343 | 344 | _, err = c.conn.Query(req) 345 | if err != nil { 346 | return err 347 | } 348 | 349 | return nil 350 | } 351 | 352 | // CreateExpect creates a new Conntrack Expect entry. Warning: Experimental, haven't 353 | // got this to create an Expect correctly. Best-effort implementation based on kernel source. 354 | func (c *Conn) CreateExpect(ex Expect) error { 355 | 356 | attrs, err := ex.marshal() 357 | if err != nil { 358 | return err 359 | } 360 | 361 | pf := netfilter.ProtoIPv4 362 | if ex.Tuple.IP.IsIPv6() && ex.Mask.IP.IsIPv6() && ex.TupleMaster.IP.IsIPv6() { 363 | pf = netfilter.ProtoIPv6 364 | } 365 | 366 | req, err := netfilter.MarshalNetlink( 367 | netfilter.Header{ 368 | SubsystemID: netfilter.NFSubsysCTNetlinkExp, 369 | MessageType: netfilter.MessageType(ctExpNew), 370 | Family: pf, 371 | Flags: netlink.Request | netlink.Acknowledge | 372 | netlink.Excl | netlink.Create, 373 | }, attrs) 374 | 375 | if err != nil { 376 | return err 377 | } 378 | 379 | _, err = c.conn.Query(req) 380 | if err != nil { 381 | return err 382 | } 383 | 384 | return nil 385 | } 386 | 387 | // Get queries the conntrack table for a connection matching some attributes of a given Flow. 388 | // The following attributes are considered in the query: TupleOrig or TupleReply, in that order, 389 | // and Zone. One of TupleOrig or TupleReply is required for a successful query. 390 | func (c *Conn) Get(f Flow) (Flow, error) { 391 | 392 | var qf Flow 393 | 394 | attrs, err := f.marshal() 395 | if err != nil { 396 | return qf, err 397 | } 398 | 399 | pf := netfilter.ProtoIPv4 400 | if f.TupleOrig.IP.IsIPv6() || f.TupleReply.IP.IsIPv6() { 401 | pf = netfilter.ProtoIPv6 402 | } 403 | 404 | req, err := netfilter.MarshalNetlink( 405 | netfilter.Header{ 406 | SubsystemID: netfilter.NFSubsysCTNetlink, 407 | MessageType: netfilter.MessageType(ctGet), 408 | Family: pf, 409 | Flags: netlink.Request | netlink.Acknowledge, 410 | }, attrs) 411 | 412 | if err != nil { 413 | return qf, err 414 | } 415 | 416 | nlm, err := c.conn.Query(req) 417 | if err != nil { 418 | return qf, err 419 | } 420 | 421 | // Since this is not a dump (and ACK flag is set), the kernel sends a message containing 422 | // the flow, followed by a Netlink (non-)error message. The error is already parsed by 423 | // the netlink library, so we only read the first message containing the Flow. 424 | qf, err = unmarshalFlow(nlm[0]) 425 | if err != nil { 426 | return qf, err 427 | } 428 | 429 | return qf, nil 430 | } 431 | 432 | // Update updates a Conntrack entry. Only the following attributes are considered 433 | // when sending a Flow update: Helper, Timeout, Status, ProtoInfo, Mark, SeqAdj (orig/reply), 434 | // SynProxy, Labels. All other attributes are immutable past the point of creation. 435 | // See the ctnetlink_change_conntrack() kernel function for exact behaviour. 436 | func (c *Conn) Update(f Flow) error { 437 | // Kernel rejects updates with a master tuple set 438 | if f.TupleMaster.filled() { 439 | return errUpdateMaster 440 | } 441 | 442 | attrs, err := f.marshal() 443 | if err != nil { 444 | return err 445 | } 446 | 447 | pf := netfilter.ProtoIPv4 448 | if f.TupleOrig.IP.IsIPv6() && f.TupleReply.IP.IsIPv6() { 449 | pf = netfilter.ProtoIPv6 450 | } 451 | 452 | req, err := netfilter.MarshalNetlink( 453 | netfilter.Header{ 454 | SubsystemID: netfilter.NFSubsysCTNetlink, 455 | MessageType: netfilter.MessageType(ctNew), 456 | Family: pf, 457 | Flags: netlink.Request | netlink.Acknowledge, 458 | }, attrs) 459 | 460 | if err != nil { 461 | return err 462 | } 463 | 464 | _, err = c.conn.Query(req) 465 | if err != nil { 466 | return err 467 | } 468 | 469 | return nil 470 | } 471 | 472 | // Delete removes a Conntrack entry given a Flow. Flows are looked up in the conntrack table 473 | // based on the original and reply tuple. When the Flow's ID field is filled, it must match the 474 | // ID on the connection returned from the tuple lookup, or the delete will fail. 475 | func (c *Conn) Delete(f Flow) error { 476 | attrs, err := f.marshal() 477 | if err != nil { 478 | return err 479 | } 480 | 481 | // Default to IPv4, set netlink protocol family to IPv6 if orig/reply is IPv6. 482 | pf := netfilter.ProtoIPv4 483 | if f.TupleOrig.IP.IsIPv6() && f.TupleReply.IP.IsIPv6() { 484 | pf = netfilter.ProtoIPv6 485 | } 486 | 487 | req, err := netfilter.MarshalNetlink( 488 | netfilter.Header{ 489 | SubsystemID: netfilter.NFSubsysCTNetlink, 490 | MessageType: netfilter.MessageType(ctDelete), 491 | Family: pf, 492 | Flags: netlink.Request | netlink.Acknowledge, 493 | }, attrs) 494 | 495 | if err != nil { 496 | return err 497 | } 498 | 499 | _, err = c.conn.Query(req) 500 | if err != nil { 501 | return err 502 | } 503 | 504 | return nil 505 | } 506 | 507 | // Stats returns a list of Stats structures, one per CPU present in the machine. 508 | // Each Stats structure contains performance counters of all Conntrack actions 509 | // performed on that specific CPU. 510 | func (c *Conn) Stats() ([]Stats, error) { 511 | 512 | req, err := netfilter.MarshalNetlink( 513 | netfilter.Header{ 514 | SubsystemID: netfilter.NFSubsysCTNetlink, 515 | MessageType: netfilter.MessageType(ctGetStatsCPU), 516 | Family: netfilter.ProtoUnspec, 517 | Flags: netlink.Request | netlink.Dump, 518 | }, nil) 519 | 520 | if err != nil { 521 | return nil, err 522 | } 523 | 524 | msgs, err := c.conn.Query(req) 525 | if err != nil { 526 | return nil, err 527 | } 528 | 529 | return unmarshalStats(msgs) 530 | } 531 | 532 | // StatsExpect returns a list of StatsExpect structures, one per CPU present in the machine. 533 | // Each StatsExpect structure indicates how many Expect entries were initialized, 534 | // created or deleted on each CPU. 535 | func (c *Conn) StatsExpect() ([]StatsExpect, error) { 536 | 537 | req, err := netfilter.MarshalNetlink( 538 | netfilter.Header{ 539 | SubsystemID: netfilter.NFSubsysCTNetlinkExp, 540 | MessageType: netfilter.MessageType(ctExpGetStatsCPU), 541 | Family: netfilter.ProtoUnspec, 542 | Flags: netlink.Request | netlink.Dump, 543 | }, nil) 544 | 545 | if err != nil { 546 | return nil, err 547 | } 548 | 549 | msgs, err := c.conn.Query(req) 550 | if err != nil { 551 | return nil, err 552 | } 553 | 554 | return unmarshalStatsExpect(msgs) 555 | } 556 | 557 | // StatsGlobal queries Conntrack for an internal global counter that describes the total amount 558 | // of Flow entries currently in the Conntrack table. Only the main Conntrack table has this 559 | // fast query available. To get the amount of Expect entries, execute DumpExpect() and count 560 | // the amount of entries returned. 561 | // 562 | // Starting from kernels 4.18 and higher, MaxEntries is returned, describing the maximum size 563 | // of the Conntrack table. 564 | func (c *Conn) StatsGlobal() (StatsGlobal, error) { 565 | 566 | req, err := netfilter.MarshalNetlink( 567 | netfilter.Header{ 568 | SubsystemID: netfilter.NFSubsysCTNetlink, 569 | MessageType: netfilter.MessageType(ctGetStats), 570 | Family: netfilter.ProtoUnspec, 571 | Flags: netlink.Request | netlink.Dump | netlink.Acknowledge, 572 | }, nil) 573 | 574 | var sg StatsGlobal 575 | 576 | if err != nil { 577 | return sg, err 578 | } 579 | 580 | msgs, err := c.conn.Query(req) 581 | if err != nil { 582 | return sg, err 583 | } 584 | 585 | return unmarshalStatsGlobal(msgs[0]) 586 | } 587 | -------------------------------------------------------------------------------- /conn_integration_test.go: -------------------------------------------------------------------------------- 1 | //go:build integration 2 | 3 | package conntrack 4 | 5 | import ( 6 | "fmt" 7 | "io/ioutil" 8 | "log" 9 | "os" 10 | "strings" 11 | "testing" 12 | 13 | "github.com/stretchr/testify/require" 14 | 15 | "github.com/mdlayher/netlink" 16 | "github.com/vishvananda/netns" 17 | ) 18 | 19 | var ksyms []string 20 | 21 | func TestMain(m *testing.M) { 22 | if err := checkKmod(); err != nil { 23 | log.Fatal(err) 24 | } 25 | 26 | var err error 27 | ksyms, err = getKsyms() 28 | if err != nil { 29 | log.Fatal(err) 30 | } 31 | 32 | rc := m.Run() 33 | os.Exit(rc) 34 | } 35 | 36 | // Open a Netlink socket and set an option on it. 37 | func TestConnDialSetOption(t *testing.T) { 38 | c, err := Dial(nil) 39 | require.NoError(t, err, "opening Conn") 40 | 41 | err = c.SetOption(netlink.ListenAllNSID, true) 42 | require.NoError(t, err, "setting SockOption") 43 | 44 | err = c.Close() 45 | require.NoError(t, err, "closing Conn") 46 | } 47 | 48 | // checkKmod checks if the kernel modules required for this test suite are loaded into the kernel. 49 | // Since around 4.19, conntrack is a single module, so only warn about _ipv4/6 when that one 50 | // is not loaded. 51 | func checkKmod() error { 52 | kmods := []string{ 53 | "nf_conntrack_ipv4", 54 | "nf_conntrack_ipv6", 55 | } 56 | 57 | if _, err := os.Stat("/sys/module/nf_conntrack"); os.IsNotExist(err) { 58 | // Fall back to _ipv4/6 if nf_conntrack is missing. 59 | for _, km := range kmods { 60 | if _, err := os.Stat(fmt.Sprintf("/sys/module/%s", km)); os.IsNotExist(err) { 61 | return fmt.Errorf("missing kernel module %s and module nf_conntrack", km) 62 | } 63 | } 64 | } 65 | 66 | return nil 67 | } 68 | 69 | // makeNSConn creates a Conn in a new network namespace to use for testing. 70 | // Returns the Conn, the netns identifier and error. 71 | func makeNSConn() (*Conn, int, error) { 72 | newns, err := netns.New() 73 | if err != nil { 74 | return nil, 0, fmt.Errorf("unexpected error creating network namespace: %s", err) 75 | } 76 | 77 | newConn, err := Dial(&netlink.Config{NetNS: int(newns)}) 78 | if err != nil { 79 | return nil, 0, fmt.Errorf("unexpected error dialing namespaced connection: %s", err) 80 | } 81 | 82 | return newConn, int(newns), nil 83 | } 84 | 85 | // getKsyms gets a list of all symbols in the kernel. (/proc/kallsyms) 86 | func getKsyms() ([]string, error) { 87 | f, err := ioutil.ReadFile("/proc/kallsyms") 88 | if err != nil { 89 | return nil, err 90 | } 91 | 92 | // Trim trailing newlines and split by newline 93 | content := strings.Split(strings.TrimSuffix(string(f), "\n"), "\n") 94 | out := make([]string, len(content)) 95 | 96 | for i, l := range content { 97 | // Replace any tabs by spaces 98 | l = strings.Replace(l, "\t", " ", -1) 99 | 100 | // Get the third column 101 | out[i] = strings.Split(l, " ")[2] 102 | } 103 | 104 | return out, nil 105 | } 106 | 107 | // findKsym finds a given string in /proc/kallsyms. True means the string was found. 108 | func findKsym(sym string) bool { 109 | for _, v := range ksyms { 110 | if v == sym { 111 | return true 112 | } 113 | } 114 | 115 | return false 116 | } 117 | -------------------------------------------------------------------------------- /conn_test.go: -------------------------------------------------------------------------------- 1 | package conntrack_test 2 | 3 | import ( 4 | "fmt" 5 | "log" 6 | "net/netip" 7 | "testing" 8 | 9 | "github.com/mdlayher/netlink" 10 | "github.com/stretchr/testify/assert" 11 | "github.com/stretchr/testify/require" 12 | 13 | "github.com/ti-mo/conntrack" 14 | "github.com/ti-mo/netfilter" 15 | ) 16 | 17 | func TestConnBufferSizes(t *testing.T) { 18 | c, err := conntrack.Dial(nil) 19 | require.NoError(t, err, "dialing conn") 20 | 21 | assert.NoError(t, c.SetReadBuffer(256)) 22 | assert.NoError(t, c.SetWriteBuffer(256)) 23 | 24 | require.NoError(t, c.Close(), "closing conn") 25 | } 26 | 27 | func ExampleConn_createUpdateFlow() { 28 | // Open a Conntrack connection. 29 | c, err := conntrack.Dial(nil) 30 | if err != nil { 31 | log.Fatal(err) 32 | } 33 | 34 | // Set up a new Flow object using a given set of attributes. 35 | f := conntrack.NewFlow( 36 | 17, 0, 37 | netip.MustParseAddr("2a00:1450:400e:804::200e"), 38 | netip.MustParseAddr("2a00:1450:400e:804::200f"), 39 | 1234, 80, 120, 0, 40 | ) 41 | 42 | // Send the Flow to the kernel. 43 | err = c.Create(f) 44 | if err != nil { 45 | log.Fatal(err) 46 | } 47 | 48 | f.Timeout = 240 49 | 50 | // Update the Flow's timeout to 240 seconds. 51 | err = c.Update(f) 52 | if err != nil { 53 | log.Fatal(err) 54 | } 55 | 56 | // Query the kernel based on the Flow's source/destination tuples. 57 | // Returns a new Flow object with its connection ID assigned by the kernel. 58 | qf, err := c.Get(f) 59 | if err != nil { 60 | log.Fatal(err) 61 | } 62 | 63 | // Print the result. The Flow has a timeout greater than 120 seconds. 64 | log.Print(qf) 65 | } 66 | 67 | func ExampleConn_dumpFilter() { 68 | // Open a Conntrack connection. 69 | c, err := conntrack.Dial(nil) 70 | if err != nil { 71 | log.Fatal(err) 72 | } 73 | 74 | f1 := conntrack.NewFlow( 75 | 6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 76 | 1234, 80, 120, 0x00ff, // Set a connection mark 77 | ) 78 | 79 | f2 := conntrack.NewFlow( 80 | 17, 0, netip.MustParseAddr("2a00:1450:400e:804::200e"), netip.MustParseAddr("2a00:1450:400e:804::200f"), 81 | 1234, 80, 120, 0xff00, // Set a connection mark 82 | ) 83 | 84 | _ = c.Create(f1) 85 | _ = c.Create(f2) 86 | 87 | // Dump all records in the Conntrack table that match the filter's mark. 88 | df, err := c.DumpFilter(conntrack.NewFilter().Mark(0xff00), nil) 89 | if err != nil { 90 | log.Fatal(err) 91 | } 92 | 93 | // Print the result. Only f2 is displayed. 94 | log.Print(df) 95 | } 96 | 97 | func ExampleConn_dumpFilterZone() { 98 | // Open a Conntrack connection. 99 | c, err := conntrack.Dial(nil) 100 | if err != nil { 101 | log.Fatal(err) 102 | } 103 | 104 | // Create flows in different zones 105 | f1 := conntrack.NewFlow( 106 | 6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 107 | 1234, 80, 120, 0, 108 | ) 109 | f1.Zone = 10 110 | 111 | f2 := conntrack.NewFlow( 112 | 17, 0, netip.MustParseAddr("2a00:1450:400e:804::200e"), netip.MustParseAddr("2a00:1450:400e:804::200f"), 113 | 1234, 80, 120, 0, 114 | ) 115 | f2.Zone = 20 116 | 117 | _ = c.Create(f1) 118 | _ = c.Create(f2) 119 | 120 | // Dump all flows in table 20. 121 | df, err := c.DumpFilter(conntrack.NewFilter().Zone(20), nil) 122 | if err != nil { 123 | log.Fatal(err) 124 | } 125 | 126 | // Print the result. Only f2 is displayed. 127 | log.Print(df) 128 | } 129 | 130 | func ExampleConn_flush() { 131 | // Open a Conntrack connection. 132 | c, err := conntrack.Dial(nil) 133 | if err != nil { 134 | log.Fatal(err) 135 | } 136 | 137 | // Evict all entries from the conntrack table in the current network namespace. 138 | err = c.Flush() 139 | if err != nil { 140 | log.Fatal(err) 141 | } 142 | } 143 | 144 | func ExampleConn_flushFilter() { 145 | // Open a Conntrack connection. 146 | c, err := conntrack.Dial(nil) 147 | if err != nil { 148 | log.Fatal(err) 149 | } 150 | 151 | f1 := conntrack.NewFlow( 152 | 6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 153 | 1234, 80, 120, 0x00ff, // Set a connection mark 154 | ) 155 | 156 | f2 := conntrack.NewFlow( 157 | 17, 0, netip.MustParseAddr("2a00:1450:400e:804::200e"), netip.MustParseAddr("2a00:1450:400e:804::200f"), 158 | 1234, 80, 120, 0xff00, // Set a connection mark 159 | ) 160 | 161 | _ = c.Create(f1) 162 | _ = c.Create(f2) 163 | 164 | // Flush only the second flow matching the filter's mark and mask. 165 | err = c.FlushFilter(conntrack.NewFilter().Mark(0xff00).MarkMask(0xffff)) 166 | if err != nil { 167 | log.Fatal(err) 168 | } 169 | 170 | // Getting f1 succeeds. 171 | _, err = c.Get(f1) 172 | if err != nil { 173 | log.Fatal(err) 174 | } 175 | 176 | // Getting f2 will fail, since it was flushed. 177 | _, err = c.Get(f2) 178 | if err != nil { 179 | log.Println("Flow f2 missing, as expected", err) 180 | } 181 | } 182 | 183 | func ExampleConn_delete() { 184 | // Open a Conntrack connection. 185 | c, err := conntrack.Dial(nil) 186 | if err != nil { 187 | log.Fatal(err) 188 | } 189 | 190 | f := conntrack.NewFlow( 191 | 6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 192 | 1234, 80, 120, 0, 193 | ) 194 | 195 | // Create the Flow, will return err if unsuccessful. 196 | err = c.Create(f) 197 | if err != nil { 198 | log.Fatal(err) 199 | } 200 | 201 | // Delete the Flow based on its IP/port tuple, will return err if unsuccessful. 202 | err = c.Delete(f) 203 | if err != nil { 204 | log.Fatal(err) 205 | } 206 | } 207 | 208 | func ExampleConn_listen() { 209 | // Open a Conntrack connection. 210 | c, err := conntrack.Dial(nil) 211 | if err != nil { 212 | log.Fatal(err) 213 | } 214 | 215 | // Make a buffered channel to receive event updates on. 216 | evCh := make(chan conntrack.Event, 1024) 217 | 218 | // Listen for all Conntrack and Conntrack-Expect events with 4 decoder goroutines. 219 | // All errors caught in the decoders are passed on channel errCh. 220 | errCh, err := c.Listen(evCh, 4, append(netfilter.GroupsCT, netfilter.GroupsCTExp...)) 221 | if err != nil { 222 | log.Fatal(err) 223 | } 224 | 225 | // Listen to Conntrack events from all network namespaces on the system. 226 | err = c.SetOption(netlink.ListenAllNSID, true) 227 | if err != nil { 228 | log.Fatal(err) 229 | } 230 | 231 | // Start a goroutine to print all incoming messages on the event channel. 232 | go func() { 233 | for { 234 | fmt.Println(<-evCh) 235 | } 236 | }() 237 | 238 | // Stop the program as soon as an error is caught in a decoder goroutine. 239 | log.Print(<-errCh) 240 | } 241 | -------------------------------------------------------------------------------- /doc.go: -------------------------------------------------------------------------------- 1 | // Package conntrack implements the Conntrack subsystem of the Netfilter (Netlink) protocol family. 2 | // The package is intended to be clear, user-friendly, thoroughly tested and easy to understand. 3 | // 4 | // It is purely written in Go, without any dependency on Cgo or any C library, kernel headers 5 | // or userspace tools. It uses a native Netlink implementation (https://github.com/mdlayher/netlink) 6 | // and does not parse or scrape any output of the `conntrack` command. 7 | // 8 | // It is designed in a way that makes the user acquainted with the structure of the protocol, 9 | // with a clean separation between the Conntrack types/attributes and the Netfilter layer (implemented 10 | // in https://github.com/ti-mo/netfilter). 11 | // 12 | // All Conntrack attributes known to the kernel up until version 4.17 are implemented. There is experimental 13 | // support for manipulating Conntrack 'expectations', beside listening and dumping. The original focus of the 14 | // package was receiving Conntrack events over Netlink multicast sockets, but was since expanded to be a full 15 | // implementation supporting queries. 16 | package conntrack 17 | -------------------------------------------------------------------------------- /enum.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import "github.com/ti-mo/netfilter" 4 | 5 | // All enums in this file are translated from the Linux kernel source at 6 | // include/uapi/linux/netfilter/nfnetlink_conntrack.h 7 | 8 | // messageType is a Conntrack-specific representation of a netfilter.MessageType. 9 | // It is used to specify the type of action to execute on the kernel's state table 10 | // (get, create, delete, etc.). 11 | type messageType netfilter.MessageType 12 | 13 | // The first three members are similar to NF_NETLINK_CONNTRACK_*, which is still used 14 | // in libnetfilter_conntrack. They can still be used to subscribe to Netlink groups with bind(), 15 | // but subscribing using setsockopt() (like mdlayher/netlink) requires the NFNLGRP_* enum. 16 | // 17 | // enum cntl_msg_types (upstream typo) 18 | const ( 19 | ctNew messageType = iota // IPCTNL_MSG_CT_NEW 20 | ctGet // IPCTNL_MSG_CT_GET 21 | ctDelete // IPCTNL_MSG_CT_DELETE 22 | ctGetCtrZero // IPCTNL_MSG_CT_GET_CTRZERO 23 | ctGetStatsCPU // IPCTNL_MSG_CT_GET_STATS_CPU 24 | ctGetStats // IPCTNL_MSG_CT_GET_STATS 25 | ctGetDying // IPCTNL_MSG_CT_GET_DYING 26 | ctGetUnconfirmed // IPCTNL_MSG_CT_GET_UNCONFIRMED 27 | ) 28 | 29 | // expMessageType is a Conntrack-specific representation of a netfilter.MessageType. 30 | // It holds information about Conntrack Expect events; state created by Conntrack helpers. 31 | type expMessageType netfilter.MessageType 32 | 33 | // enum ctnl_exp_msg_types 34 | const ( 35 | ctExpNew expMessageType = iota // IPCTNL_MSG_EXP_NEW 36 | ctExpGet // IPCTNL_MSG_EXP_GET 37 | ctExpDelete // IPCTNL_MSG_EXP_DELETE 38 | ctExpGetStatsCPU // IPCTNL_MSG_EXP_GET_STATS_CPU 39 | ) 40 | 41 | // attributeType defines the meaning of a root-level Type 42 | // value of a Conntrack-specific Netfilter attribute. 43 | type attributeType uint8 44 | 45 | // enum ctattr_type 46 | const ( 47 | ctaUnspec attributeType = iota // CTA_UNSPEC 48 | ctaTupleOrig // CTA_TUPLE_ORIG 49 | ctaTupleReply // CTA_TUPLE_REPLY 50 | ctaStatus // CTA_STATUS 51 | ctaProtoInfo // CTA_PROTOINFO 52 | ctaHelp // CTA_HELP 53 | ctaNatSrc // CTA_NAT_SRC, Deprecated 54 | ctaTimeout // CTA_TIMEOUT 55 | ctaMark // CTA_MARK 56 | ctaCountersOrig // CTA_COUNTERS_ORIG 57 | ctaCountersReply // CTA_COUNTERS_REPLY 58 | ctaUse // CTA_USE 59 | ctaID // CTA_ID 60 | ctaNatDst // CTA_NAT_DST, Deprecated 61 | ctaTupleMaster // CTA_TUPLE_MASTER 62 | ctaSeqAdjOrig // CTA_SEQ_ADJ_ORIG 63 | ctaSeqAdjReply // CTA_SEQ_ADJ_REPLY 64 | ctaSecMark // CTA_SECMARK, Deprecated 65 | ctaZone // CTA_ZONE 66 | ctaSecCtx // CTA_SECCTX 67 | ctaTimestamp // CTA_TIMESTAMP 68 | ctaMarkMask // CTA_MARK_MASK 69 | ctaLabels // CTA_LABELS 70 | ctaLabelsMask // CTA_LABELS_MASK 71 | ctaSynProxy // CTA_SYNPROXY 72 | ctaFilter // CTA_FILTER 73 | ctaStatusMask // CTA_STATUS_MASK 74 | ctaTimestampEvent // CTA_TIMESTAMP_EVENT 75 | ) 76 | 77 | // tupleType describes the type of tuple contained in this container. 78 | type tupleType uint8 79 | 80 | // enum ctattr_tuple 81 | const ( 82 | ctaTupleUnspec tupleType = iota // CTA_TUPLE_UNSPEC 83 | ctaTupleIP // CTA_TUPLE_IP 84 | ctaTupleProto // CTA_TUPLE_PROTO 85 | ctaTupleZone // CTA_TUPLE_ZONE 86 | ) 87 | 88 | // protoTupleType describes the type of Layer 4 protocol metadata in this container. 89 | type protoTupleType uint8 90 | 91 | // enum ctattr_l4proto 92 | const ( 93 | ctaProtoUnspec protoTupleType = iota // CTA_PROTO_UNSPEC 94 | ctaProtoNum // CTA_PROTO_NUM 95 | ctaProtoSrcPort // CTA_PROTO_SRC_PORT 96 | ctaProtoDstPort // CTA_PROTO_DST_PORT 97 | ctaProtoICMPID // CTA_PROTO_ICMP_ID 98 | ctaProtoICMPType // CTA_PROTO_ICMP_TYPE 99 | ctaProtoICMPCode // CTA_PROTO_ICMP_CODE 100 | ctaProtoICMPv6ID // CTA_PROTO_ICMPV6_ID 101 | ctaProtoICMPv6Type // CTA_PROTO_ICMPV6_TYPE 102 | ctaProtoICMPv6Code // CTA_PROTO_ICMPV6_CODE 103 | ) 104 | 105 | // ipTupleType describes the type of IP address in this container. 106 | type ipTupleType uint8 107 | 108 | // enum ctattr_ip 109 | const ( 110 | ctaIPUnspec ipTupleType = iota // CTA_IP_UNSPEC 111 | ctaIPv4Src // CTA_IP_V4_SRC 112 | ctaIPv4Dst // CTA_IP_V4_DST 113 | ctaIPv6Src // CTA_IP_V6_SRC 114 | ctaIPv6Dst // CTA_IP_V6_DST 115 | ) 116 | 117 | // helperType describes the kind of helper in this container. 118 | type helperType uint8 119 | 120 | // enum ctattr_help 121 | const ( 122 | ctaHelpUnspec helperType = iota // CTA_HELP_UNSPEC 123 | ctaHelpName // CTA_HELP_NAME 124 | ctaHelpInfo // CTA_HELP_INFO 125 | ) 126 | 127 | // counterType describes the kind of counter in this container. 128 | type counterType uint8 129 | 130 | // enum ctattr_counters 131 | const ( 132 | ctaCountersUnspec counterType = iota // CTA_COUNTERS_UNSPEC 133 | ctaCountersPackets // CTA_COUNTERS_PACKETS 134 | ctaCountersBytes // CTA_COUNTERS_BYTES 135 | _ // CTA_COUNTERS32_PACKETS, old 32bit counters, unused 136 | _ // CTA_COUNTERS32_BYTES, old 32bit counters, unused 137 | ctaCountersPad // CTA_COUNTERS_PAD 138 | ) 139 | 140 | // timestampType describes the type of timestamp in this container. 141 | type timestampType uint8 142 | 143 | // enum ctattr_tstamp 144 | const ( 145 | ctaTimestampUnspec timestampType = iota // CTA_TIMESTAMP_UNSPEC 146 | ctaTimestampStart // CTA_TIMESTAMP_START 147 | ctaTimestampStop // CTA_TIMESTAMP_STOP 148 | ctaTimestampPad // CTA_TIMESTAMP_PAD 149 | ) 150 | 151 | // securityType describes the type of SecCtx value in this container. 152 | type securityType uint8 153 | 154 | // enum ctattr_secctx 155 | const ( 156 | ctaSecCtxUnspec securityType = iota // CTA_SECCTX_UNSPEC 157 | ctaSecCtxName // CTA_SECCTX_NAME 158 | ) 159 | 160 | // protoInfoType describes the kind of protocol info in this container. 161 | type protoInfoType uint8 162 | 163 | // enum ctattr_protoinfo 164 | const ( 165 | ctaProtoInfoUnspec protoInfoType = iota // CTA_PROTOINFO_UNSPEC 166 | ctaProtoInfoTCP // CTA_PROTOINFO_TCP 167 | ctaProtoInfoDCCP // CTA_PROTOINFO_DCCP 168 | ctaProtoInfoSCTP // CTA_PROTOINFO_SCTP 169 | ) 170 | 171 | // protoInfoTCPType describes the kind of TCP protocol info attribute in this container. 172 | type protoInfoTCPType uint8 173 | 174 | // enum ctattr_protoinfo_tcp 175 | const ( 176 | ctaProtoInfoTCPUnspec protoInfoTCPType = iota // CTA_PROTOINFO_TCP_UNSPEC 177 | ctaProtoInfoTCPState // CTA_PROTOINFO_TCP_STATE 178 | ctaProtoInfoTCPWScaleOriginal // CTA_PROTOINFO_TCP_WSCALE_ORIGINAL 179 | ctaProtoInfoTCPWScaleReply // CTA_PROTOINFO_TCP_WSCALE_REPLY 180 | ctaProtoInfoTCPFlagsOriginal // CTA_PROTOINFO_TCP_FLAGS_ORIGINAL 181 | ctaProtoInfoTCPFlagsReply // CTA_PROTOINFO_TCP_FLAGS_REPLY 182 | ) 183 | 184 | // protoInfoDCCPType describes the kind of DCCP protocol info attribute in this container. 185 | type protoInfoDCCPType uint8 186 | 187 | // enum ctattr_protoinfo_dccp 188 | const ( 189 | ctaProtoInfoDCCPUnspec protoInfoDCCPType = iota // CTA_PROTOINFO_DCCP_UNSPEC 190 | ctaProtoInfoDCCPState // CTA_PROTOINFO_DCCP_STATE 191 | ctaProtoInfoDCCPRole // CTA_PROTOINFO_DCCP_ROLE 192 | ctaProtoInfoDCCPHandshakeSeq // CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ 193 | ctaProtoInfoDCCPPad // CTA_PROTOINFO_DCCP_PAD (never sent by kernel) 194 | ) 195 | 196 | // protoInfoSCTPType describes the kind of SCTP protocol info attribute in this container. 197 | type protoInfoSCTPType uint8 198 | 199 | // enum ctattr_protoinfo_sctp 200 | const ( 201 | ctaProtoInfoSCTPUnspec protoInfoSCTPType = iota // CTA_PROTOINFO_SCTP_UNSPEC 202 | ctaProtoInfoSCTPState // CTA_PROTOINFO_SCTP_STATE 203 | ctaProtoInfoSCTPVTagOriginal // CTA_PROTOINFO_SCTP_VTAG_ORIGINAL 204 | ctaProtoInfoSCTPVtagReply // CTA_PROTOINFO_SCTP_VTAG_REPLY 205 | ) 206 | 207 | // seqAdjType describes the type of sequence adjustment in this container. 208 | type seqAdjType uint8 209 | 210 | // enum ctattr_seqadj 211 | const ( 212 | ctaSeqAdjUnspec seqAdjType = iota // CTA_SEQADJ_UNSPEC 213 | ctaSeqAdjCorrectionPos // CTA_SEQADJ_CORRECTION_POS 214 | ctaSeqAdjOffsetBefore // CTA_SEQADJ_OFFSET_BEFORE 215 | ctaSeqAdjOffsetAfter // CTA_SEQADJ_OFFSET_AFTER 216 | ) 217 | 218 | // synProxyType describes the type of SYNproxy attribute in this container. 219 | type synProxyType uint8 220 | 221 | // enum ctattr_synproxy 222 | const ( 223 | ctaSynProxyUnspec synProxyType = iota // CTA_SYNPROXY_UNSPEC 224 | ctaSynProxyISN // CTA_SYNPROXY_ISN 225 | ctaSynProxyITS // CTA_SYNPROXY_ITS 226 | ctaSynProxyTSOff // CTA_SYNPROXY_TSOFF 227 | ) 228 | 229 | // expectType describes the type of expect attribute in this container. 230 | type expectType uint8 231 | 232 | // enum ctattr_expect 233 | const ( 234 | ctaExpectUnspec expectType = iota // CTA_EXPECT_UNSPEC 235 | ctaExpectMaster // CTA_EXPECT_MASTER 236 | ctaExpectTuple // CTA_EXPECT_TUPLE 237 | ctaExpectMask // CTA_EXPECT_MASK 238 | ctaExpectTimeout // CTA_EXPECT_TIMEOUT 239 | ctaExpectID // CTA_EXPECT_ID 240 | ctaExpectHelpName // CTA_EXPECT_HELP_NAME 241 | ctaExpectZone // CTA_EXPECT_ZONE 242 | ctaExpectFlags // CTA_EXPECT_FLAGS 243 | ctaExpectClass // CTA_EXPECT_CLASS 244 | ctaExpectNAT // CTA_EXPECT_NAT 245 | ctaExpectFN // CTA_EXPECT_FN 246 | ) 247 | 248 | // expectNATType describes the type of NAT expect attribute in this container. 249 | type expectNATType uint8 250 | 251 | // enum ctattr_expect_nat 252 | const ( 253 | ctaExpectNATUnspec expectNATType = iota // CTA_EXPECT_NAT_UNSPEC 254 | ctaExpectNATDir // CTA_EXPECT_NAT_DIR 255 | ctaExpectNATTuple // CTA_EXPECT_NAT_TUPLE 256 | ) 257 | 258 | // cpuStatsType describes the type of CPU-specific conntrack statistics attribute in this container. 259 | type cpuStatsType uint8 260 | 261 | // ctattr_stats_cpu 262 | const ( 263 | ctaStatsUnspec cpuStatsType = iota // CTA_STATS_UNSPEC 264 | ctaStatsSearched // CTA_STATS_SEARCHED, no longer used 265 | ctaStatsFound // CTA_STATS_FOUND 266 | ctaStatsNew // CTA_STATS_NEW, no longer used 267 | ctaStatsInvalid // CTA_STATS_INVALID 268 | ctaStatsIgnore // CTA_STATS_IGNORE 269 | ctaStatsDelete // CTA_STATS_DELETE, no longer used 270 | ctaStatsDeleteList // CTA_STATS_DELETE_LIST, no longer used 271 | ctaStatsInsert // CTA_STATS_INSERT 272 | ctaStatsInsertFailed // CTA_STATS_INSERT_FAILED 273 | ctaStatsDrop // CTA_STATS_DROP 274 | ctaStatsEarlyDrop // CTA_STATS_EARLY_DROP 275 | ctaStatsError // CTA_STATS_ERROR 276 | ctaStatsSearchRestart // CTA_STATS_SEARCH_RESTART 277 | ) 278 | 279 | // globalStatsType describes the type of global conntrack statistics attribute in this container. 280 | type globalStatsType uint8 281 | 282 | // enum ctattr_stats_global 283 | const ( 284 | ctaStatsGlobalUnspec globalStatsType = iota // CTA_STATS_GLOBAL_UNSPEC 285 | ctaStatsGlobalEntries // CTA_STATS_GLOBAL_ENTRIES 286 | ctaStatsGlobalMaxEntries // CTA_STATS_GLOBAL_MAX_ENTRIES 287 | ) 288 | 289 | // expectStatsType describes the type of expectation statistics attribute in this container. 290 | type expectStatsType uint8 291 | 292 | // enum ctattr_expect_stats 293 | const ( 294 | ctaStatsExpUnspec expectStatsType = iota // CTA_STATS_EXP_UNSPEC 295 | ctaStatsExpNew // CTA_STATS_EXP_NEW 296 | ctaStatsExpCreate // CTA_STATS_EXP_CREATE 297 | ctaStatsExpDelete // CTA_STATS_EXP_DELETE 298 | ) 299 | 300 | // enum ctattr_natseq is unused in the kernel source 301 | 302 | // Unused unspec constants. 303 | var _ = []uint8{ 304 | uint8(ctaHelpUnspec), uint8(ctaCountersUnspec), uint8(ctaTimestampUnspec), 305 | uint8(ctaSecCtxUnspec), uint8(ctaProtoInfoTCPUnspec), uint8(ctaProtoInfoDCCPUnspec), 306 | uint8(ctaProtoInfoSCTPUnspec), uint8(ctaSeqAdjUnspec), uint8(ctaSynProxyUnspec), 307 | } 308 | -------------------------------------------------------------------------------- /errors.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import "errors" 4 | 5 | var ( 6 | errNotConntrack = errors.New("trying to decode a non-conntrack or conntrack-exp message") 7 | errConnHasListeners = errors.New("Conn has existing listeners, open another to listen on more groups") 8 | errMultipartEvent = errors.New("received multicast event with more than one Netlink message") 9 | 10 | errUnknownAttribute = errors.New("unknown attribute") 11 | errUnknownEventType = errors.New("unknown event") 12 | 13 | errNotNested = errors.New("needs to be a nested attribute") 14 | errNeedSingleChild = errors.New("need (at least) 1 child attribute") 15 | errNeedChildren = errors.New("need (at least) 2 child attributes") 16 | errIncorrectSize = errors.New("binary attribute data has incorrect size") 17 | 18 | errReusedEvent = errors.New("cannot to unmarshal into existing Event") 19 | errReusedProtoInfo = errors.New("cannot to unmarshal into existing ProtoInfo") 20 | 21 | errBadIPTuple = errors.New("IPTuple source and destination must be valid addresses of the same family") 22 | 23 | errNeedTimeout = errors.New("Flow needs Timeout field set for this operation") 24 | errNeedTuples = errors.New("Flow needs Original and Reply Tuple set for this operation") 25 | 26 | errUpdateMaster = errors.New("cannot send TupleMaster in Flow update") 27 | 28 | errExpectNeedTuples = errors.New("Expect needs Tuple, Mask and TupleMaster Tuples set for this operation") 29 | 30 | errNoWorkers = errors.New("number of workers to start cannot be 0") 31 | ) 32 | -------------------------------------------------------------------------------- /event.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/mdlayher/netlink" 7 | "github.com/ti-mo/netfilter" 8 | ) 9 | 10 | // Event holds information about a Conntrack event. 11 | type Event struct { 12 | Type eventType 13 | 14 | Flow *Flow 15 | Expect *Expect 16 | } 17 | 18 | // eventType is a custom type that describes the Conntrack event type. 19 | type eventType uint8 20 | 21 | // List of all types of Conntrack events. This is an internal representation 22 | // unrelated to any message types in the kernel source. 23 | const ( 24 | EventUnknown eventType = iota 25 | EventNew 26 | EventUpdate 27 | EventDestroy 28 | EventExpNew 29 | EventExpDestroy 30 | ) 31 | 32 | // unmarshal unmarshals a Conntrack EventType from a Netfilter header. 33 | func (et *eventType) unmarshal(h netfilter.Header) error { 34 | // Fail when the message is not a conntrack message 35 | switch h.SubsystemID { 36 | case netfilter.NFSubsysCTNetlink: 37 | switch messageType(h.MessageType) { 38 | case ctNew: 39 | // Since the MessageType is only of kind new, get or delete, 40 | // the header's flags are used to distinguish between NEW and UPDATE. 41 | if h.Flags&(netlink.Create|netlink.Excl) != 0 { 42 | *et = EventNew 43 | } else { 44 | *et = EventUpdate 45 | } 46 | case ctDelete: 47 | *et = EventDestroy 48 | default: 49 | return fmt.Errorf("type %d: %w", h.MessageType, errUnknownEventType) 50 | } 51 | case netfilter.NFSubsysCTNetlinkExp: 52 | switch expMessageType(h.MessageType) { 53 | case ctExpNew: 54 | *et = EventExpNew 55 | case ctExpDelete: 56 | *et = EventExpDestroy 57 | default: 58 | return fmt.Errorf("type %d: %w", h.MessageType, errUnknownEventType) 59 | } 60 | default: 61 | return errNotConntrack 62 | } 63 | 64 | return nil 65 | } 66 | 67 | // Unmarshal unmarshals a Netlink message into an Event structure. 68 | func (e *Event) Unmarshal(nlmsg netlink.Message) error { 69 | // Make sure we don't re-use an Event structure 70 | if e.Expect != nil || e.Flow != nil { 71 | return errReusedEvent 72 | } 73 | 74 | // Obtain the nlmsg's Netfilter header and AttributeDecoder. 75 | h, ad, err := netfilter.DecodeNetlink(nlmsg) 76 | if err != nil { 77 | return err 78 | } 79 | 80 | // Decode the header to make sure we're dealing with a Conntrack event. 81 | if err := e.Type.unmarshal(h); err != nil { 82 | return err 83 | } 84 | 85 | // Unmarshal Netfilter attributes into the event's Flow or Expect entry. 86 | switch id := h.SubsystemID; id { 87 | case netfilter.NFSubsysCTNetlink: 88 | var f Flow 89 | if err := f.unmarshal(ad); err != nil { 90 | return fmt.Errorf("unmarshal flow: %w", err) 91 | } 92 | e.Flow = &f 93 | case netfilter.NFSubsysCTNetlinkExp: 94 | var ex Expect 95 | if err := ex.unmarshal(ad); err != nil { 96 | return fmt.Errorf("unmarshal expect: %w", err) 97 | } 98 | e.Expect = &ex 99 | default: 100 | return fmt.Errorf("unmarshal message from non-conntrack subsystem: %s", id) 101 | } 102 | 103 | return nil 104 | } 105 | -------------------------------------------------------------------------------- /event_integration_test.go: -------------------------------------------------------------------------------- 1 | //go:build integration 2 | 3 | package conntrack 4 | 5 | import ( 6 | "net/netip" 7 | "testing" 8 | 9 | "github.com/mdlayher/netlink" 10 | "github.com/stretchr/testify/assert" 11 | "github.com/stretchr/testify/require" 12 | "golang.org/x/sys/unix" 13 | 14 | "github.com/ti-mo/netfilter" 15 | ) 16 | 17 | func TestConnListen(t *testing.T) { 18 | // Dial a send connection to Netlink in a new namespace. 19 | sc, nsid, err := makeNSConn() 20 | require.NoError(t, err) 21 | 22 | // Create a listener connection in the same namespace. 23 | lc, err := Dial(&netlink.Config{NetNS: nsid}) 24 | require.NoError(t, err) 25 | 26 | // Subscribe to new/update conntrack events using a single worker. 27 | ev := make(chan Event) 28 | errChan, err := lc.Listen(ev, 1, []netfilter.NetlinkGroup{ 29 | netfilter.GroupCTNew, 30 | netfilter.GroupCTUpdate, 31 | netfilter.GroupCTDestroy, 32 | }) 33 | require.NoError(t, err) 34 | 35 | go func() { 36 | err, ok := <-errChan 37 | if !ok { 38 | return 39 | } 40 | require.NoError(t, err) 41 | }() 42 | defer close(errChan) 43 | 44 | var warn bool 45 | 46 | ip := netip.MustParseAddr("::f00") 47 | for _, proto := range []uint8{unix.IPPROTO_TCP, unix.IPPROTO_UDP, unix.IPPROTO_DCCP, unix.IPPROTO_SCTP} { 48 | // Create the Flow. 49 | f := NewFlow( 50 | proto, 0, 51 | ip, ip, 123, 123, 52 | 120, 0, 53 | ) 54 | require.NoError(t, sc.Create(f)) 55 | 56 | // Read a new event from the channel. 57 | re := <-ev 58 | 59 | // Validate new event attributes 60 | // Kernels 4.10 and earlier have a bug in ctnetlink_new_conntrack() that incorrectly sets 61 | // the event type to 'update' when creating a new conntrack. 62 | if re.Type == EventUpdate { 63 | if !warn { 64 | t.Log("Received an Update event upon creating a Flow, this is a known bug in kernels <=4.10") 65 | warn = true // Disable futher warnings 66 | } 67 | } else { 68 | assert.Equal(t, EventNew, re.Type) 69 | } 70 | assert.Equal(t, ip, re.Flow.TupleOrig.IP.SourceAddress) 71 | 72 | // Update the Flow. 73 | f.Timeout = 240 74 | require.NoError(t, sc.Update(f)) 75 | 76 | // Read an update event from the channel. 77 | re = <-ev 78 | 79 | // Validate update event attributes. 80 | assert.Equal(t, EventUpdate, re.Type) 81 | assert.Equal(t, ip, re.Flow.TupleOrig.IP.SourceAddress) 82 | 83 | // Compare the timeout on the connection, but within a 2-second window. 84 | assert.GreaterOrEqual(t, re.Flow.Timeout, f.Timeout-2, "timeout") 85 | 86 | // Delete the Flow. 87 | require.NoError(t, sc.Delete(f)) 88 | 89 | // Read destroy event from the channel. 90 | re = <-ev 91 | assert.Equal(t, EventDestroy, re.Type) 92 | assert.Equal(t, ip, re.Flow.TupleOrig.IP.SourceAddress) 93 | } 94 | 95 | // Close the sockets, interrupting any blocked listeners. 96 | assert.NoError(t, lc.Close()) 97 | assert.NoError(t, sc.Close()) 98 | } 99 | 100 | func TestConnListenError(t *testing.T) { 101 | c, _, err := makeNSConn() 102 | require.NoError(t, err) 103 | 104 | // Too few listen workers 105 | _, err = c.Listen(make(chan Event), 0, nil) 106 | require.ErrorIs(t, err, errNoWorkers) 107 | 108 | // Successfully join a multicast group 109 | _, err = c.Listen(make(chan Event), 1, netfilter.GroupsCT) 110 | require.NoError(t, err) 111 | 112 | // Fail when joining another multicast group 113 | _, err = c.Listen(make(chan Event), 1, netfilter.GroupsCT) 114 | require.ErrorIs(t, err, errConnHasListeners) 115 | } 116 | -------------------------------------------------------------------------------- /event_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/mdlayher/netlink" 7 | "github.com/stretchr/testify/assert" 8 | "github.com/stretchr/testify/require" 9 | "github.com/ti-mo/netfilter" 10 | ) 11 | 12 | var eventTypeTests = []struct { 13 | name string 14 | et eventType 15 | nfh netfilter.Header 16 | err error 17 | }{ 18 | { 19 | name: "error unmarshal not conntrack", 20 | err: errNotConntrack, 21 | }, 22 | { 23 | name: "conntrack new", 24 | nfh: netfilter.Header{ 25 | SubsystemID: netfilter.NFSubsysCTNetlink, 26 | MessageType: netfilter.MessageType(ctNew), 27 | Flags: netlink.Create | netlink.Excl, 28 | }, 29 | et: EventNew, 30 | }, 31 | { 32 | name: "conntrack update", 33 | nfh: netfilter.Header{ 34 | SubsystemID: netfilter.NFSubsysCTNetlink, 35 | MessageType: netfilter.MessageType(ctNew), 36 | }, 37 | et: EventUpdate, 38 | }, 39 | { 40 | name: "conntrack destroy", 41 | nfh: netfilter.Header{ 42 | SubsystemID: netfilter.NFSubsysCTNetlink, 43 | MessageType: netfilter.MessageType(ctDelete), 44 | }, 45 | et: EventDestroy, 46 | }, 47 | { 48 | name: "error unmarshal conntrack unknown event", 49 | nfh: netfilter.Header{ 50 | SubsystemID: netfilter.NFSubsysCTNetlink, 51 | MessageType: 255, 52 | }, 53 | err: errUnknownEventType, 54 | }, 55 | { 56 | name: "conntrack exp new", 57 | nfh: netfilter.Header{ 58 | SubsystemID: netfilter.NFSubsysCTNetlinkExp, 59 | MessageType: netfilter.MessageType(ctExpNew), 60 | }, 61 | et: EventExpNew, 62 | }, 63 | { 64 | name: "conntrack exp destroy", 65 | nfh: netfilter.Header{ 66 | SubsystemID: netfilter.NFSubsysCTNetlinkExp, 67 | MessageType: netfilter.MessageType(ctExpDelete), 68 | }, 69 | et: EventExpDestroy, 70 | }, 71 | { 72 | name: "error unmarshal conntrack exp unknown event", 73 | nfh: netfilter.Header{ 74 | SubsystemID: netfilter.NFSubsysCTNetlinkExp, 75 | MessageType: 255, 76 | }, 77 | err: errUnknownEventType, 78 | }, 79 | } 80 | 81 | func TestEventTypeUnmarshal(t *testing.T) { 82 | for _, tt := range eventTypeTests { 83 | t.Run(tt.name, func(t *testing.T) { 84 | var et eventType 85 | err := et.unmarshal(tt.nfh) 86 | if err != nil || tt.err != nil { 87 | require.ErrorIs(t, err, tt.err) 88 | return 89 | } 90 | 91 | assert.Equal(t, tt.et, et, "event type mismatch") 92 | }) 93 | } 94 | } 95 | 96 | func TestEventTypeString(t *testing.T) { 97 | assert.Equal(t, "eventType(255)", eventType(255).String()) 98 | } 99 | 100 | var eventTests = []struct { 101 | name string 102 | e Event 103 | nfh netfilter.Header 104 | nfattrs []netfilter.Attribute 105 | }{ 106 | { 107 | name: "correct empty new flow event", 108 | nfh: netfilter.Header{ 109 | SubsystemID: netfilter.NFSubsysCTNetlink, 110 | Flags: netlink.Create | netlink.Excl, 111 | }, 112 | e: Event{ 113 | Type: EventNew, 114 | Flow: &Flow{}, 115 | }, 116 | }, 117 | { 118 | name: "correct empty expect destroy event", 119 | nfh: netfilter.Header{ 120 | SubsystemID: netfilter.NFSubsysCTNetlinkExp, 121 | MessageType: netfilter.MessageType(ctExpDelete), 122 | }, 123 | e: Event{ 124 | Type: EventExpDestroy, 125 | Expect: &Expect{}, 126 | }, 127 | }, 128 | } 129 | 130 | func TestEventUnmarshal(t *testing.T) { 131 | for _, tt := range eventTests { 132 | t.Run(tt.name, func(t *testing.T) { 133 | // Re-use netfilter's MarshalNetlink because we don't want to roll binary netlink messages by hand. 134 | nlm, err := netfilter.MarshalNetlink(tt.nfh, tt.nfattrs) 135 | require.NoError(t, err) 136 | 137 | var e Event 138 | assert.NoError(t, e.Unmarshal(nlm)) 139 | assert.Equal(t, tt.e, e, "unexpected unmarshal") 140 | }) 141 | } 142 | } 143 | 144 | func TestEventUnmarshalError(t *testing.T) { 145 | // Unmarshal into event with existing Flow 146 | eventExistingFlow := Event{Flow: &Flow{}} 147 | assert.ErrorIs(t, eventExistingFlow.Unmarshal(netlink.Message{}), errReusedEvent) 148 | 149 | // EventType unmarshal error, blank SubsystemID 150 | var emptyEvent Event 151 | assert.ErrorIs(t, emptyEvent.Unmarshal(netlink.Message{ 152 | Header: netlink.Header{}, 153 | Data: []byte{1, 2, 3, 4}, 154 | }), errNotConntrack) 155 | 156 | // Cause a random error during Flow unmarshal 157 | assert.ErrorIs(t, emptyEvent.Unmarshal(netlink.Message{ 158 | Header: netlink.Header{Type: netlink.HeaderType(netfilter.NFSubsysCTNetlink) << 8}, 159 | Data: []byte{ 160 | 1, 2, 3, 4, // random 4-byte nfgenmsg 161 | 4, 0, 1, 0, // 4-byte (empty) netlink attribute of type 1 162 | }}), errNotNested) 163 | } 164 | -------------------------------------------------------------------------------- /eventtype_string.go: -------------------------------------------------------------------------------- 1 | // Code generated by "stringer -type=eventType"; DO NOT EDIT. 2 | 3 | package conntrack 4 | 5 | import "strconv" 6 | 7 | func _() { 8 | // An "invalid array index" compiler error signifies that the constant values have changed. 9 | // Re-run the stringer command to generate them again. 10 | var x [1]struct{} 11 | _ = x[EventUnknown-0] 12 | _ = x[EventNew-1] 13 | _ = x[EventUpdate-2] 14 | _ = x[EventDestroy-3] 15 | _ = x[EventExpNew-4] 16 | _ = x[EventExpDestroy-5] 17 | } 18 | 19 | const _eventType_name = "EventUnknownEventNewEventUpdateEventDestroyEventExpNewEventExpDestroy" 20 | 21 | var _eventType_index = [...]uint8{0, 12, 20, 31, 43, 54, 69} 22 | 23 | func (i eventType) String() string { 24 | if i >= eventType(len(_eventType_index)-1) { 25 | return "eventType(" + strconv.FormatInt(int64(i), 10) + ")" 26 | } 27 | return _eventType_name[_eventType_index[i]:_eventType_index[i+1]] 28 | } 29 | -------------------------------------------------------------------------------- /expect.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/mdlayher/netlink" 7 | "github.com/ti-mo/netfilter" 8 | ) 9 | 10 | // Expect represents an 'expected' connection, created by Conntrack/IPTables helpers. 11 | // Active connections created by helpers are shown by the conntrack tooling as 'RELATED'. 12 | type Expect struct { 13 | ID, Timeout uint32 14 | 15 | TupleMaster, Tuple, Mask Tuple 16 | 17 | Zone uint16 18 | 19 | HelpName, Function string 20 | 21 | Flags, Class uint32 22 | 23 | NAT ExpectNAT 24 | } 25 | 26 | // ExpectNAT holds NAT information about an expected connection. 27 | type ExpectNAT struct { 28 | Direction bool 29 | Tuple Tuple 30 | } 31 | 32 | // unmarshal unmarshals a netfilter.Attribute into an ExpectNAT. 33 | func (en *ExpectNAT) unmarshal(ad *netlink.AttributeDecoder) error { 34 | if ad.Len() == 0 { 35 | return errNeedSingleChild 36 | } 37 | 38 | for ad.Next() { 39 | switch t := expectNATType(ad.Type()); t { 40 | case ctaExpectNATDir: 41 | en.Direction = ad.Uint32() == 1 42 | case ctaExpectNATTuple: 43 | ad.Nested(en.Tuple.unmarshal) 44 | if err := ad.Err(); err != nil { 45 | return fmt.Errorf("unmarshal %s: %w", t, err) 46 | } 47 | default: 48 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 49 | } 50 | } 51 | 52 | return ad.Err() 53 | } 54 | 55 | func (en ExpectNAT) marshal() (netfilter.Attribute, error) { 56 | nfa := netfilter.Attribute{Type: uint16(ctaExpectNAT), Nested: true, Children: make([]netfilter.Attribute, 2)} 57 | 58 | var dir uint32 59 | if en.Direction { 60 | dir = 1 61 | } 62 | 63 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaExpectNATDir), Data: netfilter.Uint32Bytes(dir)} 64 | 65 | ta, err := en.Tuple.marshal(uint16(ctaExpectNATTuple)) 66 | if err != nil { 67 | return nfa, err 68 | } 69 | nfa.Children[1] = ta 70 | 71 | return nfa, nil 72 | } 73 | 74 | // unmarshal unmarshals a list of netfilter.Attributes into an Expect structure. 75 | func (ex *Expect) unmarshal(ad *netlink.AttributeDecoder) error { 76 | for ad.Next() { 77 | // Attribute has nested flag set, decode it and its children. 78 | if err := ex.unmarshalNested(ad); err != nil { 79 | return err 80 | } 81 | 82 | switch expectType(ad.Type()) { 83 | case ctaExpectTimeout: 84 | ex.Timeout = ad.Uint32() 85 | case ctaExpectID: 86 | ex.ID = ad.Uint32() 87 | case ctaExpectHelpName: 88 | ex.HelpName = ad.String() 89 | case ctaExpectZone: 90 | ex.Zone = ad.Uint16() 91 | case ctaExpectFlags: 92 | ex.Flags = ad.Uint32() 93 | case ctaExpectClass: 94 | ex.Class = ad.Uint32() 95 | case ctaExpectFN: 96 | ex.Function = ad.String() 97 | } 98 | } 99 | 100 | return ad.Err() 101 | } 102 | 103 | func (ex *Expect) unmarshalNested(ad *netlink.AttributeDecoder) error { 104 | var fn func(nad *netlink.AttributeDecoder) error 105 | t := expectType(ad.Type()) 106 | switch t { 107 | case ctaExpectMaster: 108 | fn = ex.TupleMaster.unmarshal 109 | case ctaExpectTuple: 110 | fn = ex.Tuple.unmarshal 111 | case ctaExpectMask: 112 | fn = ex.Mask.unmarshal 113 | case ctaExpectNAT: 114 | fn = ex.NAT.unmarshal 115 | default: 116 | // No nested attributes matched, nothing to do. 117 | return nil 118 | } 119 | 120 | // Found nested attribute, but missing nested flag. 121 | if !nestedFlag(ad.TypeFlags()) { 122 | return fmt.Errorf("attribute %v: %w", t, errNotNested) 123 | } 124 | 125 | ad.Nested(fn) 126 | if err := ad.Err(); err != nil { 127 | return fmt.Errorf("unmarshal %s: %w", t, err) 128 | } 129 | 130 | return nil 131 | } 132 | 133 | func (ex Expect) marshal() ([]netfilter.Attribute, error) { 134 | // Expectations need Tuple, Mask and TupleMaster filled to be valid. 135 | if !ex.Tuple.filled() || !ex.Mask.filled() || !ex.TupleMaster.filled() { 136 | return nil, errExpectNeedTuples 137 | } 138 | 139 | attrs := make([]netfilter.Attribute, 4, 10) 140 | 141 | tm, err := ex.TupleMaster.marshal(uint16(ctaExpectMaster)) 142 | if err != nil { 143 | return nil, err 144 | } 145 | attrs[0] = tm 146 | 147 | tp, err := ex.Tuple.marshal(uint16(ctaExpectTuple)) 148 | if err != nil { 149 | return nil, err 150 | } 151 | attrs[1] = tp 152 | 153 | ts, err := ex.Mask.marshal(uint16(ctaExpectMask)) 154 | if err != nil { 155 | return nil, err 156 | } 157 | attrs[2] = ts 158 | 159 | attrs[3] = netfilter.Attribute{Type: uint16(ctaExpectTimeout), Data: netfilter.Uint32Bytes(ex.Timeout)} 160 | 161 | if ex.HelpName != "" { 162 | attrs = append(attrs, netfilter.Attribute{Type: uint16(ctaExpectHelpName), Data: []byte(ex.HelpName)}) 163 | } 164 | 165 | if ex.Zone != 0 { 166 | attrs = append(attrs, netfilter.Attribute{Type: uint16(ctaExpectZone), Data: netfilter.Uint16Bytes(ex.Zone)}) 167 | } 168 | 169 | if ex.Class != 0 { 170 | attrs = append(attrs, netfilter.Attribute{Type: uint16(ctaExpectClass), Data: netfilter.Uint32Bytes(ex.Class)}) 171 | } 172 | 173 | if ex.Flags != 0 { 174 | attrs = append(attrs, netfilter.Attribute{Type: uint16(ctaExpectFlags), Data: netfilter.Uint32Bytes(ex.Flags)}) 175 | } 176 | 177 | if ex.Function != "" { 178 | attrs = append(attrs, netfilter.Attribute{Type: uint16(ctaExpectFN), Data: []byte(ex.Function)}) 179 | } 180 | 181 | if ex.NAT.Tuple.filled() { 182 | en, err := ex.NAT.marshal() 183 | if err != nil { 184 | return nil, err 185 | } 186 | attrs = append(attrs, en) 187 | } 188 | 189 | return attrs, nil 190 | } 191 | 192 | // unmarshalExpect unmarshals an Expect from a netlink.Message. 193 | // The Message must contain valid attributes. 194 | func unmarshalExpect(nlm netlink.Message) (Expect, error) { 195 | var ex Expect 196 | _, ad, err := netfilter.DecodeNetlink(nlm) 197 | if err != nil { 198 | return ex, err 199 | } 200 | 201 | err = ex.unmarshal(ad) 202 | if err != nil { 203 | return ex, err 204 | } 205 | 206 | return ex, nil 207 | } 208 | 209 | // unmarshalExpects unmarshals a list of expected connections from a list of Netlink messages. 210 | // This method can be used to parse the result of a dump or get query. 211 | func unmarshalExpects(nlm []netlink.Message) ([]Expect, error) { 212 | // Pre-allocate to avoid re-allocating output slice on every op 213 | out := make([]Expect, 0, len(nlm)) 214 | 215 | for i := 0; i < len(nlm); i++ { 216 | 217 | ex, err := unmarshalExpect(nlm[i]) 218 | if err != nil { 219 | return nil, err 220 | } 221 | 222 | out = append(out, ex) 223 | } 224 | 225 | return out, nil 226 | } 227 | -------------------------------------------------------------------------------- /expect_integration_test.go: -------------------------------------------------------------------------------- 1 | //go:build integration 2 | 3 | package conntrack 4 | 5 | import ( 6 | "net/netip" 7 | "testing" 8 | 9 | "golang.org/x/sys/unix" 10 | 11 | "github.com/stretchr/testify/require" 12 | ) 13 | 14 | // No meaningful integration test possible until we can figure out how 15 | // to create expects from userspace. 16 | func TestConnDumpExpect(t *testing.T) { 17 | 18 | c, _, err := makeNSConn() 19 | require.NoError(t, err) 20 | 21 | _, err = c.DumpExpect() 22 | require.NoError(t, err, "unexpected error dumping expect table") 23 | } 24 | 25 | // Attempt at creating conntrack expectation from userspace. 26 | func TestConnCreateExpect(t *testing.T) { 27 | c, _, err := makeNSConn() 28 | require.NoError(t, err) 29 | 30 | f := NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 42000, 21, 120, 0) 31 | 32 | err = c.Create(f) 33 | require.NoError(t, err, "unexpected error creating flow", f) 34 | 35 | ex := Expect{ 36 | Timeout: 300, 37 | TupleMaster: f.TupleOrig, 38 | Tuple: Tuple{ 39 | IP: IPTuple{ 40 | SourceAddress: netip.MustParseAddr("1.2.3.4"), 41 | DestinationAddress: netip.MustParseAddr("5.6.7.8"), 42 | }, 43 | Proto: ProtoTuple{ 44 | Protocol: 6, 45 | SourcePort: 0, 46 | DestinationPort: 30000, 47 | }, 48 | }, 49 | Mask: Tuple{ 50 | IP: IPTuple{ 51 | SourceAddress: netip.MustParseAddr("255.255.255.255"), 52 | DestinationAddress: netip.MustParseAddr("255.255.255.255"), 53 | }, 54 | Proto: ProtoTuple{ 55 | Protocol: 6, 56 | SourcePort: 0, 57 | DestinationPort: 65535, 58 | }, 59 | }, 60 | HelpName: "ftp", 61 | Class: 0x30, 62 | } 63 | 64 | require.ErrorIs(t, c.CreateExpect(ex), unix.EINVAL) 65 | } 66 | -------------------------------------------------------------------------------- /expect_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "net/netip" 5 | "testing" 6 | 7 | "github.com/stretchr/testify/assert" 8 | "github.com/stretchr/testify/require" 9 | "github.com/ti-mo/netfilter" 10 | ) 11 | 12 | var corpusExpect = []struct { 13 | name string 14 | attrs []netfilter.Attribute 15 | exp Expect 16 | }{ 17 | { 18 | name: "scalar and simple binary attributes", 19 | attrs: []netfilter.Attribute{ 20 | { 21 | Type: uint16(ctaExpectID), 22 | Data: []byte{0, 1, 2, 3}, 23 | }, 24 | { 25 | Type: uint16(ctaExpectTimeout), 26 | Data: []byte{0, 1, 2, 3}, 27 | }, 28 | { 29 | Type: uint16(ctaExpectZone), 30 | Data: []byte{4, 5}, 31 | }, 32 | { 33 | Type: uint16(ctaExpectFlags), 34 | Data: []byte{5, 6, 7, 8}, 35 | }, 36 | { 37 | Type: uint16(ctaExpectClass), 38 | Data: []byte{5, 6, 7, 8}, 39 | }, 40 | }, 41 | exp: Expect{ 42 | ID: 0x010203, 43 | Timeout: 0x010203, 44 | Zone: 0x0405, 45 | Flags: 0x05060708, 46 | Class: 0x05060708, 47 | }, 48 | }, 49 | { 50 | name: "master, tuple, mask tuple attributes", 51 | attrs: []netfilter.Attribute{ 52 | { 53 | Type: uint16(ctaExpectMaster), 54 | Nested: true, 55 | Children: []netfilter.Attribute{ 56 | { 57 | Type: uint16(ctaTupleIP), 58 | Nested: true, 59 | Children: []netfilter.Attribute{ 60 | { 61 | Type: uint16(ctaIPv4Src), 62 | Data: []byte{127, 0, 0, 1}, 63 | }, 64 | { 65 | Type: uint16(ctaIPv4Dst), 66 | Data: []byte{127, 0, 0, 2}, 67 | }, 68 | }, 69 | }, 70 | { 71 | Type: uint16(ctaTupleProto), 72 | Nested: true, 73 | Children: []netfilter.Attribute{ 74 | { 75 | Type: uint16(ctaProtoNum), 76 | Data: []byte{0x06}, 77 | }, 78 | { 79 | Type: uint16(ctaProtoSrcPort), 80 | Data: []byte{0xa6, 0xd2}, 81 | }, 82 | { 83 | Type: uint16(ctaProtoDstPort), 84 | Data: []byte{0x00, 0x0c}, 85 | }, 86 | }, 87 | }, 88 | }, 89 | }, 90 | { 91 | Type: uint16(ctaExpectTuple), 92 | Nested: true, 93 | Children: []netfilter.Attribute{ 94 | { 95 | Type: uint16(ctaTupleIP), 96 | Nested: true, 97 | Children: []netfilter.Attribute{ 98 | { 99 | Type: uint16(ctaIPv4Src), 100 | Data: []byte{127, 0, 0, 1}, 101 | }, 102 | { 103 | Type: uint16(ctaIPv4Dst), 104 | Data: []byte{127, 0, 0, 2}, 105 | }, 106 | }, 107 | }, 108 | { 109 | Type: uint16(ctaTupleProto), 110 | Nested: true, 111 | Children: []netfilter.Attribute{ 112 | { 113 | Type: uint16(ctaProtoNum), 114 | Data: []byte{0x06}, 115 | }, 116 | { 117 | Type: uint16(ctaProtoSrcPort), 118 | Data: []byte{0x0, 0x0}, 119 | }, 120 | { 121 | Type: uint16(ctaProtoDstPort), 122 | Data: []byte{0x75, 0x30}, 123 | }, 124 | }, 125 | }, 126 | }, 127 | }, 128 | { 129 | Type: uint16(ctaExpectMask), 130 | Nested: true, 131 | Children: []netfilter.Attribute{ 132 | { 133 | Type: uint16(ctaTupleIP), 134 | Nested: true, 135 | Children: []netfilter.Attribute{ 136 | { 137 | Type: uint16(ctaIPv4Src), 138 | Data: []byte{0xff, 0xff, 0xff, 0xff}, 139 | }, 140 | { 141 | Type: uint16(ctaIPv4Dst), 142 | Data: []byte{0xff, 0xff, 0xff, 0xff}, 143 | }, 144 | }, 145 | }, 146 | { 147 | Type: uint16(ctaTupleProto), 148 | Nested: true, 149 | Children: []netfilter.Attribute{ 150 | { 151 | Type: uint16(ctaProtoNum), 152 | Data: []byte{0x06}, 153 | }, 154 | { 155 | Type: uint16(ctaProtoSrcPort), 156 | Data: []byte{0x0, 0x0}, 157 | }, 158 | { 159 | Type: uint16(ctaProtoDstPort), 160 | Data: []byte{0xff, 0xff}, 161 | }, 162 | }, 163 | }, 164 | }, 165 | }, 166 | { 167 | Type: uint16(ctaExpectNAT), 168 | Nested: true, 169 | Children: []netfilter.Attribute{ 170 | { 171 | Type: uint16(ctaExpectNATDir), 172 | Data: []byte{0x00, 0x00, 0x00, 0x01}, 173 | }, 174 | { 175 | Type: uint16(ctaExpectNATTuple), 176 | Nested: true, 177 | Children: nfaIPPT, 178 | }, 179 | }, 180 | }, 181 | }, 182 | exp: Expect{ 183 | TupleMaster: Tuple{ 184 | IP: IPTuple{ 185 | SourceAddress: netip.MustParseAddr("127.0.0.1"), 186 | DestinationAddress: netip.MustParseAddr("127.0.0.2"), 187 | }, 188 | Proto: ProtoTuple{ 189 | Protocol: 6, 190 | SourcePort: 42706, 191 | DestinationPort: 12, 192 | }, 193 | }, 194 | Tuple: Tuple{ 195 | IP: IPTuple{ 196 | SourceAddress: netip.MustParseAddr("127.0.0.1"), 197 | DestinationAddress: netip.MustParseAddr("127.0.0.2"), 198 | }, 199 | Proto: ProtoTuple{ 200 | Protocol: 6, 201 | DestinationPort: 30000, 202 | }, 203 | }, 204 | Mask: Tuple{ 205 | IP: IPTuple{ 206 | SourceAddress: netip.MustParseAddr("255.255.255.255"), 207 | DestinationAddress: netip.MustParseAddr("255.255.255.255"), 208 | }, 209 | Proto: ProtoTuple{ 210 | Protocol: 6, 211 | DestinationPort: 0xffff, 212 | }, 213 | }, 214 | NAT: ExpectNAT{ 215 | Direction: true, 216 | Tuple: flowIPPT, 217 | }, 218 | }, 219 | }, 220 | { 221 | name: "string attributes", 222 | attrs: []netfilter.Attribute{ 223 | { 224 | Type: uint16(ctaExpectHelpName), 225 | Data: []byte("ftp"), 226 | }, 227 | { 228 | Type: uint16(ctaExpectFN), 229 | Data: []byte("func_name"), 230 | }, 231 | }, 232 | exp: Expect{ 233 | HelpName: "ftp", 234 | Function: "func_name", 235 | }, 236 | }, 237 | } 238 | 239 | var corpusExpectUnmarshalError = []struct { 240 | name string 241 | nfa netfilter.Attribute 242 | }{ 243 | { 244 | name: "error unmarshal invalid master tuple", 245 | nfa: netfilter.Attribute{Type: uint16(ctaExpectMaster)}, 246 | }, 247 | { 248 | name: "error unmarshal invalid tuple", 249 | nfa: netfilter.Attribute{Type: uint16(ctaExpectTuple)}, 250 | }, 251 | { 252 | name: "error unmarshal invalid mask tuple", 253 | nfa: netfilter.Attribute{Type: uint16(ctaExpectMask)}, 254 | }, 255 | { 256 | name: "error unmarshal invalid nat", 257 | nfa: netfilter.Attribute{Type: uint16(ctaExpectNAT)}, 258 | }, 259 | } 260 | 261 | func TestExpectUnmarshal(t *testing.T) { 262 | for _, tt := range corpusExpect { 263 | t.Run(tt.name, func(t *testing.T) { 264 | var ex Expect 265 | require.NoError(t, ex.unmarshal(mustDecodeAttributes(tt.attrs))) 266 | assert.Equal(t, tt.exp, ex, "unexpected unmarshal") 267 | }) 268 | } 269 | 270 | for _, tt := range corpusExpectUnmarshalError { 271 | t.Run(tt.name, func(t *testing.T) { 272 | var ex Expect 273 | err := ex.unmarshal(mustDecodeAttributes([]netfilter.Attribute{tt.nfa})) 274 | assert.ErrorIs(t, err, errNotNested) 275 | }) 276 | } 277 | } 278 | 279 | func TestExpectMarshal(t *testing.T) { 280 | ex := Expect{ 281 | TupleMaster: flowIPPT, Tuple: flowIPPT, Mask: flowIPPT, 282 | Timeout: 240, 283 | Zone: 5, 284 | HelpName: "ftp", 285 | Function: "func", 286 | Flags: 123, 287 | Class: 456, 288 | NAT: ExpectNAT{ 289 | Direction: true, 290 | Tuple: flowIPPT, 291 | }, 292 | } 293 | 294 | exm, err := ex.marshal() 295 | require.NoError(t, err, "Expect marshal") 296 | 297 | want := []netfilter.Attribute{ 298 | { 299 | Type: uint16(ctaExpectMaster), 300 | Nested: true, 301 | Children: nfaIPPT, 302 | }, 303 | { 304 | Type: uint16(ctaExpectTuple), 305 | Nested: true, 306 | Children: nfaIPPT, 307 | }, 308 | { 309 | Type: uint16(ctaExpectMask), 310 | Nested: true, 311 | Children: nfaIPPT, 312 | }, 313 | { 314 | Type: uint16(ctaExpectTimeout), 315 | Data: []byte{0x00, 0x00, 0x00, 0xf0}, 316 | }, 317 | { 318 | Type: uint16(ctaExpectHelpName), 319 | Data: []byte("ftp"), 320 | }, 321 | { 322 | Type: uint16(ctaExpectZone), 323 | Data: []byte{0x00, 0x05}, 324 | }, 325 | { 326 | Type: uint16(ctaExpectClass), 327 | Data: []byte{0x00, 0x00, 0x01, 0xc8}, 328 | }, 329 | { 330 | Type: uint16(ctaExpectFlags), 331 | Data: []byte{0x00, 0x00, 0x00, 0x7b}, 332 | }, 333 | { 334 | Type: uint16(ctaExpectFN), 335 | Data: []byte("func"), 336 | }, 337 | { 338 | Type: uint16(ctaExpectNAT), 339 | Nested: true, 340 | Children: []netfilter.Attribute{ 341 | { 342 | Type: uint16(ctaExpectNATDir), 343 | Data: []byte{0x0, 0x0, 0x0, 0x1}, 344 | }, 345 | { 346 | Type: uint16(ctaExpectNATTuple), 347 | Nested: true, 348 | Children: nfaIPPT, 349 | }, 350 | }, 351 | }, 352 | } 353 | 354 | assert.Equal(t, want, exm, "unexpected Expect marshal") 355 | 356 | // Cannot marshal without tuple/mask/master Tuples 357 | _, err = Expect{}.marshal() 358 | assert.ErrorIs(t, err, errExpectNeedTuples) 359 | 360 | // Return error from tuple/mask/master Tuple marshals 361 | _, err = Expect{TupleMaster: flowBadIPPT, Tuple: flowIPPT, Mask: flowIPPT}.marshal() 362 | assert.ErrorIs(t, err, errBadIPTuple) 363 | _, err = Expect{TupleMaster: flowIPPT, Tuple: flowBadIPPT, Mask: flowIPPT}.marshal() 364 | assert.ErrorIs(t, err, errBadIPTuple) 365 | _, err = Expect{TupleMaster: flowIPPT, Tuple: flowIPPT, Mask: flowBadIPPT}.marshal() 366 | assert.ErrorIs(t, err, errBadIPTuple) 367 | 368 | // Return error from Tuple marshal in ExpectNAT 369 | _, err = Expect{TupleMaster: flowIPPT, Tuple: flowIPPT, Mask: flowIPPT, NAT: ExpectNAT{Tuple: flowBadIPPT}}.marshal() 370 | assert.ErrorIs(t, err, errBadIPTuple) 371 | } 372 | 373 | var corpusExpectNAT = []struct { 374 | name string 375 | attr []netfilter.Attribute 376 | enat ExpectNAT 377 | err error 378 | }{ 379 | { 380 | name: "simple direction, tuple unmarshal", 381 | attr: []netfilter.Attribute{ 382 | { 383 | Type: uint16(ctaExpectNATDir), 384 | Data: []byte{0x00, 0x00, 0x00, 0x01}, 385 | }, 386 | { 387 | Type: uint16(ctaExpectNATTuple), 388 | Nested: true, 389 | Children: nfaIPPT, 390 | }, 391 | }, 392 | enat: ExpectNAT{ 393 | Direction: true, 394 | Tuple: flowIPPT, 395 | }, 396 | }, 397 | { 398 | name: "error unmarshal with incorrect amount of children", 399 | err: errNeedSingleChild, 400 | }, 401 | { 402 | name: "error unknown type", 403 | attr: []netfilter.Attribute{{Type: 255}}, 404 | err: errUnknownAttribute, 405 | }, 406 | } 407 | 408 | func TestExpectNATUnmarshal(t *testing.T) { 409 | for _, tt := range corpusExpectNAT { 410 | t.Run(tt.name, func(t *testing.T) { 411 | 412 | var enat ExpectNAT 413 | err := enat.unmarshal(mustDecodeAttributes(tt.attr)) 414 | 415 | if tt.err != nil { 416 | require.ErrorIs(t, err, tt.err) 417 | return 418 | } 419 | 420 | require.NoError(t, err) 421 | assert.Equal(t, tt.enat, enat, "unexpected unmarshal") 422 | }) 423 | } 424 | } 425 | 426 | func TestExpectNATMarshal(t *testing.T) { 427 | 428 | // Expect a marshal without errors 429 | en := ExpectNAT{ 430 | Direction: true, 431 | Tuple: Tuple{ 432 | IP: IPTuple{ 433 | SourceAddress: netip.MustParseAddr("baa:baa::b"), 434 | DestinationAddress: netip.MustParseAddr("ef00:3f00::ba13"), 435 | }, 436 | Proto: ProtoTuple{ 437 | Protocol: 13, 438 | SourcePort: 123, 439 | DestinationPort: 456, 440 | }, 441 | Zone: 5, 442 | }, 443 | } 444 | enm, err := en.marshal() 445 | require.NoError(t, err, "ExpectNAT marshal", en) 446 | 447 | _, err = ExpectNAT{}.marshal() 448 | assert.ErrorIs(t, err, errBadIPTuple) 449 | 450 | // Only verify first attribute (direction); Tuple marshal has its own tests 451 | want := netfilter.Attribute{Type: uint16(ctaExpectNATDir), Data: []byte{0, 0, 0, 1}} 452 | assert.Equal(t, want, enm.Children[0], "unexpected ExpectNAT marshal") 453 | } 454 | 455 | func TestExpectTypeString(t *testing.T) { 456 | if expectType(255).String() == "" { 457 | t.Fatal("ExpectType string representation empty - did you run `go generate`?") 458 | } 459 | 460 | assert.Equal(t, "ctaExpectFN", ctaExpectFN.String()) 461 | } 462 | 463 | func BenchmarkExpectUnmarshal(b *testing.B) { 464 | b.ReportAllocs() 465 | 466 | // Collect all test.attrs from corpus. 467 | var tests []netfilter.Attribute 468 | for _, test := range corpusExpect { 469 | tests = append(tests, test.attrs...) 470 | } 471 | 472 | // Marshal these netfilter attributes and return netlink.AttributeDecoder. 473 | ad := mustDecodeAttributes(tests) 474 | 475 | for n := 0; n < b.N; n++ { 476 | // Make a new copy of the AD to avoid reinstantiation. 477 | iad := ad 478 | 479 | var ex Expect 480 | _ = ex.unmarshal(iad) 481 | } 482 | } 483 | -------------------------------------------------------------------------------- /expectnattype_string.go: -------------------------------------------------------------------------------- 1 | // Code generated by "stringer -type=expectNATType"; DO NOT EDIT. 2 | 3 | package conntrack 4 | 5 | import "strconv" 6 | 7 | func _() { 8 | // An "invalid array index" compiler error signifies that the constant values have changed. 9 | // Re-run the stringer command to generate them again. 10 | var x [1]struct{} 11 | _ = x[ctaExpectNATUnspec-0] 12 | _ = x[ctaExpectNATDir-1] 13 | _ = x[ctaExpectNATTuple-2] 14 | } 15 | 16 | const _expectNATType_name = "ctaExpectNATUnspecctaExpectNATDirctaExpectNATTuple" 17 | 18 | var _expectNATType_index = [...]uint8{0, 18, 33, 50} 19 | 20 | func (i expectNATType) String() string { 21 | if i >= expectNATType(len(_expectNATType_index)-1) { 22 | return "expectNATType(" + strconv.FormatInt(int64(i), 10) + ")" 23 | } 24 | return _expectNATType_name[_expectNATType_index[i]:_expectNATType_index[i+1]] 25 | } 26 | -------------------------------------------------------------------------------- /expecttype_string.go: -------------------------------------------------------------------------------- 1 | // Code generated by "stringer -type=expectType"; DO NOT EDIT. 2 | 3 | package conntrack 4 | 5 | import "strconv" 6 | 7 | func _() { 8 | // An "invalid array index" compiler error signifies that the constant values have changed. 9 | // Re-run the stringer command to generate them again. 10 | var x [1]struct{} 11 | _ = x[ctaExpectUnspec-0] 12 | _ = x[ctaExpectMaster-1] 13 | _ = x[ctaExpectTuple-2] 14 | _ = x[ctaExpectMask-3] 15 | _ = x[ctaExpectTimeout-4] 16 | _ = x[ctaExpectID-5] 17 | _ = x[ctaExpectHelpName-6] 18 | _ = x[ctaExpectZone-7] 19 | _ = x[ctaExpectFlags-8] 20 | _ = x[ctaExpectClass-9] 21 | _ = x[ctaExpectNAT-10] 22 | _ = x[ctaExpectFN-11] 23 | } 24 | 25 | const _expectType_name = "ctaExpectUnspecctaExpectMasterctaExpectTuplectaExpectMaskctaExpectTimeoutctaExpectIDctaExpectHelpNamectaExpectZonectaExpectFlagsctaExpectClassctaExpectNATctaExpectFN" 26 | 27 | var _expectType_index = [...]uint8{0, 15, 30, 44, 57, 73, 84, 101, 114, 128, 142, 154, 165} 28 | 29 | func (i expectType) String() string { 30 | if i >= expectType(len(_expectType_index)-1) { 31 | return "expectType(" + strconv.FormatInt(int64(i), 10) + ")" 32 | } 33 | return _expectType_name[_expectType_index[i]:_expectType_index[i+1]] 34 | } 35 | -------------------------------------------------------------------------------- /filter.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "maps" 5 | 6 | "github.com/ti-mo/netfilter" 7 | ) 8 | 9 | // Filter is an object used to limit dump and flush operations to flows matching 10 | // certain fields. Use [NewFilter] to create a new filter, then chain methods to 11 | // set filter fields. 12 | // 13 | // Methods return a new Filter with the specified field set. 14 | // 15 | // Pass a filter to [Conn.DumpFilter] or [Conn.FlushFilter]. 16 | type Filter interface { 17 | // Family sets the address (L3) family to filter on, similar to conntrack's. 18 | // -f/--family. 19 | // 20 | // Common values are [netfilter.ProtoIPv4] and [netfilter.ProtoIPv6]. 21 | // 22 | // Requires Linux 4.20 or later for [Conn.DumpFilter] and Linux 5.3 for 23 | // [Conn.FlushFilter]. 24 | Family(l3 netfilter.ProtoFamily) Filter 25 | 26 | // Mark sets the connmark to filter on, similar to conntrack's --mark option. 27 | // 28 | // When not specifying a mark mask, the kernel defaults to 0xFFFFFFFF, meaning 29 | // the mark must match exactly. To specify a mark mask, use [Filter.MarkMask]. 30 | Mark(mark uint32) Filter 31 | 32 | // MarkMask sets the connmark mask to apply before filtering on connmark, 33 | // similar to conntrack's --mark / option. 34 | // 35 | // If not specified, the kernel defaults to 0xFFFFFFFF, meaning the mark must 36 | // match exactly. 37 | MarkMask(mask uint32) Filter 38 | 39 | // Status sets the conntrack status bits to filter on, similar to conntrack's 40 | // -u/--status option. 41 | // 42 | // Requires Linux 5.15 or later. 43 | Status(status Status) Filter 44 | 45 | // StatusMask overrides the mask to apply before filtering on flow status. 46 | // Since Status is a bitfield, mask defaults to the mark value itself since 47 | // matching on the entire field would typically yield few matches. It's 48 | // recommended to leave this unset unless you have a specific need. 49 | // 50 | // Doesn't have an equivalent in the conntrack CLI. 51 | // 52 | // Requires Linux 5.15 or later. 53 | StatusMask(mask uint32) Filter 54 | 55 | // Zone sets the conntrack zone to filter on, similar to conntrack's -w/--zone 56 | // option. 57 | // 58 | // If not specified, flows from all zones are returned. 59 | // 60 | // Requires Linux 6.8 or later. 61 | Zone(zone uint16) Filter 62 | 63 | family() netfilter.ProtoFamily 64 | 65 | marshal() []netfilter.Attribute 66 | } 67 | 68 | // NewFilter returns an empty Filter. 69 | func NewFilter() Filter { 70 | return &filter{f: make(map[attributeType][]byte)} 71 | } 72 | 73 | type filter struct { 74 | f map[attributeType][]byte 75 | 76 | l3 netfilter.ProtoFamily 77 | } 78 | 79 | func (f *filter) Family(l3 netfilter.ProtoFamily) Filter { 80 | return f.withClone(func(cpy *filter) { 81 | cpy.l3 = l3 82 | }) 83 | } 84 | 85 | func (f *filter) family() netfilter.ProtoFamily { 86 | return f.l3 87 | } 88 | 89 | func (f *filter) Mark(mark uint32) Filter { 90 | return f.withClone(func(cpy *filter) { 91 | cpy.f[ctaMark] = netfilter.Uint32Bytes(mark) 92 | }) 93 | } 94 | 95 | func (f *filter) MarkMask(mask uint32) Filter { 96 | return f.withClone(func(cpy *filter) { 97 | cpy.f[ctaMarkMask] = netfilter.Uint32Bytes(mask) 98 | }) 99 | } 100 | 101 | func (f *filter) Status(status Status) Filter { 102 | return f.withClone(func(cpy *filter) { 103 | cpy.f[ctaStatus] = netfilter.Uint32Bytes(uint32(status)) 104 | }) 105 | } 106 | 107 | func (f *filter) StatusMask(mask uint32) Filter { 108 | return f.withClone(func(cpy *filter) { 109 | cpy.f[ctaStatusMask] = netfilter.Uint32Bytes(mask) 110 | }) 111 | } 112 | 113 | func (f *filter) Zone(zone uint16) Filter { 114 | return f.withClone(func(cpy *filter) { 115 | cpy.f[ctaZone] = netfilter.Uint16Bytes(zone) 116 | }) 117 | } 118 | 119 | func (f *filter) withClone(fn func(cpy *filter)) *filter { 120 | clone := *f 121 | clone.f = maps.Clone(f.f) 122 | fn(&clone) 123 | return &clone 124 | } 125 | 126 | func (f *filter) marshal() []netfilter.Attribute { 127 | attrs := make([]netfilter.Attribute, 0, len(f.f)) 128 | 129 | for t, v := range f.f { 130 | attrs = append(attrs, netfilter.Attribute{Type: uint16(t), Data: v}) 131 | } 132 | 133 | return attrs 134 | } 135 | -------------------------------------------------------------------------------- /filter_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "slices" 5 | "testing" 6 | 7 | "github.com/stretchr/testify/assert" 8 | 9 | "github.com/ti-mo/netfilter" 10 | ) 11 | 12 | func TestFilterMarshal(t *testing.T) { 13 | f := NewFilter(). 14 | Mark(0xf0000000).MarkMask(0x0000000f). 15 | Zone(42). 16 | Status(StatusDying).StatusMask(0xdeadbeef) 17 | 18 | want := []netfilter.Attribute{ 19 | { 20 | Type: uint16(ctaStatus), 21 | Data: []byte{0, 0, 0x2, 0}, 22 | }, 23 | { 24 | Type: uint16(ctaMark), 25 | Data: []byte{0xf0, 0, 0, 0}, 26 | }, 27 | { 28 | Type: uint16(ctaZone), 29 | Data: []byte{0, 42}, 30 | }, 31 | { 32 | Type: uint16(ctaMarkMask), 33 | Data: []byte{0, 0, 0, 0x0f}, 34 | }, 35 | { 36 | Type: uint16(ctaStatusMask), 37 | Data: []byte{0xde, 0xad, 0xbe, 0xef}, 38 | }, 39 | } 40 | 41 | got := f.marshal() 42 | slices.SortStableFunc(got, func(a, b netfilter.Attribute) int { 43 | return int(a.Type) - int(b.Type) 44 | }) 45 | 46 | assert.Equal(t, want, got) 47 | } 48 | 49 | func TestFilterMutate(t *testing.T) { 50 | f := NewFilter(). 51 | Mark(1). 52 | Family(1) 53 | 54 | mod := f. 55 | Mark(2). 56 | Family(2) 57 | 58 | // Ensure original filter is unchanged. 59 | assert.NotEqual(t, f, mod) 60 | assert.Equal(t, []byte{0, 0, 0, 1}, f.(*filter).f[ctaMark]) 61 | assert.Equal(t, netfilter.ProtoFamily(1), f.(*filter).l3) 62 | 63 | assert.Equal(t, []byte{0, 0, 0, 2}, mod.(*filter).f[ctaMark]) 64 | assert.Equal(t, netfilter.ProtoFamily(2), mod.(*filter).l3) 65 | } 66 | -------------------------------------------------------------------------------- /flow.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | "net/netip" 6 | 7 | "github.com/mdlayher/netlink" 8 | "github.com/ti-mo/netfilter" 9 | ) 10 | 11 | // Flow represents a snapshot of a Conntrack connection. 12 | type Flow struct { 13 | ID uint32 14 | Timeout uint32 15 | Timestamp Timestamp 16 | 17 | Status Status 18 | ProtoInfo ProtoInfo 19 | Helper Helper 20 | 21 | Zone uint16 22 | 23 | CountersOrig, CountersReply Counter 24 | 25 | SecurityContext Security 26 | 27 | TupleOrig, TupleReply, TupleMaster Tuple 28 | 29 | SeqAdjOrig, SeqAdjReply SequenceAdjust 30 | 31 | Labels, LabelsMask []byte 32 | 33 | Mark, Use uint32 34 | 35 | SynProxy SynProxy 36 | } 37 | 38 | // NewFlow returns a new Flow object with the minimum necessary attributes to 39 | // create a Conntrack entry. Writes values into the Status, Timeout, TupleOrig 40 | // and TupleReply fields of the Flow. 41 | // 42 | // proto is the layer 4 protocol number of the connection. status is a 43 | // StatusFlag value, or an ORed combination thereof. srcAddr and dstAddr are the 44 | // source and destination addresses. srcPort and dstPort are the source and 45 | // destination ports. timeout is the non-zero time-to-live of a connection in 46 | // seconds. 47 | func NewFlow(proto uint8, status Status, srcAddr, destAddr netip.Addr, 48 | srcPort, destPort uint16, timeout, mark uint32) Flow { 49 | 50 | var f Flow 51 | 52 | f.Status = status 53 | 54 | f.Timeout = timeout 55 | f.Mark = mark 56 | 57 | f.TupleOrig.IP.SourceAddress = srcAddr 58 | f.TupleOrig.IP.DestinationAddress = destAddr 59 | f.TupleOrig.Proto.SourcePort = srcPort 60 | f.TupleOrig.Proto.DestinationPort = destPort 61 | f.TupleOrig.Proto.Protocol = proto 62 | 63 | // Set up TupleReply with source and destination inverted 64 | f.TupleReply.IP.SourceAddress = destAddr 65 | f.TupleReply.IP.DestinationAddress = srcAddr 66 | f.TupleReply.Proto.SourcePort = destPort 67 | f.TupleReply.Proto.DestinationPort = srcPort 68 | f.TupleReply.Proto.Protocol = proto 69 | 70 | return f 71 | } 72 | 73 | // unmarshal unmarshals netlink attributes into a Flow. 74 | func (f *Flow) unmarshal(ad *netlink.AttributeDecoder) error { 75 | for ad.Next() { 76 | // Attribute has nested flag set, decode it and its children. 77 | if err := f.unmarshalNested(ad); err != nil { 78 | return err 79 | } 80 | 81 | switch attributeType(ad.Type()) { 82 | // CTA_TIMEOUT is the time until the Conntrack entry is automatically destroyed. 83 | case ctaTimeout: 84 | f.Timeout = ad.Uint32() 85 | // CTA_ID is the tuple hash value generated by the kernel. It can be relied on for flow identification. 86 | case ctaID: 87 | f.ID = ad.Uint32() 88 | // CTA_USE is the flow's kernel-internal refcount. 89 | case ctaUse: 90 | f.Use = ad.Uint32() 91 | // CTA_MARK is the connection's connmark 92 | case ctaMark: 93 | f.Mark = ad.Uint32() 94 | // CTA_ZONE describes the Conntrack zone the flow is placed in. This can be combined with a CTA_TUPLE_ZONE 95 | // to specify which zone an event originates from. 96 | case ctaZone: 97 | f.Zone = ad.Uint16() 98 | // CTA_LABELS is a binary bitfield attached to a connection that is sent in 99 | // events when changed, as well as in response to dump queries. 100 | case ctaLabels: 101 | f.Labels = ad.Bytes() 102 | // CTA_LABELS_MASK is never sent by the kernel, but it can be used 103 | // in set / update queries to mask label operations on the kernel state table. 104 | // it needs to be exactly as wide as the CTA_LABELS field it intends to mask. 105 | case ctaLabelsMask: 106 | f.LabelsMask = ad.Bytes() 107 | // CTA_STATUS is a bitfield of the state of the connection 108 | // (eg. if packets are seen in both directions, etc.) 109 | case ctaStatus: 110 | f.Status = Status(ad.Uint32()) 111 | } 112 | } 113 | 114 | return ad.Err() 115 | } 116 | 117 | // unmarshalNested unmarshals nested netlink attributes. Returns errNotNested if 118 | // a nested attribute was recognized but its nested flag was not set. 119 | func (f *Flow) unmarshalNested(ad *netlink.AttributeDecoder) error { 120 | var fn func(nad *netlink.AttributeDecoder) error 121 | t := attributeType(ad.Type()) 122 | switch t { 123 | // CTA_TUPLE_* attributes are nested and contain source and destination values for: 124 | // - the IPv4/IPv6 addresses involved 125 | // - ports used in the connection 126 | // - (optional) the Conntrack Zone of the originating/replying side of the flow 127 | case ctaTupleOrig: 128 | fn = f.TupleOrig.unmarshal 129 | case ctaTupleReply: 130 | fn = f.TupleReply.unmarshal 131 | case ctaTupleMaster: 132 | fn = f.TupleMaster.unmarshal 133 | // CTA_PROTOINFO is sent for TCP, DCCP and SCTP protocols only. It conveys extra metadata 134 | // about the state flags seen on the wire. Update events are sent when these change. 135 | case ctaProtoInfo: 136 | fn = f.ProtoInfo.unmarshal 137 | case ctaHelp: 138 | fn = f.Helper.unmarshal 139 | // CTA_COUNTERS_* attributes are nested and contain byte and packet counters for flows in either direction. 140 | case ctaCountersOrig: 141 | fn = f.CountersOrig.unmarshal 142 | case ctaCountersReply: 143 | f.CountersReply.Direction = true 144 | fn = f.CountersReply.unmarshal 145 | // CTA_SECCTX is the SELinux security context of a Conntrack entry. 146 | case ctaSecCtx: 147 | fn = f.SecurityContext.unmarshal 148 | // CTA_TIMESTAMP is a nested attribute that describes the start and end timestamp of a flow. 149 | // It is sent by the kernel with dumps and DESTROY events. 150 | case ctaTimestamp: 151 | fn = f.Timestamp.unmarshal 152 | // CTA_SEQADJ_* is generalized TCP window adjustment metadata. It is not (yet) emitted in Conntrack events. 153 | // The reason for its introduction is outlined in https://lwn.net/Articles/563151. 154 | // Patch set is at http://www.spinics.net/lists/netdev/msg245785.html. 155 | case ctaSeqAdjOrig: 156 | fn = f.SeqAdjOrig.unmarshal 157 | case ctaSeqAdjReply: 158 | f.SeqAdjReply.Direction = true 159 | fn = f.SeqAdjReply.unmarshal 160 | // CTA_SYNPROXY are the connection's SYN proxy parameters 161 | case ctaSynProxy: 162 | fn = f.SynProxy.unmarshal 163 | default: 164 | // No nested attributes matched, nothing to do. 165 | return nil 166 | } 167 | 168 | // Found nested attribute, but missing nested flag. 169 | if !nestedFlag(ad.TypeFlags()) { 170 | return fmt.Errorf("attribute %v: %w", t, errNotNested) 171 | } 172 | 173 | ad.Nested(fn) 174 | if err := ad.Err(); err != nil { 175 | return fmt.Errorf("unmarshal %s: %w", t, err) 176 | } 177 | 178 | return nil 179 | } 180 | 181 | // marshal marshals a Flow object into a list of netfilter.Attributes. 182 | func (f Flow) marshal() ([]netfilter.Attribute, error) { 183 | // Flow updates need one of TupleOrig or TupleReply, 184 | // so we enforce having either of those. 185 | if !f.TupleOrig.filled() && !f.TupleReply.filled() { 186 | return nil, errNeedTuples 187 | } 188 | 189 | attrs := make([]netfilter.Attribute, 0, 14) 190 | 191 | if f.TupleOrig.filled() { 192 | to, err := f.TupleOrig.marshal(uint16(ctaTupleOrig)) 193 | if err != nil { 194 | return nil, err 195 | } 196 | attrs = append(attrs, to) 197 | } 198 | 199 | if f.TupleReply.filled() { 200 | tr, err := f.TupleReply.marshal(uint16(ctaTupleReply)) 201 | if err != nil { 202 | return nil, err 203 | } 204 | attrs = append(attrs, tr) 205 | } 206 | 207 | // Optional attributes appended to the list when filled 208 | if f.Timeout != 0 { 209 | a := netfilter.Attribute{Type: uint16(ctaTimeout)} 210 | a.PutUint32(f.Timeout) 211 | attrs = append(attrs, a) 212 | } 213 | 214 | if f.Status != 0 { 215 | attrs = append(attrs, f.Status.marshal()) 216 | } 217 | 218 | if f.Mark != 0 { 219 | a := netfilter.Attribute{Type: uint16(ctaMark)} 220 | a.PutUint32(f.Mark) 221 | attrs = append(attrs, a) 222 | } 223 | 224 | if f.Zone != 0 { 225 | a := netfilter.Attribute{Type: uint16(ctaZone)} 226 | a.PutUint16(f.Zone) 227 | attrs = append(attrs, a) 228 | } 229 | 230 | if f.ProtoInfo.filled() { 231 | attrs = append(attrs, f.ProtoInfo.marshal()) 232 | } 233 | 234 | if f.Helper.filled() { 235 | attrs = append(attrs, f.Helper.marshal()) 236 | } 237 | 238 | if f.TupleMaster.filled() { 239 | tm, err := f.TupleMaster.marshal(uint16(ctaTupleMaster)) 240 | if err != nil { 241 | return nil, err 242 | } 243 | attrs = append(attrs, tm) 244 | } 245 | 246 | if f.SeqAdjOrig.filled() { 247 | attrs = append(attrs, f.SeqAdjOrig.marshal(false)) 248 | } 249 | 250 | if f.SeqAdjReply.filled() { 251 | attrs = append(attrs, f.SeqAdjReply.marshal(true)) 252 | } 253 | 254 | if f.SynProxy.filled() { 255 | attrs = append(attrs, f.SynProxy.marshal()) 256 | } 257 | 258 | if len(f.Labels) > 0 { 259 | a := netfilter.Attribute{Type: uint16(ctaLabels)} 260 | a.Data = f.Labels 261 | attrs = append(attrs, a) 262 | } 263 | 264 | if len(f.LabelsMask) > 0 { 265 | a := netfilter.Attribute{Type: uint16(ctaLabelsMask)} 266 | a.Data = f.LabelsMask 267 | attrs = append(attrs, a) 268 | } 269 | 270 | return attrs, nil 271 | } 272 | 273 | // unmarshalFlow unmarshals a Flow from a netlink.Message. 274 | // The Message must contain valid attributes. 275 | func unmarshalFlow(nlm netlink.Message) (Flow, error) { 276 | var f Flow 277 | _, ad, err := netfilter.DecodeNetlink(nlm) 278 | if err != nil { 279 | return f, err 280 | } 281 | 282 | err = f.unmarshal(ad) 283 | if err != nil { 284 | return f, err 285 | } 286 | 287 | return f, nil 288 | } 289 | 290 | // unmarshalFlows unmarshals a list of flows from a list of Netlink messages. 291 | // This method can be used to parse the result of a dump or get query. 292 | func unmarshalFlows(nlm []netlink.Message) ([]Flow, error) { 293 | // Pre-allocate to avoid re-allocating output slice on every op 294 | out := make([]Flow, 0, len(nlm)) 295 | 296 | for i := 0; i < len(nlm); i++ { 297 | f, err := unmarshalFlow(nlm[i]) 298 | if err != nil { 299 | return nil, err 300 | } 301 | 302 | out = append(out, f) 303 | } 304 | 305 | return out, nil 306 | } 307 | -------------------------------------------------------------------------------- /flow_integration_test.go: -------------------------------------------------------------------------------- 1 | //go:build integration 2 | 3 | package conntrack 4 | 5 | import ( 6 | "net/netip" 7 | "testing" 8 | 9 | "golang.org/x/sys/unix" 10 | 11 | "github.com/stretchr/testify/assert" 12 | "github.com/stretchr/testify/require" 13 | "github.com/ti-mo/netfilter" 14 | ) 15 | 16 | // Create a given number of flows with a randomized component and check the amount 17 | // of flows present in the table. Clean up by flushing the table. 18 | func TestConnCreateFlows(t *testing.T) { 19 | 20 | c, _, err := makeNSConn() 21 | require.NoError(t, err) 22 | 23 | defer func() { 24 | err = c.Flush() 25 | assert.NoError(t, err, "error flushing table") 26 | }() 27 | 28 | // Expect empty result from empty table dump 29 | de, err := c.Dump(nil) 30 | require.NoError(t, err, "dumping empty table") 31 | require.Len(t, de, 0, "expecting 0-length dump from empty table") 32 | 33 | numFlows := 1337 34 | 35 | var f Flow 36 | 37 | // Create IPv4 flows 38 | for i := 1; i <= numFlows; i++ { 39 | f = NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, uint16(i), 120, 0) 40 | 41 | err = c.Create(f) 42 | require.NoError(t, err, "creating IPv4 flow", i) 43 | } 44 | 45 | // Create IPv6 flows 46 | for i := 1; i <= numFlows; i++ { 47 | err = c.Create(NewFlow( 48 | 17, 0, 49 | netip.MustParseAddr("2a00:1450:400e:804::200e"), 50 | netip.MustParseAddr("2a00:1450:400e:804::200f"), 51 | 1234, uint16(i), 120, 0, 52 | )) 53 | require.NoError(t, err, "creating IPv6 flow", i) 54 | } 55 | 56 | flows, err := c.Dump(nil) 57 | require.NoError(t, err, "dumping table") 58 | 59 | // Expect twice the amount of numFlows, both for IPv4 and IPv6 60 | assert.Equal(t, numFlows*2, len(flows)) 61 | } 62 | 63 | func TestConnCreateError(t *testing.T) { 64 | 65 | c, _, err := makeNSConn() 66 | require.NoError(t, err) 67 | 68 | err = c.Create(Flow{Timeout: 0}) 69 | require.ErrorIs(t, err, errNeedTimeout) 70 | } 71 | 72 | func TestConnFlush(t *testing.T) { 73 | 74 | c, _, err := makeNSConn() 75 | require.NoError(t, err) 76 | 77 | // Expect empty result from empty table dump 78 | de, err := c.Dump(nil) 79 | require.NoError(t, err, "dumping empty table") 80 | require.Len(t, de, 0, "expecting 0-length dump from empty table") 81 | 82 | // Create IPv4 flow 83 | err = c.Create(NewFlow( 84 | 6, 0, 85 | netip.MustParseAddr("1.2.3.4"), 86 | netip.MustParseAddr("5.6.7.8"), 87 | 1234, 80, 120, 0, 88 | )) 89 | require.NoError(t, err, "creating IPv4 flow") 90 | 91 | // Create IPv6 flow 92 | err = c.Create(NewFlow( 93 | 17, 0, 94 | netip.MustParseAddr("2a00:1450:400e:804::200e"), 95 | netip.MustParseAddr("2a00:1450:400e:804::200f"), 96 | 1234, 80, 120, 0, 97 | )) 98 | require.NoError(t, err, "creating IPv6 flow") 99 | 100 | // Expect both flows to be in the table 101 | flows, err := c.Dump(nil) 102 | require.NoError(t, err, "dumping table before flush") 103 | assert.Equal(t, 2, len(flows)) 104 | 105 | err = c.Flush() 106 | require.NoError(t, err, "flushing table") 107 | 108 | // Expect empty table 109 | flows, err = c.Dump(nil) 110 | require.NoError(t, err, "dumping table after flush") 111 | assert.Equal(t, 0, len(flows)) 112 | } 113 | 114 | func TestConnFlushFilter(t *testing.T) { 115 | // Kernels 3.x and earlier don't have filtered flush implemented yet. 116 | // This is implemented in a separate function, ctnetlink_flush_conntrack, 117 | // so we check if it is present before executing and checking the result. 118 | if !findKsym("ctnetlink_flush_iterate") { 119 | t.Skip("FlushFilter not supported in this kernel") 120 | } 121 | 122 | c, _, err := makeNSConn() 123 | require.NoError(t, err) 124 | 125 | // Expect empty result from empty table dump 126 | de, err := c.Dump(nil) 127 | require.NoError(t, err, "dumping empty table") 128 | require.Len(t, de, 0, "expecting 0-length dump from empty table") 129 | 130 | // Create IPv4 flow 131 | err = c.Create(NewFlow( 132 | 6, 0, 133 | netip.MustParseAddr("1.2.3.4"), 134 | netip.MustParseAddr("5.6.7.8"), 135 | 1234, 80, 120, 0, 136 | )) 137 | require.NoError(t, err, "creating IPv4 flow") 138 | 139 | // Create IPv6 flow with mark 140 | err = c.Create(NewFlow( 141 | 17, 0, 142 | netip.MustParseAddr("2a00:1450:400e:804::200e"), 143 | netip.MustParseAddr("2a00:1450:400e:804::200f"), 144 | 1234, 80, 120, 0xff00, 145 | )) 146 | require.NoError(t, err, "creating IPv6 flow") 147 | 148 | // Expect both flows to be in the table 149 | flows, err := c.Dump(nil) 150 | require.NoError(t, err, "dumping table before filtered flush") 151 | assert.Equal(t, 2, len(flows)) 152 | 153 | // Nil filter should not panic. 154 | require.Error(t, c.FlushFilter(nil)) 155 | 156 | // Flush only the flow matching the filter 157 | err = c.FlushFilter(NewFilter().Mark(0xff00)) 158 | require.NoError(t, err, "flushing table") 159 | 160 | // Expect only one flow to remain in the table 161 | flows, err = c.Dump(nil) 162 | require.NoError(t, err, "dumping table after filtered flush") 163 | assert.Equal(t, 1, len(flows)) 164 | } 165 | 166 | // Creates and deletes a number of flows with a randomized component. 167 | // Expects table to be empty at the end of the run. 168 | func TestConnCreateDeleteFlows(t *testing.T) { 169 | 170 | c, _, err := makeNSConn() 171 | require.NoError(t, err) 172 | 173 | numFlows := 42 174 | 175 | var f Flow 176 | 177 | for i := 1; i <= numFlows; i++ { 178 | f = NewFlow( 179 | 17, 0, 180 | netip.MustParseAddr("2a00:1450:400e:804::223e"), 181 | netip.MustParseAddr("2a00:1450:400e:804::223f"), 182 | 1234, uint16(i), 120, 0, 183 | ) 184 | 185 | err = c.Create(f) 186 | require.NoError(t, err, "creating flow", i) 187 | 188 | err = c.Delete(f) 189 | require.NoError(t, err, "deleting flow", i) 190 | } 191 | 192 | flows, err := c.Dump(nil) 193 | require.NoError(t, err, "dumping table") 194 | 195 | assert.Equal(t, 0, len(flows)) 196 | } 197 | 198 | // Creates a flow, updates it and checks the result. 199 | func TestConnCreateUpdateFlow(t *testing.T) { 200 | c, _, err := makeNSConn() 201 | require.NoError(t, err) 202 | 203 | f := NewFlow( 204 | 17, 0, 205 | netip.MustParseAddr("1.2.3.4"), 206 | netip.MustParseAddr("5.6.7.8"), 207 | 1234, 5678, 120, 0, 208 | ) 209 | 210 | err = c.Create(f) 211 | require.NoError(t, err, "creating flow") 212 | 213 | // Increase the flow's timeout from 120 in NewFlow(). 214 | f.Timeout = 210 215 | 216 | err = c.Update(f) 217 | require.NoError(t, err, "updating flow") 218 | 219 | flows, err := c.Dump(nil) 220 | require.NoError(t, err, "dumping table") 221 | 222 | if got := flows[0].Timeout; !(got > 200) { 223 | t.Fatalf("unexpected updated flow:\n- want: > 200\n- got: %d", got) 224 | } 225 | 226 | // Update the flow using only the TupleReply. 227 | // The kernel allows an existing flow to be updated 228 | // using only the TupleReply. 229 | fNoOrig := f 230 | fNoOrig.TupleOrig = Tuple{} 231 | fNoOrig.Timeout = 310 232 | 233 | err = c.Update(fNoOrig) 234 | require.NoError(t, err, "updating flow without TupleOrig") 235 | 236 | flows, err = c.Dump(nil) 237 | require.NoError(t, err, "dumping table") 238 | 239 | if got := flows[0].Timeout; !(got > 300) { 240 | t.Fatalf("unexpected updated flow:\n- want: > 300\n- got: %d", got) 241 | } 242 | 243 | // Update the flow using only the TupleOrig. 244 | // The kernel allows an existing flow to be updated 245 | // using only the TupleOrig. 246 | fNoReply := f 247 | fNoReply.TupleReply = Tuple{} 248 | fNoReply.Timeout = 410 249 | 250 | err = c.Update(fNoReply) 251 | require.NoError(t, err, "updating flow without TupleReply") 252 | 253 | flows, err = c.Dump(nil) 254 | require.NoError(t, err, "dumping table") 255 | 256 | if got := flows[0].Timeout; !(got > 400) { 257 | t.Fatalf("unexpected updated flow:\n- want: > 400\n- got: %d", got) 258 | } 259 | } 260 | 261 | func TestConnUpdateError(t *testing.T) { 262 | 263 | c, _, err := makeNSConn() 264 | require.NoError(t, err) 265 | 266 | f := NewFlow( 267 | 17, 0, 268 | netip.MustParseAddr("1.2.3.4"), 269 | netip.MustParseAddr("5.6.7.8"), 270 | 1234, 5678, 120, 0, 271 | ) 272 | 273 | f.TupleMaster = f.TupleOrig 274 | 275 | err = c.Update(f) 276 | require.ErrorIs(t, err, errUpdateMaster) 277 | } 278 | 279 | // Creates IPv4 and IPv6 flows and queries them using a simple get. 280 | func TestConnCreateGetFlow(t *testing.T) { 281 | 282 | c, _, err := makeNSConn() 283 | require.NoError(t, err) 284 | 285 | flows := map[string]Flow{ 286 | "v4m1": NewFlow(17, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 5678, 120, 0), 287 | "v4m2": NewFlow(17, 0, netip.MustParseAddr("10.0.0.1"), netip.MustParseAddr("10.0.0.2"), 24000, 80, 120, 0), 288 | "v6m1": NewFlow(17, 0, netip.MustParseAddr("2a12:1234:200f:600::200a"), netip.MustParseAddr("2a12:1234:200f:600::200b"), 6554, 53, 120, 0), 289 | "v6m2": NewFlow(17, 0, netip.MustParseAddr("900d:f00d:24::7"), netip.MustParseAddr("baad:beef:b00::b00"), 1323, 22, 120, 0), 290 | } 291 | 292 | for n, f := range flows { 293 | _, err := c.Get(f) 294 | require.ErrorIs(t, err, unix.ENOENT, "get flow before creating") 295 | 296 | err = c.Create(f) 297 | require.NoError(t, err, "creating flow", n) 298 | 299 | qflow, err := c.Get(f) 300 | require.NoError(t, err, "get flow after creating", n) 301 | 302 | assert.Equal(t, qflow.TupleOrig.IP.SourceAddress, f.TupleOrig.IP.SourceAddress) 303 | assert.Equal(t, qflow.TupleOrig.IP.DestinationAddress, f.TupleOrig.IP.DestinationAddress) 304 | 305 | fOrig := f 306 | fOrig.TupleReply = Tuple{} 307 | qflow, err = c.Get(fOrig) 308 | require.NoError(t, err, "get flow by TupleOrig", n) 309 | 310 | assert.Equal(t, qflow.TupleReply.IP.SourceAddress, f.TupleReply.IP.SourceAddress) 311 | assert.Equal(t, qflow.TupleReply.IP.DestinationAddress, f.TupleReply.IP.DestinationAddress) 312 | 313 | fReply := f 314 | fReply.TupleOrig = Tuple{} 315 | qflow, err = c.Get(fReply) 316 | require.NoError(t, err, "get flow by TupleReply", n) 317 | 318 | assert.Equal(t, qflow.TupleOrig.IP.SourceAddress, f.TupleOrig.IP.SourceAddress) 319 | assert.Equal(t, qflow.TupleOrig.IP.DestinationAddress, f.TupleOrig.IP.DestinationAddress) 320 | } 321 | } 322 | 323 | // Creates IPv4 and IPv6 flows and dumps them while zeroing the accounting counters. 324 | func TestDumpZero(t *testing.T) { 325 | c, _, err := makeNSConn() 326 | require.NoError(t, err) 327 | 328 | f := NewFlow(17, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 5678, 120, 0xff000000) 329 | 330 | f.CountersOrig.Bytes = 1337 331 | f.CountersReply.Bytes = 9001 332 | require.NoError(t, c.Create(f), "creating flow") 333 | 334 | df, err := c.Dump(&DumpOptions{ 335 | ZeroCounters: true, 336 | }) 337 | require.NoError(t, err, "dumping flows (zeroing enabled)") 338 | 339 | assert.Equal(t, df[0].CountersOrig.Bytes, uint64(0)) 340 | assert.Equal(t, df[0].CountersReply.Bytes, uint64(0)) 341 | } 342 | 343 | // Creates IPv4 and IPv6 flows with connmarks and queries them using a filtered dump. 344 | func TestConnDumpFilter(t *testing.T) { 345 | if !findKsym("ctnetlink_alloc_filter") { 346 | t.Skip("DumpFilter not supported in this kernel") 347 | } 348 | 349 | c, _, err := makeNSConn() 350 | require.NoError(t, err) 351 | 352 | flows := map[string]Flow{ 353 | "v4m1": NewFlow(17, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 5678, 120, 0xff000000), 354 | "v4m2": NewFlow(17, 0, netip.MustParseAddr("10.0.0.1"), netip.MustParseAddr("10.0.0.2"), 24000, 80, 120, 0xff00ff00), 355 | "v6m1": NewFlow(17, 0, netip.MustParseAddr("2a12:1234:200f:600::200a"), netip.MustParseAddr("2a12:1234:200f:600::200b"), 6554, 53, 120, 0x0000ff00), 356 | "v6m2": NewFlow(17, 0, netip.MustParseAddr("900d:f00d:24::7"), netip.MustParseAddr("baad:beef:b00::b00"), 1323, 22, 120, 0x000000ff), 357 | } 358 | 359 | // Nil filter should not panic. 360 | _, err = c.DumpFilter(nil, nil) 361 | require.Error(t, err) 362 | 363 | // Expect empty result from empty table dump with empty filter. 364 | de, err := c.DumpFilter(NewFilter(), nil) 365 | require.NoError(t, err, "dumping empty table") 366 | require.Len(t, de, 0, "expecting 0-length dump from empty table") 367 | 368 | for n, f := range flows { 369 | err = c.Create(f) 370 | require.NoError(t, err, "creating flow", n) 371 | 372 | df, err := c.DumpFilter(NewFilter().Mark(f.Mark), nil) 373 | require.NoError(t, err, "dumping filtered flows", n) 374 | 375 | assert.Len(t, df, 1) 376 | assert.Equal(t, df[0].TupleOrig.IP.SourceAddress, f.TupleOrig.IP.SourceAddress) 377 | assert.Equal(t, df[0].TupleOrig.IP.DestinationAddress, f.TupleOrig.IP.DestinationAddress) 378 | } 379 | 380 | // Expect two flows to match the filter (0xff000000 and 0xff00ff00) since the 381 | // rightmost 16 bits are masked off. 382 | df, err := c.DumpFilter(NewFilter().Mark(0xff000000).MarkMask(0xffff0000), nil) 383 | require.NoError(t, err) 384 | assert.Len(t, df, 2, "expecting 2 flows to match filter") 385 | 386 | // Expect table to be empty at end of run 387 | d, err := c.Dump(nil) 388 | require.NoError(t, err, "dumping flows") 389 | assert.Len(t, d, len(flows)) 390 | } 391 | 392 | // Bench scenario that calls Conn.Create and Conn.Delete on the same Flow once per iteration. 393 | // This includes two marshaling operations for create/delete, two syscalls and output validation. 394 | func BenchmarkCreateDeleteFlow(b *testing.B) { 395 | 396 | b.ReportAllocs() 397 | 398 | c, _, err := makeNSConn() 399 | if err != nil { 400 | b.Fatal(err) 401 | } 402 | 403 | f := NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 80, 120, 0) 404 | 405 | for n := 0; n < b.N; n++ { 406 | err = c.Create(f) 407 | if err != nil { 408 | b.Fatalf("creating flow %d: %s", n, err) 409 | } 410 | err = c.Delete(f) 411 | if err != nil { 412 | b.Fatalf("deleting flow %d: %s", n, err) 413 | } 414 | } 415 | } 416 | 417 | func TestZoneFilter(t *testing.T) { 418 | c, _, err := makeNSConn() 419 | require.NoError(t, err) 420 | 421 | // One flow in the default zone (0). 422 | require.NoError(t, c.Create(NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 80, 120, 0))) 423 | 424 | // Two flows in zone 100. 425 | f1 := NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 80, 120, 0) 426 | f1.Zone = 100 427 | require.NoError(t, c.Create(f1)) 428 | 429 | f2 := NewFlow(17, 0, netip.MustParseAddr("2a00:1450:400e:804::200e"), netip.MustParseAddr("2a00:1450:400e:804::200f"), 1234, 80, 120, 0) 430 | f2.Zone = 100 431 | require.NoError(t, c.Create(f2)) 432 | 433 | z0 := NewFilter().Zone(0) 434 | z100 := NewFilter().Zone(100) 435 | 436 | // 3 flows in total. 437 | flows, err := c.Dump(nil) 438 | require.NoError(t, err) 439 | assert.Len(t, flows, 3, "expected 3 flows in total") 440 | 441 | // Zone 0 should contain 1 flow. 442 | flows, err = c.DumpFilter(z0, nil) 443 | require.NoError(t, err) 444 | assert.Len(t, flows, 1, "expected 1 flow in zone 0") 445 | 446 | // Zone 100 should contain 2 flows. 447 | flows, err = c.DumpFilter(z100, nil) 448 | require.NoError(t, err) 449 | assert.Len(t, flows, 2, "expected 2 flows in zone 100") 450 | 451 | // Flush zone 100. 452 | require.NoError(t, c.FlushFilter(z100)) 453 | 454 | // 1 flow should remain in total. 455 | flows, err = c.Dump(nil) 456 | require.NoError(t, err) 457 | assert.Len(t, flows, 1, "expected 1 flow in total after flush") 458 | 459 | // Zone 0 should still contain 1 flow. 460 | flows, err = c.DumpFilter(z0, nil) 461 | require.NoError(t, err) 462 | assert.Len(t, flows, 1, "expected 1 flow in zone 0 after flush") 463 | 464 | // Zone 100 should be empty. 465 | flows, err = c.DumpFilter(z100, nil) 466 | require.NoError(t, err) 467 | assert.Empty(t, flows, "expected no flows in zone 100 after flush") 468 | } 469 | 470 | func TestStatusFilter(t *testing.T) { 471 | c, _, err := makeNSConn() 472 | require.NoError(t, err) 473 | 474 | require.NoError(t, c.Create(NewFlow(6, StatusConfirmed, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("0.0.0.0"), 1234, 80, 120, 0))) 475 | require.NoError(t, c.Create(NewFlow(6, StatusConfirmed, netip.MustParseAddr("5.6.7.8"), netip.MustParseAddr("0.0.0.0"), 1234, 80, 120, 0))) 476 | 477 | flows, err := c.Dump(nil) 478 | require.NoError(t, err) 479 | assert.Len(t, flows, 2, "expected 2 flows in total") 480 | 481 | flows, err = c.DumpFilter(NewFilter().Status(StatusConfirmed), nil) 482 | require.NoError(t, err) 483 | assert.Len(t, flows, 2) 484 | 485 | flows, err = c.DumpFilter(NewFilter().Status(StatusDying), nil) 486 | require.NoError(t, err) 487 | assert.Len(t, flows, 0) 488 | 489 | // This filter can never return anything since status and mask don't overlap. 490 | flows, err = c.DumpFilter(NewFilter().Status(StatusConfirmed).StatusMask(0x1), nil) 491 | require.NoError(t, err) 492 | assert.Len(t, flows, 0) 493 | } 494 | 495 | func TestFamilyFilter(t *testing.T) { 496 | c, _, err := makeNSConn() 497 | require.NoError(t, err) 498 | 499 | require.NoError(t, c.Create(NewFlow(unix.IPPROTO_TCP, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 80, 120, 0))) 500 | require.NoError(t, c.Create(NewFlow(unix.IPPROTO_UDP, 0, netip.MustParseAddr("2a00:1450:400e:804::200e"), netip.MustParseAddr("2a00:1450:400e:804::200f"), 1234, 80, 120, 0))) 501 | 502 | flows, err := c.Dump(nil) 503 | require.NoError(t, err) 504 | assert.Len(t, flows, 2, "expected 2 flows in total") 505 | 506 | flows, err = c.DumpFilter(NewFilter().Family(netfilter.ProtoIPv4), nil) 507 | require.NoError(t, err) 508 | assert.Len(t, flows, 1) 509 | assert.Equal(t, flows[0].TupleOrig.IP.SourceAddress, netip.MustParseAddr("1.2.3.4")) 510 | 511 | flows, err = c.DumpFilter(NewFilter().Family(netfilter.ProtoIPv6), nil) 512 | require.NoError(t, err) 513 | assert.Len(t, flows, 1) 514 | assert.Equal(t, flows[0].TupleOrig.IP.SourceAddress, netip.MustParseAddr("2a00:1450:400e:804::200e")) 515 | 516 | assert.NoError(t, c.FlushFilter(NewFilter().Family(netfilter.ProtoIPv4))) 517 | flows, err = c.Dump(nil) 518 | require.NoError(t, err) 519 | assert.Len(t, flows, 1, "expected 1 flow in total") 520 | 521 | flows, err = c.DumpFilter(NewFilter().Family(netfilter.ProtoIPv6), nil) 522 | require.NoError(t, err) 523 | assert.Len(t, flows, 1) 524 | assert.Equal(t, flows[0].TupleOrig.IP.SourceAddress, netip.MustParseAddr("2a00:1450:400e:804::200e")) 525 | } 526 | -------------------------------------------------------------------------------- /flow_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "net/netip" 5 | "testing" 6 | "time" 7 | 8 | "github.com/mdlayher/netlink" 9 | 10 | "github.com/stretchr/testify/assert" 11 | "github.com/stretchr/testify/require" 12 | 13 | "github.com/ti-mo/netfilter" 14 | ) 15 | 16 | var ( 17 | // Re-usable structures and netfilter atttibutes for tests 18 | nfaIPPT = []netfilter.Attribute{ 19 | { 20 | Type: uint16(ctaTupleIP), 21 | Nested: true, 22 | Children: []netfilter.Attribute{ 23 | { 24 | Type: uint16(ctaIPv4Src), 25 | Data: []byte{1, 2, 3, 4}, 26 | }, 27 | { 28 | Type: uint16(ctaIPv4Dst), 29 | Data: []byte{4, 3, 2, 1}, 30 | }, 31 | }, 32 | }, 33 | { 34 | Type: uint16(ctaTupleProto), 35 | Nested: true, 36 | Children: []netfilter.Attribute{ 37 | { 38 | Type: uint16(ctaProtoNum), 39 | Data: []byte{0x06}, 40 | }, 41 | { 42 | Type: uint16(ctaProtoSrcPort), 43 | Data: []byte{0xff, 0x00}, 44 | }, 45 | { 46 | Type: uint16(ctaProtoDstPort), 47 | Data: []byte{0x00, 0xff}, 48 | }, 49 | }, 50 | }, 51 | } 52 | flowIPPT = Tuple{ 53 | IP: IPTuple{ 54 | SourceAddress: netip.MustParseAddr("1.2.3.4"), 55 | DestinationAddress: netip.MustParseAddr("4.3.2.1"), 56 | }, 57 | Proto: ProtoTuple{ 58 | Protocol: 6, 59 | SourcePort: 65280, 60 | DestinationPort: 255, 61 | }, 62 | } 63 | flowBadIPPT = Tuple{ 64 | IP: IPTuple{ 65 | SourceAddress: netip.MustParseAddr("1.2.3.4"), 66 | DestinationAddress: netip.MustParseAddr("::1"), 67 | }, 68 | Proto: ProtoTuple{ 69 | Protocol: 6, 70 | SourcePort: 65280, 71 | DestinationPort: 255, 72 | }, 73 | } 74 | 75 | corpusFlow = []struct { 76 | name string 77 | attrs []netfilter.Attribute 78 | flow Flow 79 | }{ 80 | { 81 | name: "scalar and simple binary attributes", 82 | attrs: []netfilter.Attribute{ 83 | { 84 | Type: uint16(ctaTimeout), 85 | Data: []byte{0, 1, 2, 3}, 86 | }, 87 | { 88 | Type: uint16(ctaID), 89 | Data: []byte{0, 1, 2, 3}, 90 | }, 91 | { 92 | Type: uint16(ctaUse), 93 | Data: []byte{0, 1, 2, 3}, 94 | }, 95 | { 96 | Type: uint16(ctaMark), 97 | Data: []byte{0, 1, 2, 3}, 98 | }, 99 | { 100 | Type: uint16(ctaZone), 101 | Data: []byte{4, 5}, 102 | }, 103 | { 104 | Type: uint16(ctaLabels), 105 | Data: []byte{0x4b, 0x1d, 0xbe, 0xef}, 106 | }, 107 | { 108 | Type: uint16(ctaLabelsMask), 109 | Data: []byte{0x00, 0xba, 0x1b, 0xe1}, 110 | }, 111 | }, 112 | flow: Flow{ 113 | ID: 0x010203, Timeout: 0x010203, Zone: 0x0405, 114 | Labels: []byte{0x4b, 0x1d, 0xbe, 0xef}, LabelsMask: []byte{0x00, 0xba, 0x1b, 0xe1}, 115 | Mark: 0x010203, Use: 0x010203, 116 | }, 117 | }, 118 | { 119 | name: "ip/port/proto tuple attributes as orig/reply/master", 120 | attrs: []netfilter.Attribute{ 121 | { 122 | Type: uint16(ctaTupleOrig), 123 | Nested: true, 124 | Children: nfaIPPT, 125 | }, 126 | { 127 | Type: uint16(ctaTupleReply), 128 | Nested: true, 129 | Children: nfaIPPT, 130 | }, 131 | { 132 | Type: uint16(ctaTupleMaster), 133 | Nested: true, 134 | Children: nfaIPPT, 135 | }, 136 | }, 137 | flow: Flow{ 138 | TupleOrig: flowIPPT, 139 | TupleReply: flowIPPT, 140 | TupleMaster: flowIPPT, 141 | }, 142 | }, 143 | { 144 | name: "status attribute", 145 | attrs: []netfilter.Attribute{ 146 | { 147 | Type: uint16(ctaStatus), 148 | Data: []byte{0xff, 0x00, 0xff, 0x00}, 149 | }, 150 | }, 151 | flow: Flow{Status: 0xff00ff00}, 152 | }, 153 | { 154 | name: "protoinfo attribute w/ tcp info", 155 | attrs: []netfilter.Attribute{ 156 | { 157 | Type: uint16(ctaProtoInfo), 158 | Nested: true, 159 | Children: []netfilter.Attribute{ 160 | { 161 | Type: uint16(ctaProtoInfoTCP), 162 | Nested: true, 163 | Children: []netfilter.Attribute{ 164 | { 165 | Type: uint16(ctaProtoInfoTCPState), 166 | Data: []byte{1}, 167 | }, 168 | { 169 | Type: uint16(ctaProtoInfoTCPFlagsOriginal), 170 | Data: []byte{2, 3}, 171 | }, 172 | { 173 | Type: uint16(ctaProtoInfoTCPFlagsReply), 174 | Data: []byte{4, 5}, 175 | }, 176 | }, 177 | }, 178 | }, 179 | }, 180 | }, 181 | flow: Flow{ProtoInfo: ProtoInfo{TCP: &ProtoInfoTCP{State: 1, OriginalFlags: 0x0203, ReplyFlags: 0x0405}}}, 182 | }, 183 | { 184 | name: "helper attribute", 185 | attrs: []netfilter.Attribute{ 186 | { 187 | Type: uint16(ctaHelp), 188 | Nested: true, 189 | Children: []netfilter.Attribute{ 190 | { 191 | Type: uint16(ctaHelpName), 192 | Data: []byte("helper"), 193 | }, 194 | { 195 | Type: uint16(ctaHelpInfo), 196 | Data: []byte("info"), 197 | }, 198 | }, 199 | }, 200 | }, 201 | flow: Flow{Helper: Helper{Name: "helper", Info: []byte("info")}}, 202 | }, 203 | { 204 | name: "counter attribute", 205 | attrs: []netfilter.Attribute{ 206 | { 207 | Type: uint16(ctaCountersOrig), 208 | Nested: true, 209 | Children: []netfilter.Attribute{ 210 | { 211 | Type: uint16(ctaCountersPackets), 212 | Data: []byte{0x00, 0x00, 0x00, 0x00, 0xf0, 0x0d, 0x00, 0x00}, 213 | }, 214 | { 215 | Type: uint16(ctaCountersBytes), 216 | Data: []byte{0xba, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x00}, 217 | }, 218 | }, 219 | }, 220 | { 221 | Type: uint16(ctaCountersReply), 222 | Nested: true, 223 | Children: []netfilter.Attribute{ 224 | { 225 | Type: uint16(ctaCountersPackets), 226 | Data: []byte{0xb0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}, 227 | }, 228 | { 229 | Type: uint16(ctaCountersBytes), 230 | Data: []byte{0xfa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0xce}, 231 | }, 232 | }, 233 | }, 234 | }, 235 | flow: Flow{ 236 | CountersOrig: Counter{Packets: 0xf00d0000, Bytes: 0xbaaaaa0000000000}, 237 | CountersReply: Counter{Packets: 0xb00000000000000d, Bytes: 0xfaaaaa00000000ce, Direction: true}, 238 | }, 239 | }, 240 | { 241 | name: "security attribute", 242 | attrs: []netfilter.Attribute{ 243 | { 244 | Type: uint16(ctaSecCtx), 245 | Nested: true, 246 | Children: []netfilter.Attribute{ 247 | { 248 | Type: uint16(ctaSecCtxName), 249 | Data: []byte("jail"), 250 | }, 251 | }, 252 | }, 253 | }, 254 | flow: Flow{SecurityContext: "jail"}, 255 | }, 256 | { 257 | name: "timestamp attribute", 258 | attrs: []netfilter.Attribute{ 259 | { 260 | Type: uint16(ctaTimestamp), 261 | Nested: true, 262 | Children: []netfilter.Attribute{ 263 | { 264 | Type: uint16(ctaTimestampStart), 265 | Data: []byte{ 266 | 0x0f, 0x12, 0x34, 0x56, 267 | 0x78, 0x9a, 0xbc, 0xde}, 268 | }, 269 | { 270 | Type: uint16(ctaTimestampStop), 271 | Data: []byte{ 272 | 0xff, 0x12, 0x34, 0x56, 273 | 0x78, 0x9a, 0xbc, 0xde}, 274 | }, 275 | }, 276 | }, 277 | }, 278 | flow: Flow{Timestamp: Timestamp{ 279 | Start: time.Unix(0, 0x0f123456789abcde), 280 | Stop: time.Unix(0, -66933498461897506)}}, 281 | }, 282 | { 283 | name: "sequence adjust attribute", 284 | attrs: []netfilter.Attribute{ 285 | { 286 | Type: uint16(ctaSeqAdjOrig), 287 | Nested: true, 288 | Children: []netfilter.Attribute{ 289 | { 290 | Type: uint16(ctaSeqAdjCorrectionPos), 291 | Data: []byte{0x0f, 0x12, 0x34, 0x56}, 292 | }, 293 | { 294 | Type: uint16(ctaSeqAdjOffsetAfter), 295 | Data: []byte{0x0f, 0x12, 0x34, 0x99}, 296 | }, 297 | }, 298 | }, 299 | { 300 | Type: uint16(ctaSeqAdjReply), 301 | Nested: true, 302 | Children: []netfilter.Attribute{ 303 | { 304 | Type: uint16(ctaSeqAdjCorrectionPos), 305 | Data: []byte{0x0f, 0x12, 0x34, 0x56}, 306 | }, 307 | { 308 | Type: uint16(ctaSeqAdjOffsetAfter), 309 | Data: []byte{0x0f, 0x12, 0x34, 0x99}, 310 | }, 311 | }, 312 | }, 313 | }, 314 | flow: Flow{ 315 | SeqAdjOrig: SequenceAdjust{Position: 0x0f123456, OffsetAfter: 0x0f123499}, 316 | SeqAdjReply: SequenceAdjust{Direction: true, Position: 0x0f123456, OffsetAfter: 0x0f123499}, 317 | }, 318 | }, 319 | { 320 | name: "synproxy attribute", 321 | attrs: []netfilter.Attribute{ 322 | { 323 | Type: uint16(ctaSynProxy), 324 | Nested: true, 325 | Children: []netfilter.Attribute{ 326 | { 327 | Type: uint16(ctaSynProxyISN), 328 | Data: []byte{0x12, 0x34, 0x56, 0x78}, 329 | }, 330 | { 331 | Type: uint16(ctaSynProxyITS), 332 | Data: []byte{0x87, 0x65, 0x43, 0x21}, 333 | }, 334 | { 335 | Type: uint16(ctaSynProxyTSOff), 336 | Data: []byte{0xab, 0xcd, 0xef, 0x00}, 337 | }, 338 | }, 339 | }, 340 | }, 341 | flow: Flow{SynProxy: SynProxy{ISN: 0x12345678, ITS: 0x87654321, TSOff: 0xabcdef00}}, 342 | }, 343 | } 344 | 345 | corpusFlowUnmarshalError = []struct { 346 | name string 347 | nfa netfilter.Attribute 348 | }{ 349 | { 350 | name: "error unmarshal original tuple", 351 | nfa: netfilter.Attribute{Type: uint16(ctaTupleOrig)}, 352 | }, 353 | { 354 | name: "error unmarshal reply tuple", 355 | nfa: netfilter.Attribute{Type: uint16(ctaTupleReply)}, 356 | }, 357 | { 358 | name: "error unmarshal master tuple", 359 | nfa: netfilter.Attribute{Type: uint16(ctaTupleMaster)}, 360 | }, 361 | { 362 | name: "error unmarshal protoinfo", 363 | nfa: netfilter.Attribute{Type: uint16(ctaProtoInfo)}, 364 | }, 365 | { 366 | name: "error unmarshal helper", 367 | nfa: netfilter.Attribute{Type: uint16(ctaHelp)}, 368 | }, 369 | { 370 | name: "error unmarshal original counter", 371 | nfa: netfilter.Attribute{Type: uint16(ctaCountersOrig)}, 372 | }, 373 | { 374 | name: "error unmarshal reply counter", 375 | nfa: netfilter.Attribute{Type: uint16(ctaCountersReply)}, 376 | }, 377 | { 378 | name: "error unmarshal security context", 379 | nfa: netfilter.Attribute{Type: uint16(ctaSecCtx)}, 380 | }, 381 | { 382 | name: "error unmarshal timestamp", 383 | nfa: netfilter.Attribute{Type: uint16(ctaTimestamp)}, 384 | }, 385 | { 386 | name: "error unmarshal original seqadj", 387 | nfa: netfilter.Attribute{Type: uint16(ctaSeqAdjOrig)}, 388 | }, 389 | { 390 | name: "error unmarshal reply seqadj", 391 | nfa: netfilter.Attribute{Type: uint16(ctaSeqAdjReply)}, 392 | }, 393 | { 394 | name: "error unmarshal synproxy", 395 | nfa: netfilter.Attribute{Type: uint16(ctaSynProxy)}, 396 | }, 397 | } 398 | ) 399 | 400 | func TestFlowUnmarshal(t *testing.T) { 401 | for _, tt := range corpusFlow { 402 | t.Run(tt.name, func(t *testing.T) { 403 | var f Flow 404 | require.NoError(t, f.unmarshal(mustDecodeAttributes(tt.attrs))) 405 | assert.Equal(t, tt.flow, f, "unexpected unmarshal") 406 | }) 407 | } 408 | 409 | for _, tt := range corpusFlowUnmarshalError { 410 | t.Run(tt.name, func(t *testing.T) { 411 | var f Flow 412 | err := f.unmarshal(mustDecodeAttributes([]netfilter.Attribute{tt.nfa})) 413 | assert.ErrorIs(t, err, errNotNested) 414 | }) 415 | } 416 | } 417 | 418 | func TestFlowMarshal(t *testing.T) { 419 | // Expect a marshal without errors 420 | attrs, err := Flow{ 421 | TupleOrig: flowIPPT, TupleReply: flowIPPT, TupleMaster: flowIPPT, 422 | ProtoInfo: ProtoInfo{TCP: &ProtoInfoTCP{State: 42}}, 423 | Timeout: 123, Status: 1234, Mark: 0x1234, Zone: 2, 424 | Helper: Helper{Name: "ftp"}, 425 | SeqAdjOrig: SequenceAdjust{Position: 1, OffsetBefore: 2, OffsetAfter: 3}, 426 | SeqAdjReply: SequenceAdjust{Position: 5, OffsetBefore: 6, OffsetAfter: 7}, 427 | SynProxy: SynProxy{ISN: 0x12345678, ITS: 0x87654321, TSOff: 0xabcdef00}, 428 | Labels: []byte{0x13, 0x37}, 429 | LabelsMask: []byte{0xff, 0xff}, 430 | }.marshal() 431 | assert.NoError(t, err) 432 | 433 | want := []netfilter.Attribute{ 434 | {Type: uint16(ctaTupleOrig), Nested: true, Children: []netfilter.Attribute{ 435 | {Type: uint16(ctaTupleIP), Nested: true, Children: []netfilter.Attribute{ 436 | {Type: uint16(ctaIPv4Src), Data: []byte{0x1, 0x2, 0x3, 0x4}}, 437 | {Type: uint16(ctaIPv4Dst), Data: []byte{0x4, 0x3, 0x2, 0x1}}, 438 | }}, 439 | {Type: uint16(ctaTupleProto), Nested: true, Children: []netfilter.Attribute{ 440 | {Type: uint16(ctaProtoNum), Data: []byte{0x6}}, 441 | {Type: uint16(ctaProtoSrcPort), Data: []byte{0xff, 0x0}}, 442 | {Type: uint16(ctaProtoDstPort), Data: []byte{0x0, 0xff}}}}, 443 | }}, 444 | {Type: uint16(ctaTupleReply), Nested: true, Children: []netfilter.Attribute{ 445 | {Type: uint16(ctaTupleIP), Nested: true, Children: []netfilter.Attribute{ 446 | {Type: uint16(ctaIPv4Src), Data: []byte{0x1, 0x2, 0x3, 0x4}}, 447 | {Type: uint16(ctaIPv4Dst), Data: []byte{0x4, 0x3, 0x2, 0x1}}}}, 448 | {Type: uint16(ctaTupleProto), Nested: true, Children: []netfilter.Attribute{ 449 | {Type: uint16(ctaProtoNum), Data: []byte{0x6}}, 450 | {Type: uint16(ctaProtoSrcPort), Data: []byte{0xff, 0x0}}, 451 | {Type: uint16(ctaProtoDstPort), Data: []byte{0x0, 0xff}}}}}}, 452 | {Type: uint16(ctaTimeout), Data: []byte{0x0, 0x0, 0x0, 0x7b}}, 453 | {Type: uint16(ctaStatus), Data: []byte{0x0, 0x0, 0x4, 0xd2}}, 454 | {Type: uint16(ctaMark), Data: []byte{0x0, 0x0, 0x12, 0x34}}, 455 | {Type: uint16(ctaZone), Data: []byte{0x0, 0x2}}, 456 | {Type: uint16(ctaProtoInfo), Nested: true, Children: []netfilter.Attribute{ 457 | {Type: uint16(ctaProtoInfoTCP), Nested: true, Children: []netfilter.Attribute{ 458 | {Type: uint16(ctaProtoInfoTCPState), Data: []byte{0x2a}}, 459 | {Type: uint16(ctaProtoInfoTCPWScaleOriginal), Data: []byte{0x0}}, 460 | {Type: uint16(ctaProtoInfoTCPWScaleReply), Data: []byte{0x0}}}}}}, 461 | {Type: uint16(ctaHelp), Nested: true, Children: []netfilter.Attribute{ 462 | {Type: uint16(ctaHelpName), Data: []byte{0x66, 0x74, 0x70}}}}, 463 | {Type: uint16(ctaTupleMaster), Nested: true, Children: []netfilter.Attribute{ 464 | {Type: uint16(ctaTupleIP), Nested: true, Children: []netfilter.Attribute{ 465 | {Type: uint16(ctaIPv4Src), Data: []byte{0x1, 0x2, 0x3, 0x4}}, 466 | {Type: uint16(ctaIPv4Dst), Data: []byte{0x4, 0x3, 0x2, 0x1}}}}, 467 | {Type: uint16(ctaTupleProto), Nested: true, Children: []netfilter.Attribute{ 468 | {Type: uint16(ctaProtoNum), Data: []byte{0x6}}, 469 | {Type: uint16(ctaProtoSrcPort), Data: []byte{0xff, 0x0}}, 470 | {Type: uint16(ctaProtoDstPort), Data: []byte{0x0, 0xff}}}}}}, 471 | {Type: uint16(ctaSeqAdjOrig), Nested: true, Children: []netfilter.Attribute{ 472 | {Type: uint16(ctaSeqAdjCorrectionPos), Data: []byte{0x0, 0x0, 0x0, 0x1}}, 473 | {Type: uint16(ctaSeqAdjOffsetBefore), Data: []byte{0x0, 0x0, 0x0, 0x2}}, 474 | {Type: uint16(ctaSeqAdjOffsetAfter), Data: []byte{0x0, 0x0, 0x0, 0x3}}}}, 475 | {Type: uint16(ctaSeqAdjReply), Nested: true, Children: []netfilter.Attribute{ 476 | {Type: uint16(ctaSeqAdjCorrectionPos), Data: []byte{0x0, 0x0, 0x0, 0x5}}, 477 | {Type: uint16(ctaSeqAdjOffsetBefore), Data: []byte{0x0, 0x0, 0x0, 0x6}}, 478 | {Type: uint16(ctaSeqAdjOffsetAfter), Data: []byte{0x0, 0x0, 0x0, 0x7}}}}, 479 | {Type: uint16(ctaSynProxy), Nested: true, Children: []netfilter.Attribute{ 480 | {Type: uint16(ctaSynProxyISN), Data: []byte{0x12, 0x34, 0x56, 0x78}}, 481 | {Type: uint16(ctaSynProxyITS), Data: []byte{0x87, 0x65, 0x43, 0x21}}, 482 | {Type: uint16(ctaSynProxyTSOff), Data: []byte{0xab, 0xcd, 0xef, 0x0}}}}, 483 | {Type: uint16(ctaLabels), Data: []byte{0x13, 0x37}}, 484 | {Type: uint16(ctaLabelsMask), Data: []byte{0xff, 0xff}}} 485 | 486 | assert.Equal(t, attrs, want) 487 | 488 | // Can marshal with either orig or reply tuple available 489 | _, err = Flow{TupleOrig: flowIPPT}.marshal() 490 | assert.NoError(t, err) 491 | _, err = Flow{TupleReply: flowIPPT}.marshal() 492 | assert.NoError(t, err) 493 | 494 | // Cannot marshal with both orig and reply tuples empty. 495 | _, err = Flow{}.marshal() 496 | assert.ErrorIs(t, err, errNeedTuples) 497 | 498 | // Return error from orig/reply/master IPTuple marshals 499 | _, err = Flow{TupleOrig: flowBadIPPT, TupleReply: flowIPPT}.marshal() 500 | assert.ErrorIs(t, err, errBadIPTuple) 501 | _, err = Flow{TupleOrig: flowIPPT, TupleReply: flowBadIPPT}.marshal() 502 | assert.ErrorIs(t, err, errBadIPTuple) 503 | _, err = Flow{TupleOrig: flowIPPT, TupleReply: flowIPPT, TupleMaster: flowBadIPPT}.marshal() 504 | assert.ErrorIs(t, err, errBadIPTuple) 505 | } 506 | 507 | func TestUnmarshalFlowsError(t *testing.T) { 508 | // Use netfilter.MarshalNetlink to assemble a Netlink message with a single attribute with empty data. 509 | // Cause a random error in unmarshalFlows to cover error return. 510 | nlm, _ := netfilter.MarshalNetlink(netfilter.Header{}, []netfilter.Attribute{{Type: 1}}) 511 | _, err := unmarshalFlows([]netlink.Message{nlm}) 512 | assert.ErrorIs(t, err, errNotNested) 513 | } 514 | 515 | func TestNewFlow(t *testing.T) { 516 | f := NewFlow( 517 | 13, StatusNATMask, netip.MustParseAddr("2a01:1450:200e:985::200e"), 518 | netip.MustParseAddr("2a12:1250:200e:123::100d"), 64732, 443, 400, 0xf00, 519 | ) 520 | 521 | want := Flow{ 522 | Status: StatusNATMask, 523 | Timeout: 400, 524 | TupleOrig: Tuple{ 525 | IP: IPTuple{ 526 | SourceAddress: netip.MustParseAddr("2a01:1450:200e:985::200e"), 527 | DestinationAddress: netip.MustParseAddr("2a12:1250:200e:123::100d"), 528 | }, 529 | Proto: ProtoTuple{ 530 | Protocol: 13, 531 | SourcePort: 64732, 532 | DestinationPort: 443, 533 | }, 534 | }, 535 | TupleReply: Tuple{ 536 | IP: IPTuple{ 537 | DestinationAddress: netip.MustParseAddr("2a01:1450:200e:985::200e"), 538 | SourceAddress: netip.MustParseAddr("2a12:1250:200e:123::100d"), 539 | }, 540 | Proto: ProtoTuple{ 541 | Protocol: 13, 542 | DestinationPort: 64732, 543 | SourcePort: 443, 544 | }, 545 | }, 546 | Mark: 0xf00, 547 | } 548 | 549 | assert.Equal(t, want, f, "unexpected builder output") 550 | } 551 | 552 | func BenchmarkFlowUnmarshal(b *testing.B) { 553 | b.ReportAllocs() 554 | 555 | // Collect all test.attrs from corpus. This amounts to unmarshaling a flow 556 | // with all attributes (including extensions) sent by the kernel. 557 | var tests []netfilter.Attribute 558 | for _, test := range corpusFlow { 559 | tests = append(tests, test.attrs...) 560 | } 561 | 562 | // Marshal these netfilter attributes and return netlink.AttributeDecoder. 563 | ad := mustDecodeAttributes(tests) 564 | 565 | b.ResetTimer() 566 | 567 | for n := 0; n < b.N; n++ { 568 | // Make a new copy of the AD to avoid reinstantiation. 569 | iad := *ad 570 | 571 | var f Flow 572 | _ = f.unmarshal(&iad) 573 | } 574 | } 575 | -------------------------------------------------------------------------------- /gen.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | //go:generate stringer -type=attributeType 4 | //go:generate stringer -type=tupleType 5 | //go:generate stringer -type=protoInfoType 6 | //go:generate stringer -type=expectType 7 | //go:generate stringer -type=expectNATType 8 | //go:generate stringer -type=eventType 9 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/ti-mo/conntrack 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.24.2 6 | 7 | require ( 8 | github.com/mdlayher/netlink v1.7.2 9 | github.com/pkg/errors v0.9.1 10 | github.com/stretchr/testify v1.8.4 11 | github.com/ti-mo/netfilter v0.5.3 12 | github.com/vishvananda/netns v0.0.4 13 | golang.org/x/sys v0.33.0 14 | ) 15 | 16 | require ( 17 | github.com/davecgh/go-spew v1.1.1 // indirect 18 | github.com/google/go-cmp v0.7.0 // indirect 19 | github.com/josharian/native v1.1.0 // indirect 20 | github.com/mdlayher/socket v0.5.1 // indirect 21 | github.com/pmezard/go-difflib v1.0.0 // indirect 22 | golang.org/x/net v0.39.0 // indirect 23 | golang.org/x/sync v0.14.0 // indirect 24 | gopkg.in/yaml.v3 v3.0.1 // indirect 25 | ) 26 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 2 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 3 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 4 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= 5 | github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= 6 | github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= 7 | github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g= 8 | github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= 9 | github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos= 10 | github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ= 11 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 12 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 13 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 14 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 15 | github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= 16 | github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 17 | github.com/ti-mo/netfilter v0.5.3 h1:ikzduvnaUMwre5bhbNwWOd6bjqLMVb33vv0XXbK0xGQ= 18 | github.com/ti-mo/netfilter v0.5.3/go.mod h1:08SyBCg6hu1qyQk4s3DjjJKNrm3RTb32nm6AzyT972E= 19 | github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8= 20 | github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= 21 | golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY= 22 | golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= 23 | golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= 24 | golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= 25 | golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= 26 | golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 27 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= 28 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 29 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 30 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 31 | -------------------------------------------------------------------------------- /helpers.md: -------------------------------------------------------------------------------- 1 | # Conntrack Helpers 2 | 3 | Support was planned originally for creating helper entries from userspace. After some experimentation, 4 | creating expectations from userspace does not seem possible, even with upstream tools. (`conntrack`) 5 | The library code to assemble and marshal expectations will be kept around in case this becomes possible 6 | later on in the kernel. (probably not) 7 | 8 | Expectations follow a specific pattern, and can be created as follows (simple example using FTP server) 9 | w/ client in passive mode. 10 | 11 | ``` 12 | sudo modprobe nf_conntrack_ftp 13 | echo "1" | sudo tee /proc/sys/net/netfilter/nf_conntrack_helper 14 | sudo iptables -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d 127.0.0.1 -p tcp --dport 30000:30009 -j ACCEPT 15 | 16 | docker run -d --rm -e FTP_USER_NAME=bob -e FTP_USER_PASS=12345 -e FTP_USER_HOME=/home/bob -p 21:21 -p 30000-30009:30000-30009 stilliard/pure-ftpd 17 | 18 | ftp 127.0.0.1 21 -p 19 | ``` 20 | 21 | Log in with: `bob/12345` and send a file to the server. 22 | 23 | This should yield records like follows: 24 | 25 | ``` 26 | [EventExpNew] 27 | Timeout: 300, 28 | Master: , 29 | Tuple: , 30 | Mask: , 31 | Zone: {0 0}, Helper: ftp, Class: 0x30 32 | 33 | [EventExpDestroy] Timeout: 300, Master: , Tuple: , Mask: , Zone: {0 0}, Helper: ftp, Class: 0x30 34 | ``` 35 | -------------------------------------------------------------------------------- /protoinfotype_string.go: -------------------------------------------------------------------------------- 1 | // Code generated by "stringer -type=protoInfoType"; DO NOT EDIT. 2 | 3 | package conntrack 4 | 5 | import "strconv" 6 | 7 | func _() { 8 | // An "invalid array index" compiler error signifies that the constant values have changed. 9 | // Re-run the stringer command to generate them again. 10 | var x [1]struct{} 11 | _ = x[ctaProtoInfoUnspec-0] 12 | _ = x[ctaProtoInfoTCP-1] 13 | _ = x[ctaProtoInfoDCCP-2] 14 | _ = x[ctaProtoInfoSCTP-3] 15 | } 16 | 17 | const _protoInfoType_name = "ctaProtoInfoUnspecctaProtoInfoTCPctaProtoInfoDCCPctaProtoInfoSCTP" 18 | 19 | var _protoInfoType_index = [...]uint8{0, 18, 33, 49, 65} 20 | 21 | func (i protoInfoType) String() string { 22 | if i >= protoInfoType(len(_protoInfoType_index)-1) { 23 | return "protoInfoType(" + strconv.FormatInt(int64(i), 10) + ")" 24 | } 25 | return _protoInfoType_name[_protoInfoType_index[i]:_protoInfoType_index[i+1]] 26 | } 27 | -------------------------------------------------------------------------------- /stats.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/mdlayher/netlink" 7 | 8 | "github.com/ti-mo/netfilter" 9 | ) 10 | 11 | // Stats represents the Conntrack performance counters of a single CPU (core). 12 | // It indicates which and how many Flow operations took place on each CPU. 13 | type Stats struct { 14 | CPUID uint16 15 | Found uint32 16 | Invalid uint32 17 | Ignore uint32 18 | Insert uint32 19 | InsertFailed uint32 20 | Drop uint32 21 | EarlyDrop uint32 22 | Error uint32 23 | SearchRestart uint32 24 | } 25 | 26 | func (s Stats) String() string { 27 | return fmt.Sprintf( 28 | "", 30 | s.CPUID, s.Found, s.Invalid, s.Ignore, s.Insert, s.InsertFailed, 31 | s.Drop, s.EarlyDrop, s.Error, s.SearchRestart, 32 | ) 33 | } 34 | 35 | // unmarshal unmarshals a list of netfilter.Attributes into a Stats structure. 36 | func (s *Stats) unmarshal(attrs []netfilter.Attribute) { 37 | for _, attr := range attrs { 38 | switch at := cpuStatsType(attr.Type); at { 39 | case ctaStatsFound: 40 | s.Found = attr.Uint32() 41 | case ctaStatsInvalid: 42 | s.Invalid = attr.Uint32() 43 | case ctaStatsIgnore: 44 | s.Ignore = attr.Uint32() 45 | case ctaStatsInsert: 46 | s.Insert = attr.Uint32() 47 | case ctaStatsInsertFailed: 48 | s.InsertFailed = attr.Uint32() 49 | case ctaStatsDrop: 50 | s.Drop = attr.Uint32() 51 | case ctaStatsEarlyDrop: 52 | s.EarlyDrop = attr.Uint32() 53 | case ctaStatsError: 54 | s.Error = attr.Uint32() 55 | case ctaStatsSearchRestart: 56 | s.SearchRestart = attr.Uint32() 57 | case ctaStatsSearched, ctaStatsNew, ctaStatsDelete, ctaStatsDeleteList: 58 | // Deprecated performance counters, not parsed into Stats. 59 | // See torvalds/linux@8e8118f. 60 | } 61 | } 62 | } 63 | 64 | // StatsExpect represents the Conntrack Expect performance counters of a single CPU (core). 65 | // It indicates how many Expect entries were initialized, created or deleted on each CPU. 66 | type StatsExpect struct { 67 | CPUID uint16 68 | New, Create, Delete uint32 69 | } 70 | 71 | // unmarshal unmarshals a list of netfilter.Attributes into a StatsExpect structure. 72 | func (se *StatsExpect) unmarshal(attrs []netfilter.Attribute) { 73 | 74 | for _, attr := range attrs { 75 | switch at := expectStatsType(attr.Type); at { 76 | case ctaStatsExpNew: 77 | se.New = attr.Uint32() 78 | case ctaStatsExpCreate: 79 | se.Create = attr.Uint32() 80 | case ctaStatsExpDelete: 81 | se.Delete = attr.Uint32() 82 | } 83 | } 84 | } 85 | 86 | // StatsGlobal represents global statistics about the conntrack subsystem. 87 | type StatsGlobal struct { 88 | Entries, MaxEntries uint32 89 | } 90 | 91 | // unmarshal unmarshals a list of netfilter.Attributes into a Stats structure. 92 | func (sg *StatsGlobal) unmarshal(attrs []netfilter.Attribute) { 93 | 94 | for _, attr := range attrs { 95 | switch at := globalStatsType(attr.Type); at { 96 | case ctaStatsGlobalEntries: 97 | sg.Entries = attr.Uint32() 98 | case ctaStatsGlobalMaxEntries: 99 | sg.MaxEntries = attr.Uint32() 100 | } 101 | } 102 | } 103 | 104 | // unmarshalStats unmarshals a list of Stats from a list of netlink.Messages. 105 | func unmarshalStats(nlm []netlink.Message) ([]Stats, error) { 106 | 107 | stats := make([]Stats, len(nlm)) 108 | 109 | for idx, m := range nlm { 110 | 111 | hdr, nfa, err := netfilter.UnmarshalNetlink(m) 112 | if err != nil { 113 | return nil, err 114 | } 115 | 116 | s := Stats{CPUID: hdr.ResourceID} 117 | s.unmarshal(nfa) 118 | 119 | stats[idx] = s 120 | } 121 | 122 | return stats, nil 123 | } 124 | 125 | // unmarshalStatsExpect unmarshals a list of StatsExpect from a list of netlink.Messages. 126 | func unmarshalStatsExpect(nlm []netlink.Message) ([]StatsExpect, error) { 127 | 128 | stats := make([]StatsExpect, len(nlm)) 129 | 130 | for idx, m := range nlm { 131 | 132 | hdr, nfa, err := netfilter.UnmarshalNetlink(m) 133 | if err != nil { 134 | return nil, err 135 | } 136 | 137 | se := StatsExpect{CPUID: hdr.ResourceID} 138 | se.unmarshal(nfa) 139 | 140 | stats[idx] = se 141 | } 142 | 143 | return stats, nil 144 | } 145 | 146 | // unmarshalStatsGlobal unmarshals a StatsGlobal from a netlink.Message. 147 | func unmarshalStatsGlobal(nlm netlink.Message) (StatsGlobal, error) { 148 | 149 | var sg StatsGlobal 150 | 151 | _, nfa, err := netfilter.UnmarshalNetlink(nlm) 152 | if err != nil { 153 | return sg, err 154 | } 155 | 156 | sg.unmarshal(nfa) 157 | 158 | return sg, nil 159 | } 160 | -------------------------------------------------------------------------------- /stats_integration_test.go: -------------------------------------------------------------------------------- 1 | //go:build integration 2 | 3 | package conntrack 4 | 5 | import ( 6 | "net/netip" 7 | "testing" 8 | 9 | "github.com/stretchr/testify/assert" 10 | "github.com/stretchr/testify/require" 11 | ) 12 | 13 | func TestConnStats(t *testing.T) { 14 | 15 | if !findKsym("ctnetlink_ct_stat_cpu_dump") { 16 | t.Skip("Per-CPU stats not implemented in this kernel") 17 | } 18 | 19 | c, _, err := makeNSConn() 20 | require.NoError(t, err) 21 | 22 | stats, err := c.Stats() 23 | require.NoError(t, err) 24 | 25 | for i, s := range stats { 26 | // Make sure the array index corresponds to the CPUID of each entry. 27 | assert.EqualValues(t, i, s.CPUID) 28 | } 29 | } 30 | 31 | func TestConnStatsExpect(t *testing.T) { 32 | 33 | if !findKsym("ctnetlink_exp_stat_cpu_dump") { 34 | t.Skip("Per-CPU Expect stats not implemented in this kernel") 35 | } 36 | 37 | c, _, err := makeNSConn() 38 | require.NoError(t, err) 39 | 40 | statsExpect, err := c.StatsExpect() 41 | require.NoError(t, err) 42 | 43 | for i, s := range statsExpect { 44 | // Make sure the array index corresponds to the CPUID of each entry. 45 | assert.EqualValues(t, i, s.CPUID) 46 | } 47 | } 48 | 49 | func TestConnStatsGlobal(t *testing.T) { 50 | 51 | if !findKsym("ctnetlink_stat_ct") { 52 | t.Skip("Global stats not implemented in this kernel") 53 | } 54 | 55 | c, _, err := makeNSConn() 56 | require.NoError(t, err) 57 | 58 | numFlows := 42 59 | 60 | var f Flow 61 | 62 | // Create IPv4 flows 63 | for i := 1; i <= numFlows; i++ { 64 | f = NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, uint16(i), 120, 0) 65 | 66 | err = c.Create(f) 67 | require.NoError(t, err, "creating IPv4 flow", i) 68 | } 69 | 70 | // Create IPv6 flows 71 | for i := 1; i <= numFlows; i++ { 72 | err = c.Create(NewFlow( 73 | 17, 0, 74 | netip.MustParseAddr("2a00:1450:400e:804::200e"), 75 | netip.MustParseAddr("2a00:1450:400e:804::200f"), 76 | 1234, uint16(i), 120, 0, 77 | )) 78 | require.NoError(t, err, "creating IPv6 flow", i) 79 | } 80 | 81 | sg, err := c.StatsGlobal() 82 | require.NoError(t, err, "query StatsGlobal") 83 | 84 | assert.EqualValues(t, numFlows*2, sg.Entries) 85 | } 86 | -------------------------------------------------------------------------------- /stats_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/stretchr/testify/assert" 7 | 8 | "github.com/ti-mo/netfilter" 9 | ) 10 | 11 | func TestStatsUnmarshal(t *testing.T) { 12 | 13 | nfa := []netfilter.Attribute{ 14 | { 15 | Type: uint16(ctaStatsFound), 16 | Data: []byte{0x01, 0xab, 0xcd, 0xef}, 17 | }, 18 | { 19 | Type: uint16(ctaStatsInvalid), 20 | Data: []byte{0x02, 0xab, 0xcd, 0xef}, 21 | }, 22 | { 23 | Type: uint16(ctaStatsIgnore), 24 | Data: []byte{0x03, 0xab, 0xcd, 0xef}, 25 | }, 26 | { 27 | Type: uint16(ctaStatsInsert), 28 | Data: []byte{0x04, 0xab, 0xcd, 0xef}, 29 | }, 30 | { 31 | Type: uint16(ctaStatsInsertFailed), 32 | Data: []byte{0x05, 0xab, 0xcd, 0xef}, 33 | }, 34 | { 35 | Type: uint16(ctaStatsDrop), 36 | Data: []byte{0x06, 0xab, 0xcd, 0xef}, 37 | }, 38 | { 39 | Type: uint16(ctaStatsEarlyDrop), 40 | Data: []byte{0x07, 0xab, 0xcd, 0xef}, 41 | }, 42 | { 43 | Type: uint16(ctaStatsError), 44 | Data: []byte{0x08, 0xab, 0xcd, 0xef}, 45 | }, 46 | { 47 | Type: uint16(ctaStatsSearchRestart), 48 | Data: []byte{0x09, 0xab, 0xcd, 0xef}, 49 | }, 50 | {Type: uint16(ctaStatsSearched)}, 51 | {Type: uint16(ctaStatsNew)}, 52 | {Type: uint16(ctaStatsDelete)}, 53 | {Type: uint16(ctaStatsDeleteList)}, 54 | } 55 | 56 | want := Stats{ 57 | Found: 0x01abcdef, 58 | Invalid: 0x02abcdef, 59 | Ignore: 0x03abcdef, 60 | Insert: 0x04abcdef, 61 | InsertFailed: 0x05abcdef, 62 | Drop: 0x06abcdef, 63 | EarlyDrop: 0x07abcdef, 64 | Error: 0x08abcdef, 65 | SearchRestart: 0x09abcdef, 66 | } 67 | 68 | var s Stats 69 | s.unmarshal(nfa) 70 | assert.Equal(t, want, s, "unexpected unmarshal") 71 | } 72 | 73 | func TestStatsExpectUnmarshal(t *testing.T) { 74 | 75 | nfa := []netfilter.Attribute{ 76 | { 77 | Type: uint16(ctaStatsExpNew), 78 | Data: []byte{0x01, 0xab, 0xcd, 0xef}, 79 | }, 80 | { 81 | Type: uint16(ctaStatsExpCreate), 82 | Data: []byte{0x02, 0xab, 0xcd, 0xef}, 83 | }, 84 | { 85 | Type: uint16(ctaStatsExpDelete), 86 | Data: []byte{0x03, 0xab, 0xcd, 0xef}, 87 | }, 88 | } 89 | 90 | want := StatsExpect{ 91 | New: 0x01abcdef, 92 | Create: 0x02abcdef, 93 | Delete: 0x03abcdef, 94 | } 95 | 96 | var se StatsExpect 97 | se.unmarshal(nfa) 98 | assert.Equal(t, want, se, "unexpected unmarshal") 99 | } 100 | 101 | func TestStatsGlobalUnmarshal(t *testing.T) { 102 | 103 | nfa := []netfilter.Attribute{ 104 | { 105 | Type: uint16(ctaStatsGlobalEntries), 106 | Data: []byte{0x01, 0xab, 0xcd, 0xef}, 107 | }, 108 | { 109 | Type: uint16(ctaStatsGlobalMaxEntries), 110 | Data: []byte{0x02, 0xab, 0xcd, 0xef}, 111 | }, 112 | } 113 | 114 | want := StatsGlobal{ 115 | Entries: 0x01abcdef, 116 | MaxEntries: 0x02abcdef, 117 | } 118 | 119 | var sg StatsGlobal 120 | sg.unmarshal(nfa) 121 | assert.Equal(t, want, sg, "unexpected unmarshal") 122 | } 123 | -------------------------------------------------------------------------------- /status.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "github.com/mdlayher/netlink" 5 | "github.com/ti-mo/netfilter" 6 | ) 7 | 8 | // unmarshal unmarshals a Status from ad. 9 | func (s *Status) unmarshal(ad *netlink.AttributeDecoder) error { 10 | if ad.Len() != 1 { 11 | return errNeedSingleChild 12 | } 13 | 14 | if !ad.Next() { 15 | return ad.Err() 16 | } 17 | 18 | if len(ad.Bytes()) != 4 { 19 | return errIncorrectSize 20 | } 21 | 22 | *s = Status(ad.Uint32()) 23 | 24 | return ad.Err() 25 | } 26 | 27 | // marshal marshals a Status into a netfilter.Attribute. 28 | func (s Status) marshal() netfilter.Attribute { 29 | return netfilter.Attribute{ 30 | Type: uint16(ctaStatus), 31 | Data: netfilter.Uint32Bytes(uint32(s)), 32 | } 33 | } 34 | 35 | // Expected indicates that this connection is an expected connection, 36 | // created by Conntrack helpers based on the state of another, related connection. 37 | func (s Status) Expected() bool { 38 | return s&StatusExpected != 0 39 | } 40 | 41 | // SeenReply is set when the flow has seen traffic both ways. 42 | func (s Status) SeenReply() bool { 43 | return s&StatusSeenReply != 0 44 | } 45 | 46 | // Assured is set when eg. three-way handshake is completed on a TCP flow. 47 | func (s Status) Assured() bool { 48 | return s&StatusAssured != 0 49 | } 50 | 51 | // Confirmed is set when the original packet has left the box. 52 | func (s Status) Confirmed() bool { 53 | return s&StatusConfirmed != 0 54 | } 55 | 56 | // SrcNAT means the connection needs source NAT in the original direction. 57 | func (s Status) SrcNAT() bool { 58 | return s&StatusSrcNAT != 0 59 | } 60 | 61 | // DstNAT means the connection needs destination NAT in the original direction. 62 | func (s Status) DstNAT() bool { 63 | return s&StatusDstNAT != 0 64 | } 65 | 66 | // SeqAdjust means the connection needs its TCP sequence to be adjusted. 67 | func (s Status) SeqAdjust() bool { 68 | return s&StatusSeqAdjust != 0 69 | } 70 | 71 | // SrcNATDone is set when source NAT was applied onto the connection. 72 | func (s Status) SrcNATDone() bool { 73 | return s&StatusSrcNATDone != 0 74 | } 75 | 76 | // DstNATDone is set when destination NAT was applied onto the connection. 77 | func (s Status) DstNATDone() bool { 78 | return s&StatusDstNATDone != 0 79 | } 80 | 81 | // Dying means the connection has concluded and needs to be cleaned up by GC. 82 | func (s Status) Dying() bool { 83 | return s&StatusDying != 0 84 | } 85 | 86 | // FixedTimeout means the connection's timeout value cannot be changed. 87 | func (s Status) FixedTimeout() bool { 88 | return s&StatusFixedTimeout != 0 89 | } 90 | 91 | // Template indicates if the connection is a template. 92 | func (s Status) Template() bool { 93 | return s&StatusTemplate != 0 94 | } 95 | 96 | // Helper is set when a helper was explicitly attached using a Conntrack target. 97 | func (s Status) Helper() bool { 98 | return s&StatusHelper != 0 99 | } 100 | 101 | // Offload is set when the connection was offloaded to flow table. 102 | func (s Status) Offload() bool { 103 | return s&StatusOffload != 0 104 | } 105 | 106 | // Status is a bitfield describing the state of a Flow. 107 | type Status uint32 108 | 109 | // Conntrack connection's status flags, from enum ip_conntrack_status. 110 | // uapi/linux/netfilter/nf_conntrack_common.h 111 | const ( 112 | StatusExpected Status = 1 // IPS_EXPECTED 113 | StatusSeenReply Status = 1 << 1 // IPS_SEEN_REPLY 114 | StatusAssured Status = 1 << 2 // IPS_ASSURED 115 | StatusConfirmed Status = 1 << 3 // IPS_CONFIRMED 116 | StatusSrcNAT Status = 1 << 4 // IPS_SRC_NAT 117 | StatusDstNAT Status = 1 << 5 // IPS_DST_NAT 118 | 119 | StatusNATMask = StatusDstNAT | StatusSrcNAT // IPS_NAT_MASK 120 | 121 | StatusSeqAdjust Status = 1 << 6 // IPS_SEQ_ADJUST 122 | StatusSrcNATDone Status = 1 << 7 // IPS_SRC_NAT_DONE 123 | StatusDstNATDone Status = 1 << 8 // IPS_DST_NAT_DONE 124 | 125 | StatusNATDoneMask = StatusDstNATDone | StatusSrcNATDone // IPS_NAT_DONE_MASK 126 | 127 | StatusDying Status = 1 << 9 128 | StatusFixedTimeout Status = 1 << 10 // IPS_FIXED_TIMEOUT 129 | StatusTemplate Status = 1 << 11 // IPS_TEMPLATE 130 | StatusUntracked Status = 1 << 12 // IPS_UNTRACKED 131 | StatusHelper Status = 1 << 13 // IPS_HELPER 132 | StatusOffload Status = 1 << 14 // IPS_OFFLOAD 133 | ) 134 | -------------------------------------------------------------------------------- /status_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/mdlayher/netlink" 7 | "github.com/mdlayher/netlink/nlenc" 8 | "github.com/mdlayher/netlink/nltest" 9 | "github.com/stretchr/testify/assert" 10 | "github.com/stretchr/testify/require" 11 | "github.com/ti-mo/netfilter" 12 | ) 13 | 14 | var nfaUnspecU16 = netfilter.Attribute{Type: uint16(ctaUnspec), Data: []byte{0, 0}} 15 | 16 | func TestStatusError(t *testing.T) { 17 | var s Status 18 | assert.ErrorIs(t, s.unmarshal(adEmpty), errNeedSingleChild) 19 | assert.ErrorIs(t, s.unmarshal(mustDecodeAttribute(nfaUnspecU16)), errIncorrectSize) 20 | 21 | // Exhaust the AttributeDecoder before passing to unmarshal. 22 | ad := mustDecodeAttribute(nfaUnspecU16) 23 | ad.Next() 24 | assert.NoError(t, s.unmarshal(ad)) 25 | } 26 | 27 | func TestStatusMarshalTwoWay(t *testing.T) { 28 | tests := []struct { 29 | name string 30 | b []byte 31 | status Status 32 | err error 33 | }{ 34 | { 35 | name: "default values", 36 | b: []byte{0x00, 0x00, 0x00, 0x00}, 37 | status: 0, 38 | }, 39 | { 40 | name: "assured", 41 | b: []byte{0x00, 0x00, 0x00, 0xc}, 42 | status: StatusAssured | StatusConfirmed, 43 | }, 44 | { 45 | name: "out of range, only highest bits flipped", 46 | b: []byte{0xFF, 0xFF, 0x80, 0x00}, 47 | status: 0xFFFF8000, 48 | }, 49 | { 50 | name: "error, byte array too short", 51 | b: []byte{0xBE, 0xEF}, 52 | err: errIncorrectSize, 53 | }, 54 | { 55 | name: "error, byte array too long", 56 | b: []byte{0xDE, 0xAD, 0xC0, 0xDE, 0x00, 0x00}, 57 | err: errIncorrectSize, 58 | }, 59 | } 60 | 61 | for _, tt := range tests { 62 | t.Run(tt.name, func(t *testing.T) { 63 | // Wrap in status attribute container 64 | nfa := netfilter.Attribute{ 65 | Type: uint16(ctaStatus), 66 | Data: tt.b, 67 | } 68 | 69 | var s Status 70 | err := s.unmarshal(mustDecodeAttribute(nfa)) 71 | if err != nil || tt.err != nil { 72 | require.ErrorIs(t, err, tt.err) 73 | return 74 | } 75 | 76 | require.Equal(t, tt.status, s, "unexpected unmarshal") 77 | 78 | ms := s.marshal() 79 | assert.Equal(t, nfa, ms, "unexpected marshal") 80 | }) 81 | } 82 | } 83 | 84 | func TestStatusFieldTest(t *testing.T) { 85 | assert.Equal(t, true, StatusExpected.Expected(), "expected") 86 | assert.Equal(t, true, StatusSeenReply.SeenReply(), "seenreply") 87 | assert.Equal(t, true, StatusAssured.Assured(), "assured") 88 | assert.Equal(t, true, StatusConfirmed.Confirmed(), "confirmed") 89 | assert.Equal(t, true, StatusSrcNAT.SrcNAT(), "srcnat") 90 | assert.Equal(t, true, StatusDstNAT.DstNAT(), "dstnat") 91 | assert.Equal(t, true, StatusSeqAdjust.SeqAdjust(), "seqadjust") 92 | assert.Equal(t, true, StatusSrcNATDone.SrcNATDone(), "srcnatdone") 93 | assert.Equal(t, true, StatusDstNATDone.DstNATDone(), "dstnatdone") 94 | assert.Equal(t, true, StatusDying.Dying(), "dying") 95 | assert.Equal(t, true, StatusFixedTimeout.FixedTimeout(), "fixedtimeout") 96 | assert.Equal(t, true, StatusTemplate.Template(), "template") 97 | assert.Equal(t, true, StatusHelper.Helper(), "helper") 98 | assert.Equal(t, true, StatusOffload.Offload(), "offload") 99 | } 100 | 101 | func TestStatusString(t *testing.T) { 102 | full, empty := Status(0xffffffff), Status(0) 103 | 104 | wantFull := "EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT|DST_NAT|SEQ_ADJUST|SRC_NAT_DONE|DST_NAT_DONE|" + 105 | "DYING|FIXED_TIMEOUT|TEMPLATE|UNTRACKED|HELPER|OFFLOAD" 106 | if want, got := wantFull, full.String(); want != got { 107 | t.Errorf("unexpected string:\n- want: %s\n- got: %s", wantFull, got) 108 | } 109 | 110 | wantEmpty := "NONE" 111 | if want, got := wantEmpty, empty.String(); wantEmpty != got { 112 | t.Errorf("unexpected string:\n- want: %s\n- got: %s", want, got) 113 | } 114 | 115 | } 116 | 117 | func BenchmarkStatusUnmarshalAttribute(b *testing.B) { 118 | 119 | var ads []netlink.AttributeDecoder 120 | for i := 1; i <= 8; i++ { 121 | nla := netlink.Attribute{Data: nlenc.Uint32Bytes(uint32(i))} 122 | ad, err := netfilter.NewAttributeDecoder(nltest.MustMarshalAttributes([]netlink.Attribute{nla})) 123 | if err != nil { 124 | b.Error(err) 125 | } 126 | ads = append(ads, *ad) 127 | } 128 | 129 | var ss Status 130 | var ad netlink.AttributeDecoder 131 | adl := len(ads) 132 | 133 | for n := 0; n < b.N; n++ { 134 | // Make a fresh copy of the AttributeDecoder. 135 | ad = ads[n%adl] 136 | if err := ss.unmarshal(&ad); err != nil { 137 | b.Fatal(err) 138 | } 139 | } 140 | } 141 | -------------------------------------------------------------------------------- /string.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | "strconv" 6 | ) 7 | 8 | // protoLookup translates a protocol integer into its string representation. 9 | func protoLookup(p uint8) string { 10 | protos := map[uint8]string{ 11 | 1: "icmp", 12 | 2: "igmp", 13 | 6: "tcp", 14 | 17: "udp", 15 | 33: "dccp", 16 | 47: "gre", 17 | 58: "ipv6-icmp", 18 | 94: "ipip", 19 | 115: "l2tp", 20 | 132: "sctp", 21 | 136: "udplite", 22 | } 23 | 24 | if val, ok := protos[p]; ok { 25 | return val 26 | } 27 | 28 | return strconv.FormatUint(uint64(p), 10) 29 | } 30 | 31 | func (s Status) String() string { 32 | names := []string{ 33 | "EXPECTED", 34 | "SEEN_REPLY", 35 | "ASSURED", 36 | "CONFIRMED", 37 | "SRC_NAT", 38 | "DST_NAT", 39 | "SEQ_ADJUST", 40 | "SRC_NAT_DONE", 41 | "DST_NAT_DONE", 42 | "DYING", 43 | "FIXED_TIMEOUT", 44 | "TEMPLATE", 45 | "UNTRACKED", 46 | "HELPER", 47 | "OFFLOAD", 48 | } 49 | 50 | var rs string 51 | 52 | // Loop over the field's bits 53 | for i, name := range names { 54 | if s&(1<", e.Flow.Labels, e.Flow.LabelsMask) 87 | } 88 | 89 | // Mark/mask 90 | mark := "" 91 | if e.Flow.Mark != 0 { 92 | mark = fmt.Sprintf("Mark: <%#x>", e.Flow.Mark) 93 | } 94 | 95 | // SeqAdj 96 | seqadjo := "" 97 | if e.Flow.SeqAdjOrig.filled() { 98 | seqadjo = fmt.Sprintf("SeqAdjOrig: %s", e.Flow.SeqAdjOrig) 99 | } 100 | seqadjr := "" 101 | if e.Flow.SeqAdjReply.filled() { 102 | seqadjr = fmt.Sprintf("SeqAdjReply: %s", e.Flow.SeqAdjReply) 103 | } 104 | 105 | // Security Context 106 | secctx := "" 107 | if e.Flow.SecurityContext != "" { 108 | secctx = fmt.Sprintf("SecCtx: %s", e.Flow.SecurityContext) 109 | } 110 | 111 | return fmt.Sprintf("[%s]%s Timeout: %d, %s, Zone %d, %s, %s, %s, %s, %s, %s", 112 | e.Type, status, 113 | e.Flow.Timeout, 114 | e.Flow.TupleOrig, 115 | e.Flow.Zone, 116 | acct, labels, mark, 117 | seqadjo, seqadjr, secctx) 118 | } 119 | 120 | if e.Expect != nil { 121 | return fmt.Sprintf("[%s] Timeout: %d, Master: %s, Tuple: %s, Mask: %s, Zone: %d, Helper: '%s', Class: %#x", 122 | e.Type, e.Expect.Timeout, 123 | e.Expect.TupleMaster, e.Expect.Tuple, e.Expect.Mask, 124 | e.Expect.Zone, e.Expect.HelpName, e.Expect.Class, 125 | ) 126 | } 127 | 128 | return fmt.Sprintf("[%s] ", e.Type) 129 | } 130 | -------------------------------------------------------------------------------- /string_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "net/netip" 5 | "testing" 6 | 7 | "github.com/stretchr/testify/assert" 8 | ) 9 | 10 | func TestProtoLookup(t *testing.T) { 11 | 12 | // Existing proto 13 | if got := protoLookup(6); got != "tcp" { 14 | t.Fatalf("unexpected string representation of proto 6: %s", got) 15 | } 16 | 17 | // Non-existent proto 18 | if got := protoLookup(255); got != "255" { 19 | t.Fatalf("unexpected string representation of proto 255: %s", got) 20 | } 21 | } 22 | 23 | func TestEventString(t *testing.T) { 24 | tpl := Tuple{ 25 | IP: IPTuple{ 26 | SourceAddress: netip.MustParseAddr("1.2.3.4"), 27 | DestinationAddress: netip.MustParseAddr("fe80::1"), 28 | }, 29 | Proto: ProtoTuple{ 30 | SourcePort: 54321, 31 | DestinationPort: 80, 32 | }, 33 | } 34 | 35 | // Empty event 36 | e := Event{} 37 | 38 | assert.Equal(t, "[EventUnknown] ", e.String()) 39 | 40 | // Event with Flow 41 | ef := Event{Flow: &Flow{}} 42 | 43 | ef.Flow.Status = StatusAssured 44 | 45 | ef.Flow.TupleOrig = tpl 46 | 47 | ef.Flow.CountersOrig.Bytes = 42 48 | ef.Flow.CountersOrig.Packets = 1 49 | 50 | ef.Flow.CountersReply.Direction = true 51 | 52 | ef.Flow.Labels = []byte{0xf0, 0xf0} 53 | ef.Flow.LabelsMask = []byte{0xff, 0xff} 54 | 55 | ef.Flow.Mark = 0xf000baaa 56 | 57 | ef.Flow.SeqAdjOrig = SequenceAdjust{OffsetBefore: 80, OffsetAfter: 747811, Position: 42} 58 | ef.Flow.SeqAdjReply = SequenceAdjust{Direction: true, OffsetBefore: 123, OffsetAfter: 456, Position: 889999} 59 | 60 | ef.Flow.SecurityContext = "selinux_t" 61 | 62 | assert.Equal(t, 63 | "[EventUnknown] (Unreplied) Timeout: 0, <0, Src: 1.2.3.4:54321, Dst: [fe80::1]:80>, "+ 64 | "Zone 0, Acct: [orig: 1 pkts/42 B] [reply: 0 pkts/0 B], Label: <0xf0f0/0xffff>, "+ 65 | "Mark: <0xf000baaa>, SeqAdjOrig: [dir: orig, pos: 42, before: 80, after: 747811], "+ 66 | "SeqAdjReply: [dir: reply, pos: 889999, before: 123, after: 456], SecCtx: selinux_t", 67 | ef.String()) 68 | 69 | // Event with Expect 70 | ee := Event{Type: EventExpDestroy, Expect: &Expect{}} 71 | 72 | ee.Expect.TupleMaster = tpl 73 | ee.Expect.Tuple = tpl 74 | ee.Expect.Mask = tpl 75 | 76 | ee.Expect.HelpName = "ftp" 77 | ee.Expect.Class = 0x42 78 | 79 | assert.Equal(t, "[EventExpDestroy] Timeout: 0, Master: <0, Src: 1.2.3.4:54321, Dst: [fe80::1]:80>, "+ 80 | "Tuple: <0, Src: 1.2.3.4:54321, Dst: [fe80::1]:80>, Mask: <0, Src: 1.2.3.4:54321, Dst: [fe80::1]:80>, "+ 81 | "Zone: 0, Helper: 'ftp', Class: 0x42", 82 | ee.String()) 83 | } 84 | 85 | func TestStatsString(t *testing.T) { 86 | s := Stats{CPUID: 42, Found: 2, SearchRestart: 999} 87 | assert.Equal(t, "", s.String()) 89 | } 90 | -------------------------------------------------------------------------------- /tuple.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "fmt" 5 | "net" 6 | "net/netip" 7 | "strconv" 8 | "syscall" 9 | 10 | "github.com/mdlayher/netlink" 11 | "golang.org/x/sys/unix" 12 | 13 | "github.com/ti-mo/netfilter" 14 | ) 15 | 16 | // A Tuple holds an IPTuple, ProtoTuple and a Zone. 17 | type Tuple struct { 18 | IP IPTuple 19 | Proto ProtoTuple 20 | Zone uint16 21 | } 22 | 23 | // Filled returns true if the Tuple's IP and Proto members are filled. 24 | // The Zone attribute is not considered, because it is zero in most cases. 25 | func (t Tuple) filled() bool { 26 | return t.IP.filled() && t.Proto.filled() 27 | } 28 | 29 | // String returns a string representation of a Tuple. 30 | func (t Tuple) String() string { 31 | return fmt.Sprintf("<%s, Src: %s, Dst: %s>", 32 | protoLookup(t.Proto.Protocol), 33 | net.JoinHostPort(t.IP.SourceAddress.String(), strconv.Itoa(int(t.Proto.SourcePort))), 34 | net.JoinHostPort(t.IP.DestinationAddress.String(), strconv.Itoa(int(t.Proto.DestinationPort))), 35 | ) 36 | } 37 | 38 | // unmarshal unmarshals netlink attributes into a Tuple. 39 | func (t *Tuple) unmarshal(ad *netlink.AttributeDecoder) error { 40 | if ad.Len() < 2 { 41 | return errNeedChildren 42 | } 43 | 44 | for ad.Next() { 45 | tt := tupleType(ad.Type()) 46 | switch tt { 47 | case ctaTupleIP: 48 | var ti IPTuple 49 | ad.Nested(ti.unmarshal) 50 | t.IP = ti 51 | case ctaTupleProto: 52 | var tp ProtoTuple 53 | ad.Nested(tp.unmarshal) 54 | t.Proto = tp 55 | case ctaTupleZone: 56 | t.Zone = ad.Uint16() 57 | default: 58 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 59 | } 60 | 61 | if err := ad.Err(); err != nil { 62 | return fmt.Errorf("unmarshal %s: %w", tt, err) 63 | } 64 | } 65 | 66 | return ad.Err() 67 | } 68 | 69 | // marshal marshals a Tuple to a netfilter.Attribute. 70 | func (t Tuple) marshal(at uint16) (netfilter.Attribute, error) { 71 | nfa := netfilter.Attribute{Type: at, Nested: true, Children: make([]netfilter.Attribute, 2, 3)} 72 | 73 | ipt, err := t.IP.marshal() 74 | if err != nil { 75 | return netfilter.Attribute{}, err 76 | } 77 | 78 | nfa.Children[0] = ipt 79 | nfa.Children[1] = t.Proto.marshal() 80 | 81 | if t.Zone != 0 { 82 | nfa.Children = append(nfa.Children, netfilter.Attribute{ 83 | Type: uint16(ctaTupleZone), Data: netfilter.Uint16Bytes(t.Zone), 84 | }) 85 | } 86 | 87 | return nfa, nil 88 | } 89 | 90 | // An IPTuple encodes a source and destination address. 91 | type IPTuple struct { 92 | SourceAddress netip.Addr 93 | DestinationAddress netip.Addr 94 | } 95 | 96 | // Filled returns true if the IPTuple's fields are non-zero. 97 | func (ipt IPTuple) filled() bool { 98 | return ipt.SourceAddress.IsValid() && ipt.DestinationAddress.IsValid() 99 | } 100 | 101 | // unmarshal unmarshals netlink attributes into an IPTuple. 102 | func (ipt *IPTuple) unmarshal(ad *netlink.AttributeDecoder) error { 103 | if ad.Len() != 2 { 104 | return errNeedChildren 105 | } 106 | 107 | for ad.Next() { 108 | addr, ok := netip.AddrFromSlice(ad.Bytes()) 109 | if !ok { 110 | return errIncorrectSize 111 | } 112 | 113 | switch ipTupleType(ad.Type()) { 114 | case ctaIPv4Src, ctaIPv6Src: 115 | ipt.SourceAddress = addr 116 | case ctaIPv4Dst, ctaIPv6Dst: 117 | ipt.DestinationAddress = addr 118 | default: 119 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 120 | } 121 | } 122 | 123 | return ad.Err() 124 | } 125 | 126 | // marshal marshals an IPTuple to a netfilter.Attribute. 127 | func (ipt IPTuple) marshal() (netfilter.Attribute, error) { 128 | if !ipt.SourceAddress.IsValid() || !ipt.DestinationAddress.IsValid() { 129 | return netfilter.Attribute{}, errBadIPTuple 130 | } 131 | 132 | nfa := netfilter.Attribute{Type: uint16(ctaTupleIP), Nested: true, Children: make([]netfilter.Attribute, 2)} 133 | 134 | switch { 135 | case ipt.SourceAddress.Is4() && ipt.DestinationAddress.Is4(): 136 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaIPv4Src), Data: ipt.SourceAddress.AsSlice()} 137 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaIPv4Dst), Data: ipt.DestinationAddress.AsSlice()} 138 | case ipt.SourceAddress.Is6() && ipt.DestinationAddress.Is6(): 139 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaIPv6Src), Data: ipt.SourceAddress.AsSlice()} 140 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaIPv6Dst), Data: ipt.DestinationAddress.AsSlice()} 141 | default: 142 | // not the same IP family for source and destination 143 | return netfilter.Attribute{}, errBadIPTuple 144 | } 145 | 146 | return nfa, nil 147 | } 148 | 149 | // IsIPv6 returns true if the IPTuple contains source and destination addresses that are both IPv6. 150 | func (ipt IPTuple) IsIPv6() bool { 151 | return ipt.SourceAddress.Is6() && ipt.DestinationAddress.Is6() 152 | } 153 | 154 | // A ProtoTuple encodes a protocol number, source port and destination port. 155 | type ProtoTuple struct { 156 | Protocol uint8 157 | SourcePort uint16 158 | DestinationPort uint16 159 | 160 | ICMPv4 bool 161 | ICMPv6 bool 162 | 163 | ICMPID uint16 164 | ICMPType uint8 165 | ICMPCode uint8 166 | } 167 | 168 | // Filled returns true if the ProtoTuple's protocol is non-zero. 169 | func (pt ProtoTuple) filled() bool { 170 | return pt.Protocol != 0 171 | } 172 | 173 | // unmarshal unmarshals a netfilter.Attribute into a ProtoTuple. 174 | func (pt *ProtoTuple) unmarshal(ad *netlink.AttributeDecoder) error { 175 | if ad.Len() == 0 { 176 | return errNeedSingleChild 177 | } 178 | 179 | for ad.Next() { 180 | switch protoTupleType(ad.Type()) { 181 | case ctaProtoNum: 182 | pt.Protocol = ad.Uint8() 183 | 184 | switch pt.Protocol { 185 | case syscall.IPPROTO_ICMP: 186 | pt.ICMPv4 = true 187 | case syscall.IPPROTO_ICMPV6: 188 | pt.ICMPv6 = true 189 | } 190 | case ctaProtoSrcPort: 191 | pt.SourcePort = ad.Uint16() 192 | case ctaProtoDstPort: 193 | pt.DestinationPort = ad.Uint16() 194 | case ctaProtoICMPID, ctaProtoICMPv6ID: 195 | pt.ICMPID = ad.Uint16() 196 | case ctaProtoICMPType, ctaProtoICMPv6Type: 197 | pt.ICMPType = ad.Uint8() 198 | case ctaProtoICMPCode, ctaProtoICMPv6Code: 199 | pt.ICMPCode = ad.Uint8() 200 | default: 201 | return fmt.Errorf("child type %d: %w", ad.Type(), errUnknownAttribute) 202 | } 203 | } 204 | 205 | return ad.Err() 206 | } 207 | 208 | // marshal marshals a ProtoTuple into a netfilter.Attribute. 209 | func (pt ProtoTuple) marshal() netfilter.Attribute { 210 | nfa := netfilter.Attribute{Type: uint16(ctaTupleProto), Nested: true, Children: make([]netfilter.Attribute, 3, 4)} 211 | 212 | nfa.Children[0] = netfilter.Attribute{Type: uint16(ctaProtoNum), Data: []byte{pt.Protocol}} 213 | 214 | switch pt.Protocol { 215 | case unix.IPPROTO_ICMP: 216 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaProtoICMPType), Data: []byte{pt.ICMPType}} 217 | nfa.Children[2] = netfilter.Attribute{Type: uint16(ctaProtoICMPCode), Data: []byte{pt.ICMPCode}} 218 | nfa.Children = append(nfa.Children, netfilter.Attribute{ 219 | Type: uint16(ctaProtoICMPID), Data: netfilter.Uint16Bytes(pt.ICMPID), 220 | }) 221 | case unix.IPPROTO_ICMPV6: 222 | nfa.Children[1] = netfilter.Attribute{Type: uint16(ctaProtoICMPv6Type), Data: []byte{pt.ICMPType}} 223 | nfa.Children[2] = netfilter.Attribute{Type: uint16(ctaProtoICMPv6Code), Data: []byte{pt.ICMPCode}} 224 | nfa.Children = append(nfa.Children, netfilter.Attribute{ 225 | Type: uint16(ctaProtoICMPv6ID), Data: netfilter.Uint16Bytes(pt.ICMPID), 226 | }) 227 | default: 228 | nfa.Children[1] = netfilter.Attribute{ 229 | Type: uint16(ctaProtoSrcPort), Data: netfilter.Uint16Bytes(pt.SourcePort), 230 | } 231 | nfa.Children[2] = netfilter.Attribute{ 232 | Type: uint16(ctaProtoDstPort), Data: netfilter.Uint16Bytes(pt.DestinationPort), 233 | } 234 | } 235 | 236 | return nfa 237 | } 238 | -------------------------------------------------------------------------------- /tuple_test.go: -------------------------------------------------------------------------------- 1 | package conntrack 2 | 3 | import ( 4 | "net/netip" 5 | "testing" 6 | 7 | "golang.org/x/sys/unix" 8 | 9 | "github.com/stretchr/testify/assert" 10 | "github.com/stretchr/testify/require" 11 | 12 | "github.com/ti-mo/netfilter" 13 | ) 14 | 15 | var ( 16 | // Template attribute with Nested disabled 17 | attrDefault = netfilter.Attribute{Nested: false} 18 | // Attribute with random, unused type 16383 19 | attrUnknown = netfilter.Attribute{Type: 0x3FFF} 20 | // Nested structure of attributes with random, unused type 65535 21 | attrTupleUnknownNested = netfilter.Attribute{Type: uint16(ctaTupleOrig), 22 | Nested: true, Children: []netfilter.Attribute{attrUnknown, attrUnknown}} 23 | // Tuple attribute with Nested flag 24 | attrTupleNestedOneChild = netfilter.Attribute{Type: uint16(ctaTupleOrig), 25 | Nested: true, Children: []netfilter.Attribute{attrDefault}} 26 | 27 | nfaTupleIPv4 = netfilter.Attribute{ 28 | Type: uint16(ctaTupleIP), 29 | Nested: true, 30 | Children: []netfilter.Attribute{ 31 | { 32 | // CTA_IP_V4_SRC 33 | Type: 0x1, 34 | Data: []byte{0x1, 0x2, 0x3, 0x4}, 35 | }, 36 | { 37 | // CTA_IP_V4_DST 38 | Type: 0x2, 39 | Data: []byte{0x4, 0x3, 0x2, 0x1}, 40 | }, 41 | }, 42 | } 43 | 44 | nfaTupleIPv6 = netfilter.Attribute{ 45 | Type: uint16(ctaTupleIP), 46 | Nested: true, 47 | Children: []netfilter.Attribute{ 48 | { 49 | // CTA_IP_V6_SRC 50 | Type: 0x3, 51 | Data: []byte{0x0, 0x1, 0x0, 0x1, 52 | 0x0, 0x2, 0x0, 0x2, 53 | 0x0, 0x3, 0x0, 0x3, 54 | 0x0, 0x4, 0x0, 0x4}, 55 | }, 56 | { 57 | // CTA_IP_V6_DST 58 | Type: 0x4, 59 | Data: []byte{0x0, 0x4, 0x0, 0x4, 60 | 0x0, 0x3, 0x0, 0x3, 61 | 0x0, 0x2, 0x0, 0x2, 62 | 0x0, 0x1, 0x0, 0x1}, 63 | }, 64 | }, 65 | } 66 | ) 67 | 68 | var ipTupleTests = []struct { 69 | name string 70 | nfa netfilter.Attribute 71 | cta IPTuple 72 | err error 73 | }{ 74 | { 75 | name: "correct ipv4 tuple", 76 | nfa: nfaTupleIPv4, 77 | cta: IPTuple{ 78 | SourceAddress: netip.MustParseAddr("1.2.3.4"), 79 | DestinationAddress: netip.MustParseAddr("4.3.2.1"), 80 | }, 81 | }, 82 | { 83 | name: "correct ipv6 tuple", 84 | nfa: nfaTupleIPv6, 85 | cta: IPTuple{ 86 | SourceAddress: netip.MustParseAddr("1:1:2:2:3:3:4:4"), 87 | DestinationAddress: netip.MustParseAddr("4:4:3:3:2:2:1:1"), 88 | }, 89 | }, 90 | { 91 | name: "error incorrect amount of children", 92 | nfa: netfilter.Attribute{ 93 | Type: uint16(ctaTupleIP), 94 | Nested: true, 95 | Children: []netfilter.Attribute{attrDefault}, 96 | }, 97 | err: errNeedChildren, 98 | }, 99 | { 100 | name: "error child incorrect length", 101 | nfa: netfilter.Attribute{ 102 | Type: uint16(ctaTupleIP), 103 | Nested: true, 104 | Children: []netfilter.Attribute{ 105 | { 106 | // CTA_IP_V4_SRC 107 | Type: 0x1, 108 | Data: []byte{0x1, 0x2, 0x3, 0x4, 0x5}, 109 | }, 110 | attrDefault, 111 | }, 112 | }, 113 | err: errIncorrectSize, 114 | }, 115 | { 116 | name: "error iptuple unmarshal with unknown IPTupleType", 117 | nfa: netfilter.Attribute{ 118 | Type: uint16(ctaTupleIP), 119 | Nested: true, 120 | Children: []netfilter.Attribute{ 121 | { 122 | // Unknown type 123 | Type: 0x3FFF, 124 | // Correct IP address length 125 | Data: []byte{0, 0, 0, 0}, 126 | }, 127 | // Padding 128 | attrDefault, 129 | }, 130 | }, 131 | err: errUnknownAttribute, 132 | }, 133 | } 134 | 135 | func TestIPTupleMarshalTwoWay(t *testing.T) { 136 | for _, tt := range ipTupleTests { 137 | t.Run(tt.name, func(t *testing.T) { 138 | var ipt IPTuple 139 | err := ipt.unmarshal(mustDecodeAttributes(tt.nfa.Children)) 140 | if tt.err != nil { 141 | require.ErrorIs(t, err, tt.err) 142 | return 143 | } 144 | 145 | require.NoError(t, err) 146 | require.Equal(t, tt.cta, ipt, "unexpected unmarshal") 147 | 148 | mipt, err := ipt.marshal() 149 | require.NoError(t, err, "error during marshal:", ipt) 150 | assert.Equal(t, tt.nfa, mipt, "unexpected marshal") 151 | }) 152 | } 153 | } 154 | 155 | func TestIPTupleMarshalError(t *testing.T) { 156 | v4v6Mismatch := IPTuple{ 157 | SourceAddress: netip.MustParseAddr("1.2.3.4"), 158 | DestinationAddress: netip.MustParseAddr("::1"), 159 | } 160 | 161 | _, err := v4v6Mismatch.marshal() 162 | require.ErrorIs(t, err, errBadIPTuple) 163 | } 164 | 165 | var protoTupleTests = []struct { 166 | name string 167 | nfa netfilter.Attribute 168 | cta ProtoTuple 169 | err error 170 | }{ 171 | { 172 | name: "error unmarshal with wrong type", 173 | nfa: netfilter.Attribute{ 174 | Type: uint16(ctaTupleProto), 175 | Nested: true, 176 | Children: []netfilter.Attribute{attrUnknown}, 177 | }, 178 | err: errUnknownAttribute, 179 | }, 180 | { 181 | name: "error unmarshal with incorrect amount of children", 182 | nfa: netfilter.Attribute{ 183 | Type: uint16(ctaTupleProto), 184 | Nested: true, 185 | }, 186 | err: errNeedSingleChild, 187 | }, 188 | { 189 | name: "error unmarshal unknown ProtoTupleType", 190 | nfa: netfilter.Attribute{ 191 | Type: uint16(ctaTupleProto), 192 | Nested: true, 193 | Children: []netfilter.Attribute{ 194 | attrUnknown, 195 | attrDefault, 196 | attrDefault, 197 | }, 198 | }, 199 | err: errUnknownAttribute, 200 | }, 201 | { 202 | name: "correct icmpv4 prototuple", 203 | nfa: netfilter.Attribute{ 204 | Type: uint16(ctaTupleProto), 205 | Nested: true, 206 | Children: []netfilter.Attribute{ 207 | { 208 | Type: uint16(ctaProtoNum), 209 | Data: []byte{unix.IPPROTO_ICMP}, 210 | }, 211 | { 212 | Type: uint16(ctaProtoICMPType), 213 | Data: []byte{0x1}, 214 | }, 215 | { 216 | Type: uint16(ctaProtoICMPCode), 217 | Data: []byte{0xf}, 218 | }, 219 | { 220 | Type: uint16(ctaProtoICMPID), 221 | Data: []byte{0x12, 0x34}, 222 | }, 223 | }, 224 | }, 225 | cta: ProtoTuple{ 226 | Protocol: unix.IPPROTO_ICMP, 227 | ICMPv4: true, 228 | ICMPType: 1, 229 | ICMPCode: 0xf, 230 | ICMPID: 0x1234, 231 | }, 232 | }, 233 | { 234 | name: "correct icmpv6 prototuple", 235 | nfa: netfilter.Attribute{ 236 | Type: uint16(ctaTupleProto), 237 | Nested: true, 238 | Children: []netfilter.Attribute{ 239 | { 240 | Type: uint16(ctaProtoNum), 241 | Data: []byte{unix.IPPROTO_ICMPV6}, 242 | }, 243 | { 244 | Type: uint16(ctaProtoICMPv6Type), 245 | Data: []byte{0x2}, 246 | }, 247 | { 248 | Type: uint16(ctaProtoICMPv6Code), 249 | Data: []byte{0xe}, 250 | }, 251 | { 252 | Type: uint16(ctaProtoICMPv6ID), 253 | Data: []byte{0x56, 0x78}, 254 | }, 255 | }, 256 | }, 257 | cta: ProtoTuple{ 258 | Protocol: unix.IPPROTO_ICMPV6, 259 | ICMPv6: true, 260 | ICMPType: 2, 261 | ICMPCode: 0xe, 262 | ICMPID: 0x5678, 263 | }, 264 | }, 265 | } 266 | 267 | func TestProtoTupleMarshalTwoWay(t *testing.T) { 268 | for _, tt := range protoTupleTests { 269 | t.Run(tt.name, func(t *testing.T) { 270 | var pt ProtoTuple 271 | err := pt.unmarshal(mustDecodeAttributes(tt.nfa.Children)) 272 | if tt.err != nil { 273 | require.ErrorIs(t, err, tt.err) 274 | return 275 | } 276 | 277 | require.NoError(t, err) 278 | require.Equal(t, tt.cta, pt, "unexpected unmarshal") 279 | 280 | mpt := pt.marshal() 281 | assert.Equal(t, tt.nfa, mpt, "unexpected marshal") 282 | }) 283 | } 284 | } 285 | 286 | var tupleTests = []struct { 287 | name string 288 | nfa netfilter.Attribute 289 | cta Tuple 290 | err error 291 | }{ 292 | { 293 | name: "complete orig dir tuple with ip, proto and zone", 294 | nfa: netfilter.Attribute{ 295 | // CTA_TUPLE_ORIG 296 | Type: 0x1, 297 | Nested: true, 298 | Children: []netfilter.Attribute{ 299 | { 300 | // CTA_TUPLE_IP 301 | Type: 0x1, 302 | Nested: true, 303 | Children: []netfilter.Attribute{ 304 | { 305 | // CTA_IP_V6_SRC 306 | Type: 0x3, 307 | Data: []byte{0x0, 0x0, 0x0, 0x0, 308 | 0x0, 0x0, 0x0, 0x0, 309 | 0x0, 0x0, 0x0, 0x0, 310 | 0x0, 0x0, 0x0, 0x1}, 311 | }, 312 | { 313 | // CTA_IP_V6_DST 314 | Type: 0x4, 315 | Data: []byte{0x0, 0x0, 0x0, 0x0, 316 | 0x0, 0x0, 0x0, 0x0, 317 | 0x0, 0x0, 0x0, 0x0, 318 | 0x0, 0x0, 0x0, 0x1}, 319 | }, 320 | }, 321 | }, 322 | { 323 | // CTA_TUPLE_PROTO 324 | Type: 0x2, 325 | Nested: true, 326 | Children: []netfilter.Attribute{ 327 | { 328 | // CTA_PROTO_NUM 329 | Type: 0x1, 330 | Data: []byte{0x6}, 331 | }, 332 | { 333 | // CTA_PROTO_SRC_PORT 334 | Type: 0x2, 335 | Data: []byte{0x80, 0xc}, 336 | }, 337 | { 338 | // CTA_PROTO_DST_PORT 339 | Type: 0x3, 340 | Data: []byte{0x0, 0x50}, 341 | }, 342 | }, 343 | }, 344 | { 345 | // CTA_TUPLE_ZONE 346 | Type: 0x3, 347 | Data: []byte{0x00, 0x7B}, // Zone 123 348 | }, 349 | }, 350 | }, 351 | cta: Tuple{ 352 | IP: IPTuple{ 353 | SourceAddress: netip.MustParseAddr("::1"), 354 | DestinationAddress: netip.MustParseAddr("::1"), 355 | }, 356 | Proto: ProtoTuple{6, 32780, 80, false, false, 0, 0, 0}, 357 | Zone: 0x7B, // Zone 123 358 | }, 359 | }, 360 | { 361 | name: "error too few children", 362 | nfa: attrTupleNestedOneChild, 363 | err: errNeedChildren, 364 | }, 365 | { 366 | name: "error unknown nested tuple type", 367 | nfa: attrTupleUnknownNested, 368 | err: errUnknownAttribute, 369 | }, 370 | } 371 | 372 | func TestTupleMarshalTwoWay(t *testing.T) { 373 | for _, tt := range tupleTests { 374 | t.Run(tt.name, func(t *testing.T) { 375 | var tpl Tuple 376 | err := tpl.unmarshal(mustDecodeAttributes(tt.nfa.Children)) 377 | if tt.err != nil { 378 | require.ErrorIs(t, err, tt.err) 379 | return 380 | } 381 | 382 | require.NoError(t, err) 383 | require.Equal(t, tt.cta, tpl, "unexpected unmarshal") 384 | 385 | mtpl, err := tpl.marshal(tt.nfa.Type) 386 | require.NoError(t, err, "error during marshal:", tpl) 387 | assert.Equal(t, tt.nfa, mtpl, "unexpected marshal") 388 | }) 389 | } 390 | } 391 | 392 | func TestTupleMarshalError(t *testing.T) { 393 | 394 | ipTupleError := Tuple{ 395 | IP: IPTuple{ 396 | SourceAddress: netip.MustParseAddr("1.2.3.4"), 397 | DestinationAddress: netip.MustParseAddr("::1"), 398 | }, 399 | } 400 | 401 | _, err := ipTupleError.marshal(uint16(ctaTupleOrig)) 402 | require.ErrorIs(t, err, errBadIPTuple) 403 | } 404 | 405 | func TestTupleFilled(t *testing.T) { 406 | // Empty Tuple 407 | assert.False(t, Tuple{}.filled()) 408 | 409 | // Tuple with empty IPTuple and ProtoTuples 410 | assert.False(t, Tuple{IP: IPTuple{}, Proto: ProtoTuple{}}.filled()) 411 | 412 | // Tuple with empty ProtoTuple 413 | assert.False(t, Tuple{ 414 | IP: IPTuple{DestinationAddress: netip.MustParseAddr("127.0.0.1"), SourceAddress: netip.MustParseAddr("127.0.0.1")}, 415 | Proto: ProtoTuple{}, 416 | }.filled()) 417 | 418 | // Tuple with empty IPTuple 419 | assert.False(t, Tuple{ 420 | IP: IPTuple{}, 421 | Proto: ProtoTuple{Protocol: 6}, 422 | }.filled()) 423 | 424 | // Filled tuple with all minimum required fields set 425 | assert.True(t, Tuple{ 426 | IP: IPTuple{DestinationAddress: netip.MustParseAddr("127.0.0.1"), SourceAddress: netip.MustParseAddr("127.0.0.1")}, 427 | Proto: ProtoTuple{Protocol: 6}, 428 | }.filled()) 429 | } 430 | 431 | func TestTupleIPv6(t *testing.T) { 432 | var ipt IPTuple 433 | 434 | // Uninitialized Tuple cannot be IPv6 (nor IPv4) 435 | assert.Equal(t, false, ipt.IsIPv6()) 436 | 437 | // Non-matching address lengths are not considered an IPv6 tuple 438 | ipt.SourceAddress = netip.MustParseAddr("1.2.3.4") 439 | ipt.DestinationAddress = netip.MustParseAddr("::1") 440 | assert.Equal(t, false, ipt.IsIPv6()) 441 | 442 | ipt.SourceAddress = netip.MustParseAddr("::2") 443 | assert.Equal(t, true, ipt.IsIPv6()) 444 | } 445 | 446 | func TestTupleTypeString(t *testing.T) { 447 | if tupleType(255).String() == "" { 448 | t.Fatal("TupleType string representation empty - did you run `go generate`?") 449 | } 450 | } 451 | 452 | func BenchmarkIPTupleUnmarshal(b *testing.B) { 453 | bench := func(b *testing.B, attr netfilter.Attribute) { 454 | b.ReportAllocs() 455 | ad := mustDecodeAttributes(attr.Children) 456 | b.ResetTimer() 457 | for n := 0; n < b.N; n++ { 458 | // Make a new copy of the AD to avoid reinstantiation. 459 | iad := *ad 460 | var ipt IPTuple 461 | require.NoError(b, ipt.unmarshal(&iad)) 462 | } 463 | } 464 | 465 | b.Run("ipv4", func(b *testing.B) { bench(b, nfaTupleIPv4) }) 466 | b.Run("ipv6", func(b *testing.B) { bench(b, nfaTupleIPv6) }) 467 | } 468 | -------------------------------------------------------------------------------- /tupletype_string.go: -------------------------------------------------------------------------------- 1 | // Code generated by "stringer -type=tupleType"; DO NOT EDIT. 2 | 3 | package conntrack 4 | 5 | import "strconv" 6 | 7 | func _() { 8 | // An "invalid array index" compiler error signifies that the constant values have changed. 9 | // Re-run the stringer command to generate them again. 10 | var x [1]struct{} 11 | _ = x[ctaTupleUnspec-0] 12 | _ = x[ctaTupleIP-1] 13 | _ = x[ctaTupleProto-2] 14 | _ = x[ctaTupleZone-3] 15 | } 16 | 17 | const _tupleType_name = "ctaTupleUnspecctaTupleIPctaTupleProtoctaTupleZone" 18 | 19 | var _tupleType_index = [...]uint8{0, 14, 24, 37, 49} 20 | 21 | func (i tupleType) String() string { 22 | if i >= tupleType(len(_tupleType_index)-1) { 23 | return "tupleType(" + strconv.FormatInt(int64(i), 10) + ")" 24 | } 25 | return _tupleType_name[_tupleType_index[i]:_tupleType_index[i+1]] 26 | } 27 | --------------------------------------------------------------------------------