Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a992ca2a authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Patrick McHardy
Browse files

netfilter: nf_conntrack_tstamp: add flow-based timestamp extension 



This patch adds flow-based timestamping for conntracks. This
conntrack extension is disabled by default. Basically, we use
two 64-bits variables to store the creation timestamp once the
conntrack has been confirmed and the other to store the deletion
time. This extension is disabled by default, to enable it, you
have to:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

This patch allows to save memory for user-space flow-based
loogers such as ulogd2. In short, ulogd2 does not need to
keep a hashtable with the conntrack in user-space to know
when they were created and destroyed, instead we use the
kernel timestamp. If we want to have a sane IPFIX implementation
in user-space, this nanosecs resolution timestamps are also
useful. Other custom user-space applications can benefit from
this via libnetfilter_conntrack.

This patch modifies the /proc output to display the delta time
in seconds since the flow start. You can also obtain the
flow-start date by means of the conntrack-tools.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 93557f53

include/linux/netfilter/nfnetlink_conntrack.h

+9 −0
Original line number Original line Diff line number Diff line
@@ -42,6 +42,7 @@ enum ctattr_type { 
	CTA_SECMARK,		/* obsolete */

	CTA_SECMARK,		/* obsolete */

	CTA_ZONE,

	CTA_ZONE,

	CTA_SECCTX,

	CTA_SECCTX,

	CTA_TIMESTAMP,

	__CTA_MAX

	__CTA_MAX

};

};

#define CTA_MAX (__CTA_MAX - 1)

#define CTA_MAX (__CTA_MAX - 1)
@@ -127,6 +128,14 @@ enum ctattr_counters { 
};

};

#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)

#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)





enum ctattr_tstamp {

	CTA_TIMESTAMP_UNSPEC,

	CTA_TIMESTAMP_START,

	CTA_TIMESTAMP_STOP,

	__CTA_TIMESTAMP_MAX

};

#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)



enum ctattr_nat {

enum ctattr_nat {

	CTA_NAT_UNSPEC,

	CTA_NAT_UNSPEC,

	CTA_NAT_MINIP,

	CTA_NAT_MINIP,

include/net/netfilter/nf_conntrack_extend.h

+4 −0
Original line number Original line Diff line number Diff line
@@ -16,6 +16,9 @@ enum nf_ct_ext_id { 
#endif

#endif

#ifdef CONFIG_NF_CONNTRACK_ZONES

#ifdef CONFIG_NF_CONNTRACK_ZONES

	NF_CT_EXT_ZONE,

	NF_CT_EXT_ZONE,

#endif

#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP

	NF_CT_EXT_TSTAMP,

#endif

#endif

	NF_CT_EXT_NUM,

	NF_CT_EXT_NUM,

};

};
@@ -25,6 +28,7 @@ enum nf_ct_ext_id { 
#define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter

#define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter

#define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache

#define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache

#define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone

#define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone

#define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp





/* Extensions: optional stuff which isn't permanently in struct. */

/* Extensions: optional stuff which isn't permanently in struct. */

struct nf_ct_ext {

struct nf_ct_ext {

include/net/netfilter/nf_conntrack_timestamp.h

0 → 100644
+53 −0
Original line number Original line Diff line number Diff line 
#ifndef _NF_CONNTRACK_TSTAMP_H

#define _NF_CONNTRACK_TSTAMP_H



#include <net/net_namespace.h>

#include <linux/netfilter/nf_conntrack_common.h>

#include <linux/netfilter/nf_conntrack_tuple_common.h>

#include <net/netfilter/nf_conntrack.h>

#include <net/netfilter/nf_conntrack_extend.h>



struct nf_conn_tstamp {

	u_int64_t start;

	u_int64_t stop;

};



static inline

struct nf_conn_tstamp *nf_conn_tstamp_find(const struct nf_conn *ct)

{

#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP

	return nf_ct_ext_find(ct, NF_CT_EXT_TSTAMP);

#else

	return NULL;

#endif

}



static inline

struct nf_conn_tstamp *nf_ct_tstamp_ext_add(struct nf_conn *ct, gfp_t gfp)

{

#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP

	struct net *net = nf_ct_net(ct);



	if (!net->ct.sysctl_tstamp)

		return NULL;



	return nf_ct_ext_add(ct, NF_CT_EXT_TSTAMP, gfp);

#else

	return NULL;

#endif

};



static inline bool nf_ct_tstamp_enabled(struct net *net)

{

	return net->ct.sysctl_tstamp != 0;

}



static inline void nf_ct_set_tstamp(struct net *net, bool enable)

{

	net->ct.sysctl_tstamp = enable;

}



extern int nf_conntrack_tstamp_init(struct net *net);

extern void nf_conntrack_tstamp_fini(struct net *net);



#endif /* _NF_CONNTRACK_TSTAMP_H */

include/net/netns/conntrack.h

+2 −0
Original line number Original line Diff line number Diff line
@@ -21,11 +21,13 @@ struct netns_ct { 
	int			sysctl_events;

	int			sysctl_events;

	unsigned int		sysctl_events_retry_timeout;

	unsigned int		sysctl_events_retry_timeout;

	int			sysctl_acct;

	int			sysctl_acct;

	int			sysctl_tstamp;

	int			sysctl_checksum;

	int			sysctl_checksum;

	unsigned int		sysctl_log_invalid; /* Log invalid packets */

	unsigned int		sysctl_log_invalid; /* Log invalid packets */

#ifdef CONFIG_SYSCTL

#ifdef CONFIG_SYSCTL

	struct ctl_table_header	*sysctl_header;

	struct ctl_table_header	*sysctl_header;

	struct ctl_table_header	*acct_sysctl_header;

	struct ctl_table_header	*acct_sysctl_header;

	struct ctl_table_header	*tstamp_sysctl_header;

	struct ctl_table_header	*event_sysctl_header;

	struct ctl_table_header	*event_sysctl_header;

#endif

#endif

	char			*slabname;

	char			*slabname;

net/netfilter/Kconfig

+11 −0
Original line number Original line Diff line number Diff line
@@ -85,6 +85,17 @@ config NF_CONNTRACK_EVENTS 




	  If unsure, say `N'.

	  If unsure, say `N'.





config NF_CONNTRACK_TIMESTAMP

	bool  'Connection tracking timestamping'

	depends on NETFILTER_ADVANCED

	help

	  This option enables support for connection tracking timestamping.

	  This allows you to store the flow start-time and to obtain

	  the flow-stop time (once it has been destroyed) via Connection

	  tracking events.



	  If unsure, say `N'.



config NF_CT_PROTO_DCCP

config NF_CT_PROTO_DCCP

	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'

	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'

	depends on EXPERIMENTAL

	depends on EXPERIMENTAL