conntrack

README

conntrack-go

conntrack-go implements a go native implementation for the conntrack netlink interface provided by Linux to the in-kernel connection tracking state table.

The library implements a subset of the functionality provided by https://www.netfilter.org/projects/libnetfilter_conntrack/

The library implements the following APIs

• Listing/flushing Conntrack entries from kernel connection tracking table
• Updating entries from kernel connection tracking table (currently supports Mark and Labels*)

Documentation

Overview

nolint

Index

• Constants
• type Conntrack
  • func NewHandle() Conntrack
• type Handles
  • func (h *Handles) ConntrackTableFlush(table netlink.ConntrackTableType) error
  • func (h *Handles) ConntrackTableList(table netlink.ConntrackTableType) ([]*netlink.ConntrackFlow, error)
  • func (h *Handles) ConntrackTableUpdateLabel(table netlink.ConntrackTableType, flows []*netlink.ConntrackFlow, ...) (int, error)
  • func (h *Handles) ConntrackTableUpdateMark(ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) error
  • func (h *Handles) ConntrackTableUpdateMarkForAvailableFlow(flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, ...) (int, error)
  • func (h *Handles) SendMessage(hdr *syscall.NlMsghdr, data []byte) error
• type SockHandle
• type SockHandles

Constants

const (
	CTA_TUPLE_ORIG  = 1
	CTA_TUPLE_REPLY = 2
	CTA_STATUS      = 3
	CTA_TIMEOUT     = 7
	CTA_MARK        = 8
	CTA_PROTOINFO   = 4
	CTA_LABELS      = 22
)

enum ctattr_type {
	CTA_UNSPEC,
	CTA_TUPLE_ORIG,
	CTA_TUPLE_REPLY,
	CTA_STATUS,
	CTA_PROTOINFO,
	CTA_HELP,
	CTA_NAT_SRC,

#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */

	CTA_TIMEOUT,
	CTA_MARK,
	CTA_COUNTERS_ORIG,
	CTA_COUNTERS_REPLY,
	CTA_USE,
	CTA_ID,
	CTA_NAT_DST,
	CTA_TUPLE_MASTER,
	CTA_SEQ_ADJ_ORIG,
	CTA_NAT_SEQ_ADJ_ORIG	= CTA_SEQ_ADJ_ORIG,
	CTA_SEQ_ADJ_REPLY,
	CTA_NAT_SEQ_ADJ_REPLY	= CTA_SEQ_ADJ_REPLY,
	CTA_SECMARK,		/* obsolete */
	CTA_ZONE,
	CTA_SECCTX,
	CTA_TIMESTAMP,
	CTA_MARK_MASK,
	CTA_LABELS,
	CTA_LABELS_MASK,
	__CTA_MAX
};

const (
	CTA_TUPLE_IP    = 1
	CTA_TUPLE_PROTO = 2
)

enum ctattr_tuple {
	CTA_TUPLE_UNSPEC,
	CTA_TUPLE_IP,
	CTA_TUPLE_PROTO,
	CTA_TUPLE_ZONE,
	__CTA_TUPLE_MAX
};

#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)

const (
	CTA_IP_V4_SRC = 1
	CTA_IP_V4_DST = 2
	CTA_IP_V6_SRC = 3
	CTA_IP_V6_DST = 4
)

enum ctattr_ip {
	CTA_IP_UNSPEC,
	CTA_IP_V4_SRC,
	CTA_IP_V4_DST,
	CTA_IP_V6_SRC,
	CTA_IP_V6_DST,
	__CTA_IP_MAX
};

#define CTA_IP_MAX (__CTA_IP_MAX - 1)

const (
	CTA_PROTO_NUM      = 1
	CTA_PROTO_SRC_PORT = 2
	CTA_PROTO_DST_PORT = 3
)

enum ctattr_l4proto {
	CTA_PROTO_UNSPEC,
	CTA_PROTO_NUM,
	CTA_PROTO_SRC_PORT,
	CTA_PROTO_DST_PORT,
	CTA_PROTO_ICMP_ID,
	CTA_PROTO_ICMP_TYPE,
	CTA_PROTO_ICMP_CODE,
	CTA_PROTO_ICMPV6_ID,
	CTA_PROTO_ICMPV6_TYPE,
	CTA_PROTO_ICMPV6_CODE,
	__CTA_PROTO_MAX
};

#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)

const (
	CTA_PROTOINFO_TCP_STATE           = 1
	CTA_PROTOINFO_TCP_WSCALE_ORIGINAL = 2
	CTA_PROTOINFO_TCP_WSCALE_REPLY    = 3
	CTA_PROTOINFO_TCP_FLAGS_ORIGINAL  = 4
	CTA_PROTOINFO_TCP_FLAGS_REPLY     = 5
)

enum ctattr_protoinfo_tcp {
	CTA_PROTOINFO_TCP_UNSPEC,
	CTA_PROTOINFO_TCP_STATE,
	CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
	CTA_PROTOINFO_TCP_WSCALE_REPLY,
	CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
	CTA_PROTOINFO_TCP_FLAGS_REPLY,
	__CTA_PROTOINFO_TCP_MAX
};

#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)

const (

	//NOTE: THE BELOW VALUES ARE JUST FOR CHANGING MARK. IF NEEDED, THE SIZE HAS TO BE CHANGED WHEN ADDING NEW ATTRIBUTES
	SizeOfNestedTupleOrig uint32 = 48

	SizeOfNestedTupleIP uint32 = 16

	SizeOfNestedTupleProto uint32 = 24

	SizeofNestedProtoInfo uint32 = 20

	SizeofNestedProtoInfoTCP uint32 = 16
)

const (

	//NOTE: THE BELOW CONSTANTS SHOULD BE IN /etc/xtables/connlabel.conf, if for instance ENCRYPTED here is 2, then in connlabel.conf ENCRYPTED should be 1
	ENCRYPTED = 1
	DECRYPTED = 2
)

const (
	CTA_PROTOINFO_TCP = 1
)

enum ctattr_protoinfo {
	CTA_PROTOINFO_UNSPEC,
	CTA_PROTOINFO_TCP,
	CTA_PROTOINFO_DCCP,
	CTA_PROTOINFO_SCTP,
	__CTA_PROTOINFO_MAX
};

#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)

const (
	NLA_F_NESTED = (1 << 15)
)

#define NLA_F_NESTED (1 << 15)

Types

type Conntrack

type Conntrack interface {
	// ConntrackTableList is used to retrieve the conntrack entries from kernel
	ConntrackTableList(table netlink.ConntrackTableType) ([]*netlink.ConntrackFlow, error)
	// ConntrackTableFlush is used to flush the conntrack entries
	ConntrackTableFlush(table netlink.ConntrackTableType) error
	// ConntrackTableUpdateMarkForAvailableFlow will update mark only if the flow is present
	ConntrackTableUpdateMarkForAvailableFlow(flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) (int, error)
	// ConntrackTableUpdateMark is used to update conntrack mark attribute in the kernel
	ConntrackTableUpdateMark(ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) error
	// ConntrackTableUpdateLabel is used to update conntrack label attribute in the kernel
	ConntrackTableUpdateLabel(table netlink.ConntrackTableType, flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newlabels uint32) (int, error)
}

Conntrack interface has Conntrack manipulations (get/set/flush)

func NewHandle

func NewHandle() Conntrack

NewHandle which returns interface which implements Conntrack table get/set/flush

type Handles

type Handles struct {
	Syscalls syscallwrappers.Syscalls
	SockHandles
}

Handles -- Handle for Conntrack table manipulations (get/set) SockHandles -- Sock handle of netlink socket

func (*Handles) ConntrackTableFlush

func (h *Handles) ConntrackTableFlush(table netlink.ConntrackTableType) error

ConntrackTableFlush will flush the Conntrack table entries Using vishvananda/netlink and nl packages for flushing entries

func (*Handles) ConntrackTableList

func (h *Handles) ConntrackTableList(table netlink.ConntrackTableType) ([]*netlink.ConntrackFlow, error)

ConntrackTableList retrieves entries from Conntract table and parse it in the conntrack flow struct Using vishvananda/netlink and nl packages for parsing returns an array of ConntrackFlow with 4 tuples, protocol and mark

func (*Handles) ConntrackTableUpdateLabel

func (h *Handles) ConntrackTableUpdateLabel(table netlink.ConntrackTableType, flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newlabels uint32) (int, error)

ConntrackTableUpdateLabel will update conntrack table label attribute Specific to protocol (TCP or UDP) Also returns number of entries updated

func (*Handles) ConntrackTableUpdateMark

func (h *Handles) ConntrackTableUpdateMark(ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) error

ConntrackTableUpdateMark will update conntrack table mark attribute

func (*Handles) ConntrackTableUpdateMarkForAvailableFlow

func (h *Handles) ConntrackTableUpdateMarkForAvailableFlow(flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) (int, error)

ConntrackTableUpdateMarkForAvailableFlow will update conntrack table mark attribute only if the flow is present Also returns number of entries updated

func (*Handles) SendMessage

func (h *Handles) SendMessage(hdr *syscall.NlMsghdr, data []byte) error

SendMessage -- To send and receive netlink messages calls the private function sendmessage

type SockHandle

type SockHandle interface {
	// contains filtered or unexported methods
}

SockHandle Opaque interface with unexported functions

type SockHandles

type SockHandles struct {
	Syscalls syscallwrappers.Syscalls
	// contains filtered or unexported fields
}

SockHandles -- Sock handle of netlink socket fd -- fd of socket rcvbufSize -- rcv buffer Size lsa -- local address