conntrack


README

conntrack-go

conntrack-go is a native Go implementation of the conntrack netlink interface that Linux exposes for its in-kernel connection tracking table.

The library implements a subset of the functionality provided by https://www.netfilter.org/projects/libnetfilter_conntrack/

The library implements the following APIs

  • Listing and flushing conntrack entries in the kernel connection tracking table
  • Updating entries in the kernel connection tracking table (currently only the Mark and Labels attributes; label values must be kept in sync with /etc/xtables/connlabel.conf — see the ENCRYPTED/DECRYPTED constants)

Documentation

Overview

nolint


Constants

// Attribute types of the top-level conntrack attribute nest, mirroring the
// kernel's enum ctattr_type. Only the attributes this library reads or writes
// are declared here; the numeric values are kernel ABI and must never be
// renumbered, which is why they are spelled out rather than derived with iota.
const (
	CTA_TUPLE_ORIG  = 1  // original-direction tuple (nested, see ctattr_tuple)
	CTA_TUPLE_REPLY = 2  // reply-direction tuple (nested, see ctattr_tuple)
	CTA_STATUS      = 3  // connection status
	CTA_PROTOINFO   = 4  // per-L4-protocol state (nested, see ctattr_protoinfo)
	CTA_TIMEOUT     = 7  // entry timeout
	CTA_MARK        = 8  // connection mark (written as a uint32 by the update APIs)
	CTA_LABELS      = 22 // connection labels
)
enum ctattr_type {
	CTA_UNSPEC,
	CTA_TUPLE_ORIG,
	CTA_TUPLE_REPLY,
	CTA_STATUS,
	CTA_PROTOINFO,
	CTA_HELP,
	CTA_NAT_SRC,

#define CTA_NAT CTA_NAT_SRC /* backwards compatibility */

	CTA_TIMEOUT,
	CTA_MARK,
	CTA_COUNTERS_ORIG,
	CTA_COUNTERS_REPLY,
	CTA_USE,
	CTA_ID,
	CTA_NAT_DST,
	CTA_TUPLE_MASTER,
	CTA_SEQ_ADJ_ORIG,
	CTA_NAT_SEQ_ADJ_ORIG	= CTA_SEQ_ADJ_ORIG,
	CTA_SEQ_ADJ_REPLY,
	CTA_NAT_SEQ_ADJ_REPLY	= CTA_SEQ_ADJ_REPLY,
	CTA_SECMARK,		/* obsolete */
	CTA_ZONE,
	CTA_SECCTX,
	CTA_TIMESTAMP,
	CTA_MARK_MASK,
	CTA_LABELS,
	CTA_LABELS_MASK,
	__CTA_MAX
};
// Attribute types inside a CTA_TUPLE_ORIG / CTA_TUPLE_REPLY nest (kernel
// enum ctattr_tuple). The kernel enum is sequential starting at
// CTA_TUPLE_UNSPEC = 0, which is omitted here, so the values are derived.
const (
	CTA_TUPLE_IP    = iota + 1 // 1: nested IP addresses (ctattr_ip)
	CTA_TUPLE_PROTO            // 2: nested L4 protocol/ports (ctattr_l4proto)
)
enum ctattr_tuple {
	CTA_TUPLE_UNSPEC,
	CTA_TUPLE_IP,
	CTA_TUPLE_PROTO,
	CTA_TUPLE_ZONE,
	__CTA_TUPLE_MAX
};

#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)

// Attribute types inside a CTA_TUPLE_IP nest (kernel enum ctattr_ip). The
// kernel enum is sequential from CTA_IP_UNSPEC = 0 (omitted), so the values
// are derived with iota.
const (
	CTA_IP_V4_SRC = iota + 1 // 1: IPv4 source address
	CTA_IP_V4_DST            // 2: IPv4 destination address
	CTA_IP_V6_SRC            // 3: IPv6 source address
	CTA_IP_V6_DST            // 4: IPv6 destination address
)
enum ctattr_ip {
	CTA_IP_UNSPEC,
	CTA_IP_V4_SRC,
	CTA_IP_V4_DST,
	CTA_IP_V6_SRC,
	CTA_IP_V6_DST,
	__CTA_IP_MAX
};

#define CTA_IP_MAX (__CTA_IP_MAX - 1)

// Attribute types inside a CTA_TUPLE_PROTO nest (kernel enum ctattr_l4proto).
// Only the attributes this library uses are declared; the ICMP/ICMPv6 ones
// that follow in the kernel enum are not. Sequential from
// CTA_PROTO_UNSPEC = 0 (omitted), hence iota.
const (
	CTA_PROTO_NUM      = iota + 1 // 1: L4 protocol number
	CTA_PROTO_SRC_PORT            // 2: source port
	CTA_PROTO_DST_PORT            // 3: destination port
)
enum ctattr_l4proto {
	CTA_PROTO_UNSPEC,
	CTA_PROTO_NUM,
	CTA_PROTO_SRC_PORT,
	CTA_PROTO_DST_PORT,
	CTA_PROTO_ICMP_ID,
	CTA_PROTO_ICMP_TYPE,
	CTA_PROTO_ICMP_CODE,
	CTA_PROTO_ICMPV6_ID,
	CTA_PROTO_ICMPV6_TYPE,
	CTA_PROTO_ICMPV6_CODE,
	__CTA_PROTO_MAX
};

#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)

// Attribute types inside a CTA_PROTOINFO_TCP nest (kernel enum
// ctattr_protoinfo_tcp). Sequential from CTA_PROTOINFO_TCP_UNSPEC = 0
// (omitted), hence iota.
const (
	CTA_PROTOINFO_TCP_STATE           = iota + 1 // 1: TCP connection state
	CTA_PROTOINFO_TCP_WSCALE_ORIGINAL            // 2: window scale, original direction
	CTA_PROTOINFO_TCP_WSCALE_REPLY               // 3: window scale, reply direction
	CTA_PROTOINFO_TCP_FLAGS_ORIGINAL             // 4: TCP flags, original direction
	CTA_PROTOINFO_TCP_FLAGS_REPLY                // 5: TCP flags, reply direction
)
enum ctattr_protoinfo_tcp {
	CTA_PROTOINFO_TCP_UNSPEC,
	CTA_PROTOINFO_TCP_STATE,
	CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
	CTA_PROTOINFO_TCP_WSCALE_REPLY,
	CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
	CTA_PROTOINFO_TCP_FLAGS_REPLY,
	__CTA_PROTOINFO_TCP_MAX
};

#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)

const (

	// Fixed payload lengths (in bytes) of the nested attributes written when a
	// mark-update message is built. They are hard-coded for the exact attribute
	// set this library emits for a mark change: adding or removing an attribute
	// in the encoder WITHOUT updating these sizes yields a netlink message whose
	// nested lengths disagree with its contents, which the kernel will reject or
	// mis-parse. NOTE(review): the numbers are consistent with payload lengths
	// that exclude the nest's own 4-byte attribute header (48 = (4+16) + (4+24)
	// for the IP and proto nests, 20 = 4 + 16 for the TCP protoinfo nest) —
	// confirm against the encoder before relying on this.
	SizeOfNestedTupleOrig uint32 = 48

	// Payload of the CTA_TUPLE_IP nest (IPv4 src + dst attributes).
	SizeOfNestedTupleIP uint32 = 16

	// Payload of the CTA_TUPLE_PROTO nest (protocol number, src port, dst port).
	SizeOfNestedTupleProto uint32 = 24

	// Payload of the CTA_PROTOINFO nest.
	SizeofNestedProtoInfo uint32 = 20

	// Payload of the CTA_PROTOINFO_TCP nest.
	SizeofNestedProtoInfoTCP uint32 = 16
)
const (

	// Label values used by this library's CTA_LABELS updates. They MUST be kept
	// in sync with /etc/xtables/connlabel.conf, which is what iptables/nft label
	// matches read: per the original note, a value of 2 here corresponds to
	// label number 1 in connlabel.conf. NOTE(review): that relation fits either
	// a one-based bit index or a bitmask (2 == 1<<1) — confirm how
	// ConntrackTableUpdateLabel encodes newlabels before adding more labels. A
	// mismatch between the two files would mean the label set from here is not
	// the one the packet-filter rules match on.
	ENCRYPTED = 1
	DECRYPTED = 2
)
const (
	// NOTE(review): 5 and 6 appear to be the 4-byte netlink attribute header
	// plus the payload (1-byte protocol number, 2-byte port), i.e. nla_len
	// before NLA_ALIGN padding — confirm against the encoder.
	PROTO_NUM_LEN      = 5 // CTA_PROTO_NUM: header + uint8
	PROTO_SRC_PORT_LEN = 6 // CTA_PROTO_SRC_PORT: header + uint16
	PROTO_DST_PORT_LEN = 6 // CTA_PROTO_DST_PORT: header + uint16
)

Attribute lengths used when encoding the CTA_PROTO_* attributes. The values 5 and 6 appear to be the 4-byte netlink attribute header plus a 1-byte protocol number or a 2-byte port, i.e. nla_len before NLA_ALIGN padding rather than padded lengths — confirm against the encoder.

const (
	// Attribute type inside a CTA_PROTOINFO nest (kernel enum ctattr_protoinfo).
	// Only TCP is declared; the DCCP and SCTP attributes that follow in the
	// kernel enum are not used by this library.
	CTA_PROTOINFO_TCP = 1
)
enum ctattr_protoinfo {
	CTA_PROTOINFO_UNSPEC,
	CTA_PROTOINFO_TCP,
	CTA_PROTOINFO_DCCP,
	CTA_PROTOINFO_SCTP,
	__CTA_PROTOINFO_MAX
};

#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)

const (
	// NLA_F_NESTED is the netlink attribute-type flag that marks an attribute as
	// a nest of further attributes; mirrors the kernel's #define NLA_F_NESTED.
	NLA_F_NESTED = (1 << 15)
)

#define NLA_F_NESTED (1 << 15)


Functions

func UDPFlowCreate added in v1.33.0

func UDPFlowCreate(flows, srcPort int, dstIP string, dstPort int) error

UDPFlowCreate creates UDP flows towards dstIP:dstPort; flows appears to be the number of flows to create and srcPort the first source port used — confirm against the implementation.

Types

type Conntrack

// Conntrack is the set of conntrack table operations offered by this package:
// listing, flushing, and updating the mark and label attributes of entries.
type Conntrack interface {
	// ConntrackTableList retrieves the entries of the given conntrack table
	// from the kernel and returns them as netlink.ConntrackFlow values.
	ConntrackTableList(table netlink.ConntrackTableType) ([]*netlink.ConntrackFlow, error)
	// ConntrackTableFlush removes every entry of the given conntrack table.
	// This is a destructive, table-wide operation: tracked state for live
	// connections is discarded too, so anything relying on it (NAT mappings,
	// stateful firewall decisions) is affected until those connections are
	// tracked again. NOTE(review): writes through the conntrack netlink
	// interface normally require CAP_NET_ADMIN in the socket's network
	// namespace — confirm how callers are expected to obtain it.
	ConntrackTableFlush(table netlink.ConntrackTableType) error
	// ConntrackTableUpdateMarkForAvailableFlow sets the mark of the flow
	// identified by (ipSrc, ipDst, protonum, srcport, dstport), but only if
	// that flow is present (presumably in flows); it returns the number of
	// entries updated.
	ConntrackTableUpdateMarkForAvailableFlow(flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) (int, error)
	// ConntrackTableUpdateMark sets the conntrack mark of the flow identified
	// by (ipSrc, ipDst, protonum, srcport, dstport) in the kernel.
	ConntrackTableUpdateMark(ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) error
	// ConntrackTableUpdateLabel sets the conntrack labels of the matching flow
	// in the given table and returns the number of entries updated. Label
	// values must agree with /etc/xtables/connlabel.conf (see the
	// ENCRYPTED/DECRYPTED constants); whether newlabels is a bit index or a
	// bitmask is not determined by this declaration — check the implementation.
	ConntrackTableUpdateLabel(table netlink.ConntrackTableType, flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newlabels uint32) (int, error)
}

Conntrack is the interface for conntrack table manipulations (get/set/flush).

func NewHandle

func NewHandle() Conntrack

NewHandle returns an implementation of Conntrack for conntrack table get/set/flush operations.

type Handles

// Handles implements Conntrack. Syscalls is the syscall wrapper used for the
// netlink I/O; the embedded SockHandles carries the netlink socket state.
type Handles struct {
	Syscalls syscallwrappers.Syscalls
	SockHandles
}

Handles is the handle for conntrack table manipulations (get/set); its embedded SockHandles holds the netlink socket.

func (*Handles) ConntrackTableFlush

func (h *Handles) ConntrackTableFlush(table netlink.ConntrackTableType) error

ConntrackTableFlush flushes the entries of the given conntrack table, using the vishvananda/netlink and nl packages. Flushing is table-wide and destructive: tracked state for live connections is removed as well, so NAT mappings and stateful firewall decisions that depend on conntrack may be disrupted until those connections are re-tracked.

func (*Handles) ConntrackTableList

func (h *Handles) ConntrackTableList(table netlink.ConntrackTableType) ([]*netlink.ConntrackFlow, error)

ConntrackTableList retrieves the entries of the given conntrack table and parses them into ConntrackFlow structs, using the vishvananda/netlink and nl packages; it returns a slice of ConntrackFlow carrying the 4-tuple, protocol and mark of each entry.

func (*Handles) ConntrackTableUpdateLabel added in v0.0.4

func (h *Handles) ConntrackTableUpdateLabel(table netlink.ConntrackTableType, flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newlabels uint32) (int, error)

ConntrackTableUpdateLabel updates the label attribute of the matching conntrack entries (TCP and UDP only) and returns the number of entries updated.

func (*Handles) ConntrackTableUpdateMark added in v0.0.4

func (h *Handles) ConntrackTableUpdateMark(ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) error

ConntrackTableUpdateMark updates the mark attribute of the matching conntrack entry.

func (*Handles) ConntrackTableUpdateMarkForAvailableFlow added in v0.0.4

func (h *Handles) ConntrackTableUpdateMarkForAvailableFlow(flows []*netlink.ConntrackFlow, ipSrc, ipDst string, protonum uint8, srcport, dstport uint16, newmark uint32) (int, error)

ConntrackTableUpdateMarkForAvailableFlow updates the mark attribute only if the flow is present, and returns the number of entries updated.

type SockHandle

type SockHandle interface {
	// contains filtered or unexported methods
}

SockHandle is an opaque interface whose methods are unexported.

type SockHandles

type SockHandles struct {
	Syscalls syscallwrappers.Syscalls
	// contains filtered or unexported fields
}

SockHandles holds the netlink socket state: fd (the socket file descriptor), rcvbufSize (the receive buffer size) and lsa (the local socket address).

Directories

Path Synopsis
examples
example
A sample mark update built on the conntrack library: it sets the given mark on the first entry of the conntrack table, so the table must not be empty for the example to work. Verify the result with `conntrack -L` or by printing the updated table via display.
