The following command:
# conntrack -E -o userspace &
# conntrack -F
[DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE]
prints the [USERSPACE] tag at the end of the event, this tells users if
this event has been triggered by process, eg. via conntrack command
invocation.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
conntrack.8 | 3 ++-
src/conntrack.c | 19 ++++++++++++++-----
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/conntrack.8 b/conntrack.8
index e069dfe3809e..3c1e960e910e 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -109,13 +109,14 @@ Show the in-kernel connection tracking system statistics.
Atomically zero counters after reading them. This option is only valid in
combination with the "\-L, \-\-dump" command options.
.TP
-.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] "
+.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels,userspace] "
Display output in a certain format. With the extended output option, this tool
displays the layer 3 information. With ktimestamp, it displays the in-kernel
timestamp available since 2.6.38 (you can enable it via the \fBsysctl(8)\fP
key \fBnet.netfilter.nf_conntrack_timestamp\fP).
The labels output option tells \fBconntrack\fP to show the names of connection
tracking labels that might be present.
+The userspace output options tells if the event has been triggered by a process.
.TP
.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
Set the bitmask of events that are to be generated by the in-kernel ctnetlink
diff --git a/src/conntrack.c b/src/conntrack.c
index e3abe9ff698e..daa93dbbdfe2 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -854,6 +854,7 @@ enum {
_O_ID = (1 << 3),
_O_KTMS = (1 << 4),
_O_CL = (1 << 5),
+ _O_US = (1 << 6),
};
enum {
@@ -864,16 +865,16 @@ enum {
};
static struct parse_parameter {
- const char *parameter[6];
+ const char *parameter[7];
size_t size;
- unsigned int value[6];
+ unsigned int value[7];
} parse_array[PARSE_MAX] = {
{ {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED"}, 5,
{ IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} },
{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
{ CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
- { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", }, 6,
- { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_CL },
+ { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", "userspace" }, 7,
+ { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_CL, _O_US },
},
};
@@ -1427,6 +1428,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
enum nf_conntrack_msg_type type;
unsigned int op_flags = 0;
struct nf_conntrack *ct;
+ bool userspace = false;
char buf[1024];
switch(nlh->nlmsg_type & 0xff) {
@@ -1480,7 +1482,14 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
nfct_snprintf_labels(buf, sizeof(buf), ct, type, op_type, op_flags, labelmap);
- printf("%s\n", buf);
+ if (output_mask & _O_US) {
+ if (nlh->nlmsg_pid)
+ userspace = true;
+ else
+ userspace = false;
+ }
+
+ printf("%s%s\n", buf, userspace ? " [USERSPACE]" : "");
fflush(stdout);
counter++;
--
2.11.0
