On Fri, Feb 05, 2021 at 01:28:24PM +0100, Pablo Neira Ayuso wrote: > On Thu, Feb 04, 2021 at 11:32:06AM +0100, Arturo Borrero Gonzalez wrote: > > Separate conntrackd command line client functionalities into a different > > binary. > > > > This should help with several things: > > * avoid reading and parsing the config file, which can fail in some enviroments, for example if > > conntrackd is running inside a netns and the referenced interfaces/addresses doesn't exist in > > the namespace conntrackd client command is running from. > > * easily update conntrakdctl with more functionalities without polluting the daemon binary > > * easier code maintenance > [...] > > @@ -333,15 +151,6 @@ int main(int argc, char *argv[]) > > exit(EXIT_FAILURE); > > } > > > > - if (type == REQUEST) { > > - if (do_local_request(action, &conf.local, local_step) == -1) { > > - dlog(LOG_ERR, "can't connect: is conntrackd " > > - "running? appropriate permissions?"); > > - exit(EXIT_FAILURE); > > - } > > - exit(EXIT_SUCCESS); > > - } > > The existing interface needs to be in place to be backward compatible. > > I'm fine for you to add this, but we'll have to leave the existing > interface for quite a bit of time, it might take years before we can > deprecate the old way. You could probably update conntrackd to invoke conntrackdctl when you detect options that represent queries to the daemon. That would allow you to retain backward compatibility. Hence, old scripts still work while new ones might start using the new conntrackdctl command. If the problem is that you would like to skip the config parsing (which is what has triggered the errors when running things from the netns environment IIRC), then, you could update the code to skip the parsing: - the user does not specify a configuration file AND - the options refer to a query to the daemon via UNIX socket. That's another possibility to consider.