Re: [RFC conntrack-tools PATCH] conntrack-tools: introduce conntrackdctl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Feb 05, 2021 at 01:28:24PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Feb 04, 2021 at 11:32:06AM +0100, Arturo Borrero Gonzalez wrote:
> > Separate conntrackd command line client functionalities into a different
> > binary.
> > 
> > This should help with several things:
> >  * avoid reading and parsing the config file, which can fail in some enviroments, for example if
> >    conntrackd is running inside a netns and the referenced interfaces/addresses doesn't exist in
> >    the namespace conntrackd client command is running from.
> >  * easily update conntrakdctl with more functionalities without polluting the daemon binary
> >  * easier code maintenance
> [...]
> > @@ -333,15 +151,6 @@ int main(int argc, char *argv[])
> >  		exit(EXIT_FAILURE);
> >  	}
> >  
> > -	if (type == REQUEST) {
> > -		if (do_local_request(action, &conf.local, local_step) == -1) {
> > -			dlog(LOG_ERR, "can't connect: is conntrackd "
> > -			     "running? appropriate permissions?");
> > -			exit(EXIT_FAILURE);
> > -		}
> > -		exit(EXIT_SUCCESS);
> > -	}
> 
> The existing interface needs to be in place to be backward compatible.
> 
> I'm fine for you to add this, but we'll have to leave the existing
> interface for quite a bit of time, it might take years before we can
> deprecate the old way.

You could probably update conntrackd to invoke conntrackdctl when you
detect options that represent queries to the daemon. That would allow
you to retain backward compatibility. Hence, old scripts still work
while new ones might start using the new conntrackdctl command.

If the problem is that you would like to skip the config parsing
(which is what has triggered the errors when running things from the
netns environment IIRC), then, you could update the code to skip the
parsing:

- the user does not specify a configuration file

AND

- the options refer to a query to the daemon via UNIX socket.

That's another possibility to consider.



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux