I need to maintain a log of SNAT'd connections/disconnections which contain the source/dest ip/port of the host before SNAT'ing. As discussed on this list before, the POSTROUTING -j LOG target doesnt provide this information, so I've written a crude logger of my own. This logger is a perl script which does the following: Every second: . Reads the content of /proc/net/ip_conntrack. . Searches for entries in the ip_conntrack data which it doesnt have in its own list, adds them to its own list and logs a 'connect' for that entry. . Searches for entries in its own list which no longer appear in the ip_conntrack data, removes them from its own list and logs a 'disconnect' for that entry. This seems to work OK apart from one thing. From time to time, the output from /proc/net/ip_conntrack seems to get truncated. This means that I erroneously flag all the missing items as 'disconnected', and then next time I read ip_conntrack (this time without truncation) all the previously missing entries reapper and then get flagged as 'connected' again. I can also experience the truncation if I repeatedly grep for a known src= + dst= line in ip_conntrack. Occasionally grep doesnt find it. What happens if the ip_conntrack data is being updated at the instant /proc/net/ip_conntrack is being read? Is there the possibility of a race condition here which might explain what I'm seeing? Any suggestions welcome. Cheers, Terry.
