Skip to content

Conntrack get netlink netfilter message types #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Conntrack get netlink netfilter message types #12

wants to merge 3 commits into from
+1,136 −59

Conversation

@shivkr6
Copy link
Contributor

@shivkr6 shivkr6 commented Oct 3, 2025

Depends on #11

Implemented the following types required to successfully construct a conntrack get request:

  • iptuple
  • protoinfo
  • protoinfotcp
  • prototuple
  • tcp_flags
  • tuple

Also wrote tests to construct a conntrack get and dump request.

@shivkr6 shivkr6 force-pushed the conntrack-get branch 4 times, most recently from eaaa88f to c7c6939 Compare October 7, 2025 10:42
cathay4t
cathay4t requested changes Oct 11, 2025
View reviewed changes
@shivkr6 shivkr6 force-pushed the conntrack-get branch 2 times, most recently from f89a9cd to e171eca Compare October 19, 2025 17:04
@shivkr6 shivkr6 requested a review from cathay4t October 19, 2025 17:05
@shivkr6
Copy link
Contributor Author

shivkr6 commented Oct 19, 2025

Thanks for the review @cathay4t . I've updated the tests and moved the conntrack constants to be private as you suggested.

I noticed the nflog module still exposes public constants. Let me know if you want those refactored as well to hide the implementation details. Happy to do it in a follow up PR.

I also added one more conntrack get UDP IPv6 test.

cathay4t
cathay4t reviewed Oct 21, 2025
View reviewed changes
cathay4t
cathay4t reviewed Oct 21, 2025
View reviewed changes
cathay4t
cathay4t reviewed Oct 21, 2025
View reviewed changes
cathay4t
cathay4t reviewed Oct 21, 2025
View reviewed changes
cathay4t
cathay4t reviewed Oct 21, 2025
View reviewed changes
cathay4t
cathay4t requested changes Oct 21, 2025
View reviewed changes
Copy link
Member

@cathay4t cathay4t left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All public data type should be protected by #[non_exhaustive] unless you are sure it will never changes in the future of Linux kernel.

@shivkr6 shivkr6 requested a review from cathay4t October 22, 2025 13:15
cathay4t
cathay4t reviewed Oct 25, 2025
View reviewed changes
cathay4t
cathay4t reviewed Oct 25, 2025
View reviewed changes
cathay4t
cathay4t requested changes Oct 25, 2025
View reviewed changes
Copy link
Member

@cathay4t cathay4t left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The netlink-packet-routes has changed nlas to attributes for better understanding.

The nlas is for hard for new developer to understand.

@shivkr6 shivkr6 force-pushed the conntrack-get branch 4 times, most recently from f002e81 to c9d7dc3 Compare October 28, 2025 08:00
@shivkr6 shivkr6 requested a review from cathay4t October 28, 2025 08:02
@shivkr6
Copy link
Contributor Author

shivkr6 commented Oct 28, 2025

Hi @cathay4t, I've addressed all of the feedback.

NOTE:
In the tests, you'll see we're manually building the message type from enums because we have removed netlink message header from raw: Vec<u8> which contains the message type.
I.e.,

    let message_type = ((u8::from(Subsystem::Conntrack) as u16) << 8)
        | (u8::from(ConntrackMessageType::Get) as u16);

a normal crate user would not have to do this type of stuff.

@shivkr6 shivkr6 mentioned this pull request Oct 30, 2025
Open
cathay4t
cathay4t requested changes Nov 3, 2025
View reviewed changes
@shivkr6
feat: conntrack get netlink netfilter message types
627221a 
Implemented the following attributes required to successfully construct a conntrack get request:
* iptuple
* protoinfo
* protoinfotcp
* prototuple
* tcp_flags
* tuple

Signed-off-by: Shivang K Raghuvanshi <[email protected]>
@shivkr6 shivkr6 force-pushed the conntrack-get branch 2 times, most recently from 450e8b4 to 3fd1242 Compare November 21, 2025 09:12
@shivkr6
refactor: use enums for subsystem and message types
d45921c 
This refactors the crate to use type-safe enums for netfilter subsystems and message types, for a safer and more idiomatic API.

- Introduces a `Subsystem` enum to replace raw `u8` identifiers for `NfLog` and `Conntrack` subsystems.

- Introduces `ULogMessageType` and `ConntrackMessageType` enums to provide type safety for messages within each subsystem.

- Makes the top-level `NetfilterMessage::message_type()` function private to guide users towards the safer pattern of matching on `NetfilterMessageInner`.

- Updates the internal parsing logic in `buffer.rs` to use the new `Subsystem` enum.

Signed-off-by: Shivang K Raghuvanshi <[email protected]>
@shivkr6 shivkr6 requested a review from cathay4t November 21, 2025 09:14
@shivkr6
examples: add conntrack dump example
bcc740a 
Add examples/dump_conntrack.rs to demonstrate how to dump connection tracking entries using the NLM_F_DUMP flag.

Signed-off-by: Shivang K Raghuvanshi <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cathay4t cathay4t Awaiting requested review from cathay4t

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shivkr6 @cathay4t