Allow zoneID to be netfilter attribute about conntrack HOT 5 CLOSED

@srikartati Flow.Zone is implemented and taken into account when marshaling and unmarshaling. Could you elaborate on any missing feature or functionality?

from conntrack.

Hi @ti-mo , Missing feature is passing the zone into conn.DumpFilter function.
I think this struct has to be extended to support zone along with mark and mask: https://github.com/ti-mo/conntrack/blob/master/filter.go#L11
This is probably a small change. Let me know if I am missing something.

from conntrack.

Hi @srikartati, that makes sense, thanks. I've investigated if this is possible before, but the kernel doesn't seem to support filtering dumps based on zone ID. The conntrack tool seems to do this in userspace as well, as demonstrated by this dump for the arbitrary zone 123:

~ sudo strace -esendto,recvfrom conntrack -L -w 123
sendto(3, {{len=20, type=NFNL_SUBSYS_CTNETLINK<<8|IPCTNL_MSG_CT_GET, flags=NLM_F_REQUEST|NLM_F_DUMP, seq=0, pid=0}, {nfgen_family=AF_INET, version=NFNETLINK_V0, res_id=htons(0)}, 20, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 20
recvfrom(3, [{{len=212, type=NFNL_SUBSYS_CTNETLINK<<8|IPCTNL_MSG_CT_NEW, flags=NLM_F_MULTI, seq=0, pid=107063}, {nfgen_family=AF_INET, version=NFNETLINK_V0, res_id=htons(0), [{{nla_len=52, nla_type=NLA_F_NESTED|NFNETLINK_V1}, "\x14\x00\x01\x80\x08\x00\x01\x00\x0a\x01\x01\x77\x08\x00\x02\x00....
...
(payload with flows being sent to userspace)
...
conntrack v1.4.6 (conntrack-tools): 0 flow entries have been shown.

And a dump of the default zone 0:

~ sudo strace -esendto,recvfrom conntrack -L -w 0
... (same payload) ...
udp      17 11 src=10.1.1.2 dst=10.1.1.1 sport=33529 dport=53 src=10.1.1.1 dst=10.1.1.2 sport=53 dport=33529 [ASSURED] mark=0 use=1
...
conntrack v1.4.6 (conntrack-tools): 36 flow entries have been shown.

For now, I think your best bet is to filter in userspace as well. I'll likely implement the feature requested in #13 which would allow for only the zone ID to be unmarshaled, skipping entries you're not interested in.

I'll keep this issue open to have a better look into it later. I might be able to get some more eyes on the kernel side of things, I find the implementation there rather difficult to understand, so it's likely that I'm missing something.

Sorry for the slow comms, was on an extended break. :) Thanks for your patience.

from conntrack.

@ti-mo Makes sense to do this in userspace. Thanks for looking in to this. Looking forward to the decoder feature to unmarshal the netattributes.

from conntrack.

Closing this, nothing actionable for zoneIDs specifically.

from conntrack.