How to register conntrack notifier

How to register conntrack notifier

[Nils Rennebarth]

Hi,

The help text for NF_CONNTRACK_EVENTS reads:
  If this option is enabled, the connection tracking code will
  provide a notifier chain that can be used by other kernel code
  to get notified about changes in the connection tracking state.
which sounds just like what I need: I want to execute a callback
whenever a conntrack gets destroyed. However studying
nf_conntrack_netlink.c, nf_conntrack_ecache.c and related header files
for quite a while now, i am still unable to figure out how to do that.

Can someone enlighten me?


______________________________________________________
GRATIS für alle WEB.DE-Nutzer: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://movieflat.web.de

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How to register conntrack notifier

[Pablo Neira Ayuso]

Nils Rennebarth wrote:
> Hi,
> 
> The help text for NF_CONNTRACK_EVENTS reads:
>   If this option is enabled, the connection tracking code will
>   provide a notifier chain that can be used by other kernel code
>   to get notified about changes in the connection tracking state.
> which sounds just like what I need: I want to execute a callback
> whenever a conntrack gets destroyed. However studying
> nf_conntrack_netlink.c, nf_conntrack_ecache.c and related header files
> for quite a while now, i am still unable to figure out how to do that.
> 
> Can someone enlighten me?

You have to register a structure nf_ct_event_notifier with the callback
function, you have to look at nf_conntrack_ecache.c and
nf_conntrack_netlink.c. There one problem though since you can only
register one callback and that one is usually used by nf_conntrack_netlink.c

You can also catch events from user-space by means of
libnetfilter_conntrack, have a look at utils/, it includes some examples.

Re: How to register conntrack notifier

[Luca Pesce]

Hi Pablo,
   I was looking at conntrack events callbacks and conntrack tools too.
As you said in your mail, only one callback can be registered, so if
nf_conntrack_netlink module is loaded, no other modules can register a
callback for events.

If I correctly undertand the code, it seems that in the past kernels
this limitation was not there. For example, 2.6.21.5 version had a
notifier chain declared in nf_conntrack_ecache.c:

ATOMIC_NOTIFIER_HEAD(nf_conntrack_chain);

and nf_conntrack_register_notifier() simply adds an entry (callback
block) to the chain, so many callbacks could be registered for
conntrack events. Am I right?
Why has this been changed nowadays?

Thanks!
Luca


On Wed, Oct 28, 2009 at 1:14 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Nils Rennebarth wrote:
>> Hi,
>>
>> The help text for NF_CONNTRACK_EVENTS reads:
>>   If this option is enabled, the connection tracking code will
>>   provide a notifier chain that can be used by other kernel code
>>   to get notified about changes in the connection tracking state.
>> which sounds just like what I need: I want to execute a callback
>> whenever a conntrack gets destroyed. However studying
>> nf_conntrack_netlink.c, nf_conntrack_ecache.c and related header files
>> for quite a while now, i am still unable to figure out how to do that.
>>
>> Can someone enlighten me?
>
> You have to register a structure nf_ct_event_notifier with the callback
> function, you have to look at nf_conntrack_ecache.c and
> nf_conntrack_netlink.c. There one problem though since you can only
> register one callback and that one is usually used by nf_conntrack_netlink.c
>
> You can also catch events from user-space by means of
> libnetfilter_conntrack, have a look at utils/, it includes some examples.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How to register conntrack notifier

[Pablo Neira Ayuso]

Luca Pesce wrote:
> Hi Pablo,
>    I was looking at conntrack events callbacks and conntrack tools too.
> As you said in your mail, only one callback can be registered, so if
> nf_conntrack_netlink module is loaded, no other modules can register a
> callback for events.
> 
> If I correctly undertand the code, it seems that in the past kernels
> this limitation was not there.

Indeed. This limitation was introduced recently

> For example, 2.6.21.5 version had a
> notifier chain declared in nf_conntrack_ecache.c:
> 
> ATOMIC_NOTIFIER_HEAD(nf_conntrack_chain);
> 
> and nf_conntrack_register_notifier() simply adds an entry (callback
> block) to the chain, so many callbacks could be registered for
> conntrack events. Am I right?

Yes.

> Why has this been changed nowadays?

Because the notifier chain added too much overhead for the only single 
client (nf_conntrack_netlink) in the kernel code.

Re: How to register conntrack notifier

[Luca Pesce]

Ok, so newer kernels opted for performance, giving that on 99% of the
time only nf_conntrack_netlink uses event notifier callbacks, which is
usually the case...
But I am curious...what if another kernel module needs to receive
conntrack events? Are there any way to keep track of events in kernel
space while nf_conntrack_netlink is holding the one and only callback
hook?
Thanks Pablo!
Luca

On Thu, Nov 12, 2009 at 1:13 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Luca Pesce wrote:
>>
>> Hi Pablo,
>>   I was looking at conntrack events callbacks and conntrack tools too.
>> As you said in your mail, only one callback can be registered, so if
>> nf_conntrack_netlink module is loaded, no other modules can register a
>> callback for events.
>>
>> If I correctly undertand the code, it seems that in the past kernels
>> this limitation was not there.
>
> Indeed. This limitation was introduced recently
>
>> For example, 2.6.21.5 version had a
>> notifier chain declared in nf_conntrack_ecache.c:
>>
>> ATOMIC_NOTIFIER_HEAD(nf_conntrack_chain);
>>
>> and nf_conntrack_register_notifier() simply adds an entry (callback
>> block) to the chain, so many callbacks could be registered for
>> conntrack events. Am I right?
>
> Yes.
>
>> Why has this been changed nowadays?
>
> Because the notifier chain added too much overhead for the only single
> client (nf_conntrack_netlink) in the kernel code.
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How to register conntrack notifier

[Pablo Neira Ayuso]

Luca Pesce wrote:
> Ok, so newer kernels opted for performance, giving that on 99% of the
> time only nf_conntrack_netlink uses event notifier callbacks, which is
> usually the case...

Looking at the kernel code, there's no other client of that notifier 
chain that ctnetlink.

> But I am curious...what if another kernel module needs to receive
> conntrack events? Are there any way to keep track of events in kernel
> space while nf_conntrack_netlink is holding the one and only callback
> hook?

Then, that new module would need to be submitted to mainline. Of course 
it should be something that proves to be useful for the general public. 
Sorry, we won't introduce the notifier chain again for an out-of-tree 
module.

Re: How to register conntrack notifier

[Luca Pesce]

Ok, perfectly clear.
Thanks Pablo!
Luca

On Fri, Nov 13, 2009 at 11:50 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Luca Pesce wrote:
>>
>> Ok, so newer kernels opted for performance, giving that on 99% of the
>> time only nf_conntrack_netlink uses event notifier callbacks, which is
>> usually the case...
>
> Looking at the kernel code, there's no other client of that notifier chain
> that ctnetlink.
>
>> But I am curious...what if another kernel module needs to receive
>> conntrack events? Are there any way to keep track of events in kernel
>> space while nf_conntrack_netlink is holding the one and only callback
>> hook?
>
> Then, that new module would need to be submitted to mainline. Of course it
> should be something that proves to be useful for the general public. Sorry,
> we won't introduce the notifier chain again for an out-of-tree module.
>