Question about getting counters for transparent terminated flows

Question about getting counters for transparent terminated flows

[Tarun Khanna]

Hi,

I have an application that acts as a transparent proxy for tcp flows. I 
need to get packet and byte counters for these tcp flows on both sides 
of the proxy application. I looked at pulling the counters from the 
kernel using libnetfilter_conntrack. However I noticed that the 
conntrack library only shows one entry for flows that are terminated 
transparently. This is an issue, as I am not able to see byte and packet 
counters for the two sides of the flow separately. Is there a way to get 
the separate counters for flows that are transparently terminated?

If the flow is terminated but not transparently, I do get two separate 
entries from libnetfilter_conntrack, and the counters are as I would 
expect them to be.

Thank you.

Tarun

Re: Question about getting counters for transparent terminated flows

[Florian Westphal]

Tarun Khanna <tkhanna@akamai.com> wrote:
> I have an application that acts as a transparent proxy for tcp flows. I need
> to get packet and byte counters for these tcp flows on both sides of the
> proxy application. I looked at pulling the counters from the kernel using
> libnetfilter_conntrack. However I noticed that the conntrack library only
> shows one entry for flows that are terminated transparently. This is an
> issue, as I am not able to see byte and packet counters for the two sides of
> the flow separately. Is there a way to get the separate counters for flows
> that are transparently terminated?
> 
> If the flow is terminated but not transparently, I do get two separate
> entries from libnetfilter_conntrack, and the counters are as I would expect
> them to be.

In transparent case conntrack cannot tell the two connections apart as
they use the same addresses.

You could try to place one side into another conntrack zone using
'-j CT --zone $x' in the raw table.

Re: Question about getting counters for transparent terminated flows

[Tarun Khanna]

> Tarun Khanna <tkhanna@akamai.com> wrote:
>> I have an application that acts as a transparent proxy for tcp flows. I need
>> to get packet and byte counters for these tcp flows on both sides of the
>> proxy application. I looked at pulling the counters from the kernel using
>> libnetfilter_conntrack. However I noticed that the conntrack library only
>> shows one entry for flows that are terminated transparently. This is an
>> issue, as I am not able to see byte and packet counters for the two sides of
>> the flow separately. Is there a way to get the separate counters for flows
>> that are transparently terminated?
>>
>> If the flow is terminated but not transparently, I do get two separate
>> entries from libnetfilter_conntrack, and the counters are as I would expect
>> them to be.
> In transparent case conntrack cannot tell the two connections apart as
> they use the same addresses.
>
> You could try to place one side into another conntrack zone using
> '-j CT --zone $x' in the raw table.
Thank you. That sounds promising. I'll give it a shot.