Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: iptables: Devel

conntrack: Connection close event?

  

 
iptables devel RSS feed   Index | Next | Previous | View Threaded


netfilter at cedrix

Aug 22, 2007, 11:01 AM

Post #1 of 4 (1059 views)
Permalink
conntrack: Connection close event?
Hi,

this is my first request. I checked google, nf-faqs and conntrack-homepage
without sufficient results for this problem:

In Short: I need to know when a connection (TCP or UDP) gets closed. I want
to use conntrack, because I can track UDP more easily.

My thoughts so far: The /proc/net/ip_conntrack reacts very quick when a
close happens, but it's not conveniant to check in my C/C++ application. So,
in further reading I 've seen in the source some kind of "event-handling".
(Listening Event for new connection, etc.)

My question: What's the best method to see if a connection gets closed.
(Also, connection opened).

Btw: I use iptables -I FORWARD -m -state --NEW -m --LOG -log-prefix "New
Connection established: " to log established connections, so it would be
nice (but not necessary) if I can use the LOG for closing-connections, too -
OR alternatively - use a conntrack-event for detecting NEW connections, too.

Any help or comment is appreciated! Thanks.


Cedrix.



[--XCN-SF--]


ole at ans

Aug 22, 2007, 12:10 PM

Post #2 of 4 (1001 views)
Permalink
Re: conntrack: Connection close event? [In reply to]
On Wed, 22 Aug 2007, Cedrix wrote:

> Hi,
>
> this is my first request. I checked google, nf-faqs and conntrack-homepage
> without sufficient results for this problem:
>
> In Short: I need to know when a connection (TCP or UDP) gets closed. I want
> to use conntrack, because I can track UDP more easily.
>
> My thoughts so far: The /proc/net/ip_conntrack reacts very quick when a close
> happens, but it's not conveniant to check in my C/C++ application. So, in
> further reading I 've seen in the source some kind of "event-handling".
> (Listening Event for new connection, etc.)
>
> My question: What's the best method to see if a connection gets closed.
> (Also, connection opened).
>
> Btw: I use iptables -I FORWARD -m -state --NEW -m --LOG -log-prefix "New
> Connection established: " to log established connections, so it would be nice
> (but not necessary) if I can use the LOG for closing-connections, too - OR
> alternatively - use a conntrack-event for detecting NEW connections, too.
>
> Any help or comment is appreciated! Thanks.

Something like nfnetlink & "conntrack -E --event-mask NEW,DESTROY -o timestamp"?:

[1187809641.802599] [DESTROY] udp 17 src=192.168.194.11 dst=192.168.194.255 sport=138 dport=138 packets=1 bytes=233 src=192.168.194.255 dst=192.168.194.11 sport=138 dport=138 packets=0 bytes=0
[1187809641.963684] [DESTROY] tcp 6 src=192.168.50.13 dst=192.168.50.21 sport=40153 dport=80 packets=5 bytes=679 src=192.168.50.21 dst=192.168.50.13 sport=80 dport=40153 packets=3 bytes=1332
[1187809642.134908] [DESTROY] tcp 6 src=192.168.50.13 dst=192.168.50.21 sport=40154 dport=80 packets=5 bytes=519 src=192.168.50.21 dst=192.168.50.13 sport=80 dport=40154 packets=3 bytes=591
[1187809642.192142] [DESTROY] tcp 6 src=192.168.50.13 dst=192.168.50.21 sport=40155 dport=80 packets=5 bytes=515 src=192.168.50.21 dst=192.168.50.13 sport=80 dport=40155 packets=3 bytes=583
[1187809642.254526] [DESTROY] udp 17 src=192.168.148.3 dst=192.168.148.13 sport=36258 dport=137 packets=1 bytes=78 src=192.168.148.13 dst=192.168.148.3 sport=137 dport=36258 packets=1 bytes=90

I'm not sure if it is possible just to grab udp events, if not you can
filter it in an application.

Best regards,

Krzysztof Olêdzki


eric at inl

Aug 22, 2007, 2:48 PM

Post #3 of 4 (999 views)
Permalink
Re: conntrack: Connection close event? [In reply to]
Hi,

Le mercredi 22 août 2007 à 20:01 +0200, Cedrix a écrit :
> Hi,
>
> this is my first request. I checked google, nf-faqs and conntrack-homepage
> without sufficient results for this problem:
>
> In Short: I need to know when a connection (TCP or UDP) gets closed. I want
> to use conntrack, because I can track UDP more easily.

The result of "conntrack -E -e DESTROY" is what you want. You can thus
look at the code to build what you want.

You can also look at NuFW (http://www.nufw.org/) which handle conntrack
destroy event. The concerned source code is browsable here:
http://software.inl.fr/trac/trac.cgi/browser/mirror/edenwall/nufw/trunk/nufw/src/nufw/conntrack.c

Hope this help,
--
Eric Leblond


netfilter at cedrix

Aug 22, 2007, 4:17 PM

Post #4 of 4 (1007 views)
Permalink
Re: Re: conntrack: Connection close event? [In reply to]
>> In Short: I need to know when a connection (TCP or UDP) gets closed. I
>> want
>> to use conntrack, because I can track UDP more easily.
>>
>> Any help or comment is appreciated! Thanks.

>Something like nfnetlink & "conntrack -E --event-mask NEW,DESTROY -o
>timestamp"?:
>
>I'm not sure if it is possible just to grab udp events, if not you can
>filter it in an application.
>

That's perfect! Thanks Krzystof, Thanks Eric!

Cedrix.

iptables devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.