Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netlink: specs: add conntrack dump and stats dump support

This adds support to dump the connection tracking table
("conntrack -L") and the conntrack statistics ("conntrack -S").

Example conntrack dump:
tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/conntrack.yaml --dump get
[{'id': 59489769,
'mark': 0,
'nfgen-family': 2,
'protoinfo': {'protoinfo-tcp': {'tcp-flags-original': {'flags': {'maxack',
'sack-perm',
'window-scale'},
'mask': set()},
'tcp-flags-reply': {'flags': {'maxack',
'sack-perm',
'window-scale'},
'mask': set()},
'tcp-state': 'established',
'tcp-wscale-original': 7,
'tcp-wscale-reply': 8}},
'res-id': 0,
'secctx': {'secctx-name': 'system_u:object_r:unlabeled_t:s0'},
'status': {'assured',
'confirmed',
'dst-nat-done',
'seen-reply',
'src-nat-done'},
'timeout': 431949,
'tuple-orig': {'tuple-ip': {'ip-v4-dst': '34.107.243.93',
'ip-v4-src': '192.168.0.114'},
'tuple-proto': {'proto-dst-port': 443,
'proto-num': 6,
'proto-src-port': 37104}},
'tuple-reply': {'tuple-ip': {'ip-v4-dst': '192.168.0.114',
'ip-v4-src': '34.107.243.93'},
'tuple-proto': {'proto-dst-port': 37104,
'proto-num': 6,
'proto-src-port': 443}},
'use': 1,
'version': 0},
{'id': 3402229480,

Example stats dump:
tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/conntrack.yaml --dump get-stats
[{'chain-toolong': 0,
'clash-resolve': 3,
'drop': 0,
....

Changes since last iteration:
- Address comments from Donald Hunter; in particular, fix up the "get" and
"get-stats" descriptions: the former operation supports both dump
and normal request (returns a single entry, if found), the latter
only supports dumps.

Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20250210152159.41077-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
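The spec added by this commit fixes the wire format a client has to produce and consume: the nfgenmsg fixed header (u8 family, u8 version, big-endian u16 res-id) behind a standard nlmsghdr, the message values 0x101 ("get", also used for dumps) and 0x104 ("get-stats"), and the nf-ct-status flag bits. The following Python is an added example, not part of the commit or of the ynl tooling, showing how those pieces fit together: it builds a dump request the way the spec describes it, decodes a raw status word into the flag names the spec lists (bit 0 = expected, bit 1 = seen-reply, ...), and summarises a dump entry of the shape printed by cli.py above. The sample entry is constructed from the page's own example output; the nlmsghdr layout and the NLM_F_* flag values are the standard ones from linux/netlink.h.

```python
import struct

# Values taken from conntrack.yaml as added in this commit.
NETLINK_NETFILTER = 12   # protonum
CT_GET = 0x101           # "get" request / dump message type
CT_GET_STATS = 0x104     # "get-stats" dump message type
AF_INET = 2              # nfgen-family value seen in the sample dump

# Standard netlink header constants (linux/netlink.h), not from the spec.
NLM_F_REQUEST = 0x01
NLM_F_ROOT = 0x100
NLM_F_MATCH = 0x200
NLM_F_DUMP = NLM_F_ROOT | NLM_F_MATCH
NLMSG_HDRLEN = 16

# nf-ct-status flag names in spec order: entry i corresponds to bit i.
NF_CT_STATUS = [
    "expected", "seen-reply", "assured", "confirmed", "src-nat", "dst-nat",
    "seq-adj", "src-nat-done", "dst-nat-done", "dying", "fixed-timeout",
    "template", "nat-clash", "helper", "offload", "hw-offload",
]

# IANA protocol numbers for the proto-num attribute (assumption: standard values).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6", 132: "sctp"}


def pack_nfgenmsg(family, version=0, res_id=0):
    """nfgenmsg fixed header: u8 nfgen-family, u8 version, u16 res-id (big-endian)."""
    return struct.pack("BB", family, version) + struct.pack(">H", res_id)


def unpack_nfgenmsg(buf):
    family, version = struct.unpack("BB", buf[:2])
    (res_id,) = struct.unpack(">H", buf[2:4])
    return {"nfgen-family": family, "version": version, "res-id": res_id}


def build_dump_request(msg_type, family, seq=1):
    """nlmsghdr (native byte order) + nfgenmsg. With no attributes appended,
    a NLM_F_DUMP request asks for the whole table (or all per-cpu stats)."""
    payload = pack_nfgenmsg(family)
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), msg_type,
                      NLM_F_REQUEST | NLM_F_DUMP, seq, 0)
    return hdr + payload


def parse_nlmsghdr(buf):
    length, msg_type, flags, seq, pid = struct.unpack("=IHHII", buf[:NLMSG_HDRLEN])
    return {"len": length, "type": msg_type, "flags": flags, "seq": seq, "pid": pid}


def decode_status(value):
    """Raw big-endian u32 'status' attribute value -> set of flag names."""
    return {name for bit, name in enumerate(NF_CT_STATUS) if value & (1 << bit)}


def encode_status(names):
    """Inverse of decode_status, e.g. for building a status/status-mask filter."""
    return sum(1 << NF_CT_STATUS.index(n) for n in set(names))


def summarize_entry(entry):
    """One-line view of a dump entry as printed by cli.py: original-direction
    tuple, TCP state if present, and whether the flow was NATed."""
    orig = entry["tuple-orig"]
    ip, l4 = orig["tuple-ip"], orig["tuple-proto"]
    proto = PROTO_NAMES.get(l4["proto-num"], str(l4["proto-num"]))
    src = ip.get("ip-v4-src", ip.get("ip-v6-src"))
    dst = ip.get("ip-v4-dst", ip.get("ip-v6-dst"))
    state = entry.get("protoinfo", {}).get("protoinfo-tcp", {}).get("tcp-state", "-")
    nat = "nat" if entry["status"] & {"src-nat-done", "dst-nat-done"} else "no-nat"
    return (f"{proto} {src}:{l4.get('proto-src-port')} -> "
            f"{dst}:{l4.get('proto-dst-port')} {state} {nat}")


# Constructed from the sample dump output on the page (abridged to what we use).
SAMPLE_ENTRY = {
    "id": 59489769,
    "nfgen-family": AF_INET,
    "protoinfo": {"protoinfo-tcp": {"tcp-state": "established"}},
    "status": {"assured", "confirmed", "dst-nat-done", "seen-reply", "src-nat-done"},
    "tuple-orig": {
        "tuple-ip": {"ip-v4-dst": "34.107.243.93", "ip-v4-src": "192.168.0.114"},
        "tuple-proto": {"proto-dst-port": 443, "proto-num": 6, "proto-src-port": 37104},
    },
}

if __name__ == "__main__":
    req = build_dump_request(CT_GET, AF_INET)
    print(req.hex(), parse_nlmsghdr(req), unpack_nfgenmsg(req[NLMSG_HDRLEN:]))
    print(sorted(decode_status(encode_status(SAMPLE_ENTRY["status"]))))
    print(summarize_entry(SAMPLE_ENTRY))
```

The request bytes are what a raw NETLINK_NETFILTER socket would send; the spec is what lets ynl do the same generically, so a mismatch between this hand-built header and a ynl trace is a quick way to spot a spec or endianness error.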

Authored by Florian Westphal and committed by Jakub Kicinski (23fc9311 f0e70409)

+643
Documentation/netlink/specs/conntrack.yaml
··· 1 + # SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 2 + 3 + name: conntrack 4 + protocol: netlink-raw 5 + protonum: 12 6 + 7 + doc: 8 + Netfilter connection tracking subsystem over nfnetlink 9 + 10 + definitions: 11 + - 12 + name: nfgenmsg 13 + type: struct 14 + members: 15 + - 16 + name: nfgen-family 17 + type: u8 18 + - 19 + name: version 20 + type: u8 21 + - 22 + name: res-id 23 + byte-order: big-endian 24 + type: u16 25 + - 26 + name: nf-ct-tcp-flags-mask 27 + type: struct 28 + members: 29 + - 30 + name: flags 31 + type: u8 32 + enum: nf-ct-tcp-flags 33 + enum-as-flags: true 34 + - 35 + name: mask 36 + type: u8 37 + enum: nf-ct-tcp-flags 38 + enum-as-flags: true 39 + - 40 + name: nf-ct-tcp-flags 41 + type: flags 42 + entries: 43 + - window-scale 44 + - sack-perm 45 + - close-init 46 + - be-liberal 47 + - unacked 48 + - maxack 49 + - challenge-ack 50 + - simultaneous-open 51 + - 52 + name: nf-ct-tcp-state 53 + type: enum 54 + entries: 55 + - none 56 + - syn-sent 57 + - syn-recv 58 + - established 59 + - fin-wait 60 + - close-wait 61 + - last-ack 62 + - time-wait 63 + - close 64 + - syn-sent2 65 + - max 66 + - ignore 67 + - retrans 68 + - unack 69 + - timeout-max 70 + - 71 + name: nf-ct-sctp-state 72 + type: enum 73 + entries: 74 + - none 75 + - cloned 76 + - cookie-wait 77 + - cookie-echoed 78 + - established 79 + - shutdown-sent 80 + - shutdown-received 81 + - shutdown-ack-sent 82 + - shutdown-heartbeat-sent 83 + - 84 + name: nf-ct-status 85 + type: flags 86 + entries: 87 + - expected 88 + - seen-reply 89 + - assured 90 + - confirmed 91 + - src-nat 92 + - dst-nat 93 + - seq-adj 94 + - src-nat-done 95 + - dst-nat-done 96 + - dying 97 + - fixed-timeout 98 + - template 99 + - nat-clash 100 + - helper 101 + - offload 102 + - hw-offload 103 + 104 + attribute-sets: 105 + - 106 + name: counter-attrs 107 + attributes: 108 + - 109 + name: packets 110 + type: u64 111 + byte-order: big-endian 112 + - 113 + name: bytes 114 + type: u64 115 
+ byte-order: big-endian 116 + - 117 + name: packets-old 118 + type: u32 119 + - 120 + name: bytes-old 121 + type: u32 122 + - 123 + name: pad 124 + type: pad 125 + - 126 + name: tuple-proto-attrs 127 + attributes: 128 + - 129 + name: proto-num 130 + type: u8 131 + doc: l4 protocol number 132 + - 133 + name: proto-src-port 134 + type: u16 135 + byte-order: big-endian 136 + doc: l4 source port 137 + - 138 + name: proto-dst-port 139 + type: u16 140 + byte-order: big-endian 141 + doc: l4 source port 142 + - 143 + name: proto-icmp-id 144 + type: u16 145 + byte-order: big-endian 146 + doc: l4 icmp id 147 + - 148 + name: proto-icmp-type 149 + type: u8 150 + - 151 + name: proto-icmp-code 152 + type: u8 153 + - 154 + name: proto-icmpv6-id 155 + type: u16 156 + byte-order: big-endian 157 + doc: l4 icmp id 158 + - 159 + name: proto-icmpv6-type 160 + type: u8 161 + - 162 + name: proto-icmpv6-code 163 + type: u8 164 + - 165 + name: tuple-ip-attrs 166 + attributes: 167 + - 168 + name: ip-v4-src 169 + type: u32 170 + byte-order: big-endian 171 + display-hint: ipv4 172 + doc: ipv4 source address 173 + - 174 + name: ip-v4-dst 175 + type: u32 176 + byte-order: big-endian 177 + display-hint: ipv4 178 + doc: ipv4 destination address 179 + - 180 + name: ip-v6-src 181 + type: binary 182 + checks: 183 + min-len: 16 184 + byte-order: big-endian 185 + display-hint: ipv6 186 + doc: ipv6 source address 187 + - 188 + name: ip-v6-dst 189 + type: binary 190 + checks: 191 + min-len: 16 192 + byte-order: big-endian 193 + display-hint: ipv6 194 + doc: ipv6 destination address 195 + - 196 + name: tuple-attrs 197 + attributes: 198 + - 199 + name: tuple-ip 200 + type: nest 201 + nested-attributes: tuple-ip-attrs 202 + doc: conntrack l3 information 203 + - 204 + name: tuple-proto 205 + type: nest 206 + nested-attributes: tuple-proto-attrs 207 + doc: conntrack l4 information 208 + - 209 + name: tuple-zone 210 + type: u16 211 + byte-order: big-endian 212 + doc: conntrack zone id 213 + - 214 + name: 
protoinfo-tcp-attrs 215 + attributes: 216 + - 217 + name: tcp-state 218 + type: u8 219 + enum: nf-ct-tcp-state 220 + doc: tcp connection state 221 + - 222 + name: tcp-wscale-original 223 + type: u8 224 + doc: window scaling factor in original direction 225 + - 226 + name: tcp-wscale-reply 227 + type: u8 228 + doc: window scaling factor in reply direction 229 + - 230 + name: tcp-flags-original 231 + type: binary 232 + struct: nf-ct-tcp-flags-mask 233 + - 234 + name: tcp-flags-reply 235 + type: binary 236 + struct: nf-ct-tcp-flags-mask 237 + - 238 + name: protoinfo-dccp-attrs 239 + attributes: 240 + - 241 + name: dccp-state 242 + type: u8 243 + doc: dccp connection state 244 + - 245 + name: dccp-role 246 + type: u8 247 + - 248 + name: dccp-handshake-seq 249 + type: u64 250 + byte-order: big-endian 251 + - 252 + name: dccp-pad 253 + type: pad 254 + - 255 + name: protoinfo-sctp-attrs 256 + attributes: 257 + - 258 + name: sctp-state 259 + type: u8 260 + doc: sctp connection state 261 + enum: nf-ct-sctp-state 262 + - 263 + name: vtag-original 264 + type: u32 265 + byte-order: big-endian 266 + - 267 + name: vtag-reply 268 + type: u32 269 + byte-order: big-endian 270 + - 271 + name: protoinfo-attrs 272 + attributes: 273 + - 274 + name: protoinfo-tcp 275 + type: nest 276 + nested-attributes: protoinfo-tcp-attrs 277 + doc: conntrack tcp state information 278 + - 279 + name: protoinfo-dccp 280 + type: nest 281 + nested-attributes: protoinfo-dccp-attrs 282 + doc: conntrack dccp state information 283 + - 284 + name: protoinfo-sctp 285 + type: nest 286 + nested-attributes: protoinfo-sctp-attrs 287 + doc: conntrack sctp state information 288 + - 289 + name: help-attrs 290 + attributes: 291 + - 292 + name: help-name 293 + type: string 294 + doc: helper name 295 + - 296 + name: nat-proto-attrs 297 + attributes: 298 + - 299 + name: nat-port-min 300 + type: u16 301 + byte-order: big-endian 302 + - 303 + name: nat-port-max 304 + type: u16 305 + byte-order: big-endian 306 + - 307 + 
name: nat-attrs 308 + attributes: 309 + - 310 + name: nat-v4-minip 311 + type: u32 312 + byte-order: big-endian 313 + - 314 + name: nat-v4-maxip 315 + type: u32 316 + byte-order: big-endian 317 + - 318 + name: nat-v6-minip 319 + type: binary 320 + - 321 + name: nat-v6-maxip 322 + type: binary 323 + - 324 + name: nat-proto 325 + type: nest 326 + nested-attributes: nat-proto-attrs 327 + - 328 + name: seqadj-attrs 329 + attributes: 330 + - 331 + name: correction-pos 332 + type: u32 333 + byte-order: big-endian 334 + - 335 + name: offset-before 336 + type: u32 337 + byte-order: big-endian 338 + - 339 + name: offset-after 340 + type: u32 341 + byte-order: big-endian 342 + - 343 + name: secctx-attrs 344 + attributes: 345 + - 346 + name: secctx-name 347 + type: string 348 + - 349 + name: synproxy-attrs 350 + attributes: 351 + - 352 + name: isn 353 + type: u32 354 + byte-order: big-endian 355 + - 356 + name: its 357 + type: u32 358 + byte-order: big-endian 359 + - 360 + name: tsoff 361 + type: u32 362 + byte-order: big-endian 363 + - 364 + name: conntrack-attrs 365 + attributes: 366 + - 367 + name: tuple-orig 368 + type: nest 369 + nested-attributes: tuple-attrs 370 + doc: conntrack l3+l4 protocol information, original direction 371 + - 372 + name: tuple-reply 373 + type: nest 374 + nested-attributes: tuple-attrs 375 + doc: conntrack l3+l4 protocol information, reply direction 376 + - 377 + name: status 378 + type: u32 379 + byte-order: big-endian 380 + enum: nf-ct-status 381 + enum-as-flags: true 382 + doc: conntrack flag bits 383 + - 384 + name: protoinfo 385 + type: nest 386 + nested-attributes: protoinfo-attrs 387 + - 388 + name: help 389 + type: nest 390 + nested-attributes: help-attrs 391 + - 392 + name: nat-src 393 + type: nest 394 + nested-attributes: nat-attrs 395 + - 396 + name: timeout 397 + type: u32 398 + byte-order: big-endian 399 + - 400 + name: mark 401 + type: u32 402 + byte-order: big-endian 403 + - 404 + name: counters-orig 405 + type: nest 406 + 
nested-attributes: counter-attrs 407 + - 408 + name: counters-reply 409 + type: nest 410 + nested-attributes: counter-attrs 411 + - 412 + name: use 413 + type: u32 414 + byte-order: big-endian 415 + - 416 + name: id 417 + type: u32 418 + byte-order: big-endian 419 + - 420 + name: nat-dst 421 + type: nest 422 + nested-attributes: nat-attrs 423 + - 424 + name: tuple-master 425 + type: nest 426 + nested-attributes: tuple-attrs 427 + - 428 + name: seq-adj-orig 429 + type: nest 430 + nested-attributes: seqadj-attrs 431 + - 432 + name: seq-adj-reply 433 + type: nest 434 + nested-attributes: seqadj-attrs 435 + - 436 + name: secmark 437 + type: binary 438 + doc: obsolete 439 + - 440 + name: zone 441 + type: u16 442 + byte-order: big-endian 443 + doc: conntrack zone id 444 + - 445 + name: secctx 446 + type: nest 447 + nested-attributes: secctx-attrs 448 + - 449 + name: timestamp 450 + type: u64 451 + byte-order: big-endian 452 + - 453 + name: mark-mask 454 + type: u32 455 + byte-order: big-endian 456 + - 457 + name: labels 458 + type: binary 459 + - 460 + name: labels mask 461 + type: binary 462 + - 463 + name: synproxy 464 + type: nest 465 + nested-attributes: synproxy-attrs 466 + - 467 + name: filter 468 + type: nest 469 + nested-attributes: tuple-attrs 470 + - 471 + name: status-mask 472 + type: u32 473 + byte-order: big-endian 474 + enum: nf-ct-status 475 + enum-as-flags: true 476 + doc: conntrack flag bits to change 477 + - 478 + name: timestamp-event 479 + type: u64 480 + byte-order: big-endian 481 + - 482 + name: conntrack-stats-attrs 483 + attributes: 484 + - 485 + name: searched 486 + type: u32 487 + byte-order: big-endian 488 + doc: obsolete 489 + - 490 + name: found 491 + type: u32 492 + byte-order: big-endian 493 + - 494 + name: new 495 + type: u32 496 + byte-order: big-endian 497 + doc: obsolete 498 + - 499 + name: invalid 500 + type: u32 501 + byte-order: big-endian 502 + doc: obsolete 503 + - 504 + name: ignore 505 + type: u32 506 + byte-order: big-endian 507 
+ doc: obsolete 508 + - 509 + name: delete 510 + type: u32 511 + byte-order: big-endian 512 + doc: obsolete 513 + - 514 + name: delete-list 515 + type: u32 516 + byte-order: big-endian 517 + doc: obsolete 518 + - 519 + name: insert 520 + type: u32 521 + byte-order: big-endian 522 + - 523 + name: insert-failed 524 + type: u32 525 + byte-order: big-endian 526 + - 527 + name: drop 528 + type: u32 529 + byte-order: big-endian 530 + - 531 + name: early-drop 532 + type: u32 533 + byte-order: big-endian 534 + - 535 + name: error 536 + type: u32 537 + byte-order: big-endian 538 + - 539 + name: search-restart 540 + type: u32 541 + byte-order: big-endian 542 + - 543 + name: clash-resolve 544 + type: u32 545 + byte-order: big-endian 546 + - 547 + name: chain-toolong 548 + type: u32 549 + byte-order: big-endian 550 + 551 + operations: 552 + enum-model: directional 553 + list: 554 + - 555 + name: get 556 + doc: get / dump entries 557 + attribute-set: conntrack-attrs 558 + fixed-header: nfgenmsg 559 + do: 560 + request: 561 + value: 0x101 562 + attributes: 563 + - tuple-orig 564 + - tuple-reply 565 + - zone 566 + reply: 567 + value: 0x100 568 + attributes: 569 + - tuple-orig 570 + - tuple-reply 571 + - status 572 + - protoinfo 573 + - help 574 + - nat-src 575 + - nat-dst 576 + - timeout 577 + - mark 578 + - counter-orig 579 + - counter-reply 580 + - use 581 + - id 582 + - nat-dst 583 + - tuple-master 584 + - seq-adj-orig 585 + - seq-adj-reply 586 + - zone 587 + - secctx 588 + - labels 589 + - synproxy 590 + dump: 591 + request: 592 + value: 0x101 593 + attributes: 594 + - nfgen-family 595 + - mark 596 + - filter 597 + - status 598 + - zone 599 + reply: 600 + value: 0x100 601 + attributes: 602 + - tuple-orig 603 + - tuple-reply 604 + - status 605 + - protoinfo 606 + - help 607 + - nat-src 608 + - nat-dst 609 + - timeout 610 + - mark 611 + - counter-orig 612 + - counter-reply 613 + - use 614 + - id 615 + - nat-dst 616 + - tuple-master 617 + - seq-adj-orig 618 + - seq-adj-reply 619 
+ - zone 620 + - secctx 621 + - labels 622 + - synproxy 623 + - 624 + name: get-stats 625 + doc: dump pcpu conntrack stats 626 + attribute-set: conntrack-stats-attrs 627 + fixed-header: nfgenmsg 628 + dump: 629 + request: 630 + value: 0x104 631 + reply: 632 + value: 0x104 633 + attributes: 634 + - searched 635 + - found 636 + - insert 637 + - insert-failed 638 + - drop 639 + - early-drop 640 + - error 641 + - search-restart 642 + - clash-resolve 643 + - chain-toolong
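Review bot: the "get" operation's do and dump reply attribute lists name `counter-orig` and `counter-reply`, but the conntrack-attrs set defines those attributes as `counters-orig` and `counters-reply`, so both reply lists reference names that do not exist in the set; rename them to match the set. In the same two reply lists `nat-dst` is listed twice (once after `nat-src`, again after `id`); one should be dropped. In conntrack-attrs, `name: labels mask` has a space where every other attribute name uses a hyphen and should read `labels-mask`. Finally, in tuple-proto-attrs the doc for `proto-dst-port` repeats the one from `proto-src-port` (`doc: l4 source port`); it should say `l4 destination port`.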