[PATCH 0/5] conntrack: documentation updates

[PATCH 0/5] conntrack: documentation updates

[Mart Frauenlob]

Good day,

this series includes some documentation updates for conntrack.

Best regards,
Mart

[PATCH 1/5] conntrack: add --proto to usage output.

[Mart Frauenlob]

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
---
 src/conntrack.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index dadbea5..162caa9 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -551,7 +551,7 @@ static const char usage_parameters[] =
 	"  -d, --orig-dst ip\t\tDestination address from original direction\n"
 	"  -r, --reply-src ip\t\tSource addres from reply direction\n"
 	"  -q, --reply-dst ip\t\tDestination address from reply direction\n"
-	"  -p, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
+	"  -p, --proto, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
 	"  -f, --family proto\t\tLayer 3 Protocol, eg. 'ipv6'\n"
 	"  -t, --timeout timeout\t\tSet timeout\n"
 	"  -u, --status status\t\tSet status, eg. ASSURED\n"
-- 
1.7.2.5

[PATCH 2/5] conntrack: man: add --protonum option.

[Mart Frauenlob]

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
---
 conntrack.8 |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/conntrack.8 b/conntrack.8
index f2c1ca5..184e51c 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -129,7 +129,7 @@ Match only entries whose source address in the reply direction equals the one sp
 .BI "-q, --reply-dst " IP_ADDRESS
 Match only entries whose destination address in the reply direction equals the one specified as argument.
 .TP
-.BI "-p, --proto " "PROTO "
+.BI "-p, --proto, --protonum " "PROTO"
 Specify layer four (TCP, UDP, ...) protocol.
 .TP
 .BI "-f, --family " "PROTO"
-- 
1.7.2.5

[PATCH 3/5] conntrack: show --src and --dst options in usage output.

[Mart Frauenlob]

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
---
 src/conntrack.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index 162caa9..0312166 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -547,8 +547,8 @@ static const char usage_update_parameters[] =
 
 static const char usage_parameters[] =
 	"Common parameters and options:\n"
-	"  -s, --orig-src ip\t\tSource address from original direction\n"
-	"  -d, --orig-dst ip\t\tDestination address from original direction\n"
+	"  -s, --src, --orig-src ip\t\tSource address from original direction\n"
+	"  -d, --dst, --orig-dst ip\t\tDestination address from original direction\n"
 	"  -r, --reply-src ip\t\tSource addres from reply direction\n"
 	"  -q, --reply-dst ip\t\tDestination address from reply direction\n"
 	"  -p, --proto, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
-- 
1.7.2.5

[PATCH 4/5] conntrack: man: add options --src and --dst.

[Mart Frauenlob]

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
---
 conntrack.8 |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/conntrack.8 b/conntrack.8
index 184e51c..e54951a 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -115,11 +115,11 @@ however, this results in more memory consumption.
 This option can only be used in conjunction with "\-E, \-\-event".
 .SS FILTER PARAMETERS
 .TP
-.BI "-s, --orig-src " IP_ADDRESS
+.BI "-s, --src, --orig-src " IP_ADDRESS
 Match only entries whose source address in the original direction equals the one specified as argument.
 Implies "--mask-src" when CIDR notation is used.
 .TP
-.BI "-d, --orig-dst " IP_ADDRESS
+.BI "-d, --dst, --orig-dst " IP_ADDRESS
 Match only entries whose destination address in the original direction equals the one specified as argument.
 Implies "--mask-dst" when CIDR notation is used.
 .TP
-- 
1.7.2.5

[PATCH 5/5] conntrack: man: Add description of tables dying and unconfirmed.

[Mart Frauenlob]

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
---
 conntrack.8 |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/conntrack.8 b/conntrack.8
index e54951a..dfde9f0 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -48,6 +48,23 @@ mechanism used to "expect" RELATED connections to existing ones.  Expectations
 are generally used by "connection tracking helpers" (sometimes called
 application level gateways [ALGs]) for more complex protocols such as FTP,
 SIP, H.323.
+.TP
+.BR "dying" :
+This table shows the conntrack entries, that have expired and that have been
+destroyed by the connection tracking system itself, or via the conntrack utility.
+.TP
+.BR "unconfirmed" :
+This table shows new entries, that are not yet inserted into the conntrack table.
+These entries are attached to packets that are traversing the stack,
+but did not reach the confirmation point at the postrouting hook.
+.PP
+The tables "dying" and "unconfirmed" are basically only useful for debugging purposes.
+Under normal operation, it is hard to see entries in any of them.
+There are corner cases, where it is valid to see entries in the
+unconfirmed table:
+1) when packets that are enqueued via nfqueue, or
+2) when conntrackd runs in event reliable mode.
+.PP
 .SH OPTIONS
 The options recognized by 
 .B conntrack
-- 
1.7.2.5

Re: [PATCH 1/5] conntrack: add --proto to usage output.

[Pablo Neira Ayuso]

On Thu, Apr 07, 2016 at 08:31:38PM +0200, Mart Frauenlob wrote:
> 
> Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
> ---
>  src/conntrack.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/conntrack.c b/src/conntrack.c
> index dadbea5..162caa9 100644
> --- a/src/conntrack.c
> +++ b/src/conntrack.c
> @@ -551,7 +551,7 @@ static const char usage_parameters[] =
>  	"  -d, --orig-dst ip\t\tDestination address from original direction\n"
>  	"  -r, --reply-src ip\t\tSource addres from reply direction\n"
>  	"  -q, --reply-dst ip\t\tDestination address from reply direction\n"
> -	"  -p, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
> +	"  -p, --proto, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"

This works too:

# conntrack --pr tcp -L
tcp      6 431998 ESTABLISHED src=10.123.10.20 dst=1.2.3.4
sport=47488 dport=80 src=1.2.3.4 dst=10.123.10.20 sport=80
dport=47488 [ASSURED] mark=0 use=1

Really, I wouldn't worry about this.

Re: [PATCH 3/5] conntrack: show --src and --dst options in usage output.

[Pablo Neira Ayuso]

Applied.

Re: [PATCH 4/5] conntrack: man: add options --src and --dst.

[Pablo Neira Ayuso]

Also applied.

Re: [PATCH 5/5] conntrack: man: Add description of tables dying and unconfirmed.

[Pablo Neira Ayuso]

Applied, thanks.

On Thu, Apr 07, 2016 at 08:31:42PM +0200, Mart Frauenlob wrote:
> 
> Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
> ---
>  conntrack.8 |   17 +++++++++++++++++
>  1 files changed, 17 insertions(+), 0 deletions(-)
> 
> diff --git a/conntrack.8 b/conntrack.8
> index e54951a..dfde9f0 100644
> --- a/conntrack.8
> +++ b/conntrack.8
> @@ -48,6 +48,23 @@ mechanism used to "expect" RELATED connections to existing ones.  Expectations
>  are generally used by "connection tracking helpers" (sometimes called
>  application level gateways [ALGs]) for more complex protocols such as FTP,
>  SIP, H.323.
> +.TP
> +.BR "dying" :
> +This table shows the conntrack entries, that have expired and that have been
> +destroyed by the connection tracking system itself, or via the conntrack utility.
> +.TP
> +.BR "unconfirmed" :
> +This table shows new entries, that are not yet inserted into the conntrack table.
> +These entries are attached to packets that are traversing the stack,
> +but did not reach the confirmation point at the postrouting hook.
> +.PP
> +The tables "dying" and "unconfirmed" are basically only useful for debugging purposes.
> +Under normal operation, it is hard to see entries in any of them.
> +There are corner cases, where it is valid to see entries in the
> +unconfirmed table:
> +1) when packets that are enqueued via nfqueue, or
> +2) when conntrackd runs in event reliable mode.
> +.PP
>  .SH OPTIONS
>  The options recognized by 
>  .B conntrack
> -- 
> 1.7.2.5
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 5/5] conntrack: man: Add description of tables dying and unconfirmed.

[Pablo Neira Ayuso]

On Fri, Apr 08, 2016 at 12:19:21PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 07, 2016 at 08:31:42PM +0200, Mart Frauenlob wrote:
> > +.PP
> > +The tables "dying" and "unconfirmed" are basically only useful for debugging purposes.
> > +Under normal operation, it is hard to see entries in any of them.
> > +There are corner cases, where it is valid to see entries in the
> > +unconfirmed table:
> > +1) when packets that are enqueued via nfqueue, or
> > +2) when conntrackd runs in event reliable mode.

BTW, I have reworded this:

"The tables "dying" and "unconfirmed" are basically only useful for
debugging purposes.  Under normal operation, it is hard to see entries
in any of them.  There are corner cases, where it is valid to see
entries in the unconfirmed table, eg. when packets that are enqueued
via nfqueue, and the dying table, eg. when conntrackd runs in event
reliable mode."

Actually, you can see entries in the dying table when conntrackd
reliable event mode is on, instead of the unconfirmed table.

Sorry about that.