This PR adds a new module for conntrack, "ct", for brevity.
Currently it extracts some information from the struct nf_conn linked to each skb, printing it in a format that resembles that of the conntrack -L utility.
The functionality is fairly simple and there is plenty of room for extension and improvement, some ideas:
Tuple Optimization: Connection tuples are fairly static so we're sending mostly the same data on each skb. We could consider building a cache that reduces the amount of data sent through the rings.
Protocol extension: Currently the module sends TCP protocol state since that's the protocol with the most interesting state machine. Since it was just 8 bits it didn't feel necessary to add a new event section. If more protocol-specific data is to be sent we should consider splitting the event.
Conntrack entry tracking: Some changes in the connection information do not come from an skb event, e.g., a timeout. We could get the nf_conn pointer and track it the same way we track skbs. However, there is complexity associated: filtering, sorting alongside skb events, etc. Currently this complexity does not seem to be compensated with use-cases.