From 2b7cc2e09ce5109e882a578437a33ee69b57b91a Mon Sep 17 00:00:00 2001
From: Timo Beckers
Date: Wed, 11 Oct 2023 12:20:15 +0200
Subject: [PATCH 1/4] go: Update x/sys and x/net

Signed-off-by: Timo Beckers
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index ccfb338..4004443 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/stretchr/testify v1.8.1
 github.com/ti-mo/netfilter v0.5.0
 github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc
- golang.org/x/sys v0.2.0
+ golang.org/x/sys v0.13.0
 )
 
 require (
@@ -17,7 +17,7 @@ require (
 github.com/josharian/native v1.0.0 // indirect
 github.com/mdlayher/socket v0.4.0 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
- golang.org/x/net v0.2.0 // indirect
+ golang.org/x/net v0.17.0 // indirect
 golang.org/x/sync v0.1.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 0fbda72..d9aa31f 100644
--- a/go.sum
+++ b/go.sum
@@ -24,12 +24,12 @@ github.com/ti-mo/netfilter v0.5.0 h1:MZmsUw5bFRecOb0AeyjOPxTHg4UxYzyEs0Ek/6Lxoy8 github.com/ti-mo/netfilter v0.5.0/go.mod h1:nt+8B9hx/QpqHr7Hazq+2qMCCA8u2OTkyc/7+U9ARz8= github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc h1:R83G5ikgLMxrBvLh22JhdfI8K6YXEPHx5P03Uu3DRs4= github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= -golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From 30223498ebb79fc71659047e1ba87981bf755461 Mon Sep 17 00:00:00 2001 From: Timo Beckers Date: Wed, 11 Oct 2023 12:16:26 +0200 Subject: [PATCH 2/4] Remove enum_test.go Signed-off-by: Timo Beckers --- enum_test.go | 32 -------------------------------- 1 file changed, 32 deletions(-) delete mode 100644 enum_test.go diff --git a/enum_test.go b/enum_test.go deleted file mode 100644 index ca4f599..0000000 --- a/enum_test.go +++ /dev/null 
@@ -1,32 +0,0 @@
-package conntrack
-
-import (
- "fmt"
- "testing"
-)
-
-// Create references to unused enums (deprecated or other) to avoid tripping go-unused.
-// These consts cannot be removed as they would break the iota sequence.
-func TestUnusedEnums(t *testing.T) {
- _ = fmt.Sprint(
- ctGetCtrZero, // TODO(timo): Could be added as feature
- ctGetDying, // Narrow time window for query
- ctGetUnconfirmed, // Narrow time window for query
- ctExpGet, // Haven't figured out how to create expects, so there's nothing to Get()
- ctaNatSrc, // Deprecated
- ctaNatDst, // Deprecated
- ctaSecMark, // Deprecated
-
- // All the below is unused
- ctaTupleUnspec,
- ctaProtoUnspec,
- ctaIPUnspec,
- ctaTimestampPad,
- ctaProtoInfoDCCPPad,
- ctaExpectUnspec,
- ctaExpectNATUnspec,
- ctaStatsUnspec,
- ctaStatsGlobalUnspec,
- ctaStatsExpUnspec,
- )
-}
From 6379a82f8ede0feb2fbf4c8c553619447fbdda94 Mon Sep 17 00:00:00 2001
From: Timo Beckers
Date: Wed, 11 Oct 2023 12:16:53 +0200
Subject: [PATCH 3/4] flow: automatically set SequenceAdjust.Direction flag when marshaling

Setting the Direction flag on Flow.SeqAdjReply is no longer needed, the marshaler takes care of this.

Signed-off-by: Timo Beckers
---
 attribute_types.go | 5 ++---
 attribute_types_test.go | 2 +-
 enum.go | 2 +-
 flow.go | 4 ++--
 4 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/attribute_types.go b/attribute_types.go
index d8eb5fb..97f92ba 100644
--- a/attribute_types.go
+++ b/attribute_types.go
@@ -426,11 +426,10 @@ func (seq *SequenceAdjust) unmarshal(ad *netlink.AttributeDecoder) error {
 }
 
 // marshal marshals a SequenceAdjust into a netfilter.Attribute.
-func (seq SequenceAdjust) marshal() netfilter.Attribute {
-
+func (seq SequenceAdjust) marshal(reply bool) netfilter.Attribute {
 // Set orig/reply AttributeType
 at := ctaSeqAdjOrig
- if seq.Direction {
+ if seq.Direction || reply {
 at = ctaSeqAdjReply
 }
 
diff --git a/attribute_types_test.go b/attribute_types_test.go
index 7c29bbe..49b388e 100644
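Review bot: In `attribute_types.go`, `if seq.Direction || reply {` lets either input select `ctaSeqAdjReply`, so a `Flow.SeqAdjOrig` whose `Direction` field happens to be set is still emitted as a reply-direction attribute, even though `flow.go` (the `@@ -244,11 +244,11 @@` hunk) calls it with `marshal(false)`. If that is kept for backward compatibility, the doc comment should say so, for example `// marshal marshals a SequenceAdjust into a netfilter.Attribute of type ctaSeqAdjReply when reply is true or seq.Direction is set, and ctaSeqAdjOrig otherwise.` Otherwise, letting the caller alone decide with `if reply {` would rule out a Flow that carries two reply attributes and no orig one. The rest of marshal's body lies outside the hunk, so I cannot see whether `Direction` is read again further down.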
--- a/attribute_types_test.go
+++ b/attribute_types_test.go
@@ -439,7 +439,7 @@ func TestAttributeSeqAdj(t *testing.T) {
 sa.Direction = false
 }
 
- assert.EqualValues(t, nfaSeqAdj, sa.marshal())
+ assert.EqualValues(t, nfaSeqAdj, sa.marshal(false))
 })
 }
 }
diff --git a/enum.go b/enum.go
index 23668d1..b76b015 100644
--- a/enum.go
+++ b/enum.go
@@ -76,7 +76,7 @@ type tupleType uint8
 
 // enum ctattr_tuple
 const (
- ctaTupleUnspec tupleType = iota //CTA_TUPLE_UNSPEC
+ ctaTupleUnspec tupleType = iota // CTA_TUPLE_UNSPEC
 ctaTupleIP // CTA_TUPLE_IP
 ctaTupleProto // CTA_TUPLE_PROTO
 ctaTupleZone // CTA_TUPLE_ZONE
diff --git a/flow.go b/flow.go
index 859a4c5..4867f2a 100644
--- a/flow.go
+++ b/flow.go
@@ -244,11 +244,11 @@ func (f Flow) marshal() ([]netfilter.Attribute, error) {
 }
 
 if f.SeqAdjOrig.filled() {
- attrs = append(attrs, f.SeqAdjOrig.marshal())
+ attrs = append(attrs, f.SeqAdjOrig.marshal(false))
 }
 
 if f.SeqAdjReply.filled() {
- attrs = append(attrs, f.SeqAdjReply.marshal())
+ attrs = append(attrs, f.SeqAdjReply.marshal(true))
 }
 
 if f.SynProxy.filled() {
From e3871765a112ded83011ddf5f297fb00e5622d00 Mon Sep 17 00:00:00 2001
From: Timo Beckers
Date: Wed, 11 Oct 2023 12:15:22 +0200
Subject: [PATCH 4/4] flow: marshal Labels and LabelsMask fields, add e2e Flow marshaling test

Signed-off-by: Timo Beckers
---
 flow.go | 14 ++++++++++++-
 flow_test.go | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/flow.go b/flow.go
index 4867f2a..99d6ee7 100644
--- a/flow.go
+++ b/flow.go
@@ -186,7 +186,7 @@ func (f Flow) marshal() ([]netfilter.Attribute, error) {
 return nil, errNeedTuples
 }
 
- attrs := make([]netfilter.Attribute, 0, 12)
+ attrs := make([]netfilter.Attribute, 0, 14)
 
 if f.TupleOrig.filled() {
 to, err := f.TupleOrig.marshal(uint16(ctaTupleOrig))
@@ -255,6 +255,18 @@ func (f Flow) marshal() ([]netfilter.Attribute, error) { attrs = append(attrs, f.SynProxy.marshal()) } + if len(f.Labels) > 0 { + a := netfilter.Attribute{Type: uint16(ctaLabels)} + a.Data = f.Labels + attrs = append(attrs, a) + } + + if len(f.LabelsMask) > 0 { + a := netfilter.Attribute{Type: uint16(ctaLabelsMask)} + a.Data = f.LabelsMask + attrs = append(attrs, a) + } + return attrs, nil } diff --git a/flow_test.go b/flow_test.go index 2b8c698..faebbd2 100644 --- a/flow_test.go +++ b/flow_test.go @@ -422,7 +422,7 @@ func TestFlowUnmarshal(t *testing.T) { func TestFlowMarshal(t *testing.T) { // Expect a marshal without errors - _, err := Flow{ + attrs, err := Flow{ TupleOrig: flowIPPT, TupleReply: flowIPPT, TupleMaster: flowIPPT, ProtoInfo: ProtoInfo{TCP: &ProtoInfoTCP{State: 42}}, Timeout: 123, Status: Status{Value: 1234}, Mark: 0x1234, Zone: 2, 
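Review bot: The two new blocks in `Flow.marshal` copy `f.Labels` and `f.LabelsMask` straight into attributes without checking their lengths or how they relate: a `LabelsMask` is emitted even when `Labels` is empty, and the two slices may differ in size. As far as I know, the kernel's ctnetlink handler only accepts a label payload whose length is a multiple of four bytes, together with a mask of exactly the same length, and rejects anything else with EINVAL, so a caller who relies on labels for policy tagging only learns about a malformed Flow at send time. Since marshal already returns an error, a guard opening with `if len(f.LabelsMask) > 0 && len(f.LabelsMask) != len(f.Labels) {` and returning a new sentinel declared next to `errNeedTuples` would surface this early; at minimum the constraint deserves a comment above the blocks, e.g. `// Labels and LabelsMask are passed through unvalidated; the kernel is expected to reject mismatched or unaligned lengths.` marshal starts outside this hunk.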
@@ -430,9 +430,66 @@ func TestFlowMarshal(t *testing.T) {
 SeqAdjOrig: SequenceAdjust{Position: 1, OffsetBefore: 2, OffsetAfter: 3},
 SeqAdjReply: SequenceAdjust{Position: 5, OffsetBefore: 6, OffsetAfter: 7},
 SynProxy: SynProxy{ISN: 0x12345678, ITS: 0x87654321, TSOff: 0xabcdef00},
+ Labels: []byte{0x13, 0x37},
+ LabelsMask: []byte{0xff, 0xff},
 }.marshal()
 assert.NoError(t, err)
 
+ want := []netfilter.Attribute{
+ {Type: uint16(ctaTupleOrig), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaTupleIP), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaIPv4Src), Data: []byte{0x1, 0x2, 0x3, 0x4}},
+ {Type: uint16(ctaIPv4Dst), Data: []byte{0x4, 0x3, 0x2, 0x1}},
+ }},
+ {Type: uint16(ctaTupleProto), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaProtoNum), Data: []byte{0x6}},
+ {Type: uint16(ctaProtoSrcPort), Data: []byte{0xff, 0x0}},
+ {Type: uint16(ctaProtoDstPort), Data: []byte{0x0, 0xff}}}},
+ }},
+ {Type: uint16(ctaTupleReply), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaTupleIP), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaIPv4Src), Data: []byte{0x1, 0x2, 0x3, 0x4}},
+ {Type: uint16(ctaIPv4Dst), Data: []byte{0x4, 0x3, 0x2, 0x1}}}},
+ {Type: uint16(ctaTupleProto), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaProtoNum), Data: []byte{0x6}},
+ {Type: uint16(ctaProtoSrcPort), Data: []byte{0xff, 0x0}},
+ {Type: uint16(ctaProtoDstPort), Data: []byte{0x0, 0xff}}}}}},
+ {Type: uint16(ctaTimeout), Data: []byte{0x0, 0x0, 0x0, 0x7b}},
+ {Type: uint16(ctaStatus), Data: []byte{0x0, 0x0, 0x4, 0xd2}},
+ {Type: uint16(ctaMark), Data: []byte{0x0, 0x0, 0x12, 0x34}},
+ {Type: uint16(ctaZone), Data: []byte{0x0, 0x2}},
+ {Type: uint16(ctaProtoInfo), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaProtoInfoTCP), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaProtoInfoTCPState), Data: []byte{0x2a}},
+ {Type: uint16(ctaProtoInfoTCPWScaleOriginal), Data: []byte{0x0}},
+ {Type: uint16(ctaProtoInfoTCPWScaleReply), Data: []byte{0x0}}}}}},
+ {Type: uint16(ctaHelp), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaHelpName), Data: []byte{0x66, 0x74, 0x70}}}},
+ {Type: uint16(ctaTupleMaster), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaTupleIP), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaIPv4Src), Data: []byte{0x1, 0x2, 0x3, 0x4}},
+ {Type: uint16(ctaIPv4Dst), Data: []byte{0x4, 0x3, 0x2, 0x1}}}},
+ {Type: uint16(ctaTupleProto), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaProtoNum), Data: []byte{0x6}},
+ {Type: uint16(ctaProtoSrcPort), Data: []byte{0xff, 0x0}},
+ {Type: uint16(ctaProtoDstPort), Data: []byte{0x0, 0xff}}}}}},
+ {Type: uint16(ctaSeqAdjOrig), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaSeqAdjCorrectionPos), Data: []byte{0x0, 0x0, 0x0, 0x1}},
+ {Type: uint16(ctaSeqAdjOffsetBefore), Data: []byte{0x0, 0x0, 0x0, 0x2}},
+ {Type: uint16(ctaSeqAdjOffsetAfter), Data: []byte{0x0, 0x0, 0x0, 0x3}}}},
+ {Type: uint16(ctaSeqAdjReply), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaSeqAdjCorrectionPos), Data: []byte{0x0, 0x0, 0x0, 0x5}},
+ {Type: uint16(ctaSeqAdjOffsetBefore), Data: []byte{0x0, 0x0, 0x0, 0x6}},
+ {Type: uint16(ctaSeqAdjOffsetAfter), Data: []byte{0x0, 0x0, 0x0, 0x7}}}},
+ {Type: uint16(ctaSynProxy), Nested: true, Children: []netfilter.Attribute{
+ {Type: uint16(ctaSynProxyISN), Data: []byte{0x12, 0x34, 0x56, 0x78}},
+ {Type: uint16(ctaSynProxyITS), Data: []byte{0x87, 0x65, 0x43, 0x21}},
+ {Type: uint16(ctaSynProxyTSOff), Data: []byte{0xab, 0xcd, 0xef, 0x0}}}},
+ {Type: uint16(ctaLabels), Data: []byte{0x13, 0x37}},
+ {Type: uint16(ctaLabelsMask), Data: []byte{0xff, 0xff}}}
+
+ assert.Equal(t, attrs, want)
+
 // Can marshal with either orig or reply tuple available
 _, err = Flow{TupleOrig: flowIPPT}.marshal()
 assert.NoError(t, err)
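Review bot: `assert.Equal(t, attrs, want)` passes its arguments in the opposite order to testify's `Equal(t, expected, actual)`, so a failure would print the marshaled output under "expected" and the fixture under "actual"; `assert.Equal(t, want, attrs)` keeps the report readable. The fixture also uses two-byte `Labels` and `LabelsMask` values, which to my knowledge is not a length the kernel accepts for conntrack labels, so a 4-byte-aligned value would let the test double as a realistic example. TestFlowMarshal begins in the previous hunk, outside this one.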