feat: conntrack delete message type and attributes

Implemented the `Delete`/`IPCTNL_MSG_CT_DELETE` conntrack message type and the following attributes, which are required to describe a conntrack entry for deletion:

* mark
* status
* timeout
* tuple_reply

Added tests for deleting TCP/IPv4 and UDP/IPv6 conntrack entries.

The bitflags dependency was also bumped to v2.10.0.

Signed-off-by: Shivang K Raghuvanshi <[email protected]>

Author: shivkr6

Cargo.toml

@@ -13,7 +13,7 @@ description = "netlink packet types for the netfilter subprotocol"
 
 [dependencies]
 netlink-packet-core = { version = "0.8.1" }
-bitflags = "2.3"
+bitflags = "2.10.0"
 libc = "0.2.77"
 derive_more = "0.99.16"
 

src/conntrack/attributes/attribute.rs

@@ -1,20 +1,30 @@
 // SPDX-License-Identifier: MIT
 
 use netlink_packet_core::{
-    DecodeError, DefaultNla, Emitable, ErrorContext, Nla, NlaBuffer,
-    NlasIterator, Parseable,
+    emit_u32_be, parse_u32_be, DecodeError, DefaultNla, Emitable, ErrorContext,
+    Nla, NlaBuffer, NlasIterator, Parseable,
 };
 
-use crate::conntrack::attributes::{protoinfo::ProtoInfo, tuple::Tuple};
+use crate::conntrack::attributes::{
+    protoinfo::ProtoInfo, status::Status, tuple::Tuple,
+};
 
 const CTA_TUPLE_ORIG: u16 = 1;
+const CTA_TUPLE_REPLY: u16 = 2;
 const CTA_PROTOINFO: u16 = 4;
+const CTA_STATUS: u16 = 3;
+const CTA_TIMEOUT: u16 = 7;
+const CTA_MARK: u16 = 8;
 
 #[derive(Clone, Debug, PartialEq, Eq)]
 #[non_exhaustive]
 pub enum ConntrackNla {
     CtaTupleOrig(Vec<Tuple>),
+    CtaTupleReply(Vec<Tuple>),
     CtaProtoInfo(Vec<ProtoInfo>),
+    CtaStatus(Status),
+    CtaTimeout(u32),
+    CtaMark(u32),
     Other(DefaultNla),
 }
 
@@ -24,17 +34,27 @@ impl Nla for ConntrackNla {
             ConntrackNla::CtaTupleOrig(attr) => {
                 attr.iter().map(|op| op.buffer_len()).sum()
             }
+            ConntrackNla::CtaTupleReply(attr) => {
+                attr.iter().map(|op| op.buffer_len()).sum()
+            }
             ConntrackNla::CtaProtoInfo(attr) => {
                 attr.iter().map(|op| op.buffer_len()).sum()
             }
+            ConntrackNla::CtaStatus(_) => size_of::<u32>(),
+            ConntrackNla::CtaTimeout(attr) => size_of_val(attr),
+            ConntrackNla::CtaMark(attr) => size_of_val(attr),
             ConntrackNla::Other(attr) => attr.value_len(),
         }
     }
 
     fn kind(&self) -> u16 {
         match self {
             ConntrackNla::CtaTupleOrig(_) => CTA_TUPLE_ORIG,
+            ConntrackNla::CtaTupleReply(_) => CTA_TUPLE_REPLY,
             ConntrackNla::CtaProtoInfo(_) => CTA_PROTOINFO,
+            ConntrackNla::CtaStatus(_) => CTA_STATUS,
+            ConntrackNla::CtaTimeout(_) => CTA_TIMEOUT,
+            ConntrackNla::CtaMark(_) => CTA_MARK,
             ConntrackNla::Other(attr) => attr.kind(),
         }
     }
@@ -48,20 +68,36 @@ impl Nla for ConntrackNla {
                     len += op.buffer_len();
                 }
             }
+            ConntrackNla::CtaTupleReply(attr) => {
+                let mut len = 0;
+                for op in attr {
+                    op.emit(&mut buffer[len..]);
+                    len += op.buffer_len();
+                }
+            }
             ConntrackNla::CtaProtoInfo(attr) => {
                 let mut len = 0;
                 for op in attr {
                     op.emit(&mut buffer[len..]);
                     len += op.buffer_len();
                 }
             }
+            ConntrackNla::CtaStatus(attr) => {
+                emit_u32_be(buffer, (*attr).bits()).unwrap()
+            }
+            ConntrackNla::CtaTimeout(attr) => {
+                emit_u32_be(buffer, *attr).unwrap()
+            }
+            ConntrackNla::CtaMark(attr) => emit_u32_be(buffer, *attr).unwrap(),
             ConntrackNla::Other(attr) => attr.emit_value(buffer),
         }
     }
     fn is_nested(&self) -> bool {
         matches!(
             self,
-            ConntrackNla::CtaTupleOrig(_) | ConntrackNla::CtaProtoInfo(_)
+            ConntrackNla::CtaTupleOrig(_)
+                | ConntrackNla::CtaTupleReply(_)
+                | ConntrackNla::CtaProtoInfo(_)
         )
     }
 }
@@ -81,6 +117,16 @@ impl<'buffer, T: AsRef<[u8]> + ?Sized> Parseable<NlaBuffer<&'buffer T>>
                 }
                 ConntrackNla::CtaTupleOrig(tuples)
             }
+            CTA_TUPLE_REPLY => {
+                let mut tuples = Vec::new();
+                for nlas in NlasIterator::new(payload) {
+                    let nlas =
+                        &nlas.context("invalid CTA_TUPLE_REPLY value")?;
+
+                    tuples.push(Tuple::parse(nlas)?);
+                }
+                ConntrackNla::CtaTupleReply(tuples)
+            }
             CTA_PROTOINFO => {
                 let mut proto_infos = Vec::new();
                 for nlas in NlasIterator::new(payload) {
@@ -89,6 +135,15 @@ impl<'buffer, T: AsRef<[u8]> + ?Sized> Parseable<NlaBuffer<&'buffer T>>
                 }
                 ConntrackNla::CtaProtoInfo(proto_infos)
             }
+            CTA_STATUS => ConntrackNla::CtaStatus(Status::from_bits_retain(
+                parse_u32_be(payload).context("invalid CTA_STATUS value")?,
+            )),
+            CTA_TIMEOUT => ConntrackNla::CtaTimeout(
+                parse_u32_be(payload).context("invalid CTA_TIMEOUT value")?,
+            ),
+            CTA_MARK => ConntrackNla::CtaMark(
+                parse_u32_be(payload).context("invalid CTA_MARK value")?,
+            ),
             _ => ConntrackNla::Other(DefaultNla::parse(buf)?),
         };
         Ok(nla)

src/conntrack/attributes/mod.rs

@@ -5,6 +5,7 @@ mod iptuple;
 mod protoinfo;
 mod protoinfotcp;
 mod prototuple;
+mod status;
 mod tcp_flags;
 mod tuple;
 
@@ -13,5 +14,6 @@ pub use iptuple::IPTuple;
 pub use protoinfo::ProtoInfo;
 pub use protoinfotcp::ProtoInfoTCP;
 pub use prototuple::{ProtoTuple, Protocol};
+pub use status::Status;
 pub use tcp_flags::TCPFlags;
 pub use tuple::Tuple;

src/conntrack/attributes/status.rs

@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: MIT
+
+use bitflags::bitflags;
+
+// Conntrack status flags from uapi/linux/netfilter/nf_conntrack_common.h
+const IPS_EXPECTED: u32 = 1;
+const IPS_SEEN_REPLY: u32 = 1 << 1;
+const IPS_ASSURED: u32 = 1 << 2;
+const IPS_CONFIRMED: u32 = 1 << 3;
+const IPS_SRC_NAT: u32 = 1 << 4;
+const IPS_DST_NAT: u32 = 1 << 5;
+const IPS_SEQ_ADJUST: u32 = 1 << 6;
+const IPS_SRC_NAT_DONE: u32 = 1 << 7;
+const IPS_DST_NAT_DONE: u32 = 1 << 8;
+const IPS_DYING: u32 = 1 << 9;
+const IPS_FIXED_TIMEOUT: u32 = 1 << 10;
+const IPS_TEMPLATE: u32 = 1 << 11;
+const IPS_UNTRACKED: u32 = 1 << 12;
+const IPS_HELPER: u32 = 1 << 13;
+const IPS_OFFLOAD: u32 = 1 << 14;
+
+const IPS_NAT_MASK: u32 = IPS_SRC_NAT | IPS_DST_NAT;
+const IPS_NAT_DONE_MASK: u32 = IPS_SRC_NAT_DONE | IPS_DST_NAT_DONE;
+
+bitflags! {
+    #[non_exhaustive]
+    #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+    pub struct Status: u32 {
+        const Expected      = IPS_EXPECTED;
+        const SeenReply     = IPS_SEEN_REPLY;
+        const Assured       = IPS_ASSURED;
+        const Confirmed     = IPS_CONFIRMED;
+        const SrcNat        = IPS_SRC_NAT;
+        const DstNat        = IPS_DST_NAT;
+        const SeqAdjust     = IPS_SEQ_ADJUST;
+        const SrcNatDone    = IPS_SRC_NAT_DONE;
+        const DstNatDone    = IPS_DST_NAT_DONE;
+        const Dying         = IPS_DYING;
+        const FixedTimeout  = IPS_FIXED_TIMEOUT;
+        const Template      = IPS_TEMPLATE;
+        const Untracked     = IPS_UNTRACKED;
+        const Helper        = IPS_HELPER;
+        const Offload       = IPS_OFFLOAD;
+        const NatMask       = IPS_NAT_MASK;
+        const NatDoneMask   = IPS_NAT_DONE_MASK;
+        const _ = !0;
+    }
+}

src/conntrack/message.rs

@@ -9,25 +9,29 @@ use netlink_packet_core::{
 #[non_exhaustive]
 pub enum ConntrackMessage {
     Get(Vec<ConntrackNla>),
+    Delete(Vec<ConntrackNla>),
     Other {
         message_type: u8,
         attributes: Vec<DefaultNla>,
     },
 }
 
 const IPCTNL_MSG_CT_GET: u8 = 1;
+const IPCTNL_MSG_CT_DELETE: u8 = 2;
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 #[non_exhaustive]
 pub enum ConntrackMessageType {
     Get,
+    Delete,
     Other(u8),
 }
 
 impl From<u8> for ConntrackMessageType {
     fn from(value: u8) -> Self {
         match value {
             IPCTNL_MSG_CT_GET => Self::Get,
+            IPCTNL_MSG_CT_DELETE => Self::Delete,
             v => Self::Other(v),
         }
     }
@@ -37,6 +41,7 @@ impl From<ConntrackMessageType> for u8 {
     fn from(value: ConntrackMessageType) -> Self {
         match value {
             ConntrackMessageType::Get => IPCTNL_MSG_CT_GET,
+            ConntrackMessageType::Delete => IPCTNL_MSG_CT_DELETE,
             ConntrackMessageType::Other(v) => v,
         }
     }
@@ -46,6 +51,7 @@ impl ConntrackMessage {
     pub fn message_type(&self) -> ConntrackMessageType {
         match self {
             ConntrackMessage::Get(_) => ConntrackMessageType::Get,
+            ConntrackMessage::Delete(_) => ConntrackMessageType::Delete,
             ConntrackMessage::Other { message_type, .. } => {
                 (*message_type).into()
             }
@@ -59,6 +65,9 @@ impl Emitable for ConntrackMessage {
             ConntrackMessage::Get(attributes) => {
                 attributes.as_slice().buffer_len()
             }
+            ConntrackMessage::Delete(attributes) => {
+                attributes.as_slice().buffer_len()
+            }
             ConntrackMessage::Other { attributes, .. } => {
                 attributes.as_slice().buffer_len()
             }
@@ -70,6 +79,9 @@ impl Emitable for ConntrackMessage {
             ConntrackMessage::Get(attributes) => {
                 attributes.as_slice().emit(buffer)
             }
+            ConntrackMessage::Delete(attributes) => {
+                attributes.as_slice().emit(buffer)
+            }
             ConntrackMessage::Other { attributes, .. } => {
                 attributes.as_slice().emit(buffer)
             }
@@ -90,6 +102,11 @@ impl<'a, T: AsRef<[u8]> + ?Sized>
                     .parse_all_nlas(|nla_buf| ConntrackNla::parse(&nla_buf))?;
                 ConntrackMessage::Get(attributes)
             }
+            ConntrackMessageType::Delete => {
+                let nlas = buf
+                    .parse_all_nlas(|nla_buf| ConntrackNla::parse(&nla_buf))?;
+                ConntrackMessage::Delete(nlas)
+            }
             ConntrackMessageType::Other(message_type) => {
                 ConntrackMessage::Other {
                     message_type,

src/conntrack/mod.rs

@@ -5,5 +5,5 @@ pub use message::{ConntrackMessage, ConntrackMessageType};
 mod attributes;
 pub use attributes::{
     ConntrackNla, IPTuple, ProtoInfo, ProtoInfoTCP, ProtoTuple, Protocol,
-    TCPFlags, Tuple,
+    Status, TCPFlags, Tuple,
 };