
New module to monitor firewall parameters #4

Open
israel-lugo opened this issue Dec 2, 2016 · 4 comments
Comments

@israel-lugo (Owner)

We need to create something that knows how to monitor for events like the connection table being full, and so on, and react to them.

@israel-lugo (Owner, Author)

For the Linux implementation, we can just read from a /proc/sys file to get the connection table count. For other operations, we can go for one of two approaches:

  1. Use a Python binding to interact with Netlink at a low level, e.g. pynetfilter_conntrack. This is more flexible and lets us do everything from within our firewall module. On the other hand, it's yet another external Python module, with its own update cycle (and this one in particular wasn't updated for 6 years, only gained a new maintainer recently).

  2. Use an existing CLI tool such as conntrack. This requires generating commands and executing them, but should be safe since we're the ones generating everything. Just be sure to validate the settings. Also, conntrack has an option to output in XML format, so we can take advantage of that instead of screen scraping. xml.etree.ElementTree gives us a pretty practical way to process the XML.

pynetfilter_conntrack is actually a binding for libnetfilter_conntrack, so that needs to be installed too. Might as well use conntrack, I think (which in itself also uses libnetfilter_conntrack).

@israel-lugo israel-lugo self-assigned this Feb 2, 2017
@israel-lugo (Owner, Author)

```python
>>> import xml.etree.ElementTree
>>> tree = xml.etree.ElementTree.parse("/tmp/bla.xml")
>>> root = tree.getroot()
>>> root[0].find("./meta[@direction='original']/layer3/src").text
'10.10.1.81'
```

We could store this information in an sqlite database, for quickly finding things such as who has the most connections, and so on.

@israel-lugo (Owner, Author)

If we do go with sqlite, be sure to convert IP addresses to numeric form, to store them as integers. Comparisons should be much faster than strings. IPv6 will require splitting into two 8-byte columns, since sqlite only has up to 8-byte integers.

@israel-lugo (Owner, Author)

Come to think of it, unless we want some fancy features, we don't really need to model the conntrack table per se. Just to get the connection counts by IP, we can use a Python dict, which is already very well optimized. We could have a flowcount_by_src and a flowcount_by_dst. Of course, we may end up wanting fancier features... we'll see.
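The two ideas from the thread side by side, as an added example that is not the project's own code: parse `conntrack -o xml`-shaped output with `xml.etree.ElementTree`, keep `flowcount_by_src` / `flowcount_by_dst` in dict-like `Counter`s, and pack addresses into sqlite-sized integers (IPv6 split into two signed 8-byte halves, because sqlite's INTEGER is signed 64-bit). The XML below is a constructed sample in the layout the REPL snippet above walks (`meta[@direction='original']/layer3/src`), not real conntrack data; the function names are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like `conntrack -L -o xml` output (not a real capture).
# The last <flow> deliberately lacks an "original" tuple so the parser's skip path is exercised.
SAMPLE_XML = """<conntrack>
<flow><meta direction="original"><layer3 protonum="2" protoname="ipv4"><src>10.10.1.81</src><dst>192.0.2.10</dst></layer3><layer4 protonum="6" protoname="tcp"><sport>51000</sport><dport>443</dport></layer4></meta><meta direction="independent"><state>ESTABLISHED</state></meta></flow>
<flow><meta direction="original"><layer3 protonum="2" protoname="ipv4"><src>10.10.1.81</src><dst>192.0.2.20</dst></layer3><layer4 protonum="17" protoname="udp"><sport>40001</sport><dport>53</dport></layer4></meta></flow>
<flow><meta direction="original"><layer3 protonum="2" protoname="ipv4"><src>10.10.1.82</src><dst>192.0.2.10</dst></layer3><layer4 protonum="6" protoname="tcp"><sport>51002</sport><dport>443</dport></layer4></meta></flow>
<flow><meta direction="original"><layer3 protonum="10" protoname="ipv6"><src>2001:db8::1</src><dst>2001:db8::2</dst></layer3><layer4 protonum="6" protoname="tcp"><sport>51003</sport><dport>22</dport></layer4></meta></flow>
<flow><meta direction="independent"><state>UNREPLIED</state></meta></flow>
</conntrack>
"""


def flow_counts(xml_text):
    """Return (flowcount_by_src, flowcount_by_dst) keyed by the original-direction tuple."""
    root = ET.fromstring(xml_text)
    by_src, by_dst = Counter(), Counter()
    for flow in root.iter("flow"):
        layer3 = flow.find("./meta[@direction='original']/layer3")
        if layer3 is None:
            continue  # entry without an original tuple: skip it instead of raising
        src, dst = layer3.findtext("src"), layer3.findtext("dst")
        if src is None or dst is None:
            continue
        by_src[src] += 1
        by_dst[dst] += 1
    return by_src, by_dst


def top_talkers(counter, n=1):
    """Addresses with the most flows, highest first (the 'who has the most connections' query)."""
    return counter.most_common(n)


def _signed64(value):
    """Reinterpret an unsigned 64-bit value as sqlite's signed 64-bit INTEGER."""
    return value - (1 << 64) if value >= (1 << 63) else value


def ip_to_columns(addr):
    """IPv4 -> (int, None); IPv6 -> (high 8 bytes, low 8 bytes), both sqlite-storable."""
    ip = ipaddress.ip_address(addr)
    n = int(ip)
    if ip.version == 4:
        return (n, None)
    return (_signed64(n >> 64), _signed64(n & ((1 << 64) - 1)))


if __name__ == "__main__":
    by_src, by_dst = flow_counts(SAMPLE_XML)
    print("busiest source:", top_talkers(by_src))
    print("ipv6 columns:", ip_to_columns("2001:db8::2"))
```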
