Conntrack get netlink netfilter message types #12

shivkr6 · 2025-10-03T10:55:28Z

Depends on #11

Implemented the following types required to successfully construct a conntrack get request:

iptuple
protoinfo
protoinfotcp
prototuple
tcp_flags
tuple

Also wrote tests to construct a conntrack get and dump request.

src/tests.rs

src/constants.rs

shivkr6 · 2025-10-19T17:05:54Z

Thanks for the review @cathay4t . I've updated the tests and moved the conntrack constants to be private as you suggested.

I noticed the nflog module still exposes public constants. Let me know if you want those refactored as well to hide the implementation details. Happy to do it in a follow up PR.

I also added one more conntrack get UDP IPv6 test.

src/conntrack/nlas/nla.rs

src/conntrack/nlas/iptuple.rs

src/conntrack/nlas/protoinfotcp.rs

src/conntrack/message.rs

src/constants.rs

cathay4t

All public data type should be protected by #[non_exhaustive] unless you are sure it will never changes in the future of Linux kernel.

src/conntrack/nlas/mod.rs

src/conntrack/message.rs

cathay4t

The netlink-packet-routes has changed nlas to attributes for better understanding.

The nlas is for hard for new developer to understand.

src/conntrack/mod.rs

src/message.rs

Implemented the following attributes required to successfully construct a conntrack get request: * iptuple * protoinfo * protoinfotcp * prototuple * tcp_flags * tuple Signed-off-by: Shivang K Raghuvanshi <shivangraghuvanshi2005@gmail.com>

This refactors the crate to use type-safe enums for netfilter subsystems and message types, for a safer and more idiomatic API. - Introduces a `Subsystem` enum to replace raw `u8` identifiers for `NfLog` and `Conntrack` subsystems. - Introduces `NfLogMessageType` and `ConntrackMessageType` enums to provide type safety for messages within each subsystem. - Makes the top-level `NetfilterMessage::message_type()` function private to guide users towards the safer pattern of matching on `NetfilterMessageInner`. - Updates the internal parsing logic in `buffer.rs` to use the new `Subsystem` enum. Signed-off-by: Shivang K Raghuvanshi <shivangraghuvanshi2005@gmail.com>

shivkr6 · 2025-10-28T08:12:07Z

Hi @cathay4t, I've addressed all of the feedback.

NOTE:
In the tests, you'll see we're manually building the message type from enums because we have removed netlink message header from raw: Vec<u8> which contains the message type.
I.e.,

    let message_type = ((u8::from(Subsystem::Conntrack) as u16) << 8)
        | (u8::from(ConntrackMessageType::Get) as u16);

a normal crate user would not have to do this type of stuff.

cathay4t · 2025-11-03T10:14:56Z

src/message.rs

 }

+const NFNL_SUBSYS_CTNETLINK: u8 = libc::NFNL_SUBSYS_CTNETLINK as u8;
+const NFNL_SUBSYS_ULOG: u8 = libc::NFNL_SUBSYS_ULOG as u8;


do not use libc constant, use hard coded number instead. I have to check libc code and kernel code to make sure your are correct.

cathay4t · 2025-11-03T10:15:42Z

src/message.rs

+impl From<u8> for Subsystem {
+    fn from(value: u8) -> Self {
+        match value {
+            NFNL_SUBSYS_ULOG => Self::NfLog,


A proper explanation command is required for this inconsistency on naming.

cathay4t · 2025-11-03T10:16:34Z

src/conntrack/attributes/attribute.rs

+
+#[derive(Clone, Debug, PartialEq, Eq)]
+#[non_exhaustive]
+pub enum ConntrackNla {


how about ContrackAttribute like LinkAttribute in netlink-packet-route.

shivkr6 force-pushed the conntrack-get branch 4 times, most recently from eaaa88f to c7c6939 Compare October 7, 2025 10:42

cathay4t force-pushed the conntrack-get branch from c7c6939 to 568f8d5 Compare October 7, 2025 12:32

cathay4t requested changes Oct 11, 2025

View reviewed changes

src/tests.rs Outdated Show resolved Hide resolved

src/tests.rs Outdated Show resolved Hide resolved

src/constants.rs Outdated Show resolved Hide resolved

shivkr6 force-pushed the conntrack-get branch 2 times, most recently from f89a9cd to e171eca Compare October 19, 2025 17:04

shivkr6 requested a review from cathay4t October 19, 2025 17:05