netfilter/ct: support optional CTA_TIMESTAMP attribute

Recent kernels support conntrack time stamping, which is a helpful
feature to determine the duration of a flow without building a flow
cache in your user space application, just to keep the 'start' time of
your flow.

Timestamps are recorded with nanosecond resolution once this feature
is enabled.

This patch adds optional support for the CTA_TIMESTAMP, then
modifies the dump routine to write that info in a format similar
to /proc/net/nf_conntrack.  This is an example output when using
NL_DUMP_LINE:

  udp 10.128.128.28:56836 <-> 10.128.129.255:8612 delta-time 30

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>

2 files changed, 58 insertions, 0 deletions

diff --git a/lib/netfilter/ct.c b/lib/netfilter/ct.c
index 794932fc..362cd288 100644
--- a/lib/netfilter/ct.c
+++ b/lib/netfilter/ct.c
@@ -102,6 +102,11 @@ static struct nla_policy ct_counters_policy[CTA_COUNTERS_MAX+1] = {
 	[CTA_COUNTERS32_BYTES]	= { .type = NLA_U32 },
 };
 
+static struct nla_policy ct_timestamp_policy[CTA_TIMESTAMP_MAX + 1] = {
+	[CTA_TIMESTAMP_START]	= { .type = NLA_U64 },
+	[CTA_TIMESTAMP_STOP]	= { .type = NLA_U64 },
+};
+
 static int ct_parse_ip(struct nfnl_ct *ct, int repl, struct nlattr *attr)
 {
 	struct nlattr *tb[CTA_IP_MAX+1];
@@ -300,6 +305,24 @@ int nfnlmsg_ct_group(struct nlmsghdr *nlh)
 	}
 }
 
+static int ct_parse_timestamp(struct nfnl_ct *ct, struct nlattr *attr)
+{
+	struct nlattr *tb[CTA_TIMESTAMP_MAX + 1];
+	int err;
+
+	err = nla_parse_nested(tb, CTA_TIMESTAMP_MAX, attr,
+			       ct_timestamp_policy);
+	if (err < 0)
+		return err;
+
+	if (tb[CTA_TIMESTAMP_START] && tb[CTA_TIMESTAMP_STOP])
+		nfnl_ct_set_timestamp(ct,
+			      ntohll(nla_get_u64(tb[CTA_TIMESTAMP_START])),
+			      ntohll(nla_get_u64(tb[CTA_TIMESTAMP_STOP])));
+
+	return 0;
+}
+
 int nfnlmsg_ct_parse(struct nlmsghdr *nlh, struct nfnl_ct **result)
 {
 	struct nfnl_ct *ct;
@@ -359,6 +382,12 @@ int nfnlmsg_ct_parse(struct nlmsghdr *nlh, struct nfnl_ct **result)
 			goto errout;
 	}
 
+	if (tb[CTA_TIMESTAMP]) {
+		err = ct_parse_timestamp(ct, tb[CTA_TIMESTAMP]);
+		if (err < 0)
+			goto errout;
+	}
+
 	*result = ct;
 	return 0;
 
diff --git a/lib/netfilter/ct_obj.c b/lib/netfilter/ct_obj.c
index bac775bf..685879b2 100644
--- a/lib/netfilter/ct_obj.c
+++ b/lib/netfilter/ct_obj.c
@@ -51,6 +51,7 @@
 #define CT_ATTR_REPL_ICMP_CODE	(1UL << 23)
 #define CT_ATTR_REPL_PACKETS	(1UL << 24)
 #define CT_ATTR_REPL_BYTES	(1UL << 25)
+#define CT_ATTR_TIMESTAMP	(1UL << 26)
 /** @endcond */
 
 static void ct_free_data(struct nl_object *c)
@@ -192,6 +193,17 @@ static void ct_dump_line(struct nl_object *a, struct nl_dump_params *p)
 	if (nfnl_ct_test_mark(ct) && nfnl_ct_get_mark(ct))
 		nl_dump(p, "mark %u ", nfnl_ct_get_mark(ct));
 
+	if (nfnl_ct_test_timestamp(ct)) {
+		const struct nfnl_ct_timestamp *tstamp = nfnl_ct_get_timestamp(ct);
+		int64_t delta_time = tstamp->stop - tstamp->start;
+
+		if (delta_time > 0)
+			delta_time /= NSEC_PER_SEC;
+		else
+			delta_time = 0;
+		nl_dump(p, "delta-time %llu ", delta_time);
+	}
+
 	nl_dump(p, "\n");
 }
 
@@ -777,6 +789,23 @@ uint64_t nfnl_ct_get_bytes(const struct nfnl_ct *ct, int repl)
 	return dir->bytes;
 }
 
+void nfnl_ct_set_timestamp(struct nfnl_ct *ct, uint64_t start, uint64_t stop)
+{
+	ct->ct_tstamp.start = start;
+	ct->ct_tstamp.stop = stop;
+	ct->ce_mask |= CT_ATTR_TIMESTAMP;
+}
+
+int nfnl_ct_test_timestamp(const struct nfnl_ct *ct)
+{
+	return !!(ct->ce_mask & CT_ATTR_TIMESTAMP);
+}
+
+const struct nfnl_ct_timestamp *nfnl_ct_get_timestamp(const struct nfnl_ct *ct)
+{
+	return &ct->ct_tstamp;
+}
+
 /** @} */
 
 struct nl_object_ops ct_obj_ops = {