Skip to content

Commit

Permalink
capture and return errors in ConntrackDeleteFilters
Browse files Browse the repository at this point in the history
Signed-off-by: Daman Arora <aroradaman@gmail.com>
  • Loading branch information
aroradaman committed Sep 5, 2024
1 parent e194da5 commit ce9042d
Showing 1 changed file with 12 additions and 5 deletions.
17 changes: 12 additions & 5 deletions conntrack_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"errors"
"fmt"
"net"
"strings"
"time"

"github.com/vishvananda/netlink/nl"
Expand Down Expand Up @@ -158,21 +159,27 @@ func (h *Handle) ConntrackDeleteFilters(table ConntrackTableType, family InetFam
}

var matched uint
var errMsgs []string
for _, dataRaw := range res {
flow := parseRawData(dataRaw)
for _, filter := range filters {
if match := filter.MatchConntrackFlow(flow); match {
req2 := h.newConntrackRequest(table, family, nl.IPCTNL_MSG_CT_DELETE, unix.NLM_F_ACK)
// skip the first 4 byte that are the netfilter header, the newConntrackRequest is adding it already
req2.AddRawData(dataRaw[4:])
req2.Execute(unix.NETLINK_NETFILTER, 0)
matched++
// flow is already deleted, no need to match on other filters and continue to the next flow.
break
if _, err = req2.Execute(unix.NETLINK_NETFILTER, 0); err != nil {
errMsgs = append(errMsgs, fmt.Sprintf("failed to delete conntrack flow '%s': %s", flow.String(), err.Error()))
} else {
matched++
// flow is already deleted, no need to match on other filters and continue to the next flow.
break
}
}
}
}

if len(errMsgs) > 0 {
return matched, fmt.Errorf(strings.Join(errMsgs, "; "))
}
return matched, nil
}

Expand Down

0 comments on commit ce9042d

Please sign in to comment.