1 #!/bin/sh
2 # -*- sh -*-
3
4 : << =cut
5
6 =head1 NAME
7
8 fw_conntrack - Plugin to monitor the number of tracked connections
9 through a Linux 2.4/2.6 firewall
10
11 =head1 CONFIGURATION
12
13 This plugin must run with root privileges
14
15 =head2 CONFIGURATION EXAMPLE
16
17 /etc/munin/plugin-conf.d/global or other file in that dir must contain:
18
19  [fw*]
20   user root
21
22 =head1 NOTES
23
24 ESTABLISHED+FIN_WAIT+TIME_WAIT+SYN_SENT+UDP is the most interesting
25 connections.
26
27 The total list also includes SYN_RECV, CLOSE, CLOSE_WAIT, LAST_ACK and
28 LISTEN, but these were not (often) observed on my firewall.
29
30 TOTAL is the total number of tracked connections.
31
32 ASSURED and UNREPLIED connections are complementary subsets of
33 ESTABLISHED.
34
35 ASSURED is after ACK is seen after SYN_RECV.  Therefore ASSURED is
36 plotted but not UNREPLIED.
37
38 NATed will almost always be the same as the total
39
40 =head1 BUGS
41
42 =over 4
43
44 =item full connection table
45
46 The connection tables can run full, but where are the limits found?
47 If we can find them, we can send warnings to nagios.
48
49 =back
50
51 =head1 AUTHORS
52
53 2004.05.05: Initial version by Nicolai Langfeldt, Linpro AS, Oslo, Norway
54
55 =head2 CONTRIBUTORS
56
57 =over 4
58
59 =item Xavier
60
61 2004.05.06: Enhanced to count NATed connections after input from Xavier on munin-users list
62
63 =back
64
65 =head1 LICENSE
66
67 GPL
68
69 =head1 MAGIC MARKERS
70
71  #%# family=auto
72  #%# capabilities=autoconf
73
74 =cut
75
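#######################################
# Integer percentage of a number, for the total.warning / total.critical
# thresholds.  Result is truncated like the former `expr $MAX \* 8 / 10`.
# Arguments: $1 - percentage (integer), $2 - base value (integer)
# Outputs:   the computed value on stdout
#######################################
pct_of() {
    echo $(( $2 * $1 / 100 ))
}

#######################################
# Print the kernel's connection-tracking table limit.
# The sysctl lives in different places depending on the conntrack
# implementation: ip_conntrack (2.4/early 2.6) vs. nf_conntrack (modern).
# Outputs:   the limit on stdout
# Returns:   0 if a readable limit file was found, 1 otherwise
#######################################
conntrack_max() {
    for f in /proc/sys/net/ipv4/ip_conntrack_max \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
             /proc/sys/net/netfilter/nf_conntrack_max; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

case "$1" in
    config)
        cat <<EOF
graph_title Connections through firewall
graph_vlabel Connections
graph_category network
graph_args -l 0
established.label Established
established.type GAUGE
established.draw AREA
fin_wait.label FIN_WAIT
fin_wait.type GAUGE
fin_wait.draw STACK
time_wait.label TIME_WAIT
time_wait.type GAUGE
time_wait.draw STACK
syn_sent.label SYN_SENT
syn_sent.type GAUGE
syn_sent.draw STACK
udp.label UDP connections
udp.type GAUGE
udp.draw STACK
assured.label Assured
assured.type GAUGE
assured.draw LINE2
nated.label NATed
nated.type GAUGE
nated.draw LINE1
total.label Total
total.type GAUGE
total.graph no
EOF
        # Warn at 80% and go critical at 90% of the table size; a full
        # table makes the kernel drop new connections.  Skipped silently when
        # no limit file is readable (e.g. conntrack module not loaded).
        if MAX=$(conntrack_max); then
            echo "total.warning $(pct_of 80 "$MAX")"
            echo "total.critical $(pct_of 90 "$MAX")"
        fi
        exit 0
        ;;
    autoconf)
        # Either table format is fine; -r (not -f) because they are root-only.
        if [ -r /proc/net/ip_conntrack ] || [ -r /proc/net/nf_conntrack ]; then
            echo yes
        else
            echo no
        fi
        exit 0
        ;;
esac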
129
130 # Do the work, perform the deed
131
132 # INPUT /proc/net/ip_conntrack:
133 # tcp      6 225790 ESTABLISHED src=10.0.0.4 dst=198.144.194.12 sport=48580 dport=6667 src=198.144.194.12 dst=80.111.68.163 sport=6667 dport=48580 [ASSURED] use=1
134 # tcp      6 431918 ESTABLISHED src=10.0.0.2 dst=209.58.150.153 sport=33018 dport=6667 src=209.58.150.153 dst=80.111.68.163 sport=6667 dport=33018 [ASSURED] use=1
135 # tcp      6 123109 ESTABLISHED src=10.0.0.5 dst=198.144.194.12 sport=33846 dport=6667 [UNREPLIED] src=198.144.194.12 dst=80.111.68.163 sport=6667 dport=33846 use=1
136 # udp      17 53 src=80.111.68.163 dst=62.179.100.29 sport=34153 dport=53 src=62.179.100.29 dst=80.111.68.163 sport=53 dport=34153 [ASSURED] use=1
137 #
138 # INPUT /proc/net/nf_conntrack:
139 # ipv4     2 tcp      6 424416 ESTABLISHED src=192.168.1.53 dst=196.203.198.11 sport=1584 dport=22146 packets=13659 bytes=5426603 src=196.203.198.11 dst=83.24.222.252 sport=22146 dport=1584 packets=14757 bytes=15342572 [ASSURED] mark=0 use=1
140
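#######################################
# Count the entries of the conntrack table(s) given as arguments and print
# one munin "<field>.value N" line per graph field.
#
# One awk program handles both layouts:
#   ip_conntrack:  tcp 6 TIMEOUT STATE src= dst= sport= dport= [UNREPLIED] src= dst= ...
#   nf_conntrack:  ipv4 2 tcp 6 TIMEOUT STATE src= dst= ... [packets= bytes=] src= dst= ...
# The original and reply tuples are located by their src=/dst= keys instead
# of fixed field numbers: an [UNREPLIED] flag or accounting fields
# (packets=/bytes=) shift the reply tuple to the right, which made the old
# positional $9/$10 and $14/$15 reads compare the wrong fields.
# Arguments: one or more conntrack table files (or none to read stdin)
# Outputs:   eight ".value" lines on stdout
#######################################
count_conntrack() {
    awk '
    BEGIN  { STATE["ESTABLISHED"] = STATE["FIN_WAIT"] = STATE["TIME_WAIT"] = 0;
             TOTAL = ASSURED = NATED = STATE["SYN_SENT"] = STATE["UDP"] = 0; }
    {
        TOTAL++;
        # nf_conntrack prefixes each line with the address family
        # ("ipv4 2", "ipv6 10"); p is the protocol field in both layouts.
        p = ($1 == "ipv4" || $1 == "ipv6") ? 3 : 1;
        if ($p == "tcp")      STATE[$(p + 3)]++;
        else if ($p == "udp") STATE["UDP"]++;
        if (/\[ASSURED\]/) ASSURED++;
        # First src=/dst= pair is the original direction, second the reply.
        ns = nd = 0;
        for (i = p + 1; i <= NF; i++) {
            if (index($i, "src=") == 1)      src[++ns] = substr($i, 5);
            else if (index($i, "dst=") == 1) dst[++nd] = substr($i, 5);
        }
        # Without NAT the reply tuple mirrors the original one exactly.
        if (ns >= 2 && nd >= 2 && (src[1] != dst[2] || dst[1] != src[2])) NATED++;
    }
    END    { print "established.value " STATE["ESTABLISHED"];
             print "fin_wait.value " STATE["FIN_WAIT"];
             print "time_wait.value " STATE["TIME_WAIT"];
             print "syn_sent.value " STATE["SYN_SENT"];
             print "udp.value " STATE["UDP"];
             print "assured.value " ASSURED;
             print "nated.value " NATED;
             print "total.value " TOTAL;
           }' "$@"
}

# Prefer the legacy table as before, fall back to nf_conntrack.  Test with
# -r: both files are root-only, and an unreadable table must not be reported
# as "zero connections".
if [ -r /proc/net/ip_conntrack ]; then
    count_conntrack /proc/net/ip_conntrack
elif [ -r /proc/net/nf_conntrack ]; then
    count_conntrack /proc/net/nf_conntrack
else
    # No readable table: report munin's "unknown" value instead of zeros.
    echo "fw_conntrack: no readable conntrack table under /proc/net" >&2
    for field in established fin_wait time_wait syn_sent udp assured nated total; do
        echo "$field.value U"
    done
fi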
186
187 # Hum, the total.value should be possible to do as a cdef.
188 # Or to use the builtin "total" support.
189
190 #  LocalWords:  expr
191