Tile: Add missing libapache2-mod-tile dep

[chef.git] / cookbooks / munin / files / default / plugins / fw_conntrack

#!/bin/sh
# -*- sh -*-

: << =cut

=head1 NAME

fw_conntrack - Plugin to monitor the number of tracked connections
through a Linux 2.4/2.6 firewall

=head1 CONFIGURATION

This plugin must run with root privileges

=head2 CONFIGURATION EXAMPLE

/etc/munin/plugin-conf.d/global or other file in that dir must contain:

 [fw*]
  user root

=head1 NOTES

ESTABLISHED+FIN_WAIT+TIME_WAIT+SYN_SENT+UDP is the most interesting
connections.

The total list also includes SYN_RECV, CLOSE, CLOSE_WAIT, LAST_ACK and
LISTEN, but these were not (often) observed on my firewall.

TOTAL is the total number of tracked connections.

ASSURED and UNREPLIED connections are complimentary subsets of
ESTABLISHED.

ASSURED is after ACK is seen after SYN_RECV.  Therefore ASSURED is
plotted but not UNREPLIED.

NATed will almost always be the same as the total

=head1 BUGS

=over 4

=item full connection table

The connections tables can run full, but where is the limits found?
If we can find them then we can send warnings to nagios.

=back

=head1 AUTHORS

2004.05.05: Initial version by Nicolai Langfeldt, Linpro AS, Oslo, Norway

=head2 CONTRIBUTORS

=over 4

=item Xavier

2004.05.06: Enhanced to count NATed connections after input from Xavier on munin-users list

=back

=head1 LICENSE

GPL

=head1 MAGIC MARKERS

 #%# family=auto
 #%# capabilities=autoconf

=cut

case $1 in
    config)

        cat <<EOF
graph_title Connections through firewall
graph_vlabel Connections
graph_category network
graph_args -l 0
established.label Established
established.type GAUGE
established.draw AREA
fin_wait.label FIN_WAIT
fin_wait.type GAUGE
fin_wait.draw STACK
time_wait.label TIME_WAIT
time_wait.type GAUGE
time_wait.draw STACK
syn_sent.label SYN_SENT
syn_sent.type GAUGE
syn_sent.draw STACK
udp.label UDP connections
udp.type GAUGE
udp.draw STACK
assured.label Assured
assured.type GAUGE
assured.draw LINE2
nated.label NATed
nated.type GAUGE
nated.draw LINE1
total.label Total
total.type GAUGE
total.graph no
EOF
        if [ -f /proc/sys/net/ipv4/ip_conntrack_max ] ; then
            MAX=`cat /proc/sys/net/ipv4/ip_conntrack_max`
        elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then
            MAX=`cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max`
        fi
        if [ -n "$MAX" ]; then
            echo total.warning `expr $MAX \* 8 / 10`
            echo total.critical `expr $MAX \* 9 / 10`
        fi
        exit 0
        ;;
    autoconf)
        if [ -r /proc/net/ip_conntrack -o -r /proc/net/nf_conntrack ] ; then
            echo yes
            exit 0
        else
            echo no
            exit 0
        fi
esac

# Do the work, perform the deed

# INPUT /proc/net/ip_conntrack:
# tcp      6 225790 ESTABLISHED src=10.0.0.4 dst=198.144.194.12 sport=48580 dport=6667 src=198.144.194.12 dst=80.111.68.163 sport=6667 dport=48580 [ASSURED] use=1
# tcp      6 431918 ESTABLISHED src=10.0.0.2 dst=209.58.150.153 sport=33018 dport=6667 src=209.58.150.153 dst=80.111.68.163 sport=6667 dport=33018 [ASSURED] use=1
# tcp      6 123109 ESTABLISHED src=10.0.0.5 dst=198.144.194.12 sport=33846 dport=6667 [UNREPLIED] src=198.144.194.12 dst=80.111.68.163 sport=6667 dport=33846 use=1
# udp      17 53 src=80.111.68.163 dst=62.179.100.29 sport=34153 dport=53 src=62.179.100.29 dst=80.111.68.163 sport=53 dport=34153 [ASSURED] use=1
#
# INPUT /proc/net/nf_conntrack:
# ipv4     2 tcp      6 424416 ESTABLISHED src=192.168.1.53 dst=196.203.198.11 sport=1584 dport=22146 packets=13659 bytes=5426603 src=196.203.198.11 dst=83.24.222.252 sport=22146 dport=1584 packets=14757 bytes=15342572 [ASSURED] mark=0 use=1

if [ -f /proc/net/ip_conntrack ]; then
  cat /proc/net/ip_conntrack | awk '
  BEGIN  { STATE["ESTABLISHED"]=STATE["FIN_WAIT"]=STATE["TIME_WAIT"]=0;
           TOTAL=ASSURED=NOREPLY=NATED=STATE["SYN_SENT"]=STATE["UDP"]=0; }
  /^tcp/ { STATE[$4]++; }
  /^udp/ { STATE["UDP"]++; }
  /ASSURED/ { ASSURED++; }
  {
      TOTAL++;
      src1 = substr($5, 5); src2 = substr($9, 5);
      dst1 = substr($6, 5); dst2 = substr($10, 5);
      if (src1 != dst2 || dst1 != src2) NATED++;
  }
  END    { print "established.value " STATE["ESTABLISHED"];
           print "fin_wait.value " STATE["FIN_WAIT"];
           print "time_wait.value " STATE["TIME_WAIT"];
           print "syn_sent.value " STATE["SYN_SENT"];
           print "udp.value " STATE["UDP"];
           print "assured.value " ASSURED;
           print "nated.value " NATED;
           print "total.value " TOTAL;
         }'
else
  cat /proc/net/nf_conntrack | awk '
  BEGIN  { STATE["ESTABLISHED"]=STATE["FIN_WAIT"]=STATE["TIME_WAIT"]=0;
           TOTAL=ASSURED=NOREPLY=NATED=STATE["SYN_SENT"]=STATE["UDP"]=0; }
  / tcp / { STATE[$6]++; }
  / udp / { STATE["UDP"]++; }
  /ASSURED/ { ASSURED++; }
  {
      TOTAL++;
      src1 = substr($7, 5); src2 = substr($14, 5);
      dst1 = substr($8, 5); dst2 = substr($15, 5);
      if (src1 != dst2 || dst1 != src2) NATED++;
  }
  END    { print "established.value " STATE["ESTABLISHED"];
           print "fin_wait.value " STATE["FIN_WAIT"];
           print "time_wait.value " STATE["TIME_WAIT"];
           print "syn_sent.value " STATE["SYN_SENT"];
           print "udp.value " STATE["UDP"];
           print "assured.value " ASSURED;
           print "nated.value " NATED;
           print "total.value " TOTAL;
         }'
fi

# Hum, the total.value should be possible to do as a cdef.
# Or to use the builtin "total" support.

#  LocalWords:  expr