5 fw_conntrack - Plugin to monitor the number of tracked connections
6 through a Linux 2.4/2.6 firewall
10 This plugin must run with root privileges (reading the connection tracking table, whether through the conntrack tool or the /proc/net files, needs them)
12 =head2 CONFIGURATION EXAMPLE
14 /etc/munin/plugin-conf.d/global or other file in that dir must contain:
21 ESTABLISHED+FIN_WAIT+TIME_WAIT+SYN_SENT+UDP are the most interesting
24 The total list also includes SYN_RECV, CLOSE, CLOSE_WAIT, LAST_ACK and
25 LISTEN, but these were not (often) observed on my firewall.
27 TOTAL is the total number of tracked connections. Note that the command built in this version of the plugin pipes the conntrack listing through grep, so every counter, TOTAL included, only covers the entries that filter keeps.
29 ASSURED and UNREPLIED connections are complementary subsets of
32 A connection becomes ASSURED once an ACK has been seen after SYN_RECV, so only ASSURED is
33 plotted, not UNREPLIED.
35 Note that the plugin prefers the netfilter "conntrack" userspace tool and falls back to /proc/net/nf_conntrack or /proc/net/ip_conntrack when the tool is not installed.
36 It comes from http://conntrack-tools.netfilter.org/
42 =item 2004.05.05: Initial version by Nicolai Langfeldt, Linpro AS, Oslo, Norway
44 =item 2004.05.06: Enhanced to count NATed connections after input from Xavier on munin-users list
46 =item 2011.09.23: Perl version by Alex Tomlins
57 #%# capabilities=autoconf
# Candidate sources for the connection table.  Further down they are tried
# in this order: the conntrack userspace tool first, then the nf_conntrack
# and finally the older ip_conntrack /proc file.
my ($conntrack, $nf_conntrack_file, $ip_conntrack_file) = (
    '/usr/sbin/conntrack',
    '/proc/net/nf_conntrack',
    '/proc/net/ip_conntrack',
);
67 my @conntrack_max_files = qw(
68 /proc/sys/net/nf_conntrack_max
69 /proc/sys/net/netfilter/nf_conntrack_max
70 /proc/sys/net/ipv4/ip_conntrack_max
71 /proc/sys/net/ipv4/netfilter/ip_conntrack_max
74 if ( defined($ARGV[0]) and $ARGV[0] eq "autoconf" ) {
75 if ( -x $conntrack or -r $nf_conntrack_file or -r $ip_conntrack_file) {
78 print "no (command $conntrack or file $nf_conntrack_file or file $ip_conntrack_file not found)\n";
83 if ( defined($ARGV[0]) and $ARGV[0] eq "config" ) {
85 graph_title Connections through firewall
86 graph_vlabel Connections
87 graph_category network
89 established.label Established
90 established.type GAUGE
92 fin_wait.label FIN_WAIT
95 time_wait.label TIME_WAIT
98 syn_sent.label SYN_SENT
101 udp.label UDP connections
104 assured.label Assured
115 foreach (@conntrack_max_files) {
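# Read the conntrack limit straight from the sysctl file instead of
# shelling out to `cat` (no fork of a shell per poll, no dependency on a
# shell being present).  An unreadable or empty file leaves $max as the
# empty string, exactly as a failing `cat` did.
$max = '';
if (open my $max_fh, '<', $_) {
    my $limit_line = <$max_fh>;
    close $max_fh;
    $max = defined $limit_line ? $limit_line : '';
    chomp $max;
}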
122 print "total.warning ", $max * 8 / 10, "\n";
123 print "total.critical ", $max * 9 / 10, "\n";
129 if ( -x $conntrack) {
# NOTE(review): the conntrack listing is piped through grep, so every
# counter this plugin reports (TOTAL included) covers only the entries
# matching 'dport=123 ' or, for IPv4 only, 'src=185.144.161.170 ' -- not
# all tracked connections as the POD above states.  If that filter is
# intended, document it in the POD; if not, drop the grep stages.
# Further points a maintainer should check: the patterns are basic
# regexes, so the unescaped '.' in the address matches any character
# (grep -F would match the string literally); the IPv6 branch has no
# src filter; and 2>/dev/null discards conntrack's errors, so e.g.
# running without root shows up as zero connections rather than a
# failure.
$command = "$conntrack -L -o extended -f ipv4 2>/dev/null | grep -e 'dport=123 ' -e 'src=185.144.161.170 '; $conntrack -L -o extended -f ipv6 2>/dev/null | grep -e 'dport=123 '";
131 } elsif ( -r $nf_conntrack_file ) {
132 $command = "cat $nf_conntrack_file";
134 $command = "cat $ip_conntrack_file";
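# Start the collector command and read its output line by line through
# the CMD handle (the reading loop follows).  Three-argument pipe open
# with an explicit failure check: the old two-argument, unchecked form
# produced an empty listing -- and therefore all-zero graph values --
# when the command could not be started at all.  The check catches a
# failed fork/exec of the shell; errors from inside the pipeline still
# only show in its (possibly empty) output, and the command assembly
# above discards conntrack's stderr.  $command is built from fixed
# literals only, so no untrusted data reaches the shell that still
# interprets the pipeline.
open(CMD, '-|', $command)
    or die "fw_conntrack: cannot run '$command': $!\n";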
150 $state{'UDP'} ++ if /udp /;
151 $state{'ASSURED'} ++ if /ASSURED/;
152 if (/tcp \s*\d+\s+\d+\s+(\S+)/) {
155 if (/src=(\S+)\s+dst=(\S+)\s+sport.*src=(\S+)\s+dst=(\S+)/) {
156 $state{'NATTED'} ++ if $1 ne $4 or $2 ne $3;
# Emit one "<field>.value <count>" line per graphed series.  %state is
# keyed by the conntrack state name counted above; the NATTED counter is
# reported under the "nated" field.
my @series = (
    [ established => 'ESTABLISHED' ],
    [ fin_wait    => 'FIN_WAIT'    ],
    [ time_wait   => 'TIME_WAIT'   ],
    [ syn_sent    => 'SYN_SENT'    ],
    [ udp         => 'UDP'         ],
    [ assured     => 'ASSURED'     ],
    [ nated       => 'NATTED'      ],
    [ total       => 'TOTAL'       ],
);
for my $series (@series) {
    my ($field, $state_key) = @{$series};
    print "$field.value $state{$state_key}\n";
}