From 1f825c52ff966c110d3a6efbb60982c9045679e4 Mon Sep 17 00:00:00 2001 From: Alfonso Acosta Date: Fri, 29 Apr 2016 04:30:58 +0000 Subject: [PATCH] Correctly attribute DNAT-ed short-lived connections --- probe/endpoint/reporter.go | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/probe/endpoint/reporter.go b/probe/endpoint/reporter.go index d16e72a33..c1df1eedf 100644 --- a/probe/endpoint/reporter.go +++ b/probe/endpoint/reporter.go @@ -106,7 +106,7 @@ func (r *Reporter) Report() (report.Report, error) { rpt := report.MakeReport() seenTuples := map[string]fourTuple{} - // Consult the flowWalker for short-live connections + // Consult the flowWalker for short-lived connections { extraNodeInfo := map[string]string{ Conntracked: "true", @@ -120,6 +120,25 @@ func (r *Reporter) Report() (report.Report, error) { } seenTuples[tuple.key()] = tuple r.addConnection(&rpt, tuple, extraNodeInfo, extraNodeInfo) + + // Handle DNAT-ed short-lived connections. + // The NAT mapper won't help since it only runs periodically, + // missing the short-lived connections. + if f.Original.Layer3.DstIP != f.Reply.Layer3.SrcIP { + reply_tuple := fourTuple{ + f.Reply.Layer3.DstIP, + f.Reply.Layer3.SrcIP, + uint16(f.Reply.Layer4.DstPort), + uint16(f.Reply.Layer4.SrcPort), + } + // FIXME: For DNAT-ed connections the + // f.Original.Layer3.SrcIP -> f.Original.Layer3.DstIP connection above + // results in a unattributed dangling-edge to the Internet node. + // It could be enough to simply not add that connection, but + // it may not be correct in general. + r.addConnection(&rpt, reply_tuple, extraNodeInfo, extraNodeInfo) + } + }) }