
[v2,net-next] netlink: specs: add conntrack dump and stats dump support

Message ID 20250210152159.41077-1-fw@strlen.de (mailing list archive)
State Accepted
Commit 23fc9311a526aa3874ebf1fed4d8b8757d2a6bdb
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 4 maintainers not CCed: pabeni@redhat.com kuba@kernel.org horms@kernel.org edumazet@google.com
netdev/build_clang success Errors and warnings before: 47 this patch: 47
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 10 this patch: 10
netdev/checkpatch warning WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2025-02-11--00-00 (tests: 889)

Commit Message

Florian Westphal Feb. 10, 2025, 3:21 p.m. UTC
This adds support to dump the connection tracking table
("conntrack -L") and the conntrack statistics, ("conntrack -S").

Example conntrack dump:
tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/conntrack.yaml --dump get
[{'id': 59489769,
  'mark': 0,
  'nfgen-family': 2,
  'protoinfo': {'protoinfo-tcp': {'tcp-flags-original': {'flags': {'maxack',
                                                                   'sack-perm',
                                                                   'window-scale'},
                                                         'mask': set()},
                                  'tcp-flags-reply': {'flags': {'maxack',
                                                                'sack-perm',
                                                                'window-scale'},
                                                      'mask': set()},
                                  'tcp-state': 'established',
                                  'tcp-wscale-original': 7,
                                  'tcp-wscale-reply': 8}},
  'res-id': 0,
  'secctx': {'secctx-name': 'system_u:object_r:unlabeled_t:s0'},
  'status': {'assured',
             'confirmed',
             'dst-nat-done',
             'seen-reply',
             'src-nat-done'},
  'timeout': 431949,
  'tuple-orig': {'tuple-ip': {'ip-v4-dst': '34.107.243.93',
                              'ip-v4-src': '192.168.0.114'},
                 'tuple-proto': {'proto-dst-port': 443,
                                 'proto-num': 6,
                                 'proto-src-port': 37104}},
  'tuple-reply': {'tuple-ip': {'ip-v4-dst': '192.168.0.114',
                               'ip-v4-src': '34.107.243.93'},
                  'tuple-proto': {'proto-dst-port': 37104,
                                  'proto-num': 6,
                                  'proto-src-port': 443}},
  'use': 1,
  'version': 0},
 {'id': 3402229480,

Example stats dump:
tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/conntrack.yaml --dump get-stats
[{'chain-toolong': 0,
  'clash-resolve': 3,
  'drop': 0,
 ....

Changes since last iteration:
 - Address comments from Donald Hunter, in particular, fixup "get" and
   "get-stats" descriptions, the former operation supports both dump
   and normal request (returns a single entry, if found), the latter
   only supports dumps.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Documentation/netlink/specs/conntrack.yaml | 643 +++++++++++++++++++++
 1 file changed, 643 insertions(+)
 create mode 100644 Documentation/netlink/specs/conntrack.yaml

Comments

Jakub Kicinski Feb. 10, 2025, 6:39 p.m. UTC | #1
On Mon, 10 Feb 2025 16:21:52 +0100 Florian Westphal wrote:
> This adds support to dump the connection tracking table
> ("conntrack -L") and the conntrack statistics, ("conntrack -S").

Hi Florian!

Some unhappiness in the HTML doc generation coming from this spec:

/home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:68: WARNING: duplicate label conntrack-definition-nfgenmsg, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst
/home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:81: WARNING: duplicate label conntrack-definition-nf-ct-tcp-flags-mask, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst
/home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:93: WARNING: duplicate label conntrack-definition-nf-ct-tcp-flags, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst
/home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:111: WARNING: duplicate label conntrack-definition-nf-ct-tcp-state, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst
/home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:136: WARNING: duplicate label conntrack-definition-nf-ct-sctp-state, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst
/home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:155: WARNING: duplicate label conntrack-definition-nf-ct-status, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst

Could be either the codegen or the spec that's to blame..

Florian Westphal Feb. 10, 2025, 8:27 p.m. UTC | #2
Jakub Kicinski <kuba@kernel.org> wrote:
> On Mon, 10 Feb 2025 16:21:52 +0100 Florian Westphal wrote:
> > This adds support to dump the connection tracking table
> > ("conntrack -L") and the conntrack statistics, ("conntrack -S").
> 
> Hi Florian!
> 
> Some unhappiness in the HTML doc generation coming from this spec:
> 
> /home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:68: WARNING: duplicate label conntrack-definition-nfgenmsg, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst

Looks like the tree has both v1 and v2 applied to it.

v1 added 'ctnetlink.yaml', I renamed it to 'conntrack.yaml' in v2 as
that's what Donald requested.

Jakub Kicinski Feb. 10, 2025, 8:54 p.m. UTC | #3
On Mon, 10 Feb 2025 21:27:03 +0100 Florian Westphal wrote:
> Jakub Kicinski <kuba@kernel.org> wrote:
> > On Mon, 10 Feb 2025 16:21:52 +0100 Florian Westphal wrote:  
> > > This adds support to dump the connection tracking table
> > > ("conntrack -L") and the conntrack statistics, ("conntrack -S").  
> > 
> > Hi Florian!
> > 
> > Some unhappiness in the HTML doc generation coming from this spec:
> > 
> > /home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:68: WARNING: duplicate label conntrack-definition-nfgenmsg, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst  
> 
> Looks like the tree has both v1 and v2 applied to it.
>
> v1 added 'ctnetlink.yaml', I renamed it to 'conntrack.yaml' in v2 as
> that's what Donald requested.

I see. We need to clean the HTML output more thoroughly in the CI

Donald Hunter Feb. 11, 2025, 11:11 a.m. UTC | #4
Florian Westphal <fw@strlen.de> writes:

> This adds support to dump the connection tracking table
> ("conntrack -L") and the conntrack statistics, ("conntrack -S").
>
> Example conntrack dump:
> tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/conntrack.yaml --dump get

Hi Florian,

Updates all look good, with one minor new point below.

Reviewed-by: Donald Hunter <donald.hunter@gmail.com>

> +operations:
> +  enum-model: directional
> +  list:
> +    -
> +      name: get
> +      doc: get / dump entries
> +      attribute-set: conntrack-attrs
> +      fixed-header: nfgenmsg
> +      do:
> +        request:
> +          value: 0x101
> +          attributes:
> +            - tuple-orig
> +            - tuple-reply
> +            - zone
> +        reply:
> +          value: 0x100
> +          attributes:

To avoid duplicating the attribute list in the dump reply, you can
reference this definition:

@@ -565,7 +565,7 @@ operations:
             - zone
         reply:
           value: 0x100
-          attributes:
+          attributes: &entries-attrs
             - tuple-orig
             - tuple-reply
             - status
@@ -598,28 +598,7 @@ operations:
             - zone
         reply:
           value: 0x100
-          attributes:
-            - tuple-orig
-            - tuple-reply
-            - status
-            - protoinfo
-            - help
-            - nat-src
-            - nat-dst
-            - timeout
-            - mark
-            - counter-orig
-            - counter-reply
-            - use
-            - id
-            - nat-dst
-            - tuple-master
-            - seq-adj-orig
-            - seq-adj-reply
-            - zone
-            - secctx
-            - labels
-            - synproxy
+          attributes: *entries-attrs
     -
       name: get-stats
       doc: dump pcpu conntrack stats
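Review bot: the list removed here names `nat-dst` twice (after `nat-src` and again after `id`), and the `do` reply list that `&entries-attrs` anchors has the same duplicate in the posted patch, so `*entries-attrs` would carry it into the dump reply as well; drop the second `nat-dst` from the anchored list when folding this in.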
Simon Horman Feb. 12, 2025, 6:20 p.m. UTC | #5
On Mon, Feb 10, 2025 at 12:54:38PM -0800, Jakub Kicinski wrote:
> On Mon, 10 Feb 2025 21:27:03 +0100 Florian Westphal wrote:
> > Jakub Kicinski <kuba@kernel.org> wrote:
> > > On Mon, 10 Feb 2025 16:21:52 +0100 Florian Westphal wrote:  
> > > > This adds support to dump the connection tracking table
> > > > ("conntrack -L") and the conntrack statistics, ("conntrack -S").  
> > > 
> > > Hi Florian!
> > > 
> > > Some unhappiness in the HTML doc generation coming from this spec:
> > > 
> > > /home/doc-build/testing/Documentation/networking/netlink_spec/ctnetlink.rst:68: WARNING: duplicate label conntrack-definition-nfgenmsg, other instance in /home/doc-build/testing/Documentation/networking/netlink_spec/conntrack.rst  
> > 
> > Looks like the tree has both v1 and v2 applied to it.
> >
> > v1 added 'ctnetlink.yaml', I renamed it to 'conntrack.yaml' in v2 as
> > that's what Donald requested.
> 
> I see. We need to clean the HTML output more thoroughly in the CI

Jakub Kicinski Feb. 12, 2025, 6:58 p.m. UTC | #6
On Wed, 12 Feb 2025 18:20:07 +0000 Simon Horman wrote:
> > > Looks like the tree has both v1 and v2 applied to it.
> > >
> > > v1 added 'ctnetlink.yaml', I renamed it to 'conntrack.yaml' in v2 as
> > > that's what Donald requested.
> > 
> > I see. We need to clean the HTML output more thoroughly in the CI

patchwork-bot+netdevbpf@kernel.org Feb. 13, 2025, 4:10 a.m. UTC | #7
Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 10 Feb 2025 16:21:52 +0100 you wrote:
> This adds support to dump the connection tracking table
> ("conntrack -L") and the conntrack statistics, ("conntrack -S").
> 
> Example conntrack dump:
> tools/net/ynl/pyynl/cli.py --spec Documentation/netlink/specs/conntrack.yaml --dump get
> [{'id': 59489769,
>   'mark': 0,
>   'nfgen-family': 2,
>   'protoinfo': {'protoinfo-tcp': {'tcp-flags-original': {'flags': {'maxack',
>                                                                    'sack-perm',
>                                                                    'window-scale'},
>                                                          'mask': set()},
>                                   'tcp-flags-reply': {'flags': {'maxack',
>                                                                 'sack-perm',
>                                                                 'window-scale'},
>                                                       'mask': set()},
>                                   'tcp-state': 'established',
>                                   'tcp-wscale-original': 7,
>                                   'tcp-wscale-reply': 8}},
>   'res-id': 0,
>   'secctx': {'secctx-name': 'system_u:object_r:unlabeled_t:s0'},
>   'status': {'assured',
>              'confirmed',
>              'dst-nat-done',
>              'seen-reply',
>              'src-nat-done'},
>   'timeout': 431949,
>   'tuple-orig': {'tuple-ip': {'ip-v4-dst': '34.107.243.93',
>                               'ip-v4-src': '192.168.0.114'},
>                  'tuple-proto': {'proto-dst-port': 443,
>                                  'proto-num': 6,
>                                  'proto-src-port': 37104}},
>   'tuple-reply': {'tuple-ip': {'ip-v4-dst': '192.168.0.114',
>                                'ip-v4-src': '34.107.243.93'},
>                   'tuple-proto': {'proto-dst-port': 37104,
>                                   'proto-num': 6,
>                                   'proto-src-port': 443}},
>   'use': 1,
>   'version': 0},
>  {'id': 3402229480,
> 
> [...]

Here is the summary with links:
  - [v2,net-next] netlink: specs: add conntrack dump and stats dump support
    https://git.kernel.org/netdev/net-next/c/23fc9311a526

You are awesome, thank you!

Patch

diff --git a/Documentation/netlink/specs/conntrack.yaml b/Documentation/netlink/specs/conntrack.yaml
new file mode 100644
index 000000000000..840dc4504216
--- /dev/null
+++ b/Documentation/netlink/specs/conntrack.yaml
@@ -0,0 +1,643 @@ 
+# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
+
+name: conntrack
+protocol: netlink-raw
+protonum: 12
+
+doc:
+  Netfilter connection tracking subsystem over nfnetlink
+
+definitions:
+  -
+    name: nfgenmsg
+    type: struct
+    members:
+      -
+        name: nfgen-family
+        type: u8
+      -
+        name: version
+        type: u8
+      -
+        name: res-id
+        byte-order: big-endian
+        type: u16
+  -
+    name: nf-ct-tcp-flags-mask
+    type: struct
+    members:
+      -
+        name: flags
+        type: u8
+        enum: nf-ct-tcp-flags
+        enum-as-flags: true
+      -
+        name: mask
+        type: u8
+        enum: nf-ct-tcp-flags
+        enum-as-flags: true
+  -
+    name: nf-ct-tcp-flags
+    type: flags
+    entries:
+      - window-scale
+      - sack-perm
+      - close-init
+      - be-liberal
+      - unacked
+      - maxack
+      - challenge-ack
+      - simultaneous-open
+  -
+    name: nf-ct-tcp-state
+    type: enum
+    entries:
+      - none
+      - syn-sent
+      - syn-recv
+      - established
+      - fin-wait
+      - close-wait
+      - last-ack
+      - time-wait
+      - close
+      - syn-sent2
+      - max
+      - ignore
+      - retrans
+      - unack
+      - timeout-max
+  -
+    name: nf-ct-sctp-state
+    type: enum
+    entries:
+      - none
+      - cloned
+      - cookie-wait
+      - cookie-echoed
+      - established
+      - shutdown-sent
+      - shutdown-received
+      - shutdown-ack-sent
+      - shutdown-heartbeat-sent
+  -
+    name: nf-ct-status
+    type: flags
+    entries:
+      - expected
+      - seen-reply
+      - assured
+      - confirmed
+      - src-nat
+      - dst-nat
+      - seq-adj
+      - src-nat-done
+      - dst-nat-done
+      - dying
+      - fixed-timeout
+      - template
+      - nat-clash
+      - helper
+      - offload
+      - hw-offload
+
+attribute-sets:
+  -
+    name: counter-attrs
+    attributes:
+      -
+        name: packets
+        type: u64
+        byte-order: big-endian
+      -
+        name: bytes
+        type: u64
+        byte-order: big-endian
+      -
+        name: packets-old
+        type: u32
+      -
+        name: bytes-old
+        type: u32
+      -
+        name: pad
+        type: pad
+  -
+    name: tuple-proto-attrs
+    attributes:
+      -
+        name: proto-num
+        type: u8
+        doc: l4 protocol number
+      -
+        name: proto-src-port
+        type: u16
+        byte-order: big-endian
+        doc: l4 source port
+      -
+        name: proto-dst-port
+        type: u16
+        byte-order: big-endian
+        doc: l4 source port
+      -
+        name: proto-icmp-id
+        type: u16
+        byte-order: big-endian
+        doc: l4 icmp id
+      -
+        name: proto-icmp-type
+        type: u8
+      -
+        name: proto-icmp-code
+        type: u8
+      -
+        name: proto-icmpv6-id
+        type: u16
+        byte-order: big-endian
+        doc: l4 icmp id
+      -
+        name: proto-icmpv6-type
+        type: u8
+      -
+        name: proto-icmpv6-code
+        type: u8
+  -
+    name: tuple-ip-attrs
+    attributes:
+      -
+        name: ip-v4-src
+        type: u32
+        byte-order: big-endian
+        display-hint: ipv4
+        doc: ipv4 source address
+      -
+        name: ip-v4-dst
+        type: u32
+        byte-order: big-endian
+        display-hint: ipv4
+        doc: ipv4 destination address
+      -
+        name: ip-v6-src
+        type: binary
+        checks:
+          min-len: 16
+        byte-order: big-endian
+        display-hint: ipv6
+        doc: ipv6 source address
+      -
+        name: ip-v6-dst
+        type: binary
+        checks:
+          min-len: 16
+        byte-order: big-endian
+        display-hint: ipv6
+        doc: ipv6 destination address
+  -
+    name: tuple-attrs
+    attributes:
+    -
+        name: tuple-ip
+        type: nest
+        nested-attributes: tuple-ip-attrs
+        doc: conntrack l3 information
+    -
+        name: tuple-proto
+        type: nest
+        nested-attributes: tuple-proto-attrs
+        doc: conntrack l4 information
+    -
+        name: tuple-zone
+        type: u16
+        byte-order: big-endian
+        doc: conntrack zone id
+  -
+    name: protoinfo-tcp-attrs
+    attributes:
+    -
+        name: tcp-state
+        type: u8
+        enum: nf-ct-tcp-state
+        doc: tcp connection state
+    -
+        name: tcp-wscale-original
+        type: u8
+        doc: window scaling factor in original direction
+    -
+        name: tcp-wscale-reply
+        type: u8
+        doc: window scaling factor in reply direction
+    -
+        name: tcp-flags-original
+        type: binary
+        struct: nf-ct-tcp-flags-mask
+    -
+        name: tcp-flags-reply
+        type: binary
+        struct: nf-ct-tcp-flags-mask
+  -
+    name: protoinfo-dccp-attrs
+    attributes:
+    -
+        name: dccp-state
+        type: u8
+        doc: dccp connection state
+    -
+        name: dccp-role
+        type: u8
+    -
+        name: dccp-handshake-seq
+        type: u64
+        byte-order: big-endian
+    -
+        name: dccp-pad
+        type: pad
+  -
+    name: protoinfo-sctp-attrs
+    attributes:
+    -
+        name: sctp-state
+        type: u8
+        doc: sctp connection state
+        enum: nf-ct-sctp-state
+    -
+        name: vtag-original
+        type: u32
+        byte-order: big-endian
+    -
+        name: vtag-reply
+        type: u32
+        byte-order: big-endian
+  -
+    name: protoinfo-attrs
+    attributes:
+    -
+        name: protoinfo-tcp
+        type: nest
+        nested-attributes: protoinfo-tcp-attrs
+        doc: conntrack tcp state information
+    -
+        name: protoinfo-dccp
+        type: nest
+        nested-attributes: protoinfo-dccp-attrs
+        doc: conntrack dccp state information
+    -
+        name: protoinfo-sctp
+        type: nest
+        nested-attributes: protoinfo-sctp-attrs
+        doc: conntrack sctp state information
+  -
+    name: help-attrs
+    attributes:
+      -
+        name: help-name
+        type: string
+        doc: helper name
+  -
+    name: nat-proto-attrs
+    attributes:
+      -
+        name: nat-port-min
+        type: u16
+        byte-order: big-endian
+      -
+        name: nat-port-max
+        type: u16
+        byte-order: big-endian
+  -
+    name: nat-attrs
+    attributes:
+      -
+        name: nat-v4-minip
+        type: u32
+        byte-order: big-endian
+      -
+        name: nat-v4-maxip
+        type: u32
+        byte-order: big-endian
+      -
+        name: nat-v6-minip
+        type: binary
+      -
+        name: nat-v6-maxip
+        type: binary
+      -
+        name: nat-proto
+        type: nest
+        nested-attributes: nat-proto-attrs
+  -
+    name: seqadj-attrs
+    attributes:
+      -
+        name: correction-pos
+        type: u32
+        byte-order: big-endian
+      -
+        name: offset-before
+        type: u32
+        byte-order: big-endian
+      -
+        name: offset-after
+        type: u32
+        byte-order: big-endian
+  -
+    name: secctx-attrs
+    attributes:
+      -
+        name: secctx-name
+        type: string
+  -
+    name: synproxy-attrs
+    attributes:
+      -
+        name: isn
+        type: u32
+        byte-order: big-endian
+      -
+        name: its
+        type: u32
+        byte-order: big-endian
+      -
+        name: tsoff
+        type: u32
+        byte-order: big-endian
+  -
+    name: conntrack-attrs
+    attributes:
+      -
+        name: tuple-orig
+        type: nest
+        nested-attributes: tuple-attrs
+        doc: conntrack l3+l4 protocol information, original direction
+      -
+        name: tuple-reply
+        type: nest
+        nested-attributes: tuple-attrs
+        doc: conntrack l3+l4 protocol information, reply direction
+      -
+        name: status
+        type: u32
+        byte-order: big-endian
+        enum: nf-ct-status
+        enum-as-flags: true
+        doc: conntrack flag bits
+      -
+        name: protoinfo
+        type: nest
+        nested-attributes: protoinfo-attrs
+      -
+        name: help
+        type: nest
+        nested-attributes: help-attrs
+      -
+        name: nat-src
+        type: nest
+        nested-attributes: nat-attrs
+      -
+        name: timeout
+        type: u32
+        byte-order: big-endian
+      -
+        name: mark
+        type: u32
+        byte-order: big-endian
+      -
+        name: counters-orig
+        type: nest
+        nested-attributes: counter-attrs
+      -
+        name: counters-reply
+        type: nest
+        nested-attributes: counter-attrs
+      -
+        name: use
+        type: u32
+        byte-order: big-endian
+      -
+        name: id
+        type: u32
+        byte-order: big-endian
+      -
+        name: nat-dst
+        type: nest
+        nested-attributes: nat-attrs
+      -
+        name: tuple-master
+        type: nest
+        nested-attributes: tuple-attrs
+      -
+        name: seq-adj-orig
+        type: nest
+        nested-attributes: seqadj-attrs
+      -
+        name: seq-adj-reply
+        type: nest
+        nested-attributes: seqadj-attrs
+      -
+        name: secmark
+        type: binary
+        doc: obsolete
+      -
+        name: zone
+        type: u16
+        byte-order: big-endian
+        doc: conntrack zone id
+      -
+        name: secctx
+        type: nest
+        nested-attributes: secctx-attrs
+      -
+        name: timestamp
+        type: u64
+        byte-order: big-endian
+      -
+        name: mark-mask
+        type: u32
+        byte-order: big-endian
+      -
+        name: labels
+        type: binary
+      -
+        name: labels mask
+        type: binary
+      -
+        name: synproxy
+        type: nest
+        nested-attributes: synproxy-attrs
+      -
+        name: filter
+        type: nest
+        nested-attributes: tuple-attrs
+      -
+        name: status-mask
+        type: u32
+        byte-order: big-endian
+        enum: nf-ct-status
+        enum-as-flags: true
+        doc: conntrack flag bits to change
+      -
+        name: timestamp-event
+        type: u64
+        byte-order: big-endian
+  -
+    name: conntrack-stats-attrs
+    attributes:
+      -
+        name: searched
+        type: u32
+        byte-order: big-endian
+        doc: obsolete
+      -
+        name: found
+        type: u32
+        byte-order: big-endian
+      -
+        name: new
+        type: u32
+        byte-order: big-endian
+        doc: obsolete
+      -
+        name: invalid
+        type: u32
+        byte-order: big-endian
+        doc: obsolete
+      -
+        name: ignore
+        type: u32
+        byte-order: big-endian
+        doc: obsolete
+      -
+        name: delete
+        type: u32
+        byte-order: big-endian
+        doc: obsolete
+      -
+        name: delete-list
+        type: u32
+        byte-order: big-endian
+        doc: obsolete
+      -
+        name: insert
+        type: u32
+        byte-order: big-endian
+      -
+        name: insert-failed
+        type: u32
+        byte-order: big-endian
+      -
+        name: drop
+        type: u32
+        byte-order: big-endian
+      -
+        name: early-drop
+        type: u32
+        byte-order: big-endian
+      -
+        name: error
+        type: u32
+        byte-order: big-endian
+      -
+        name: search-restart
+        type: u32
+        byte-order: big-endian
+      -
+        name: clash-resolve
+        type: u32
+        byte-order: big-endian
+      -
+        name: chain-toolong
+        type: u32
+        byte-order: big-endian
+
+operations:
+  enum-model: directional
+  list:
+    -
+      name: get
+      doc: get / dump entries
+      attribute-set: conntrack-attrs
+      fixed-header: nfgenmsg
+      do:
+        request:
+          value: 0x101
+          attributes:
+            - tuple-orig
+            - tuple-reply
+            - zone
+        reply:
+          value: 0x100
+          attributes:
+            - tuple-orig
+            - tuple-reply
+            - status
+            - protoinfo
+            - help
+            - nat-src
+            - nat-dst
+            - timeout
+            - mark
+            - counter-orig
+            - counter-reply
+            - use
+            - id
+            - nat-dst
+            - tuple-master
+            - seq-adj-orig
+            - seq-adj-reply
+            - zone
+            - secctx
+            - labels
+            - synproxy
+      dump:
+        request:
+          value: 0x101
+          attributes:
+            - nfgen-family
+            - mark
+            - filter
+            - status
+            - zone
+        reply:
+          value: 0x100
+          attributes:
+            - tuple-orig
+            - tuple-reply
+            - status
+            - protoinfo
+            - help
+            - nat-src
+            - nat-dst
+            - timeout
+            - mark
+            - counter-orig
+            - counter-reply
+            - use
+            - id
+            - nat-dst
+            - tuple-master
+            - seq-adj-orig
+            - seq-adj-reply
+            - zone
+            - secctx
+            - labels
+            - synproxy
+    -
+      name: get-stats
+      doc: dump pcpu conntrack stats
+      attribute-set: conntrack-stats-attrs
+      fixed-header: nfgenmsg
+      dump:
+        request:
+          value: 0x104
+        reply:
+          value: 0x104
+          attributes:
+            - searched
+            - found
+            - insert
+            - insert-failed
+            - drop
+            - early-drop
+            - error
+            - search-restart
+            - clash-resolve
+            - chain-toolong
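Review bot: the `get` reply lists in both `do` and `dump` name `counter-orig` and `counter-reply`, but `conntrack-attrs` defines these attributes as `counters-orig` and `counters-reply`, so the operation lists reference names that are not in the attribute set; use the plural names in both lists. In `tuple-proto-attrs`, `proto-dst-port` carries `doc: l4 source port`, which looks copied from `proto-src-port` and should describe the destination port. In `conntrack-attrs` the name `labels mask` contains a space where every other attribute uses hyphens; `labels-mask` would match the rest of the spec. The `dump` request for `get` also lists `nfgen-family`, which this spec defines as a member of the `nfgenmsg` fixed header rather than as an attribute of `conntrack-attrs`, so it probably does not belong in that attribute list.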