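#!/usr/local/bin/perl
#
# Check the size of the /proc/net/nf_conntrack table
#
# $Header: /opt/home/doke/work/nagios/RCS/check_nf_conntrack,v 1.2 2015/08/29 19:30:47 doke Exp $
#
# Counts the lines of the conntrack table with "sudo wc -l" and compares
# the count against a warning and a critical threshold.  The result is
# printed as one status line and returned as the exit code.
#
# Exit codes follow the monitoring-plugin convention:
#   0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN.
#
# Deployment note: the script needs a passwordless sudo rule for the
# account that runs it.  Keep that rule limited to the exact command
# "wc -l /proc/net/nf_conntrack" rather than granting wc (or ALL) in
# general, because wc run as root can read any file.

use strict;
use warnings;
use Getopt::Long;

# Fixed search path, so sudo and wc are resolved from known directories
# and not from whatever PATH the caller happened to export.
$ENV{PATH} = '/usr/local/bin:/opt/sfw/bin:/usr/sfw/bin:/usr/bin:/bin:/usr/sbin:/sbin';

my $warn_threshold    = 5000;
my $crit_threshold    = 10000;
my $nf_conntrack_file = "/proc/net/nf_conntrack";
my $verbose           = 0;
my $help              = 0;

# Result buckets, filled by check_nf_conntrack() and reported below.
my ( @crits, @warns, @unknowns, @oks, @ignores );


# Print the option summary and exit with the given status code.
sub usage {
    my( $rc ) = @_;

    print "Usage: $0 [options]\n",
        "    -w n    warning threshold [$warn_threshold]\n",
        "    -c n    critical threshold [$crit_threshold]\n",
        "    -v      verbose\n",
        "    -h      help\n";

    exit $rc;
}


Getopt::Long::Configure( "bundling" );
# An unknown option or a non-integer threshold is a configuration error,
# so report it as UNKNOWN instead of silently running with defaults.
GetOptions(
    'w=i' => \$warn_threshold,
    'c=i' => \$crit_threshold,
    'v+'  => \$verbose,
    'h'   => \$help,
) or usage( 3 );

usage( 0 ) if ( $help );

if ( $warn_threshold > $crit_threshold ) {
    print "critical threshold must be higher than warning threshold\n";
    # Was exit 1, which a monitoring server reads as WARNING on the
    # service itself; a bad invocation is UNKNOWN.
    usage( 3 );
}

check_nf_conntrack();

my $rc  = 0;
my $sep = '';
if ( @crits ) {
    $rc = 2;
    print "CRITICAL ", join( ", ", @crits );
    $sep = '; ';
}
if ( @warns ) {
    $rc = 1 if ( $rc == 0 );
    print $sep, "Warning ", join( ", ", @warns );
    $sep = '; ';
}
if ( @unknowns ) {
    # Was -1, which the parent process sees as 255 and which is outside
    # the 0..3 range defined for plugin results.
    $rc = 3 if ( $rc == 0 );
    print $sep, "Unknown ", join( ", ", @unknowns );
    $sep = '; ';
}
if ( $rc == 0 ) {
    print "Ok ", join( ", ", @oks );
    $sep = '; ';
}
if ( @ignores ) {
    print $sep, "Ignoring ", join( ", ", @ignores );
}
print "\n";

exit $rc;


##################


# Count the entries in the conntrack table and file the result under
# @crits, @warns, @oks or @unknowns.  Takes no arguments and returns
# nothing; it reads the thresholds and file name from the file-level
# variables above.
sub check_nf_conntrack {
    if ( ! -f $nf_conntrack_file ) {
        push @oks, "not applicable, no nf_conntrack file";
        return;
    }

    # List form: the command is exec'd directly, with no shell in
    # between, so the file name can never be reinterpreted as shell
    # syntax even if it later becomes configurable.
    my @cmd = ( 'sudo', 'wc', '-l', $nf_conntrack_file );
    print "+ @cmd\n" if ( $verbose );

    my $pipe;
    if ( ! open( $pipe, '-|', @cmd ) ) {
        push @unknowns, "unable to run @cmd: $!";
        return;
    }
    my $out = do { local $/; <$pipe> };
    $out = '' if ( ! defined $out );
    close $pipe;    # reaps the child and sets $?
    my $status = $? >> 8;

    # now we should have something like "80 /proc/net/nf_conntrack\n"
    print "got: $out\n" if ( $verbose );

    my $n;
    if ( $out =~ m/\A\s*(\d+)\s*/ ) {
        $n = $1;
    }
    else {
        # $! says nothing about a child that ran and failed; the exit
        # status is the useful value here (sudo refusing the command
        # shows up as a non-zero status and empty output).
        push @unknowns,
            "unable to wc $nf_conntrack_file: exit status $status";
        return;
    }
    print "n = $n\n" if ( $verbose );

    if ( $n > $crit_threshold ) {
        push @crits, "$n state entries in nf_conntrack";
    }
    elsif ( $n > $warn_threshold ) {
        push @warns, "$n state entries in nf_conntrack";
    }
    else {
        push @oks, "$n state entries in nf_conntrack";
    }
    return;
}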