From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [ulogd PATCH 3/3] add mark dump filter
Date: Tue, 8 Apr 2014 19:34:22 +0900 [thread overview]
Message-ID: <20140408103420.GD29462@gmail.com> (raw)
In-Reply-To: <20140408102614.GA29462@gmail.com>
This patch makes it possible to filter the dump by mark.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
input/flow/ulogd_inpflow_NFCT.c | 63 +++++++++++++++++++++++++++--------------
1 file changed, 42 insertions(+), 21 deletions(-)
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index a5cf854..37b45e8 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -71,6 +71,7 @@ struct nfct_pluginstance {
struct ulogd_timer ov_timer; /* overrun retry timer */
struct hashtable *ct_active;
int nlbufsiz; /* current netlink buffer size */
+ struct nfct_filter_dump *filter_dump;
struct nf_conntrack *ct;
};
@@ -1003,8 +1004,9 @@ dump_reset_handler(enum nf_conntrack_msg_type type,
static void get_ctr_zero(struct ulogd_pluginstance *upi)
{
+ struct nfct_pluginstance *cpi =
+ (struct nfct_pluginstance *)upi->private;
struct nfct_handle *h;
- int family = AF_UNSPEC;
h = nfct_open(CONNTRACK, 0);
if (h == NULL) {
@@ -1012,7 +1014,7 @@ static void get_ctr_zero(struct ulogd_pluginstance *upi)
return;
}
nfct_callback_register(h, NFCT_T_ALL, &dump_reset_handler, upi);
- if (nfct_query(h, NFCT_Q_DUMP_RESET, &family) == -1)
+ if (nfct_query(h, NFCT_Q_DUMP_FILTER_RESET, cpi->filter_dump) == -1)
ulogd_log(ULOGD_FATAL, "Cannot dump and reset counters\n");
nfct_close(h);
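Review bot: The `nfct_query(h, NFCT_Q_DUMP_FILTER_RESET, cpi->filter_dump)` call drops the explicit `AF_UNSPEC` family that the removed `&family` argument carried, and nothing in this patch sets a family on the dump filter. Which address family a filtered dump requests is then decided inside libnetfilter_conntrack, so please confirm against the library version ulogd builds with that IPv6 flows are still dumped; if they are not, they would silently drop out of the logs even when no mark filter is configured. The same replacement is made in the polling_timer_cb, overrun_timeout and constructor_nfct_events hunks. One option is to keep the old `NFCT_Q_DUMP` query with `&family` when the mark filter string is empty and use the filtered query only when a mark is set.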
@@ -1023,9 +1025,8 @@ static void polling_timer_cb(struct ulogd_timer *t, void *data)
struct ulogd_pluginstance *upi = data;
struct nfct_pluginstance *cpi =
(struct nfct_pluginstance *)upi->private;
- int family = AF_UNSPEC;
- nfct_query(cpi->pgh, NFCT_Q_DUMP, &family);
+ nfct_query(cpi->pgh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
hashtable_iterate(cpi->ct_active, upi, do_purge);
ulogd_add_timer(&cpi->timer, pollint_ce(upi->config_kset).u.value);
}
@@ -1044,12 +1045,11 @@ static int configure_nfct(struct ulogd_pluginstance *upi,
static void overrun_timeout(struct ulogd_timer *a, void *data)
{
- int family = AF_UNSPEC;
struct ulogd_pluginstance *upi = data;
struct nfct_pluginstance *cpi =
(struct nfct_pluginstance *)upi->private;
- nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
+ nfct_send(cpi->ovh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
}
@@ -1228,8 +1228,8 @@ static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
return 0;
}
-#if defined HAVE_NFCT_FILTER_MARK
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string,
+ struct nfct_filter_dump *filter_dump)
{
char *p, *endptr;
uintmax_t v;
@@ -1264,24 +1264,27 @@ static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_strin
filter_mark.mask = UINT32_MAX;
}
- ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+ if (filter != NULL) {
+#if defined HAVE_NFCT_FILTER_MARK
+ nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+ ulogd_log(ULOGD_NOTICE, "adding mark to event filter: \"%u/%u\"\n",
+ filter_mark.val, filter_mark.mask);
+#else
+ ulogd_log(ULOGD_FATAL, "mark event filter is not supported\n");
+ return -1;
+#endif
+ }
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+ &filter_mark);
+ ulogd_log(ULOGD_NOTICE, "adding mark to dump filter: \"%u/%u\"\n",
filter_mark.val, filter_mark.mask);
- nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
return 0;
invalid_error:
ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
return -1;
-
-}
-#else
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
-{
- ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
- return -1;
}
-#endif /* HAVE_NFCT_FILTER_MARK */
static int build_nfct_filter(struct ulogd_pluginstance *upi)
{
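Review bot: The new `if (filter != NULL)` branch makes a NULL `filter` mean "polling mode, dump filter only", but that contract is not documented anywhere, and `filter_dump` is handed to `nfct_filter_dump_set_attr()` without a check. A comment above build_nfct_filter_mark would make this explicit, e.g. `/* filter may be NULL (polling mode): only the dump filter is set; filter_dump must not be NULL */`. The function's signature and its value/mask parsing lie outside this hunk.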
@@ -1327,7 +1330,7 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
char *filter_string = mark_filter_ce(upi->config_kset).u.string;
- if (build_nfct_filter_mark(filter, filter_string) != 0) {
+ if (build_nfct_filter_mark(filter, filter_string, cpi->filter_dump) != 0) {
ulogd_log(ULOGD_FATAL,
"Unable to create mark filter\n");
goto err_filter;
@@ -1412,7 +1415,6 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
goto err_nfctobj;
if (usehash_ce(upi->config_kset).u.value != 0) {
- int family = AF_UNSPEC;
struct nfct_handle *h;
/* we use a hashtable to cache entries in userspace. */
@@ -1436,7 +1438,7 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
}
nfct_callback_register(h, NFCT_T_ALL,
&event_handler_hashtable, upi);
- nfct_query(h, NFCT_Q_DUMP, &family);
+ nfct_query(h, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
nfct_close(h);
/* the overrun handler only make sense with the hashtable,
@@ -1500,6 +1502,14 @@ static int constructor_nfct_polling(struct ulogd_pluginstance *upi)
ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
goto err;
}
+ if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_mark(NULL, filter_string,
+ cpi->filter_dump) != 0) {
+ ulogd_log(ULOGD_FATAL, "error creating NFCT mark filter\n");
+ goto err_hashtable;
+ }
+ }
nfct_callback_register(cpi->pgh, NFCT_T_ALL, &polling_handler, upi);
cpi->ct_active =
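Review bot: The failing `build_nfct_filter_mark()` call jumps to `err_hashtable` before `cpi->ct_active` is assigned a few lines below, so the label name no longer describes every path that reaches it. The label is outside the hunk; please confirm it only releases `cpi->pgh` and does not touch the hashtable, or rename it after what it actually closes. The rest of constructor_nfct_polling is not visible here.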
@@ -1534,6 +1544,15 @@ err:
static int constructor_nfct(struct ulogd_pluginstance *upi)
{
+ struct nfct_pluginstance *cpi =
+ (struct nfct_pluginstance *) upi->private;
+
+ cpi->filter_dump = nfct_filter_dump_create();
+ if (cpi->filter_dump == NULL) {
+ ulogd_log(ULOGD_FATAL, "could not create filter_dump\n");
+ return -1;
+ }
+
if (pollint_ce(upi->config_kset).u.value == 0) {
/* listen to ctnetlink events. */
return constructor_nfct_events(upi);
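Review bot: `cpi->filter_dump` is allocated before either mode constructor runs, but the result of `constructor_nfct_events(upi)` is returned directly, so a failure there leaves the dump filter allocated. The polling branch is outside the hunk and presumably has the same shape. Capturing the return value and, on failure, running `nfct_filter_dump_destroy(cpi->filter_dump); cpi->filter_dump = NULL;` before returning would release it on the error path as well.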
@@ -1553,6 +1572,8 @@ static int destructor_nfct_events(struct ulogd_pluginstance *upi)
ulogd_unregister_fd(&cpi->nfct_fd);
+ nfct_filter_dump_destroy(cpi->filter_dump);
+
rc = nfct_close(cpi->cth);
if (rc < 0)
return rc;
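Review bot: `nfct_filter_dump_destroy(cpi->filter_dump)` is added only to destructor_nfct_events, while the filter is created in constructor_nfct for both modes; if polling mode has its own destructor (not shown in this patch), the filter is never freed there. The pointer is also left dangling after the destroy, and polling_timer_cb and overrun_timeout pass it to `nfct_query()`/`nfct_send()`, so add `cpi->filter_dump = NULL;` after the destroy and check that the timers are stopped before this point. The rest of the destructor is outside the hunk.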
--
1.8.5.3