From: Felix Huettner <felix.huettner@mail.schwarz>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org,
linux-kselftest@vger.kernel.org, kadlec@netfilter.org,
fw@strlen.de, davem@davemloft.net, edumazet@google.com,
pabeni@redhat.com, shuah@kernel.org, luca.czesla@mail.schwarz,
max.lamprecht@mail.schwarz
Subject: Re: [PATCH net-next v2] net: ctnetlink: support filtering by zone
Date: Fri, 1 Dec 2023 11:30:41 +0000 [thread overview]
Message-ID: <ZWnD4SqjhHXmtXlR@kernel-bug-kernel-bug> (raw)
In-Reply-To: <ZWSNrlHYdp+URAy6@calendula>
Hi,
On Mon, Nov 27, 2023 at 01:38:06PM +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> On Mon, Nov 27, 2023 at 11:49:16AM +0000, Felix Huettner wrote:
> > conntrack zones are heavily used by tools like openvswitch to run
> > multiple virtual "routers" on a single machine. In this context each
> > conntrack zone matches to a single router, thereby preventing
> > overlapping IPs from becoming issues.
> > In these systems it is common to operate on all conntrack entries of a
> > given zone, e.g. to delete them when a router is deleted. Previously this
> > required these tools to dump the full conntrack table and filter out the
> > relevant entries in userspace potentially causing performance issues.
> >
> > To do this we reuse the existing CTA_ZONE attribute. This was previously
> > parsed but not used during dump and flush requests. Now if CTA_ZONE is
> > set we filter these operations based on the provided zone.
> > However this means that users that previously passed CTA_ZONE will
> > experience a difference in functionality.
> >
> > Alternatively CTA_FILTER could have been used for the same
> > functionality. However it is not yet supported during flush requests and
> > is only available when using AF_INET or AF_INET6.
>
> You mean, AF_UNSPEC cannot be specified in CTA_FILTER?
Currently ctnetlink_parse_tuple_filter returns EOPNOTSUPP if e.g.
AF_UNSPEC is passed. This could probably be changed to only
require this for the CTA_IP_SRC and CTA_IP_DST filter flags. However I
am unsure about assumptions in other pieces of code that these fields
exist.
Also CTA_FILTER seems to be currently not supported when deleting
conntrack entries.
>
> Please, extend libnetfilter_conntrack to support for this feature,
> there is a filter API that can be used for this purpose.
I will do that and post it here (or in the next version) once I am done.
>
> Thanks.
Thanks for the fast feedback.
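As an added example, not code from the patch or from anyone on this thread: a userspace helper that builds the ctnetlink dump or flush request the patch makes zone-aware, plus the reply check a caller needs, because a kernel without the patch parses CTA_ZONE but ignores it and would act on every zone. It assumes a Linux build with the uapi netlink headers; the function names and the g_req scratch buffer are the example's own.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
/* Build an IPCTNL_MSG_CT_GET (dump) or IPCTNL_MSG_CT_DELETE (flush) request
 * carrying CTA_ZONE. With the patch the kernel limits the operation to that
 * zone; older kernels parse CTA_ZONE but ignore it. Returns length or -1. */
int build_ct_zone_request(uint8_t *buf, size_t buflen, uint8_t msg_type,
                          uint16_t zone, uint32_t seq)
{
    uint16_t zone_be = htons(zone);            /* CTA_ZONE is a big-endian u16 */
    struct nlattr nla = { NLA_HDRLEN + sizeof(zone_be), CTA_ZONE };
    /* AF_UNSPEC: zone filtering is not tied to one address family */
    struct nfgenmsg nfg = { .nfgen_family = AF_UNSPEC, .version = NFNETLINK_V0 };
    struct nlmsghdr nlh = {
        .nlmsg_len = NLMSG_SPACE(sizeof(nfg)) + NLA_ALIGN(nla.nla_len),
        .nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | msg_type,
        .nlmsg_flags = NLM_F_REQUEST | (msg_type == IPCTNL_MSG_CT_GET ? NLM_F_DUMP : NLM_F_ACK),
        .nlmsg_seq = seq,
    };
    if (buflen < nlh.nlmsg_len) return -1;
    memset(buf, 0, nlh.nlmsg_len);             /* attribute padding must be zero */
    memcpy(buf, &nlh, sizeof(nlh));            /* memcpy: no alignment assumptions */
    memcpy(buf + NLMSG_HDRLEN, &nfg, sizeof(nfg));
    memcpy(buf + NLMSG_SPACE(sizeof(nfg)), &nla, sizeof(nla));
    memcpy(buf + NLMSG_SPACE(sizeof(nfg)) + NLA_HDRLEN, &zone_be, sizeof(zone_be));
    return (int)nlh.nlmsg_len;
}
/* CTA_ZONE of one ctnetlink message: 0 (default zone) if absent, -1 if an attribute
 * is malformed. Check every dumped entry: a mismatch means CTA_ZONE was ignored. */
int ct_zone_of_message(const struct nlmsghdr *nlh)
{
    const uint8_t *end = (const uint8_t *)nlh + nlh->nlmsg_len;
    const uint8_t *p = (const uint8_t *)nlh + NLMSG_SPACE(sizeof(struct nfgenmsg));
    struct nlattr nla; uint16_t zone_be;
    for (; p + NLA_HDRLEN <= end; p += NLA_ALIGN(nla.nla_len)) {
        memcpy(&nla, p, sizeof(nla));
        if (nla.nla_len < NLA_HDRLEN || p + nla.nla_len > end)
            return -1;                         /* malformed attribute, stop walking */
        if ((nla.nla_type & NLA_TYPE_MASK) != CTA_ZONE || nla.nla_len < NLA_HDRLEN + 2)
            continue;
        memcpy(&zone_be, p + NLA_HDRLEN, sizeof(zone_be));
        return ntohs(zone_be);
    }
    return 0;
}
/* Constructed scratch buffer, aligned so the bytes can be read back as a header. */
union { struct nlmsghdr hdr; uint8_t raw[64]; } g_req;
```

Send the built bytes over an NETLINK_NETFILTER socket and run ct_zone_of_message over each reply message; the flush variant should only be sent after a dump has confirmed the kernel honours the attribute.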