* [PATCH] netfilter: ctnetlink: support CTA_FILTER for flush
@ 2024-06-20 11:35 Changliang Wu
From: Changliang Wu @ 2024-06-20 11:35 UTC
To: pablo, kadlec, davem, edumazet, kuba, pabeni
Cc: netfilter-devel, coreteam, netdev, linux-kernel, Changliang Wu
From cb8aa9a, we can use kernel side filtering for dump, but
this capability is not available for flush.
This patch allows advanced filtering with CTA_FILTER for flush.
Performance
1048576 ct flows in total, delete 50,000 flows by origin src ip
3.06s -> dump all, compare and delete
584ms -> directly flush with filter
Signed-off-by: Changliang Wu <changliang.wu@smartx.com>
---
net/netfilter/nf_conntrack_netlink.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 3b846cbdc..93afe57d9 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
};
if (ctnetlink_needs_filter(family, cda)) {
- if (cda[CTA_FILTER])
- return -EOPNOTSUPP;
-
filter = ctnetlink_alloc_filter(cda, family);
if (IS_ERR(filter))
return PTR_ERR(filter);
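Review bot: with the -EOPNOTSUPP return gone, the flush path relies entirely on ctnetlink_alloc_filter() to validate CTA_FILTER, so please confirm, and say in the changelog, that it returns an error for unknown filter flags and for a CTA_FILTER without the tuple attributes the flags refer to, instead of falling through to an unfiltered flush; a flush that silently loses its filter deletes every entry. The changelog should also cite cb8aa9a in the usual `commit <12 hex digits> ("subject")` form and name the user-visible change: a request that older kernels reject with EOPNOTSUPP now deletes entries.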
@@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
if (err < 0)
return err;
- if (cda[CTA_TUPLE_ORIG])
+ if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
family, &zone);
- else if (cda[CTA_TUPLE_REPLY])
+ else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
family, &zone);
else {
- u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
+ u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
return ctnetlink_flush_conntrack(info->net, cda,
NETLINK_CB(skb).portid,
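Review bot: on the `u8 u3 = ...` line `||` binds tighter than `?:`, so it evaluates as intended, but `(info->nfmsg->version || cda[CTA_FILTER]) ? family : AF_UNSPEC` spells that out for the next reader. The `u_int8_t` to `u8` rename is unrelated to the feature; either mention it in the changelog or leave the type alone. The two new `&& !cda[CTA_FILTER]` conditions also change semantics that deserve a sentence in the commit message: a message carrying both CTA_TUPLE_ORIG and CTA_FILTER is now a filtered flush rather than a single-entry delete, and with CTA_FILTER the family is honoured even for version 0 requests, which used to mean AF_UNSPEC.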
--
2.43.0
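The request that this patch teaches the kernel to honour, as an added example that is not part of the patch or of libnetfilter_conntrack: the block below hand-builds the nfnetlink IPCTNL_MSG_CT_DELETE message of a filtered flush, a CTA_TUPLE_ORIG nest carrying the original source address plus a CTA_FILTER nest whose CTA_FILTER_ORIG_FLAGS selects that field, then walks the finished message and classifies it the way the patched ctnetlink_del_conntrack() does: CTA_FILTER present means a filtered flush with the family honoured, a tuple without a filter means a single-entry delete, and a bare version-0 request means a flush across every family. The helper names, the struct ct_plan result and the 10.0.0.1 sample address are mine, and the code assumes Linux uapi headers from 5.8 or later; the fallback value of CTA_FILTER_F_CTA_IP_SRC is the uapi constant as I know it.

```c
/* Added example, not code from the patch or libnetfilter_conntrack: build the raw
 * nfnetlink IPCTNL_MSG_CT_DELETE request of a filtered flush (CTA_TUPLE_ORIG plus
 * CTA_FILTER) and classify it as the patched ctnetlink_del_conntrack() would. */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>	/* needs uapi headers >= 5.8 */

#ifndef CTA_FILTER_F_CTA_IP_SRC	/* absent from older headers; uapi value, assumed */
#define CTA_FILTER_F_CTA_IP_SRC (1 << 0)
#endif

enum ct_del_path { CT_DEL_TUPLE, CT_FLUSH_FILTERED, CT_FLUSH_ALL, CT_BAD_MSG };
struct ct_plan { enum ct_del_path path; int family; unsigned int len; };

/* Append one 4-byte-aligned attribute and grow nlmsg_len accordingly. */
static struct nlattr *put_attr(struct nlmsghdr *nlh, uint16_t type,
			       const void *data, uint16_t len)
{
	struct nlattr *nla = (struct nlattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
	nla->nla_type = type;
	nla->nla_len = NLA_HDRLEN + len;
	if (len)
		memcpy((char *)nla + NLA_HDRLEN, data, len);
	nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + NLA_ALIGN(nla->nla_len);
	return nla;
}
#define nest_start(nlh, type) put_attr((nlh), (type) | NLA_F_NESTED, NULL, 0)
#define nest_end(nlh, nest) ((nest)->nla_len = (uint16_t)((char *)(nlh) + (nlh)->nlmsg_len - (char *)(nest)))

/* orig_src and as_filter set: flush every IPv4 entry whose original source is
 * orig_src. Neither set: the legacy flush-all request. (A single-entry delete
 * would also need CTA_TUPLE_PROTO and the destination; it is not built here.) */
static struct nlmsghdr *build_ct_delete(void *buf, size_t bufsz,
					const char *orig_src, int as_filter)
{
	struct nlmsghdr *nlh = buf;
	struct nfgenmsg *nfg;
	struct nlattr *nest, *ip;
	uint32_t flags = CTA_FILTER_F_CTA_IP_SRC;	/* compare only the source address */
	struct in_addr a;
	if (bufsz < 128)
		return NULL;
	memset(buf, 0, bufsz);
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*nfg));
	nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	nfg = NLMSG_DATA(nlh);
	nfg->nfgen_family = AF_INET;
	nfg->version = NFNETLINK_V0;	/* 0: family only honoured when CTA_FILTER is present */
	if (orig_src) {
		if (inet_pton(AF_INET, orig_src, &a) != 1)
			return NULL;
		nest = nest_start(nlh, CTA_TUPLE_ORIG);
		ip = nest_start(nlh, CTA_TUPLE_IP);
		put_attr(nlh, CTA_IP_V4_SRC, &a.s_addr, sizeof(a.s_addr));
		nest_end(nlh, ip);
		nest_end(nlh, nest);
	}
	if (as_filter) {
		nest = nest_start(nlh, CTA_FILTER);
		put_attr(nlh, CTA_FILTER_ORIG_FLAGS, &flags, sizeof(flags));
		nest_end(nlh, nest);
	}
	return nlh;
}

/* Walk the top-level attributes and apply the patched decision: CTA_FILTER wins
 * over a tuple, and the family is honoured when a tuple or a filter is present
 * or version != 0; a bare version-0 request flushes every family (AF_UNSPEC). */
static struct ct_plan classify(const struct nlmsghdr *nlh)
{
	struct ct_plan out = { CT_BAD_MSG, -1, 0 };
	const struct nfgenmsg *nfg;
	const unsigned char *p, *end;
	int have_tuple = 0, have_filter = 0;
	if (!nlh || nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*nfg)))
		return out;
	nfg = (const struct nfgenmsg *)((const char *)nlh + NLMSG_HDRLEN);
	p = (const unsigned char *)nfg + NLMSG_ALIGN(sizeof(*nfg));
	end = (const unsigned char *)nlh + nlh->nlmsg_len;
	while (p + NLA_HDRLEN <= end) {
		const struct nlattr *nla = (const struct nlattr *)p;
		uint16_t type = nla->nla_type & NLA_TYPE_MASK;
		if (nla->nla_len < NLA_HDRLEN || p + nla->nla_len > end)
			return out;	/* truncated or malformed attribute */
		have_tuple |= (type == CTA_TUPLE_ORIG || type == CTA_TUPLE_REPLY);
		have_filter |= (type == CTA_FILTER);
		p += NLA_ALIGN(nla->nla_len);
	}
	out.path = have_filter ? CT_FLUSH_FILTERED : have_tuple ? CT_DEL_TUPLE : CT_FLUSH_ALL;
	out.family = (have_tuple || have_filter || nfg->version) ? nfg->nfgen_family : AF_UNSPEC;
	out.len = nlh->nlmsg_len;
	return out;
}
```

Sending it takes CAP_NET_ADMIN: open an AF_NETLINK, NETLINK_NETFILTER socket, sendto() the built message and read the NLMSG_ERROR acknowledgement. On a kernel without this patch the answer is -EOPNOTSUPP from the guard the first hunk removes and nothing is flushed; on a patched kernel every IPv4 entry whose original source is the given address goes, regardless of protocol, because only the CTA_FILTER_F_CTA_IP_SRC bit is set.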
* Re: [PATCH] netfilter: ctnetlink: support CTA_FILTER for flush
@ 2024-07-11 5:40 ` Changliang Wu
From: Changliang Wu @ 2024-07-11 5:40 UTC
To: pablo, kadlec, davem, edumazet, kuba, pabeni
Cc: netfilter-devel, coreteam, netdev, linux-kernel
PING
* Re: [PATCH] netfilter: ctnetlink: support CTA_FILTER for flush
@ 2024-08-19 18:47 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-08-19 18:47 UTC
To: Changliang Wu
Cc: kadlec, davem, edumazet, kuba, pabeni, netfilter-devel, coreteam,
netdev, linux-kernel
Please, provide an example program for libnetfilter_conntrack.
See:
commit 27f09380ebb0fc21c4cd20070b828a27430b5de1
Author: Felix Huettner <felix.huettner@mail.schwarz>
Date: Tue Dec 5 09:35:16 2023 +0000
conntrack: support flush filtering
for instance.
thanks
On Thu, Jul 11, 2024 at 01:40:02PM +0800, Changliang Wu wrote:
> PING
* Re: [PATCH] netfilter: ctnetlink: support CTA_FILTER for flush
@ 2024-08-22 7:58 ` Changliang Wu
From: Changliang Wu @ 2024-08-22 7:58 UTC
To: Pablo Neira Ayuso
Cc: kadlec, davem, edumazet, kuba, pabeni, netfilter-devel, coreteam,
netdev, linux-kernel
diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c
index fd2d002..18d941b 100644
--- a/src/conntrack/filter_dump.c
+++ b/src/conntrack/filter_dump.c
@@ -68,9 +68,5 @@ int __build_filter_dump(struct nfnlhdr *req, size_t size,
int __build_filter_flush(struct nfnlhdr *req, size_t size,
const struct nfct_filter_dump *filter_dump)
{
- if (filter_dump->set & (1 << NFCT_FILTER_DUMP_TUPLE)) {
- errno = ENOTSUP;
- return -1;
- }
return nfct_nlmsg_build_filter(&req->nlh, filter_dump);
}
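Review bot: dropping the ENOTSUP return means __build_filter_flush() now sends a CTA_FILTER-carrying flush to whatever kernel is running. A kernel with the old ctnetlink guard fails the query with EOPNOTSUPP, so the caller still gets an error, but nothing here says so; add a comment that the capability check has moved into the kernel, and verify against a kernel that predates CTA_FILTER altogether that the attribute is rejected rather than ignored, since an ignored filter turns this request into a full flush.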
diff --git a/utils/Makefile.am b/utils/Makefile.am
index 7e7aef4..50a1c7c 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -11,6 +11,7 @@ check_PROGRAMS = expect_dump expect_create
expect_get expect_delete \
conntrack_dump_filter \
conntrack_dump_filter_tuple \
conntrack_flush_filter \
+ conntrack_flush_filter_tuple \
ctexp_events
conntrack_grp_create_SOURCES = conntrack_grp_create.c
@@ -46,6 +47,9 @@ conntrack_flush_LDADD = ../src/libnetfilter_conntrack.la
conntrack_flush_filter_SOURCES = conntrack_flush_filter.c
conntrack_flush_filter_LDADD = ../src/libnetfilter_conntrack.la
+conntrack_flush_filter_tuple_SOURCES = conntrack_flush_filter_tuple.c
+conntrack_flush_filter_tuple_LDADD = ../src/libnetfilter_conntrack.la
+
conntrack_events_SOURCES = conntrack_events.c
conntrack_events_LDADD = ../src/libnetfilter_conntrack.la
diff --git a/utils/conntrack_flush_filter_tuple.c
b/utils/conntrack_flush_filter_tuple.c
new file mode 100644
index 0000000..f2bf558
--- /dev/null
+++ b/utils/conntrack_flush_filter_tuple.c
@@ -0,0 +1,61 @@
+#include <arpa/inet.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+static int cb(enum nf_conntrack_msg_type type, struct nf_conntrack *ct,
+ void *data) {
+ char buf[1024];
+
+ nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT,
+ NFCT_OF_SHOW_LAYER3 | NFCT_OF_TIMESTAMP);
+ printf("%s\n", buf);
+
+ return NFCT_CB_CONTINUE;
+}
+
+int main(void) {
+ int ret;
+ struct nfct_handle *h;
+
+ h = nfct_open(CONNTRACK, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+ struct nfct_filter_dump *filter_dump = nfct_filter_dump_create();
+ if (filter_dump == NULL) {
+ perror("nfct_filter_dump_alloc");
+ return -1;
+ }
+
+ struct nf_conntrack *ct;
+ ct = nfct_new();
+ if (!ct) {
+ perror("nfct_new");
+ return 0;
+ }
+
+ nfct_set_attr_u8(ct, ATTR_ORIG_L3PROTO, AF_INET);
+ nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
+ nfct_set_attr_u32(ct, ATTR_ORIG_IPV4_DST, inet_addr("192.168.1.1"));
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_TUPLE, ct);
+
+ nfct_callback_register(h, NFCT_T_ALL, cb, NULL);
+ ret = nfct_query(h, NFCT_Q_FLUSH_FILTER, filter_dump);
+
+ nfct_filter_dump_destroy(filter_dump);
+
+ printf("TEST: get conntrack ");
+ if (ret == -1)
+ printf("(%d)(%s)\n", ret, strerror(errno));
+ else
+ printf("(OK)\n");
+
+ nfct_close(h);
+
+ ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
+}
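Review bot: the error handling in this new file is inconsistent: `perror("nfct_filter_dump_alloc")` names a call that is not made (the call is nfct_filter_dump_create()), the nfct_new() failure path returns 0 and so reports success, the two early returns after nfct_open() leak the handle, `ct` is never released with nfct_destroy(), and the result line says "TEST: get conntrack" for what is a flush. Suggest returning EXIT_FAILURE on every error path, closing the handle and destroying the filter before returning, and labelling the output "TEST: flush conntrack". A one-line comment at the top that the program deletes every ICMP entry whose original destination is 192.168.1.1 on the running system would also help, since it is built under check_PROGRAMS.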
Thank you for your reply.
Here is an example patch for conntrack_flush_filter_tuple above.
On Tue, Aug 20, 2024 at 02:47, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> Please, provide an example program for libnetfilter_conntrack.
>
> See:
>
> commit 27f09380ebb0fc21c4cd20070b828a27430b5de1
> Author: Felix Huettner <felix.huettner@mail.schwarz>
> Date: Tue Dec 5 09:35:16 2023 +0000
>
> conntrack: support flush filtering
>
> for instance.
>
> thanks