* [PATCH 1/4] nfct: call register callback on opened handler
2012-12-28 17:29 [Ulogd PATCH 0/4] Implement filter for NFCT Eric Leblond
@ 2012-12-28 17:29 ` Eric Leblond
2012-12-28 17:29 ` [PATCH 2/4] addr: add file containing addr utility functions Eric Leblond
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2012-12-28 17:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: Eric Leblond
nfctp_callback_register was called on the regular handler instead
of begin called on the newly opened handler dedicated to the dump.
Signed-off-by: Eric Leblond <eric@regit.org>
---
input/flow/ulogd_inpflow_NFCT.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 0946b4c..489c9e0 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -1063,7 +1063,7 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
goto err_ovh;
}
- nfct_callback_register(cpi->cth, NFCT_T_ALL,
+ nfct_callback_register(h, NFCT_T_ALL,
&event_handler_hashtable, upi);
nfct_query(h, NFCT_Q_DUMP, &family);
nfct_close(h);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 2/4] addr: add file containing addr utility functions.
2012-12-28 17:29 [Ulogd PATCH 0/4] Implement filter for NFCT Eric Leblond
2012-12-28 17:29 ` [PATCH 1/4] nfct: call register callback on opened handler Eric Leblond
@ 2012-12-28 17:29 ` Eric Leblond
2012-12-28 17:30 ` [PATCH 3/4] nfct: implement src and dst filter Eric Leblond
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2012-12-28 17:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: Eric Leblond
Signed-off-by: Eric Leblond <eric@regit.org>
---
include/ulogd/addr.h | 18 ++++++++
src/Makefile.am | 2 +-
src/addr.c | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 include/ulogd/addr.h
create mode 100644 src/addr.c
diff --git a/include/ulogd/addr.h b/include/ulogd/addr.h
new file mode 100644
index 0000000..9c91270
--- /dev/null
+++ b/include/ulogd/addr.h
@@ -0,0 +1,18 @@
+#ifndef _ADDR_H
+#define _ADDR_H
+
+u_int32_t ulogd_bits2netmask(int bits);
+void ulogd_ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res);
+void ulogd_ipv6_addr2addr_host(uint32_t *addr, uint32_t *res);
+
+struct ulogd_addr {
+ union {
+ uint32_t ipv4;
+ uint32_t ipv6[4];
+ } in;
+ uint32_t netmask;
+};
+
+int ulogd_parse_addr(char *string, size_t len, struct ulogd_addr *addr);
+
+#endif
diff --git a/src/Makefile.am b/src/Makefile.am
index 115ddd5..e462cb2 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = ${regular_CFLAGS}
sbin_PROGRAMS = ulogd
-ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c
+ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c addr.c
ulogd_LDADD = ${libdl_LIBS}
ulogd_LDFLAGS = -export-dynamic
diff --git a/src/addr.c b/src/addr.c
new file mode 100644
index 0000000..05320fe
--- /dev/null
+++ b/src/addr.c
@@ -0,0 +1,113 @@
+/* ulogd
+ *
+ * userspace logging daemon for the iptables ULOG target
+ * of the linux 2.4 netfilter subsystem.
+ *
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2012 by Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <arpa/inet.h>
+
+#include <ulogd/ulogd.h>
+#include <ulogd/addr.h>
+
+u_int32_t ulogd_bits2netmask(int bits)
+{
+ u_int32_t netmask, bm;
+
+ if (bits >= 32 || bits < 0)
+ return(~0);
+ for (netmask = 0, bm = 0x80000000; bits; bits--, bm >>= 1)
+ netmask |= bm;
+ return netmask;
+}
+
+
+void ulogd_ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res)
+{
+ int i, j;
+
+ memset(res, 0, sizeof(uint32_t)*4);
+ for (i = 0; i < 4 && cidr > 32; i++) {
+ res[i] = 0xFFFFFFFF;
+ cidr -= 32;
+ }
+ res[i] = 0xFFFFFFFF << (32 - cidr);
+ for (j = i+1; j < 4; j++) {
+ res[j] = 0;
+ }
+}
+
+/* I need this function because I initially defined an IPv6 address as
+ * uint32 u[4]. Using char u[16] instead would allow to remove this. */
+void ulogd_ipv6_addr2addr_host(uint32_t *addr, uint32_t *res)
+{
+ int i;
+
+ memset(res, 0, sizeof(uint32_t)*4);
+ for (i = 0; i < 4; i++) {
+ res[i] = ntohl(addr[i]);
+ }
+}
+
+int ulogd_parse_addr(char *string, size_t len, struct ulogd_addr *addr)
+{
+ char filter_addr[128];
+ char *slash;
+ char *ddash;
+ if ((ddash = strchr(string, ':')) && (ddash - string < len)) {
+ struct in6_addr raddr;
+ int i;
+ slash = strchr(string, '/');
+ if (slash == NULL) {
+ ulogd_log(ULOGD_FATAL,
+ "No network specified\n");
+ return -1;
+ }
+
+ strncpy(filter_addr, string,
+ slash - string);
+ filter_addr[slash - string] = 0;
+ if (inet_pton(AF_INET6, filter_addr, (void *)&raddr)
+ != 1) {
+ ulogd_log(ULOGD_FATAL,
+ "error reading address\n");
+ return -1;
+ }
+ for(i = 0; i < 4; i++)
+ addr->in.ipv6[i] = raddr.s6_addr32[i];
+ addr->netmask = atoi(slash + 1);
+
+ return AF_INET6;
+ }
+ if ((ddash = strchr(string, '.')) && (ddash - string < len)) {
+ slash = strchr(string, '/');
+ if (slash == NULL) {
+ ulogd_log(ULOGD_FATAL,
+ "No network specified\n");
+ return -1;
+ }
+ strncpy(filter_addr, string,
+ slash - string);
+ filter_addr[slash - string] = 0;
+ addr->in.ipv4 = inet_addr(filter_addr);
+ addr->netmask = atoi(slash + 1);
+
+ return AF_INET;
+ }
+ return -1;
+}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 3/4] nfct: implement src and dst filter
2012-12-28 17:29 [Ulogd PATCH 0/4] Implement filter for NFCT Eric Leblond
2012-12-28 17:29 ` [PATCH 1/4] nfct: call register callback on opened handler Eric Leblond
2012-12-28 17:29 ` [PATCH 2/4] addr: add file containing addr utility functions Eric Leblond
@ 2012-12-28 17:30 ` Eric Leblond
2012-12-28 17:30 ` [PATCH 4/4] nfct: add protocol filter Eric Leblond
2013-01-05 9:57 ` [Ulogd PATCH 0/4] Implement filter for NFCT Eric Leblond
4 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2012-12-28 17:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: Eric Leblond
This patch implements two filtering options in NFCT input plugin.
If 'accept_src_filter' is set to a network it will only catch the
event where the source is that specific network. 'accept_dst_filter'
does the same for the destination.
Signed-off-by: Eric Leblond <eric@regit.org>
---
input/flow/ulogd_inpflow_NFCT.c | 216 ++++++++++++++++++++++++++++++++++++++-
ulogd.conf.in | 4 +
2 files changed, 218 insertions(+), 2 deletions(-)
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 489c9e0..b3e48d7 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -43,6 +43,7 @@
#include <ulogd/ulogd.h>
#include <ulogd/timer.h>
#include <ulogd/ipfix_protocol.h>
+#include <ulogd/addr.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
@@ -72,7 +73,7 @@ struct nfct_pluginstance {
#define EVENT_MASK NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
static struct config_keyset nfct_kset = {
- .num_ces = 9,
+ .num_ces = 11,
.ces = {
{
.key = "pollinterval",
@@ -128,6 +129,16 @@ static struct config_keyset nfct_kset = {
.options = CONFIG_OPT_NONE,
.u.value = 0,
},
+ {
+ .key = "accept_src_filter",
+ .type = CONFIG_TYPE_STRING,
+ .options = CONFIG_OPT_NONE,
+ },
+ {
+ .key = "accept_dst_filter",
+ .type = CONFIG_TYPE_STRING,
+ .options = CONFIG_OPT_NONE,
+ },
},
};
#define pollint_ce(x) (x->ces[0])
@@ -139,6 +150,8 @@ static struct config_keyset nfct_kset = {
#define nlsockbufmaxsize_ce(x) (x->ces[6])
#define nlresynctimeout_ce(x) (x->ces[7])
#define reliable_ce(x) (x->ces[8])
+#define src_filter_ce(x) ((x)->ces[9])
+#define dst_filter_ce(x) ((x)->ces[10])
enum nfct_keys {
NFCT_ORIG_IP_SADDR = 0,
@@ -993,11 +1006,200 @@ static void overrun_timeout(struct ulogd_timer *a, void *data)
nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
}
+
+#define NFCT_SRC_DIR 1
+#define NFCT_DST_DIR 2
+
+static inline int nfct_set_dir(int dir, int *filter_dir_ipv4, int *filter_dir_ipv6)
+{
+ switch (dir) {
+ case NFCT_DST_DIR:
+ *filter_dir_ipv4 = NFCT_FILTER_DST_IPV4;
+ *filter_dir_ipv6 = NFCT_FILTER_DST_IPV6;
+ break;
+ case NFCT_SRC_DIR:
+ *filter_dir_ipv4 = NFCT_FILTER_SRC_IPV4;
+ *filter_dir_ipv6 = NFCT_FILTER_SRC_IPV6;
+ break;
+ default:
+ ulogd_log(ULOGD_FATAL,
+ "Invalid direction %d\n",
+ dir);
+ return -1;
+ }
+ return 0;
+}
+
+static int nfct_add_to_filter(struct nfct_filter *filter,
+ struct ulogd_addr *addr,
+ int l3, int dir)
+{
+ int filter_dir_ipv4;
+ int filter_dir_ipv6;
+
+ if (nfct_set_dir(dir, &filter_dir_ipv4, &filter_dir_ipv6) == -1)
+ return -1;
+
+ switch (l3) {
+ case AF_INET6:
+ {
+ struct nfct_filter_ipv6 filter_ipv6;
+ /* BSF always wants data in host-byte order */
+ ulogd_ipv6_addr2addr_host(addr->in.ipv6, filter_ipv6.addr);
+ ulogd_ipv6_cidr2mask_host(addr->netmask, filter_ipv6.mask);
+
+ nfct_filter_set_logic(filter,
+ filter_dir_ipv6,
+ NFCT_FILTER_LOGIC_POSITIVE);
+ nfct_filter_add_attr(filter,
+ filter_dir_ipv6,
+ &filter_ipv6);
+ }
+ break;
+ case AF_INET:
+ {
+ /* BSF always wants data in host-byte order */
+ struct nfct_filter_ipv4 filter_ipv4 = {
+ .addr = ntohl(addr->in.ipv4),
+ .mask = ulogd_bits2netmask(addr->netmask),
+ };
+
+ nfct_filter_set_logic(filter,
+ filter_dir_ipv4,
+ NFCT_FILTER_LOGIC_POSITIVE);
+ nfct_filter_add_attr(filter, filter_dir_ipv4,
+ &filter_ipv4);
+ }
+ break;
+ default:
+ ulogd_log(ULOGD_FATAL, "Invalid protocol %d\n", l3);
+ return -1;
+ }
+ return 0;
+}
+
+static int build_nfct_filter_dir(struct nfct_filter *filter, char* filter_string, int dir)
+{
+ char *from = filter_string;
+ char *comma;
+ struct ulogd_addr addr;
+ int has_ipv4 = 0;
+ int has_ipv6 = 0;
+
+ while ((comma = strchr(from, ',')) != NULL) {
+ size_t len = comma - from;
+ switch(ulogd_parse_addr(from, len, &addr)) {
+ case AF_INET:
+ nfct_add_to_filter(filter, &addr, AF_INET, dir);
+ has_ipv4 = 1;
+ break;
+ case AF_INET6:
+ nfct_add_to_filter(filter, &addr, AF_INET6, dir);
+ has_ipv6 = 1;
+ break;
+ default:
+ return -1;
+ }
+ from += len + 1;
+ }
+ switch(ulogd_parse_addr(from, strlen(from), &addr)) {
+ case AF_INET:
+ nfct_add_to_filter(filter, &addr, AF_INET, dir);
+ has_ipv4 = 1;
+ break;
+ case AF_INET6:
+ nfct_add_to_filter(filter, &addr, AF_INET6, dir);
+ has_ipv6 = 1;
+ break;
+ default:
+ return -1;
+ }
+
+ if (!has_ipv6) {
+ struct nfct_filter_ipv6 filter_ipv6;
+ int filter_dir_ipv4;
+ int filter_dir_ipv6;
+ if (nfct_set_dir(dir, &filter_dir_ipv4, &filter_dir_ipv6) == -1)
+ return -1;
+ nfct_filter_set_logic(filter,
+ filter_dir_ipv6,
+ NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_add_attr(filter, filter_dir_ipv6,
+ &filter_ipv6);
+ }
+ if (!has_ipv4) {
+ struct nfct_filter_ipv4 filter_ipv4;
+ int filter_dir_ipv4;
+ int filter_dir_ipv6;
+ if (nfct_set_dir(dir, &filter_dir_ipv4, &filter_dir_ipv6) == -1)
+ return -1;
+ nfct_filter_set_logic(filter,
+ filter_dir_ipv4,
+ NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_add_attr(filter, filter_dir_ipv4,
+ &filter_ipv4);
+ }
+
+ return 0;
+}
+
+static int build_nfct_filter(struct ulogd_pluginstance *upi)
+{
+ struct nfct_pluginstance *cpi =
+ (struct nfct_pluginstance *)upi->private;
+ struct nfct_filter *filter = NULL;
+
+ if (!cpi->cth) {
+ ulogd_log(ULOGD_FATAL, "Refusing to attach NFCT filter to NULL handler\n");
+ goto err_init;
+ }
+
+ filter = nfct_filter_create();
+ if (!filter) {
+ ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
+ goto err_init;
+ }
+
+ if (strlen(src_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = src_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_dir(filter, filter_string, NFCT_SRC_DIR) != 0) {
+ ulogd_log(ULOGD_FATAL,
+ "Unable to create src filter\n");
+ goto err_filter;
+ }
+ }
+ if (strlen(dst_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = dst_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_dir(filter, filter_string, NFCT_DST_DIR) != 0) {
+ ulogd_log(ULOGD_FATAL,
+ "Unable to create dst filter\n");
+ goto err_filter;
+ }
+ }
+
+ if (filter) {
+ if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
+ ulogd_log(ULOGD_FATAL, "nfct_filter_attach");
+ }
+
+ /* release the filter object, this does not detach the filter */
+ nfct_filter_destroy(filter);
+ }
+
+ return 0;
+
+err_filter:
+ nfct_filter_destroy(filter);
+err_init:
+ return -1;
+}
+
static int constructor_nfct_events(struct ulogd_pluginstance *upi)
{
struct nfct_pluginstance *cpi =
(struct nfct_pluginstance *)upi->private;
+
cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK,
eventmask_ce(upi->config_kset).u.value);
if (!cpi->cth) {
@@ -1005,9 +1207,19 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
goto err_cth;
}
+ if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
+ (strlen(dst_filter_ce(upi->config_kset).u.string) != 0)
+ ) {
+ if (build_nfct_filter(upi) != 0) {
+ ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
+ goto err_cth;
+ }
+ }
+
+
if (usehash_ce(upi->config_kset).u.value != 0) {
nfct_callback_register(cpi->cth, NFCT_T_ALL,
- &event_handler_hashtable, upi);
+ &event_handler_hashtable, upi);
} else {
nfct_callback_register(cpi->cth, NFCT_T_ALL,
&event_handler_no_hashtable, upi);
diff --git a/ulogd.conf.in b/ulogd.conf.in
index 6aff802..fa1fbf2 100644
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -125,6 +125,10 @@ plugin="@pkglibdir@/ulogd_output_GRAPHITE.so"
#netlink_socket_buffer_maxsize=1085440
#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
#pollinterval=10 # use poll-based logging instead of event-driven
+# If pollinterval is not set, NFCT plugin will work in event mode
+# In this case, you can use the following filters on events:
+#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
+#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
[ct2]
#netlink_socket_buffer_size=217088
--
1.7.10.4
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 4/4] nfct: add protocol filter
2012-12-28 17:29 [Ulogd PATCH 0/4] Implement filter for NFCT Eric Leblond
` (2 preceding siblings ...)
2012-12-28 17:30 ` [PATCH 3/4] nfct: implement src and dst filter Eric Leblond
@ 2012-12-28 17:30 ` Eric Leblond
2013-01-05 9:57 ` [Ulogd PATCH 0/4] Implement filter for NFCT Eric Leblond
4 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2012-12-28 17:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: Eric Leblond
This patch adds a new configuration variable which is used to limit
conntrack event to connection of these protocols:
For example:
accept_proto_filter=tcp,sctp
Signed-off-by: Eric Leblond <eric@regit.org>
---
input/flow/ulogd_inpflow_NFCT.c | 60 +++++++++++++++++++++++++++++++++++++--
ulogd.conf.in | 1 +
2 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index b3e48d7..3889b10 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -36,6 +36,7 @@
#include <sys/time.h>
#include <time.h>
#include <netinet/in.h>
+#include <netdb.h>
#include <ulogd/linuxlist.h>
#include <ulogd/jhash.h>
#include <ulogd/hash.h>
@@ -73,7 +74,7 @@ struct nfct_pluginstance {
#define EVENT_MASK NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
static struct config_keyset nfct_kset = {
- .num_ces = 11,
+ .num_ces = 12,
.ces = {
{
.key = "pollinterval",
@@ -139,6 +140,11 @@ static struct config_keyset nfct_kset = {
.type = CONFIG_TYPE_STRING,
.options = CONFIG_OPT_NONE,
},
+ {
+ .key = "accept_proto_filter",
+ .type = CONFIG_TYPE_STRING,
+ .options = CONFIG_OPT_NONE,
+ },
},
};
#define pollint_ce(x) (x->ces[0])
@@ -152,6 +158,7 @@ static struct config_keyset nfct_kset = {
#define reliable_ce(x) (x->ces[8])
#define src_filter_ce(x) ((x)->ces[9])
#define dst_filter_ce(x) ((x)->ces[10])
+#define proto_filter_ce(x) ((x)->ces[11])
enum nfct_keys {
NFCT_ORIG_IP_SADDR = 0,
@@ -1143,6 +1150,46 @@ static int build_nfct_filter_dir(struct nfct_filter *filter, char* filter_string
return 0;
}
+static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_string)
+{
+ char *from = filter_string;
+ char *comma;
+ struct protoent * pent = NULL;
+
+ while ((comma = strchr(from, ',')) != NULL) {
+ size_t len = comma - from;
+ *comma = 0;
+ pent = getprotobyname(from);
+ if (pent == NULL) {
+ ulogd_log(ULOGD_FATAL, "Unknown protocol\n");
+ endprotoent();
+ return -1;
+ }
+ ulogd_log(ULOGD_NOTICE, "adding proto to filter: \"%s\" (%d)\n",
+ pent->p_name, pent->p_proto
+ );
+ nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO,
+ pent->p_proto);
+ from += len + 1;
+ }
+ pent = getprotobyname(from);
+ if (pent == NULL) {
+ ulogd_log(ULOGD_FATAL, "Unknown protocol %s\n", from);
+ endprotoent();
+ return -1;
+ }
+ ulogd_log(ULOGD_NOTICE, "adding proto to filter: \"%s (%d)\"\n",
+ pent->p_name, pent->p_proto
+ );
+ nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO,
+ pent->p_proto);
+
+
+ endprotoent();
+ return 0;
+}
+
+
static int build_nfct_filter(struct ulogd_pluginstance *upi)
{
struct nfct_pluginstance *cpi =
@@ -1176,6 +1223,14 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
goto err_filter;
}
}
+ if (strlen(proto_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = proto_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_proto(filter, filter_string) != 0) {
+ ulogd_log(ULOGD_FATAL,
+ "Unable to create proto filter\n");
+ goto err_filter;
+ }
+ }
if (filter) {
if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
@@ -1208,7 +1263,8 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
}
if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
- (strlen(dst_filter_ce(upi->config_kset).u.string) != 0)
+ (strlen(dst_filter_ce(upi->config_kset).u.string) != 0) ||
+ (strlen(proto_filter_ce(upi->config_kset).u.string) != 0)
) {
if (build_nfct_filter(upi) != 0) {
ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
diff --git a/ulogd.conf.in b/ulogd.conf.in
index fa1fbf2..783cb2b 100644
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -129,6 +129,7 @@ plugin="@pkglibdir@/ulogd_output_GRAPHITE.so"
# In this case, you can use the following filters on events:
#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
+#accept_proto_filter=tcp,sctp # layer 4 proto of connections
[ct2]
#netlink_socket_buffer_size=217088
--
1.7.10.4
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [Ulogd PATCH 0/4] Implement filter for NFCT
2012-12-28 17:29 [Ulogd PATCH 0/4] Implement filter for NFCT Eric Leblond
` (3 preceding siblings ...)
2012-12-28 17:30 ` [PATCH 4/4] nfct: add protocol filter Eric Leblond
@ 2013-01-05 9:57 ` Eric Leblond
4 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2013-01-05 9:57 UTC (permalink / raw)
To: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 395 bytes --]
Hi,
On Fri, 2012-12-28 at 18:29 +0100, Eric Leblond wrote:
> Hello,
>
> This patchset implements filtering capability in NFCT input plugin. For
> now this is only possible when NFCT is used in event mode as the
> libnetfilter_conntrack library does not support filtering of dump.
Patches pushed to git tree.
BR,
--
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread