[Ulogd PATCH 0/4] Implement filter for NFCT

[Ulogd PATCH 0/4] Implement filter for NFCT

[Eric Leblond]

Hello,

This patchset implements filtering capability in NFCT input plugin. For
now this is only possible when NFCT is used in event mode as the
libnetfilter_conntrack library does not support filtering of dump.

It adds a set of variable t the configuration of a NFCT capture in
ulogd.conf:

# source ip of connection must belong to these networks
accept_src_filter=192.168.1.0/24,1:2::/64 
# destination ip of connection must belong to these networks
accept_dst_filter=192.168.1.0/24 
# layer 4 proto of connections
accept_proto_filter=tcp,sctp

Patchset statistics:
 include/ulogd/addr.h            |   18 +++
 input/flow/ulogd_inpflow_NFCT.c |  274 ++++++++++++++++++++++++++++++++-
 src/Makefile.am                 |    2 +-
 src/addr.c                      |  113 ++++++++++++++
 ulogd.conf.in                   |    5 +
 5 files changed, 408 insertions(+), 4 deletions(-)

BR,
--
Eric Leblond <eric@regit.org>

[PATCH 1/4] nfct: call register callback on opened handler

[Eric Leblond]

nfctp_callback_register was called on the regular handler instead
of begin called on the newly opened handler dedicated to the dump.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 input/flow/ulogd_inpflow_NFCT.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 0946b4c..489c9e0 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -1063,7 +1063,7 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
 			goto err_ovh;
 		}
-		nfct_callback_register(cpi->cth, NFCT_T_ALL,
+		nfct_callback_register(h, NFCT_T_ALL,
 				       &event_handler_hashtable, upi);
 		nfct_query(h, NFCT_Q_DUMP, &family);
 		nfct_close(h);
-- 
1.7.10.4

[PATCH 2/4] addr: add file containing addr utility functions.

[Eric Leblond]

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/ulogd/addr.h |   18 ++++++++
 src/Makefile.am      |    2 +-
 src/addr.c           |  113 ++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 include/ulogd/addr.h
 create mode 100644 src/addr.c

diff --git a/include/ulogd/addr.h b/include/ulogd/addr.h
new file mode 100644
index 0000000..9c91270
--- /dev/null
+++ b/include/ulogd/addr.h
@@ -0,0 +1,18 @@
+#ifndef _ADDR_H
+#define _ADDR_H
+
+u_int32_t ulogd_bits2netmask(int bits);
+void ulogd_ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res);
+void ulogd_ipv6_addr2addr_host(uint32_t *addr, uint32_t *res);
+
+struct ulogd_addr {
+	union {
+		uint32_t ipv4;
+		uint32_t ipv6[4];
+	} in;
+	uint32_t netmask;
+};
+
+int ulogd_parse_addr(char *string, size_t len, struct ulogd_addr *addr);
+
+#endif
diff --git a/src/Makefile.am b/src/Makefile.am
index 115ddd5..e462cb2 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = ${regular_CFLAGS}
 
 sbin_PROGRAMS = ulogd
 
-ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c
+ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c addr.c
 ulogd_LDADD   = ${libdl_LIBS}
 ulogd_LDFLAGS = -export-dynamic
diff --git a/src/addr.c b/src/addr.c
new file mode 100644
index 0000000..05320fe
--- /dev/null
+++ b/src/addr.c
@@ -0,0 +1,113 @@
+/* ulogd
+ *
+ * userspace logging daemon for the iptables ULOG target
+ * of the linux 2.4 netfilter subsystem.
+ *
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2012 by Eric Leblond <eric@regit.org>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 
+ *  as published by the Free Software Foundation
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <arpa/inet.h>
+
+#include <ulogd/ulogd.h>
+#include <ulogd/addr.h>
+
+u_int32_t ulogd_bits2netmask(int bits)
+{
+	u_int32_t netmask, bm;
+
+	if (bits >= 32 || bits < 0)
+		return(~0);
+	for (netmask = 0, bm = 0x80000000; bits; bits--, bm >>= 1)
+		netmask |= bm;
+	return netmask;
+}
+
+
+void ulogd_ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res)
+{
+	int i, j;
+
+	memset(res, 0, sizeof(uint32_t)*4);
+	for (i = 0;  i < 4 && cidr > 32; i++) {
+		res[i] = 0xFFFFFFFF;
+		cidr -= 32;
+	}
+	res[i] = 0xFFFFFFFF << (32 - cidr);
+	for (j = i+1; j < 4; j++) {
+		res[j] = 0;
+	}
+}
+
+/* I need this function because I initially defined an IPv6 address as
+ * uint32 u[4]. Using char u[16] instead would allow to remove this. */
+void ulogd_ipv6_addr2addr_host(uint32_t *addr, uint32_t *res)
+{
+	int i;
+
+	memset(res, 0, sizeof(uint32_t)*4);
+	for (i = 0;  i < 4; i++) {
+		res[i] = ntohl(addr[i]);
+	}
+}
+
+int ulogd_parse_addr(char *string, size_t len, struct ulogd_addr *addr)
+{
+	char filter_addr[128];
+	char *slash;
+	char *ddash;
+	if ((ddash = strchr(string, ':')) && (ddash - string < len)) {
+		struct in6_addr raddr;
+		int i;
+		slash = strchr(string, '/');
+		if (slash == NULL) {
+			ulogd_log(ULOGD_FATAL,
+					"No network specified\n");
+			return -1;
+		}
+
+		strncpy(filter_addr, string,
+				slash - string);
+		filter_addr[slash - string] = 0;
+		if (inet_pton(AF_INET6, filter_addr, (void *)&raddr)
+				!= 1) {
+			ulogd_log(ULOGD_FATAL,
+					"error reading address\n");
+			return -1;
+		}
+		for(i = 0; i < 4; i++)
+			addr->in.ipv6[i] = raddr.s6_addr32[i];
+		addr->netmask = atoi(slash + 1);
+
+		return AF_INET6;
+	}
+	if ((ddash = strchr(string, '.')) && (ddash - string < len)) {
+		slash = strchr(string, '/');
+		if (slash == NULL) {
+			ulogd_log(ULOGD_FATAL,
+					"No network specified\n");
+			return -1;
+		}
+		strncpy(filter_addr, string,
+				slash - string);
+		filter_addr[slash - string] = 0;
+		addr->in.ipv4 = inet_addr(filter_addr);
+		addr->netmask = atoi(slash + 1);
+
+		return AF_INET;
+	}
+	return -1;
+}
-- 
1.7.10.4

[PATCH 3/4] nfct: implement src and dst filter

[Eric Leblond]

This patch implements two filtering options in NFCT input plugin.
If 'accept_src_filter' is set to a network it will only catch the
event where the source is that specific network. 'accept_dst_filter'
does the same for the destination.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 input/flow/ulogd_inpflow_NFCT.c |  216 ++++++++++++++++++++++++++++++++++++++-
 ulogd.conf.in                   |    4 +
 2 files changed, 218 insertions(+), 2 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 489c9e0..b3e48d7 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -43,6 +43,7 @@
 #include <ulogd/ulogd.h>
 #include <ulogd/timer.h>
 #include <ulogd/ipfix_protocol.h>
+#include <ulogd/addr.h>
 
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 
@@ -72,7 +73,7 @@ struct nfct_pluginstance {
 #define EVENT_MASK	NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
 
 static struct config_keyset nfct_kset = {
-	.num_ces = 9,
+	.num_ces = 11,
 	.ces = {
 		{
 			.key	 = "pollinterval",
@@ -128,6 +129,16 @@ static struct config_keyset nfct_kset = {
 			.options = CONFIG_OPT_NONE,
 			.u.value = 0,
 		},
+		{
+			.key	 = "accept_src_filter",
+			.type	 = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
+		{
+			.key	 = "accept_dst_filter",
+			.type	 = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
 	},
 };
 #define pollint_ce(x)	(x->ces[0])
@@ -139,6 +150,8 @@ static struct config_keyset nfct_kset = {
 #define nlsockbufmaxsize_ce(x) (x->ces[6])
 #define nlresynctimeout_ce(x) (x->ces[7])
 #define reliable_ce(x)	(x->ces[8])
+#define src_filter_ce(x)	((x)->ces[9])
+#define dst_filter_ce(x)	((x)->ces[10])
 
 enum nfct_keys {
 	NFCT_ORIG_IP_SADDR = 0,
@@ -993,11 +1006,200 @@ static void overrun_timeout(struct ulogd_timer *a, void *data)
 	nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
 }
 
+
+#define NFCT_SRC_DIR 1
+#define NFCT_DST_DIR 2
+
+static inline int nfct_set_dir(int dir, int *filter_dir_ipv4, int *filter_dir_ipv6)
+{
+	switch (dir) {
+		case NFCT_DST_DIR:
+			*filter_dir_ipv4 = NFCT_FILTER_DST_IPV4;
+			*filter_dir_ipv6 = NFCT_FILTER_DST_IPV6;
+			break;
+		case NFCT_SRC_DIR:
+			*filter_dir_ipv4 = NFCT_FILTER_SRC_IPV4;
+			*filter_dir_ipv6 = NFCT_FILTER_SRC_IPV6;
+			break;
+		default:
+			ulogd_log(ULOGD_FATAL,
+					"Invalid direction %d\n",
+					dir);
+			return -1;
+	}
+	return 0;
+}
+
+static int nfct_add_to_filter(struct nfct_filter *filter,
+			      struct ulogd_addr *addr,
+			      int l3, int dir)
+{
+	int filter_dir_ipv4;
+	int filter_dir_ipv6;
+
+	if (nfct_set_dir(dir, &filter_dir_ipv4, &filter_dir_ipv6) == -1)
+		return -1;
+
+	switch (l3) {
+		case AF_INET6:
+			{
+				struct nfct_filter_ipv6 filter_ipv6;
+				/* BSF always wants data in host-byte order */
+				ulogd_ipv6_addr2addr_host(addr->in.ipv6, filter_ipv6.addr);
+				ulogd_ipv6_cidr2mask_host(addr->netmask, filter_ipv6.mask);
+
+				nfct_filter_set_logic(filter,
+						filter_dir_ipv6,
+						NFCT_FILTER_LOGIC_POSITIVE);
+				nfct_filter_add_attr(filter,
+						filter_dir_ipv6,
+						&filter_ipv6);
+			}
+			break;
+		case AF_INET:
+			{
+				/* BSF always wants data in host-byte order */
+				struct nfct_filter_ipv4 filter_ipv4 = {
+					.addr = ntohl(addr->in.ipv4),
+					.mask = ulogd_bits2netmask(addr->netmask),
+				};
+
+				nfct_filter_set_logic(filter,
+						filter_dir_ipv4,
+						NFCT_FILTER_LOGIC_POSITIVE);
+				nfct_filter_add_attr(filter, filter_dir_ipv4,
+						&filter_ipv4);
+			}
+			break;
+		default:
+			ulogd_log(ULOGD_FATAL, "Invalid protocol %d\n", l3);
+			return -1;
+	}
+	return 0;
+}
+
+static int build_nfct_filter_dir(struct nfct_filter *filter, char* filter_string, int dir)
+{
+	char *from = filter_string;
+	char *comma;
+	struct ulogd_addr addr;
+	int has_ipv4 = 0;
+	int has_ipv6 = 0;
+
+	while ((comma = strchr(from, ',')) != NULL) {
+		size_t len = comma - from;
+		switch(ulogd_parse_addr(from, len, &addr)) {
+			case AF_INET:
+				nfct_add_to_filter(filter, &addr, AF_INET, dir);
+				has_ipv4 = 1;
+				break;
+			case AF_INET6:
+				nfct_add_to_filter(filter, &addr, AF_INET6, dir);
+				has_ipv6 = 1;
+				break;
+			default:
+				return -1;
+		}
+		from += len + 1;
+	}
+	switch(ulogd_parse_addr(from, strlen(from), &addr)) {
+		case AF_INET:
+			nfct_add_to_filter(filter, &addr, AF_INET, dir);
+			has_ipv4 = 1;
+			break;
+		case AF_INET6:
+			nfct_add_to_filter(filter, &addr, AF_INET6, dir);
+			has_ipv6 = 1;
+			break;
+		default:
+			return -1;
+	}
+
+	if (!has_ipv6) {
+		struct nfct_filter_ipv6 filter_ipv6;
+		int filter_dir_ipv4;
+		int filter_dir_ipv6;
+		if (nfct_set_dir(dir, &filter_dir_ipv4, &filter_dir_ipv6) == -1)
+			return -1;
+		nfct_filter_set_logic(filter,
+				filter_dir_ipv6,
+				NFCT_FILTER_LOGIC_NEGATIVE);
+		nfct_filter_add_attr(filter, filter_dir_ipv6,
+				&filter_ipv6);
+	}
+	if (!has_ipv4) {
+		struct nfct_filter_ipv4 filter_ipv4;
+		int filter_dir_ipv4;
+		int filter_dir_ipv6;
+		if (nfct_set_dir(dir, &filter_dir_ipv4, &filter_dir_ipv6) == -1)
+			return -1;
+		nfct_filter_set_logic(filter,
+				filter_dir_ipv4,
+				NFCT_FILTER_LOGIC_NEGATIVE);
+		nfct_filter_add_attr(filter, filter_dir_ipv4,
+				&filter_ipv4);
+	}
+
+	return 0;
+}
+
+static int build_nfct_filter(struct ulogd_pluginstance *upi)
+{
+	struct nfct_pluginstance *cpi =
+			(struct nfct_pluginstance *)upi->private;
+	struct nfct_filter *filter = NULL;
+
+	if (!cpi->cth) {
+		ulogd_log(ULOGD_FATAL, "Refusing to attach NFCT filter to NULL handler\n");
+		goto err_init;
+	}
+
+	filter = nfct_filter_create();
+	if (!filter) {
+		ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
+		goto err_init;
+	}
+
+	if (strlen(src_filter_ce(upi->config_kset).u.string) != 0) {
+		char *filter_string = src_filter_ce(upi->config_kset).u.string;
+		if (build_nfct_filter_dir(filter, filter_string, NFCT_SRC_DIR) != 0) {
+			ulogd_log(ULOGD_FATAL,
+					"Unable to create src filter\n");
+			goto err_filter;
+		}
+	}
+	if (strlen(dst_filter_ce(upi->config_kset).u.string) != 0) {
+		char *filter_string = dst_filter_ce(upi->config_kset).u.string;
+		if (build_nfct_filter_dir(filter, filter_string, NFCT_DST_DIR) != 0) {
+			ulogd_log(ULOGD_FATAL,
+					"Unable to create dst filter\n");
+			goto err_filter;
+		}
+	}
+
+	if (filter) {
+		if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
+			ulogd_log(ULOGD_FATAL, "nfct_filter_attach");
+		}
+
+		/* release the filter object, this does not detach the filter */
+		nfct_filter_destroy(filter);
+	}
+
+	return 0;
+
+err_filter:
+	nfct_filter_destroy(filter);
+err_init:
+	return -1;
+}
+
 static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 {
 	struct nfct_pluginstance *cpi =
 			(struct nfct_pluginstance *)upi->private;
 
+
 	cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK,
 			     eventmask_ce(upi->config_kset).u.value);
 	if (!cpi->cth) {
@@ -1005,9 +1207,19 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 		goto err_cth;
 	}
 
+	if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
+			(strlen(dst_filter_ce(upi->config_kset).u.string) != 0)
+	   ) {
+		if (build_nfct_filter(upi) != 0) {
+			ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
+			goto err_cth;
+		}
+	}
+
+
 	if (usehash_ce(upi->config_kset).u.value != 0) {
 		nfct_callback_register(cpi->cth, NFCT_T_ALL,
-				       &event_handler_hashtable, upi);
+				&event_handler_hashtable, upi);
 	} else {
 		nfct_callback_register(cpi->cth, NFCT_T_ALL,
 				       &event_handler_no_hashtable, upi);
diff --git a/ulogd.conf.in b/ulogd.conf.in
index 6aff802..fa1fbf2 100644
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -125,6 +125,10 @@ plugin="@pkglibdir@/ulogd_output_GRAPHITE.so"
 #netlink_socket_buffer_maxsize=1085440
 #netlink_resync_timeout=60 # seconds to wait to perform resynchronization
 #pollinterval=10 # use poll-based logging instead of event-driven
+# If pollinterval is not set, NFCT plugin will work in event mode
+# In this case, you can use the following filters on events:
+#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
+#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
 
 [ct2]
 #netlink_socket_buffer_size=217088
-- 
1.7.10.4

[PATCH 4/4] nfct: add protocol filter

[Eric Leblond]

This patch adds a new configuration variable which is used to limit
conntrack event to connection of these protocols:
For example:
   accept_proto_filter=tcp,sctp

Signed-off-by: Eric Leblond <eric@regit.org>
---
 input/flow/ulogd_inpflow_NFCT.c |   60 +++++++++++++++++++++++++++++++++++++--
 ulogd.conf.in                   |    1 +
 2 files changed, 59 insertions(+), 2 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index b3e48d7..3889b10 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -36,6 +36,7 @@
 #include <sys/time.h>
 #include <time.h>
 #include <netinet/in.h>
+#include <netdb.h>
 #include <ulogd/linuxlist.h>
 #include <ulogd/jhash.h>
 #include <ulogd/hash.h>
@@ -73,7 +74,7 @@ struct nfct_pluginstance {
 #define EVENT_MASK	NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
 
 static struct config_keyset nfct_kset = {
-	.num_ces = 11,
+	.num_ces = 12,
 	.ces = {
 		{
 			.key	 = "pollinterval",
@@ -139,6 +140,11 @@ static struct config_keyset nfct_kset = {
 			.type	 = CONFIG_TYPE_STRING,
 			.options = CONFIG_OPT_NONE,
 		},
+		{
+			.key	 = "accept_proto_filter",
+			.type	 = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
 	},
 };
 #define pollint_ce(x)	(x->ces[0])
@@ -152,6 +158,7 @@ static struct config_keyset nfct_kset = {
 #define reliable_ce(x)	(x->ces[8])
 #define src_filter_ce(x)	((x)->ces[9])
 #define dst_filter_ce(x)	((x)->ces[10])
+#define proto_filter_ce(x)	((x)->ces[11])
 
 enum nfct_keys {
 	NFCT_ORIG_IP_SADDR = 0,
@@ -1143,6 +1150,46 @@ static int build_nfct_filter_dir(struct nfct_filter *filter, char* filter_string
 	return 0;
 }
 
+static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_string)
+{
+	char *from = filter_string;
+	char *comma;
+	struct protoent * pent = NULL;
+
+	while ((comma = strchr(from, ',')) != NULL) {
+		size_t len = comma - from;
+		*comma = 0;
+		pent = getprotobyname(from);
+		if (pent == NULL) {
+			ulogd_log(ULOGD_FATAL, "Unknown protocol\n");
+			endprotoent();
+			return -1;
+		}
+		ulogd_log(ULOGD_NOTICE, "adding proto to filter: \"%s\" (%d)\n",
+			  pent->p_name, pent->p_proto
+		 );
+		nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO,
+					 pent->p_proto);
+		from += len + 1;
+	}
+	pent = getprotobyname(from);
+	if (pent == NULL) {
+		ulogd_log(ULOGD_FATAL, "Unknown protocol %s\n", from);
+		endprotoent();
+		return -1;
+	}
+	ulogd_log(ULOGD_NOTICE, "adding proto to filter: \"%s (%d)\"\n",
+			pent->p_name, pent->p_proto
+		 );
+	nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO,
+			pent->p_proto);
+
+
+	endprotoent();
+	return 0;
+}
+
+
 static int build_nfct_filter(struct ulogd_pluginstance *upi)
 {
 	struct nfct_pluginstance *cpi =
@@ -1176,6 +1223,14 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
 			goto err_filter;
 		}
 	}
+	if (strlen(proto_filter_ce(upi->config_kset).u.string) != 0) {
+		char *filter_string = proto_filter_ce(upi->config_kset).u.string;
+		if (build_nfct_filter_proto(filter, filter_string) != 0) {
+			ulogd_log(ULOGD_FATAL,
+					"Unable to create proto filter\n");
+			goto err_filter;
+		}
+	}
 
 	if (filter) {
 		if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
@@ -1208,7 +1263,8 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 	}
 
 	if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
-			(strlen(dst_filter_ce(upi->config_kset).u.string) != 0)
+		(strlen(dst_filter_ce(upi->config_kset).u.string) != 0) ||
+		(strlen(proto_filter_ce(upi->config_kset).u.string) != 0)
 	   ) {
 		if (build_nfct_filter(upi) != 0) {
 			ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
diff --git a/ulogd.conf.in b/ulogd.conf.in
index fa1fbf2..783cb2b 100644
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -129,6 +129,7 @@ plugin="@pkglibdir@/ulogd_output_GRAPHITE.so"
 # In this case, you can use the following filters on events:
 #accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
 #accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
+#accept_proto_filter=tcp,sctp # layer 4 proto of connections
 
 [ct2]
 #netlink_socket_buffer_size=217088
-- 
1.7.10.4

Re: [Ulogd PATCH 0/4] Implement filter for NFCT

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 395 bytes --]

Hi,

On Fri, 2012-12-28 at 18:29 +0100, Eric Leblond wrote:
> Hello,
> 
> This patchset implements filtering capability in NFCT input plugin. For
> now this is only possible when NFCT is used in event mode as the
> libnetfilter_conntrack library does not support filtering of dump.

Patches pushed to git tree.

BR,
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]