From: Kristian Evensen <kristian.evensen@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: Kristian Evensen <kristian.evensen@gmail.com>
Subject: [PATCH v2 1/2] conntrack: Flush connections with a given mark
Date: Wed, 24 Dec 2014 09:57:10 +0100 [thread overview]
Message-ID: <1419411431-24715-2-git-send-email-kristian.evensen@gmail.com> (raw)
In-Reply-To: <1419411431-24715-1-git-send-email-kristian.evensen@gmail.com>
This patch adds support for selective flushing of conntrack mappings. By adding
CTA_MARK and CTA_MARK_MASK to a delete-message, the mark (and mask) is checked
before a connection is deleted while flushing.
Configuring the flush is moved out of ctnetlink_del_conntrack(), and instead of
calling nf_conntrack_flush_report(), we always call nf_ct_iterate_cleanup().
This enables us to only make one call from the new ctnetlink_flush_conntrack()
and makes it easy to add more filter parameters.
Filtering is done in the ctnetlink_apply_filter()-function, which is also called
from ctnetlink_dump_table(). ctnetlink_dump_filter has been renamed
ctnetlink_filter, to indicated that it is no longer only used when dumping
conntrack entries.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
---
net/netfilter/nf_conntrack_netlink.c | 57 ++++++++++++++++++++++++++++--------
1 file changed, 45 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 1bd9ed9..85046d3 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -749,13 +749,29 @@ static int ctnetlink_done(struct netlink_callback *cb)
return 0;
}
-struct ctnetlink_dump_filter {
+struct ctnetlink_filter {
struct {
u_int32_t val;
u_int32_t mask;
} mark;
};
+static int ctnetlink_apply_filter(struct nf_conn *i, void *data)
+{
+ struct ctnetlink_filter *filter = data;
+
+ if (!filter)
+ return 1;
+
+#ifdef CONFIG_NF_CONNTRACK_MARK
+ if ((filter->mark.val && filter->mark.mask) &&
+ (i->mark & filter->mark.mask) != filter->mark.val)
+ return 0;
+#endif
+
+ return 1;
+}
+
static int
ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
@@ -769,7 +785,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
spinlock_t *lockp;
#ifdef CONFIG_NF_CONNTRACK_MARK
- const struct ctnetlink_dump_filter *filter = cb->data;
+ const struct ctnetlink_filter *filter = cb->data;
#endif
last = (struct nf_conn *)cb->args[1];
@@ -799,10 +815,9 @@ restart:
cb->args[1] = 0;
}
#ifdef CONFIG_NF_CONNTRACK_MARK
- if (filter && !((ct->mark & filter->mark.mask) ==
- filter->mark.val)) {
+ if (filter &&
+ !ctnetlink_apply_filter(ct, (void *)filter))
continue;
- }
#endif
rcu_read_lock();
res =
@@ -1001,6 +1016,25 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
.len = NF_CT_LABELS_MAX_SIZE },
};
+static void ctnetlink_flush_conntrack(struct net *net,
+ const struct nlattr * const cda[],
+ u32 portid, int report)
+{
+ struct ctnetlink_filter filter;
+
+ memset(&filter, 0, sizeof(filter));
+
+#ifdef CONFIG_NF_CONNTRACK_MARK
+ if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
+ filter.mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
+ filter.mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
+ }
+#endif
+
+ nf_ct_iterate_cleanup(net, ctnetlink_apply_filter, &filter,
+ portid, report);
+}
+
static int
ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
const struct nlmsghdr *nlh,
@@ -1024,10 +1058,9 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
else if (cda[CTA_TUPLE_REPLY])
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
else {
- /* Flush the whole table */
- nf_conntrack_flush_report(net,
- NETLINK_CB(skb).portid,
- nlmsg_report(nlh));
+ /* Flush the table */
+ ctnetlink_flush_conntrack(net, cda, NETLINK_CB(skb).portid,
+ nlmsg_report(nlh));
return 0;
}
@@ -1075,13 +1108,13 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
struct netlink_dump_control c = {
.dump = ctnetlink_dump_table,
.done = ctnetlink_done,
+ .data = NULL,
};
#ifdef CONFIG_NF_CONNTRACK_MARK
if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
- struct ctnetlink_dump_filter *filter;
+ struct ctnetlink_filter *filter;
- filter = kzalloc(sizeof(struct ctnetlink_dump_filter),
- GFP_ATOMIC);
+ filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
if (filter == NULL)
return -ENOMEM;
--
2.1.0
next prev parent reply other threads:[~2014-12-24 8:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-24 8:57 [PATCH v2 0/2] conntrack: Support flushing connections with given mark Kristian Evensen
2014-12-24 8:57 ` Kristian Evensen [this message]
2015-01-07 18:56 ` [PATCH v2 1/2] conntrack: Flush connections with a " Pablo Neira Ayuso
2015-01-07 20:05 ` Kristian Evensen
2015-01-08 13:13 ` Pablo Neira Ayuso
2015-01-08 13:28 ` Kristian Evensen
2015-01-07 20:16 ` Kristian Evensen
2014-12-24 8:57 ` [PATCH v2 2/2] conntrack: Remove nf_ct_conntrack_flush_report Kristian Evensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1419411431-24715-2-git-send-email-kristian.evensen@gmail.com \
--to=kristian.evensen@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).