* [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input @ 2012-08-01 21:33 Eric Leblond 2012-08-01 21:33 ` [RFC ulogd PATCH] nfct: implement src and dst filter Eric Leblond 2012-08-02 11:23 ` [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input Pablo Neira Ayuso 0 siblings, 2 replies; 5+ messages in thread From: Eric Leblond @ 2012-08-01 21:33 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel Hello, This patch implements filtering for NFCT input plugin. It adds two configuration variables src_filter and dst_filter which can be used to select the IPv4 or IPv6 network to filter on for the source or destination address. For IPv4 this is working fine but despite the latest update from Pablo on libnetfilter_conntrack, I still don't manage to get IPv6 working. Any help appreciated on this. This explains the RFC status of this patch. The other reason is that I want to ensure that the proposed filtering is convenient for the users. BR, -- Eric ^ permalink raw reply [flat|nested] 5+ messages in thread
* [RFC ulogd PATCH] nfct: implement src and dst filter 2012-08-01 21:33 [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input Eric Leblond @ 2012-08-01 21:33 ` Eric Leblond 2012-08-02 11:21 ` Pablo Neira Ayuso 2012-08-02 11:23 ` [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input Pablo Neira Ayuso 1 sibling, 1 reply; 5+ messages in thread From: Eric Leblond @ 2012-08-01 21:33 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel, Eric Leblond This patch implements two filtering options in NFCT input plugin. If 'src_filter' is set to a network it will only catch the event where the source is that specific network. 'dst_filter' does the same for the destination. The filters are simple and does only accept one network at a time. Multiple networks can be handled by using multiple stacks. To handle connection from and to a network, two stacks are needed too. --- input/flow/ulogd_inpflow_NFCT.c | 239 ++++++++++++++++++++++++++++++++++++++- ulogd.conf.in | 2 + 2 files changed, 239 insertions(+), 2 deletions(-) diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c index dcba58f..49ff66e 100644 --- a/input/flow/ulogd_inpflow_NFCT.c +++ b/input/flow/ulogd_inpflow_NFCT.c @@ -33,6 +33,10 @@ #include <string.h> #include <errno.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> + #include <sys/time.h> #include <time.h> #include <netinet/in.h> @@ -72,7 +76,7 @@ struct nfct_pluginstance { #define EVENT_MASK NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY static struct config_keyset nfct_kset = { - .num_ces = 9, + .num_ces = 11, .ces = { { .key = "pollinterval", @@ -128,6 +132,16 @@ static struct config_keyset nfct_kset = { .options = CONFIG_OPT_NONE, .u.value = 0, }, + { + .key = "src_filter", + .type = CONFIG_TYPE_STRING, + .options = CONFIG_OPT_NONE, + }, + { + .key = "dst_filter", + .type = CONFIG_TYPE_STRING, + .options = CONFIG_OPT_NONE, + }, }, }; #define pollint_ce(x) (x->ces[0]) @@ -139,6 +153,8 @@ static struct config_keyset nfct_kset = { #define nlsockbufmaxsize_ce(x) (x->ces[6]) #define nlresynctimeout_ce(x) (x->ces[7]) #define reliable_ce(x) (x->ces[8]) +#define src_filter_ce(x) ((x)->ces[9]) +#define dst_filter_ce(x) ((x)->ces[10]) enum nfct_keys { NFCT_ORIG_IP_SADDR = 0, @@ -995,10 +1011,54 @@ static void overrun_timeout(struct ulogd_timer *a, void *data) nfct_send(cpi->ovh, NFCT_Q_DUMP, &family); } +static u_int32_t bits2netmask(int bits) +{ + u_int32_t netmask, bm; + + if (bits >= 32 || bits < 0) + return(~0); + for (netmask = 0, bm = 0x80000000; bits; bits--, bm >>= 1) + netmask |= bm; + return netmask; +} + + +static void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res) +{ + int i, j; + + memset(res, 0, sizeof(uint32_t)*4); + for (i = 0; i < 4 && cidr > 32; i++) { + res[i] = 0xFFFFFFFF; + cidr -= 32; + } + res[i] = 0xFFFFFFFF << (32 - cidr); + for (j = i+1; j < 4; j++) { + res[j] = 0; + } +} + +/* I need this function because I initially defined an IPv6 address as + * uint32 u[4]. Using char u[16] instead would allow to remove this. */ +static void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res) +{ + int i; + + memset(res, 0, sizeof(uint32_t)*4); + for (i = 0; i < 4; i++) { + res[i] = ntohl(addr[i]); + } +} + static int constructor_nfct_events(struct ulogd_pluginstance *upi) { struct nfct_pluginstance *cpi = (struct nfct_pluginstance *)upi->private; + char filter_addr[128]; + uint32_t faddr[4]; + int netmask; + char *slash; + struct nfct_filter *filter = NULL; cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK, eventmask_ce(upi->config_kset).u.value); @@ -1007,9 +1067,184 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi) goto err_cth; } + if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) || + (strlen(dst_filter_ce(upi->config_kset).u.string) != 0) + ) { + ulogd_log(ULOGD_NOTICE, "adding filter: \"%s\"\n", + src_filter_ce(upi->config_kset).u.string + ); + filter = nfct_filter_create(); + if (!filter) { + ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n"); + goto err_cth; + } + + } + + if (strlen(src_filter_ce(upi->config_kset).u.string) != 0) { + char *filter_string = src_filter_ce(upi->config_kset).u.string; + if (strchr(filter_string, ':')) { + struct nfct_filter_ipv6 src_filter_ipv6; + struct nfct_filter_ipv4 src_filter_ipv4; + + slash = strchr(filter_string, '/'); + if (slash == NULL) { + ulogd_log(ULOGD_FATAL, + "No network specified\n"); + goto err_cth; + } + + strncpy(filter_addr, filter_string, + slash - filter_string); + filter_addr[slash - filter_string] = 0; + if (inet_pton(AF_INET6, filter_addr, (void *)faddr) + != 1) { + ulogd_log(ULOGD_FATAL, + "error reading address\n"); + goto err_cth; + } + netmask = atoi(slash + 1); + /* BSF always wants data in host-byte order */ + ipv6_addr2addr_host(faddr, src_filter_ipv6.addr); + ipv6_cidr2mask_host(netmask, src_filter_ipv6.mask); + + nfct_filter_set_logic(filter, + NFCT_FILTER_SRC_IPV6, + NFCT_FILTER_LOGIC_POSITIVE); + nfct_filter_add_attr(filter, + NFCT_FILTER_SRC_IPV6, + &src_filter_ipv6); + + nfct_filter_set_logic(filter, + NFCT_FILTER_SRC_IPV4, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_add_attr(filter, + NFCT_FILTER_SRC_IPV4, + &src_filter_ipv4); + } else if (strchr(filter_string, '.')) { + struct nfct_filter_ipv6 src_filter_ipv6; + + slash = strchr(filter_string, '/'); + if (slash == NULL) { + ulogd_log(ULOGD_FATAL, + "No network specified\n"); + goto err_cth; + } + strncpy(filter_addr, filter_string, + slash - filter_string); + filter_addr[slash - filter_string] = 0; + netmask = atoi(slash + 1); + /* BSF always wants data in host-byte order */ + struct nfct_filter_ipv4 filter_ipv4 = { + .addr = ntohl(inet_addr(filter_addr)), + .mask = bits2netmask(netmask), + }; + + nfct_filter_set_logic(filter, + NFCT_FILTER_SRC_IPV4, + NFCT_FILTER_LOGIC_POSITIVE); + nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV4, + &filter_ipv4); + + nfct_filter_set_logic(filter, + NFCT_FILTER_SRC_IPV6, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6, + &src_filter_ipv6); + } else { + ulogd_log(ULOGD_FATAL, + "filter does not look like an IP\n"); + goto err_cth; + } + } + + if (strlen(dst_filter_ce(upi->config_kset).u.string) != 0) { + char *filter_string = dst_filter_ce(upi->config_kset).u.string; + if (strchr(filter_string, ':')) { + struct nfct_filter_ipv6 dst_filter_ipv6; + struct nfct_filter_ipv4 dst_filter_ipv4; + + /* handle dest filter */ + slash = strchr(filter_string, '/'); + if (slash == NULL) { + ulogd_log(ULOGD_FATAL, + "No network specified\n"); + goto err_cth; + } + strncpy(filter_addr, filter_string, + slash - filter_string); + filter_addr[slash - filter_string] = 0; + if (inet_pton(AF_INET6, filter_addr, + (void *)&faddr + ) != 1) { + ulogd_log(ULOGD_FATAL, + "error reading address\n"); + goto err_cth; + } + netmask = atoi(slash + 1); + /* BSF always wants data in host-byte order */ + ipv6_addr2addr_host(faddr, dst_filter_ipv6.addr); + ipv6_cidr2mask_host(netmask, dst_filter_ipv6.mask); + + nfct_filter_set_logic(filter, + NFCT_FILTER_DST_IPV6, + NFCT_FILTER_LOGIC_POSITIVE); + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, + &dst_filter_ipv6); + + nfct_filter_set_logic(filter, + NFCT_FILTER_DST_IPV4, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV4, + &dst_filter_ipv4); + } else if (strchr(filter_string, '.')) { + struct nfct_filter_ipv6 dst_filter_ipv6; + + slash = strchr(filter_string, '/'); + if (slash == NULL) { + ulogd_log(ULOGD_FATAL, "No network specified\n"); + goto err_cth; + } + strncpy(filter_addr, filter_string, + slash - filter_string); + filter_addr[slash - filter_string] = 0; + netmask = atoi(slash + 1); + /* BSF always wants data in host-byte order */ + struct nfct_filter_ipv4 filter_ipv4 = { + .addr = ntohl(inet_addr(filter_addr)), + .mask = bits2netmask(netmask), + }; + + nfct_filter_set_logic(filter, + NFCT_FILTER_DST_IPV4, + NFCT_FILTER_LOGIC_POSITIVE); + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV4, + &filter_ipv4); + + nfct_filter_set_logic(filter, + NFCT_FILTER_DST_IPV6, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, + &dst_filter_ipv6); + } else { + ulogd_log(ULOGD_FATAL, + "filter does not look like an IP\n"); + goto err_cth; + } + } + + if (filter) { + if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) { + ulogd_log(ULOGD_FATAL, "nfct_filter_attach"); + } + + /* release the filter object, this does not detach the filter */ + nfct_filter_destroy(filter); + } + if (usehash_ce(upi->config_kset).u.value != 0) { nfct_callback_register(cpi->cth, NFCT_T_ALL, - &event_handler_hashtable, upi); + &event_handler_hashtable, upi); } else { nfct_callback_register(cpi->cth, NFCT_T_ALL, &event_handler_no_hashtable, upi); diff --git a/ulogd.conf.in b/ulogd.conf.in index e99212f..7167732 100644 --- a/ulogd.conf.in +++ b/ulogd.conf.in @@ -121,6 +121,8 @@ plugin="@pkglibdir@/ulogd_inpflow_NFACCT.so" #netlink_socket_buffer_maxsize=1085440 #netlink_resync_timeout=60 # seconds to wait to perform resynchronization #pollinterval=10 # use poll-based logging instead of event-driven +#src_filter=192.168.1.0/24 # source ip of connection must belong to this network +#dst_filter=192.168.1.0/24 # destination ip of connection must belong to this network [ct2] #netlink_socket_buffer_size=217088 -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [RFC ulogd PATCH] nfct: implement src and dst filter 2012-08-01 21:33 ` [RFC ulogd PATCH] nfct: implement src and dst filter Eric Leblond @ 2012-08-02 11:21 ` Pablo Neira Ayuso 0 siblings, 0 replies; 5+ messages in thread From: Pablo Neira Ayuso @ 2012-08-02 11:21 UTC (permalink / raw) To: Eric Leblond; +Cc: netfilter-devel Hi Eric, On Wed, Aug 01, 2012 at 11:33:29PM +0200, Eric Leblond wrote: > This patch implements two filtering options in NFCT input plugin. > If 'src_filter' is set to a network it will only catch the event > where the source is that specific network. 'dst_filter' does the > same for the destination. The filters are simple and does only > accept one network at a time. Multiple networks can be handled by > using multiple stacks. I think it should not be hard to support a list of addresses, something like: src_filter=192.168.1.0/24,192.168.0.38,::1 Some snippet (I didn't compile it, BTW): char *from = string; while ((comma = strchr(',', from)) != NULL) { len = comma - from; switch(ulogd_parse_addr(from, len, &addr)) { case AF_INET: add to filter; break; case AF_INET6: add to filter; break; } from = ret; } /* no comma, handle one address case */ ... addr can be an union that contains IPv4 and IPv6 address. We use that in netfilter kernel code. I would also rename src_filter to `accept_src_filter', so it explicitly tells what it accepts. More comments on the code. > To handle connection from and to a network, two stacks are needed too. > --- > input/flow/ulogd_inpflow_NFCT.c | 239 ++++++++++++++++++++++++++++++++++++++- > ulogd.conf.in | 2 + > 2 files changed, 239 insertions(+), 2 deletions(-) > > diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c > index dcba58f..49ff66e 100644 > --- a/input/flow/ulogd_inpflow_NFCT.c > +++ b/input/flow/ulogd_inpflow_NFCT.c > @@ -33,6 +33,10 @@ > #include <string.h> > #include <errno.h> > > +#include <sys/socket.h> > +#include <netinet/in.h> > +#include <arpa/inet.h> > + > #include <sys/time.h> > #include <time.h> > #include <netinet/in.h> > @@ -72,7 +76,7 @@ struct nfct_pluginstance { > #define EVENT_MASK NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY > > static struct config_keyset nfct_kset = { > - .num_ces = 9, > + .num_ces = 11, > .ces = { > { > .key = "pollinterval", > @@ -128,6 +132,16 @@ static struct config_keyset nfct_kset = { > .options = CONFIG_OPT_NONE, > .u.value = 0, > }, > + { > + .key = "src_filter", > + .type = CONFIG_TYPE_STRING, > + .options = CONFIG_OPT_NONE, > + }, > + { > + .key = "dst_filter", > + .type = CONFIG_TYPE_STRING, > + .options = CONFIG_OPT_NONE, > + }, > }, > }; > #define pollint_ce(x) (x->ces[0]) > @@ -139,6 +153,8 @@ static struct config_keyset nfct_kset = { > #define nlsockbufmaxsize_ce(x) (x->ces[6]) > #define nlresynctimeout_ce(x) (x->ces[7]) > #define reliable_ce(x) (x->ces[8]) > +#define src_filter_ce(x) ((x)->ces[9]) > +#define dst_filter_ce(x) ((x)->ces[10]) > > enum nfct_keys { > NFCT_ORIG_IP_SADDR = 0, > @@ -995,10 +1011,54 @@ static void overrun_timeout(struct ulogd_timer *a, void *data) > nfct_send(cpi->ovh, NFCT_Q_DUMP, &family); > } > > +static u_int32_t bits2netmask(int bits) > +{ > + u_int32_t netmask, bm; > + > + if (bits >= 32 || bits < 0) > + return(~0); > + for (netmask = 0, bm = 0x80000000; bits; bits--, bm >>= 1) > + netmask |= bm; > + return netmask; > +} > + > + > +static void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res) > +{ > + int i, j; > + > + memset(res, 0, sizeof(uint32_t)*4); > + for (i = 0; i < 4 && cidr > 32; i++) { > + res[i] = 0xFFFFFFFF; > + cidr -= 32; > + } > + res[i] = 0xFFFFFFFF << (32 - cidr); > + for (j = i+1; j < 4; j++) { > + res[j] = 0; > + } > +} > + > +/* I need this function because I initially defined an IPv6 address as > + * uint32 u[4]. Using char u[16] instead would allow to remove this. */ > +static void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res) > +{ > + int i; > + > + memset(res, 0, sizeof(uint32_t)*4); > + for (i = 0; i < 4; i++) { > + res[i] = ntohl(addr[i]); > + } > +} Better, move all generic network address string parsing and conversion to src/addr.c (or similar name). They could be reused in the future. > + > static int constructor_nfct_events(struct ulogd_pluginstance *upi) > { > struct nfct_pluginstance *cpi = > (struct nfct_pluginstance *)upi->private; > + char filter_addr[128]; > + uint32_t faddr[4]; > + int netmask; > + char *slash; > + struct nfct_filter *filter = NULL; > > cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK, > eventmask_ce(upi->config_kset).u.value); > @@ -1007,9 +1067,184 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi) > goto err_cth; > } > > + if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) || > + (strlen(dst_filter_ce(upi->config_kset).u.string) != 0) > + ) { > + ulogd_log(ULOGD_NOTICE, "adding filter: \"%s\"\n", > + src_filter_ce(upi->config_kset).u.string > + ); > + filter = nfct_filter_create(); > + if (!filter) { > + ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n"); > + goto err_cth; > + } > + > + } > + > + if (strlen(src_filter_ce(upi->config_kset).u.string) != 0) { > + char *filter_string = src_filter_ce(upi->config_kset).u.string; > + if (strchr(filter_string, ':')) { > + struct nfct_filter_ipv6 src_filter_ipv6; > + struct nfct_filter_ipv4 src_filter_ipv4; > + > + slash = strchr(filter_string, '/'); > + if (slash == NULL) { > + ulogd_log(ULOGD_FATAL, > + "No network specified\n"); > + goto err_cth; > + } > + > + strncpy(filter_addr, filter_string, > + slash - filter_string); > + filter_addr[slash - filter_string] = 0; > + if (inet_pton(AF_INET6, filter_addr, (void *)faddr) > + != 1) { > + ulogd_log(ULOGD_FATAL, > + "error reading address\n"); > + goto err_cth; > + } > + netmask = atoi(slash + 1); > + /* BSF always wants data in host-byte order */ > + ipv6_addr2addr_host(faddr, src_filter_ipv6.addr); > + ipv6_cidr2mask_host(netmask, src_filter_ipv6.mask); > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_SRC_IPV6, > + NFCT_FILTER_LOGIC_POSITIVE); > + nfct_filter_add_attr(filter, > + NFCT_FILTER_SRC_IPV6, > + &src_filter_ipv6); > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_SRC_IPV4, > + NFCT_FILTER_LOGIC_NEGATIVE); > + nfct_filter_add_attr(filter, > + NFCT_FILTER_SRC_IPV4, > + &src_filter_ipv4); I think you can move this to some function to improve code maintainability. After this, constructor_nfct_events will look quite large. > + } else if (strchr(filter_string, '.')) { > + struct nfct_filter_ipv6 src_filter_ipv6; > + > + slash = strchr(filter_string, '/'); > + if (slash == NULL) { > + ulogd_log(ULOGD_FATAL, > + "No network specified\n"); > + goto err_cth; > + } > + strncpy(filter_addr, filter_string, > + slash - filter_string); > + filter_addr[slash - filter_string] = 0; > + netmask = atoi(slash + 1); > + /* BSF always wants data in host-byte order */ > + struct nfct_filter_ipv4 filter_ipv4 = { > + .addr = ntohl(inet_addr(filter_addr)), > + .mask = bits2netmask(netmask), > + }; > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_SRC_IPV4, > + NFCT_FILTER_LOGIC_POSITIVE); > + nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV4, > + &filter_ipv4); > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_SRC_IPV6, > + NFCT_FILTER_LOGIC_NEGATIVE); > + nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6, > + &src_filter_ipv6); > + } else { > + ulogd_log(ULOGD_FATAL, > + "filter does not look like an IP\n"); > + goto err_cth; > + } > + } > + > + if (strlen(dst_filter_ce(upi->config_kset).u.string) != 0) { > + char *filter_string = dst_filter_ce(upi->config_kset).u.string; > + if (strchr(filter_string, ':')) { > + struct nfct_filter_ipv6 dst_filter_ipv6; > + struct nfct_filter_ipv4 dst_filter_ipv4; > + > + /* handle dest filter */ > + slash = strchr(filter_string, '/'); > + if (slash == NULL) { > + ulogd_log(ULOGD_FATAL, > + "No network specified\n"); > + goto err_cth; > + } > + strncpy(filter_addr, filter_string, > + slash - filter_string); > + filter_addr[slash - filter_string] = 0; > + if (inet_pton(AF_INET6, filter_addr, > + (void *)&faddr > + ) != 1) { > + ulogd_log(ULOGD_FATAL, > + "error reading address\n"); > + goto err_cth; > + } > + netmask = atoi(slash + 1); > + /* BSF always wants data in host-byte order */ > + ipv6_addr2addr_host(faddr, dst_filter_ipv6.addr); > + ipv6_cidr2mask_host(netmask, dst_filter_ipv6.mask); > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_DST_IPV6, > + NFCT_FILTER_LOGIC_POSITIVE); > + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, > + &dst_filter_ipv6); > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_DST_IPV4, > + NFCT_FILTER_LOGIC_NEGATIVE); > + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV4, > + &dst_filter_ipv4); > + } else if (strchr(filter_string, '.')) { > + struct nfct_filter_ipv6 dst_filter_ipv6; > + > + slash = strchr(filter_string, '/'); > + if (slash == NULL) { > + ulogd_log(ULOGD_FATAL, "No network specified\n"); > + goto err_cth; > + } > + strncpy(filter_addr, filter_string, > + slash - filter_string); > + filter_addr[slash - filter_string] = 0; > + netmask = atoi(slash + 1); > + /* BSF always wants data in host-byte order */ > + struct nfct_filter_ipv4 filter_ipv4 = { > + .addr = ntohl(inet_addr(filter_addr)), > + .mask = bits2netmask(netmask), > + }; > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_DST_IPV4, > + NFCT_FILTER_LOGIC_POSITIVE); > + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV4, > + &filter_ipv4); > + > + nfct_filter_set_logic(filter, > + NFCT_FILTER_DST_IPV6, > + NFCT_FILTER_LOGIC_NEGATIVE); > + nfct_filter_add_attr(filter, NFCT_FILTER_DST_IPV6, > + &dst_filter_ipv6); > + } else { > + ulogd_log(ULOGD_FATAL, > + "filter does not look like an IP\n"); > + goto err_cth; > + } > + } > + > + if (filter) { > + if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) { > + ulogd_log(ULOGD_FATAL, "nfct_filter_attach"); > + } > + > + /* release the filter object, this does not detach the filter */ > + nfct_filter_destroy(filter); > + } > + > if (usehash_ce(upi->config_kset).u.value != 0) { > nfct_callback_register(cpi->cth, NFCT_T_ALL, > - &event_handler_hashtable, upi); > + &event_handler_hashtable, upi); > } else { > nfct_callback_register(cpi->cth, NFCT_T_ALL, > &event_handler_no_hashtable, upi); > diff --git a/ulogd.conf.in b/ulogd.conf.in > index e99212f..7167732 100644 > --- a/ulogd.conf.in > +++ b/ulogd.conf.in > @@ -121,6 +121,8 @@ plugin="@pkglibdir@/ulogd_inpflow_NFACCT.so" > #netlink_socket_buffer_maxsize=1085440 > #netlink_resync_timeout=60 # seconds to wait to perform resynchronization > #pollinterval=10 # use poll-based logging instead of event-driven > +#src_filter=192.168.1.0/24 # source ip of connection must belong to this network > +#dst_filter=192.168.1.0/24 # destination ip of connection must belong to this network > > [ct2] > #netlink_socket_buffer_size=217088 > -- > 1.7.10.4 > > -- > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input 2012-08-01 21:33 [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input Eric Leblond 2012-08-01 21:33 ` [RFC ulogd PATCH] nfct: implement src and dst filter Eric Leblond @ 2012-08-02 11:23 ` Pablo Neira Ayuso 2012-09-03 7:36 ` Eric Leblond 1 sibling, 1 reply; 5+ messages in thread From: Pablo Neira Ayuso @ 2012-08-02 11:23 UTC (permalink / raw) To: Eric Leblond; +Cc: netfilter-devel On Wed, Aug 01, 2012 at 11:33:28PM +0200, Eric Leblond wrote: > > Hello, > > This patch implements filtering for NFCT input plugin. It adds > two configuration variables src_filter and dst_filter which > can be used to select the IPv4 or IPv6 network to filter on > for the source or destination address. > > For IPv4 this is working fine but despite the latest update > from Pablo on libnetfilter_conntrack, I still don't manage > to get IPv6 working. Any help appreciated on this. Note that ulogd2 initially dumps the entire table. The filtering will not apply to dumping, only to events. You need to filter filter dumps. conntrackd already has a framework for user-space filtering, that is used for filter. You can grab it. We can probably later move it to libnetfilter_conntrack to avoid code redundancy. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input 2012-08-02 11:23 ` [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input Pablo Neira Ayuso @ 2012-09-03 7:36 ` Eric Leblond 0 siblings, 0 replies; 5+ messages in thread From: Eric Leblond @ 2012-09-03 7:36 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel [-- Attachment #1: Type: text/plain, Size: 938 bytes --] Hello, Sorry for being late to reply here. Le jeudi 02 août 2012 à 13:23 +0200, Pablo Neira Ayuso a écrit : > On Wed, Aug 01, 2012 at 11:33:28PM +0200, Eric Leblond wrote: > > > > Hello, ... > Note that ulogd2 initially dumps the entire table. The filtering will > not apply to dumping, only to events. Why is this needed ? This gave us more accurate stats about existing connection by filling the hash at start ? > > You need to filter filter dumps. > > conntrackd already has a framework for user-space filtering, that is > used for filter. You can grab it. We can probably later move it to > libnetfilter_conntrack to avoid code redundancy. I've looked at this part of the code but the implementation seems to need a lot of conntrackd things like vector. This seems a bit too big to include inside ulogd. BR, -- Eric Leblond Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/ [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 198 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-09-03 7:38 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-08-01 21:33 [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input Eric Leblond 2012-08-01 21:33 ` [RFC ulogd PATCH] nfct: implement src and dst filter Eric Leblond 2012-08-02 11:21 ` Pablo Neira Ayuso 2012-08-02 11:23 ` [RFC ulogd patch 0/1] Implement conntrack event filter in NFCT input Pablo Neira Ayuso 2012-09-03 7:36 ` Eric Leblond
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).