From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2] conntrack: add connlabel format attribute
Date: Sun, 30 Jun 2013 23:39:39 +0200
Message-ID: <20130630213939.GB5096@localhost>
In-Reply-To: <1372626648-19482-2-git-send-email-fw@strlen.de>
On Sun, Jun 30, 2013 at 11:10:48PM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> Change since v1:
> - rename option to '-o labels'
> - make it incompatible with xml option (can't
> add attributes to existing xml output
> buffer without insane hackery)
Ah, now I understand the XML issue.
You can have something like this in libnetfilter_conntrack:

extern int nfct_snprintf_clabels(char *buf,
                                 unsigned int size,
                                 const struct nf_conntrack *ct,
                                 const unsigned int msg_type,
                                 const unsigned int out_type,
                                 const unsigned int out_flags,
                                 struct nfct_labelmap *map,
                                 const struct nfct_bitmask *b);
We then have two interfaces: the normal nfct_snprintf(...) for people
that don't need clabels, and the one that includes clabels (including
XML support).
Having two interfaces to print seems fine to me. You could even
emulate nfct_snprintf by allowing the last two parameters (labelmap and
bitmask) to be NULL; that will simplify the patch, as nfct_snprintf will
then call nfct_snprintf_clabels.
You'll have to adapt this patch for the conntrack util though.
Thanks.
> conntrack.8 | 4 +++-
> src/conntrack.c | 39 +++++++++++++++++++++++++++++++++++----
> 2 files changed, 38 insertions(+), 5 deletions(-)
>
> diff --git a/conntrack.8 b/conntrack.8
> index a411fd4..41a59ce 100644
> --- a/conntrack.8
> +++ b/conntrack.8
> @@ -88,11 +88,13 @@ Show the in-kernel connection tracking system statistics.
> Atomically zero counters after reading them. This option is only valid in
> combination with the "-L, --dump" command options.
> .TP
> -.BI "-o, --output [extended,xml,timestamp,id,ktimestamp] "
> +.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] "
> Display output in a certain format. With the extended output option, this tool
> displays the layer 3 information. With ktimestamp, it displays the in-kernel
> timestamp available since 2.6.38 (you can enable it via echo 1 >
> /proc/sys/net/netfilter/nf_conntrack_timestamp).
> +The labels output option tells conntrack to show the names of labels that
> +might be present, this is currently incompatible with xml output.
> .TP
> .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
> Set the bitmask of events that are to be generated by the in-kernel ctnetlink
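Review bot: The added sentence in the "-o, --output" hunk is a comma splice and leaves the labels/xml interaction unspecified, while the main() hunk silently clears the labels flag when xml is also set; split the sentence and state the behaviour, e.g. "The labels output option tells conntrack to show the names of labels that might be present. It is currently incompatible with xml output; if both are given, labels is ignored."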
> diff --git a/src/conntrack.c b/src/conntrack.c
> index d4e79de..74561ba 100644
> --- a/src/conntrack.c
> +++ b/src/conntrack.c
> @@ -488,6 +488,7 @@ static unsigned int addr_valid_flags[ADDR_VALID_FLAGS_MAX] = {
> static LIST_HEAD(proto_list);
>
> static unsigned int options;
> +static struct nfct_labelmap *label_map;
>
> void register_proto(struct ctproto_handler *h)
> {
> @@ -731,6 +732,7 @@ enum {
> _O_TMS = (1 << 2),
> _O_ID = (1 << 3),
> _O_KTMS = (1 << 4),
> + _O_LAB = (1 << 5),
> };
>
> enum {
> @@ -749,8 +751,8 @@ static struct parse_parameter {
> { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} },
> { {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
> { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
> - { {"xml", "extended", "timestamp", "id", "ktimestamp"}, 5,
> - { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS },
> + { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", }, 6,
> + { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_LAB },
> },
> };
>
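Review bot: Style nit in the parse_parameter hunk: the new initializer `{"xml", "extended", "timestamp", "id", "ktimestamp", "labels", }` has a stray trailing comma before the closing brace that none of the neighbouring initializers use; drop it for consistency.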
> @@ -1108,6 +1110,15 @@ exp_event_sighandler(int s)
> exit(0);
> }
>
> +static void print_labels(const struct nfct_bitmask *b)
> +{
> + char buf[1024];
> + if (!b)
> + return;
> + nfct_snprintf_labels(buf, sizeof(buf), label_map, b, NFCT_O_DEFAULT);
> + printf(" labels=%s", buf);
> +}
> +
> static int event_cb(enum nf_conntrack_msg_type type,
> struct nf_conntrack *ct,
> void *data)
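Review bot: print_labels() ignores the return value of nfct_snprintf_labels() and never initializes `buf`, so if the call fails or writes nothing the `printf(" labels=%s", buf)` prints uninitialized stack contents; set `buf[0] = '\0'` or check the return value before printing. The function also relies on the caller never reaching it with a NULL label_map, which currently holds only because main() clears _O_LAB on labelmap failure; a `if (!b || !label_map) return;` guard here would make that explicit.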
> @@ -1152,7 +1163,11 @@ static int event_cb(enum nf_conntrack_msg_type type,
>
> nfct_snprintf(buf, sizeof(buf), ct, type, op_type, op_flags);
>
> - printf("%s\n", buf);
> + printf("%s", buf);
> +
> + if (output_mask & _O_LAB)
> + print_labels(nfct_get_attr(ct, ATTR_CONNLABELS));
> + printf("\n");
> fflush(stdout);
>
> counter++;
> @@ -1195,8 +1210,11 @@ static int dump_cb(enum nf_conntrack_msg_type type,
> op_flags |= NFCT_OF_ID;
>
> nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, op_type, op_flags);
> - printf("%s\n", buf);
> + printf("%s", buf);
>
> + if (output_mask & _O_LAB)
> + print_labels(nfct_get_attr(ct, ATTR_CONNLABELS));
> + printf("\n");
> counter++;
>
> return NFCT_CB_CONTINUE;
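Review bot: The `printf("%s", buf); if (output_mask & _O_LAB) print_labels(...); printf("\n");` sequence in dump_cb duplicates the one added to event_cb in the previous hunk; factor it into one helper so the two output paths cannot drift. Appending the labels after nfct_snprintf's buffer is also what makes the xml format impossible to support here, which is the point raised in the reply above about an extended snprintf taking the labelmap and bitmask.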
> @@ -1879,6 +1897,17 @@ int main(int argc, char *argv[])
> case 'o':
> options |= CT_OPT_OUTPUT;
> parse_parameter(optarg, &output_mask, PARSE_OUTPUT);
> + if (output_mask & _O_LAB) {
> + if (output_mask & _O_XML) {
> + output_mask &= ~_O_LAB;
> + break;
> + }
> + label_map = nfct_labelmap_new(NULL);
> + if (!label_map) {
> + perror("nfct_labelmap_new");
> + output_mask &= ~_O_LAB;
> + }
> + }
> break;
> case 'z':
> options |= CT_OPT_ZERO;
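Review bot: The 'o' case runs once per occurrence of -o on the command line, so `-o labels -o labels` calls nfct_labelmap_new() twice and overwrites label_map, leaking the first map; guard the allocation with `if (!label_map)`. The xml+labels conflict is also dropped without any diagnostic, unlike the perror() path just below it; print a warning to stderr so the user knows why labels are missing.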
> @@ -2372,6 +2401,8 @@ try_proc:
>
> free_tmpl_objects();
> free_options();
> + if (label_map)
> + nfct_labelmap_destroy(label_map);
>
> if (command && exit_msg[cmd][0]) {
> fprintf(stderr, "%s v%s (conntrack-tools): ",PROGNAME,VERSION);
> --
> 1.8.1.5
>
Thread overview:
2013-06-30 21:10 [PATCH conntracktools] conntrackd: support replication of connlabels Florian Westphal
2013-06-30 21:10 ` [PATCH 2/2] conntrack: add connlabel format attribute Florian Westphal
2013-06-30 21:39 ` Pablo Neira Ayuso [this message]