From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [ulogd PATCH 2/3] add mark event filter
Date: Tue, 8 Apr 2014 19:32:19 +0900 [thread overview]
Message-ID: <20140408103218.GC29462@gmail.com> (raw)
In-Reply-To: <20140408102614.GA29462@gmail.com>
This patch adds a new configuration variable which is used to limit
conntrack events to connections carrying the given mark.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
configure.ac | 15 +++++++++
input/flow/ulogd_inpflow_NFCT.c | 75 +++++++++++++++++++++++++++++++++++++++--
2 files changed, 88 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 522c345..7e5f5fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,20 @@ AS_IF([test "x$enable_nfct" = "xyes"], [
AC_DEFINE([BUILD_NFCT], [1], [Building nfct module])
])
AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
+AS_IF([test "x$enable_nfct" = "xyes"], [
+ AC_MSG_CHECKING([for enable mark filter for event])
+ AC_CACHE_VAL(ac_cv_nfct_filter_mark,
+ AC_TRY_COMPILE(
+ [ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>],
+ [ int i = NFCT_FILTER_MARK; ],
+ ac_cv_nfct_filter_mark=yes,
+ ac_cv_nfct_filter_mark=no))
+ AC_MSG_RESULT($ac_cv_nfct_filter_mark)
+ AS_IF([test "x$ac_cv_nfct_filter_mark" = "xyes"], [
+ AC_DEFINE([HAVE_NFCT_FILTER_MARK], [1], [Building nfct mark event filter])
+ ])
+])
+
AC_ARG_ENABLE(nfacct,
AS_HELP_STRING([--enable-nfacct], [Enable nfacct module [default=yes]]),,[enable_nfacct=yes])
AS_IF([test "x$enable_nfacct" = "xyes"], [
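Review bot: The new feature test at `AC_TRY_COMPILE(` uses a macro autoconf has marked obsolete; the equivalent `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <libnetfilter_conntrack/libnetfilter_conntrack.h>]], [[int i = NFCT_FILTER_MARK;]])], [ac_cv_nfct_filter_mark=yes], [ac_cv_nfct_filter_mark=no])` form avoids the autoupdate warning. The cached variable is only assigned inside the `$enable_nfct = yes` branch, so the summary line added in the second hunk of this file (`with MARK event filter ${ac_cv_nfct_filter_mark}`) prints an empty value when the NFCT plugin is disabled; initialising `ac_cv_nfct_filter_mark=no` before the AS_IF, or emitting that summary line only when nfct is enabled, keeps the configure output unambiguous.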
@@ -156,6 +170,7 @@ Ulogd configuration:
Input plugins:
NFLOG plugin: ${enable_nflog}
NFCT plugin: ${enable_nfct}
+ with MARK event filter ${ac_cv_nfct_filter_mark}
NFACCT plugin: ${enable_nfacct}
Output plugins:
PCAP plugin: ${enable_pcap}
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 899b7e3..a5cf854 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -35,6 +35,7 @@
#include <sys/time.h>
#include <time.h>
+#include <ctype.h>
#include <netinet/in.h>
#include <netdb.h>
#include <ulogd/linuxlist.h>
@@ -78,7 +79,7 @@ struct nfct_pluginstance {
#define EVENT_MASK NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
static struct config_keyset nfct_kset = {
- .num_ces = 12,
+ .num_ces = 13,
.ces = {
{
.key = "pollinterval",
@@ -149,6 +150,11 @@ static struct config_keyset nfct_kset = {
.type = CONFIG_TYPE_STRING,
.options = CONFIG_OPT_NONE,
},
+ {
+ .key = "accept_mark_filter",
+ .type = CONFIG_TYPE_STRING,
+ .options = CONFIG_OPT_NONE,
+ },
},
};
#define pollint_ce(x) (x->ces[0])
@@ -163,6 +169,7 @@ static struct config_keyset nfct_kset = {
#define src_filter_ce(x) ((x)->ces[9])
#define dst_filter_ce(x) ((x)->ces[10])
#define proto_filter_ce(x) ((x)->ces[11])
+#define mark_filter_ce(x) ((x)->ces[12])
enum nfct_keys {
NFCT_ORIG_IP_SADDR = 0,
@@ -1221,6 +1228,60 @@ static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
return 0;
}
+#if defined HAVE_NFCT_FILTER_MARK
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+ char *p, *endptr;
+ uintmax_t v;
+ struct nfct_filter_dump_mark filter_mark;
+ errno = 0;
+
+ for (p = filter_string; isspace(*p); ++p)
+ ;
+ v = strtoumax(p, &endptr, 0);
+ if (endptr == p)
+ goto invalid_error;
+ if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+ goto invalid_error;
+ filter_mark.val = (uint32_t)v;
+
+ if (*endptr != '\0') {
+ for (p = endptr; isspace(*p); ++p)
+ ;
+ if (*p++ != '/')
+ goto invalid_error;
+ for (; isspace(*p); ++p)
+ ;
+ v = strtoumax(p, &endptr, 0);
+ if (endptr == p)
+ goto invalid_error;
+ if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+ goto invalid_error;
+ filter_mark.mask = (uint32_t)v;
+ if (*endptr != '\0')
+ goto invalid_error;
+ } else {
+ filter_mark.mask = UINT32_MAX;
+ }
+
+ ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+ filter_mark.val, filter_mark.mask);
+ nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+
+ return 0;
+
+invalid_error:
+ ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
+ return -1;
+
+}
+#else
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+ ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
+ return -1;
+}
+#endif /* HAVE_NFCT_FILTER_MARK */
static int build_nfct_filter(struct ulogd_pluginstance *upi)
{
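Review bot: The casts at `filter_mark.val = (uint32_t)v;` and `filter_mark.mask = (uint32_t)v;` silently truncate any parsed value above UINT32_MAX (strtoumax happily returns values up to UINTMAX_MAX and also accepts a leading minus sign, so `0x100000000` becomes 0 and `-1` becomes 0xffffffff), which turns a mistyped mark into a filter that quietly selects the wrong connections instead of being rejected; add `if (v > UINT32_MAX) goto invalid_error;` after each of the two existing errno checks. The three `isspace(*p)` calls pass a plain `char`, which is undefined for negative values where char is signed, so write `isspace((unsigned char)*p)`. The `errno == ERANGE && v == UINTMAX_MAX` half of the condition is subsumed by `errno != 0` and can be dropped. Since the include hunk adds only `<ctype.h>` while this function also relies on strtoumax, uintmax_t, UINTMAX_MAX and errno, confirm that `<inttypes.h>` and `<errno.h>` are already included above that hunk rather than arriving transitively. The `#else` stub leaves both parameters unused; `(void)filter; (void)filter_string;` keeps the non-HAVE_NFCT_FILTER_MARK build warning-free.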
@@ -1264,6 +1325,15 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
}
}
+ if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_mark(filter, filter_string) != 0) {
+ ulogd_log(ULOGD_FATAL,
+ "Unable to create mark filter\n");
+ goto err_filter;
+ }
+ }
+
if (filter) {
if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
ulogd_log(ULOGD_FATAL, "nfct_filter_attach");
@@ -1296,7 +1366,8 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
(strlen(dst_filter_ce(upi->config_kset).u.string) != 0) ||
- (strlen(proto_filter_ce(upi->config_kset).u.string) != 0)
+ (strlen(proto_filter_ce(upi->config_kset).u.string) != 0) ||
+ (strlen(mark_filter_ce(upi->config_kset).u.string) != 0)
) {
if (build_nfct_filter(upi) != 0) {
ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
--
1.8.5.3