From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [ulogd PATCH 3/3] add mark dump filter
Date: Tue, 8 Apr 2014 19:34:22 +0900 [thread overview]
Message-ID: <20140408103420.GD29462@gmail.com> (raw)
In-Reply-To: <20140408102614.GA29462@gmail.com>
This patch makes enable to filter dump by mark.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
input/flow/ulogd_inpflow_NFCT.c | 63 +++++++++++++++++++++++++++--------------
1 file changed, 42 insertions(+), 21 deletions(-)
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index a5cf854..37b45e8 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -71,6 +71,7 @@ struct nfct_pluginstance {
struct ulogd_timer ov_timer; /* overrun retry timer */
struct hashtable *ct_active;
int nlbufsiz; /* current netlink buffer size */
+ struct nfct_filter_dump *filter_dump;
struct nf_conntrack *ct;
};
@@ -1003,8 +1004,9 @@ dump_reset_handler(enum nf_conntrack_msg_type type,
static void get_ctr_zero(struct ulogd_pluginstance *upi)
{
+ struct nfct_pluginstance *cpi =
+ (struct nfct_pluginstance *)upi->private;
struct nfct_handle *h;
- int family = AF_UNSPEC;
h = nfct_open(CONNTRACK, 0);
if (h == NULL) {
@@ -1012,7 +1014,7 @@ static void get_ctr_zero(struct ulogd_pluginstance *upi)
return;
}
nfct_callback_register(h, NFCT_T_ALL, &dump_reset_handler, upi);
- if (nfct_query(h, NFCT_Q_DUMP_RESET, &family) == -1)
+ if (nfct_query(h, NFCT_Q_DUMP_FILTER_RESET, cpi->filter_dump) == -1)
ulogd_log(ULOGD_FATAL, "Cannot dump and reset counters\n");
nfct_close(h);
@@ -1023,9 +1025,8 @@ static void polling_timer_cb(struct ulogd_timer *t, void *data)
struct ulogd_pluginstance *upi = data;
struct nfct_pluginstance *cpi =
(struct nfct_pluginstance *)upi->private;
- int family = AF_UNSPEC;
- nfct_query(cpi->pgh, NFCT_Q_DUMP, &family);
+ nfct_query(cpi->pgh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
hashtable_iterate(cpi->ct_active, upi, do_purge);
ulogd_add_timer(&cpi->timer, pollint_ce(upi->config_kset).u.value);
}
@@ -1044,12 +1045,11 @@ static int configure_nfct(struct ulogd_pluginstance *upi,
static void overrun_timeout(struct ulogd_timer *a, void *data)
{
- int family = AF_UNSPEC;
struct ulogd_pluginstance *upi = data;
struct nfct_pluginstance *cpi =
(struct nfct_pluginstance *)upi->private;
- nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
+ nfct_send(cpi->ovh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
}
@@ -1228,8 +1228,8 @@ static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
return 0;
}
-#if defined HAVE_NFCT_FILTER_MARK
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string,
+ struct nfct_filter_dump *filter_dump)
{
char *p, *endptr;
uintmax_t v;
@@ -1264,24 +1264,27 @@ static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_strin
filter_mark.mask = UINT32_MAX;
}
- ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+ if (filter != NULL) {
+#if defined HAVE_NFCT_FILTER_MARK
+ nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+ ulogd_log(ULOGD_NOTICE, "adding mark to event filter: \"%u/%u\"\n",
+ filter_mark.val, filter_mark.mask);
+#else
+ ulogd_log(ULOGD_FATAL, "mark event filter is not supported\n");
+ return -1;
+#endif
+ }
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+ &filter_mark);
+ ulogd_log(ULOGD_NOTICE, "adding mark to dump filter: \"%u/%u\"\n",
filter_mark.val, filter_mark.mask);
- nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
return 0;
invalid_error:
ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
return -1;
-
-}
-#else
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
-{
- ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
- return -1;
}
-#endif /* HAVE_NFCT_FILTER_MARK */
static int build_nfct_filter(struct ulogd_pluginstance *upi)
{
@@ -1327,7 +1330,7 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
char *filter_string = mark_filter_ce(upi->config_kset).u.string;
- if (build_nfct_filter_mark(filter, filter_string) != 0) {
+ if (build_nfct_filter_mark(filter, filter_string, cpi->filter_dump) != 0) {
ulogd_log(ULOGD_FATAL,
"Unable to create mark filter\n");
goto err_filter;
@@ -1412,7 +1415,6 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
goto err_nfctobj;
if (usehash_ce(upi->config_kset).u.value != 0) {
- int family = AF_UNSPEC;
struct nfct_handle *h;
/* we use a hashtable to cache entries in userspace. */
@@ -1436,7 +1438,7 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
}
nfct_callback_register(h, NFCT_T_ALL,
&event_handler_hashtable, upi);
- nfct_query(h, NFCT_Q_DUMP, &family);
+ nfct_query(h, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
nfct_close(h);
/* the overrun handler only make sense with the hashtable,
@@ -1500,6 +1502,14 @@ static int constructor_nfct_polling(struct ulogd_pluginstance *upi)
ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
goto err;
}
+ if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_mark(NULL, filter_string,
+ cpi->filter_dump) != 0) {
+ ulogd_log(ULOGD_FATAL, "error creating NFCT mark filter\n");
+ goto err_hashtable;
+ }
+ }
nfct_callback_register(cpi->pgh, NFCT_T_ALL, &polling_handler, upi);
cpi->ct_active =
@@ -1534,6 +1544,15 @@ err:
static int constructor_nfct(struct ulogd_pluginstance *upi)
{
+ struct nfct_pluginstance *cpi =
+ (struct nfct_pluginstance *) upi->private;
+
+ cpi->filter_dump = nfct_filter_dump_create();
+ if (cpi->filter_dump == NULL) {
+ ulogd_log(ULOGD_FATAL, "could not create filter_dump\n");
+ return -1;
+ }
+
if (pollint_ce(upi->config_kset).u.value == 0) {
/* listen to ctnetlink events. */
return constructor_nfct_events(upi);
@@ -1553,6 +1572,8 @@ static int destructor_nfct_events(struct ulogd_pluginstance *upi)
ulogd_unregister_fd(&cpi->nfct_fd);
+ nfct_filter_dump_destroy(cpi->filter_dump);
+
rc = nfct_close(cpi->cth);
if (rc < 0)
return rc;
--
1.8.5.3
prev parent reply other threads:[~2014-04-08 10:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-08 10:26 [libnetfilter_conntrack/ulogd PATCH 0/3] add mark filter Ken-ichirou MATSUZAWA
2014-04-08 10:30 ` [libnetfilter_conntrack PATCH 1/3] conntrack: add mark event filter Ken-ichirou MATSUZAWA
2014-04-14 12:53 ` Pablo Neira Ayuso
2014-04-15 11:54 ` [libnetfilter_conntrack PATCH 1/3 resend] " Ken-ichirou MATSUZAWA
2014-04-08 10:32 ` [ulogd PATCH 2/3] " Ken-ichirou MATSUZAWA
2014-04-14 12:54 ` Pablo Neira Ayuso
2014-04-08 10:34 ` Ken-ichirou MATSUZAWA [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140408103420.GD29462@gmail.com \
--to=chamaken@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).