From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [libnetfilter_conntrack PATCH 1/3 resend] conntrack: add mark event filter
Date: Tue, 15 Apr 2014 20:54:53 +0900 [thread overview]
Message-ID: <20140415115453.GA6947@gmail.com> (raw)
In-Reply-To: <20140414125324.GA22192@localhost>
This patch adds a mark filter for the event listener, reusing the same struct
nfct_filter_dump_mark.
Signed-off-by Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
include/internal/object.h | 7 +++
.../libnetfilter_conntrack.h | 1 +
src/conntrack/bsf.c | 55 ++++++++++++++++++++++
src/conntrack/filter.c | 13 +++++
4 files changed, 76 insertions(+)
diff --git a/include/internal/object.h b/include/internal/object.h
index 540ad0d..1259467 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -263,6 +263,13 @@ struct nfct_filter {
u_int32_t mask[4];
} l3proto_ipv6[2][__FILTER_IPV6_MAX];
+ u_int32_t mark_elems;
+ struct {
+#define __FILTER_MARK_MAX 127
+ u_int32_t val;
+ u_int32_t mask;
+ } mark[__FILTER_MARK_MAX];
+
u_int32_t set[1];
};
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index d4542ba..890721a 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -496,6 +496,7 @@ enum nfct_filter_attr {
NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */
NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */
NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */
+ NFCT_FILTER_MARK, /* struct nfct_filter_dump_mark */
NFCT_FILTER_MAX
};
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 534202f..632c201 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -663,6 +663,58 @@ bsf_add_daddr_ipv6_filter(const struct nfct_filter *f, struct sock_filter *this)
return bsf_add_addr_ipv6_filter(f, this, CTA_IP_V6_DST);
}
+static int
+bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+{
+ unsigned int i, j;
+ unsigned int label_continue, jt;
+ struct stack *s;
+ struct jump jmp;
+
+ /* nothing to filter, skip */
+ if (f->mark_elems == 0)
+ return 0;
+
+ /* XXX: see bsf_add_addr_ipv4_filter() */
+ s = stack_create(sizeof(struct jump), 3 + 127);
+ if (s == NULL) {
+ errno = ENOMEM;
+ return -1;
+ }
+
+ jt = 1;
+ if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_POSITIVE)
+ label_continue = 1;
+ else
+ label_continue = 2;
+
+ j = 0;
+ j += nfct_bsf_load_payload_offset(this, j);
+ j += nfct_bsf_find_attr(this, CTA_MARK, j);
+ j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
+ j += nfct_bsf_x_equal_a(this, j);
+
+ for (i = 0; i < f->mark_elems; i++) {
+ int mark = f->mark[i].val & f->mark[i].mask;
+
+ j += nfct_bsf_load_attr(this, BPF_W, j);
+ j += nfct_bsf_alu_and(this, f->mark[i].mask, j);
+ j += nfct_bsf_cmp_k_stack(this, mark, jt - j, j, s);
+ }
+
+ while (stack_pop(s, &jmp) != -1)
+ this[jmp.line].jt += jmp.jt + j;
+
+ if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_NEGATIVE)
+ j += nfct_bsf_jump_to(this, 1, j);
+
+ j += nfct_bsf_ret_verdict(this, NFCT_FILTER_REJECT, j);
+
+ stack_destroy(s);
+
+ return j;
+}
+
/* this buffer must be big enough to store all the autogenerated lines */
#define BSF_BUFFER_SIZE 2048
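Review bot: `stack_create(sizeof(struct jump), 3 + 127)` hard-codes the element cap that object.h names `__FILTER_MARK_MAX` in the same series; if that cap is ever changed in the struct, the stack here silently becomes too small, so write `s = stack_create(sizeof(struct jump), 3 + __FILTER_MARK_MAX);` and replace the opaque `/* XXX: see bsf_add_addr_ipv4_filter() */` with a comment that says what the size reserves (one pending jump per element plus the preamble compares, if that is the intent). In the loop, `int mark = f->mark[i].val & f->mark[i].mask;` narrows two `u_int32_t` fields into a signed `int`; `u_int32_t mark = f->mark[i].val & f->mark[i].mask;` keeps the value range intact (the parameter type of `nfct_bsf_cmp_k_stack` is not visible in this hunk, so confirm it matches). If `jt` in `struct sock_filter` is the 8-bit field, 127 elements at three instructions each can make the forward jump fixed up by `this[jmp.line].jt += jmp.jt + j` exceed 255 and wrap, so the generated program would accept or reject the wrong events; the existing address filters presumably share this ceiling, but the effective maximum is worth confirming before a filter can silently mis-compile.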
@@ -696,6 +748,9 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
j += bsf_add_state_filter(f, &bsf[j]);
show_filter(bsf, from, j, "---- check state ----");
from = j;
+ j += bsf_add_mark_filter(f, &bsf[j]);
+ show_filter(bsf, from, j, "---- check mark ----");
+ from = j;
/* nothing to filter, skip */
if (j == 0)
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 026545a..78fbbc5 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -79,6 +79,18 @@ static void filter_attr_dst_ipv6(struct nfct_filter *filter, const void *value)
filter->l3proto_elems_ipv6[1]++;
}
+static void filter_attr_mark(struct nfct_filter *filter, const void *value)
+{
+ const struct nfct_filter_dump_mark *this = value;
+
+ if (filter->mark_elems >= __FILTER_MARK_MAX)
+ return;
+
+ filter->mark[filter->mark_elems].val = this->val;
+ filter->mark[filter->mark_elems].mask = this->mask;
+ filter->mark_elems++;
+}
+
const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
[NFCT_FILTER_L4PROTO] = filter_attr_l4proto,
[NFCT_FILTER_L4PROTO_STATE] = filter_attr_l4proto_state,
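Review bot: `filter_attr_mark` drops any entry past `__FILTER_MARK_MAX` with a bare `return;`, and because the `filter_attr` callback is void the caller gets no indication that its mark filter is incomplete, which can leave events unfiltered that the user expected to be rejected. The existing address setters appear to follow the same pattern (their bound checks are outside this hunk), so at least make it explicit: add `/* table full: the extra entry is silently dropped, as in the address filters */` above the `if (filter->mark_elems >= __FILTER_MARK_MAX)` check, and mention the 127-entry ceiling in the `NFCT_FILTER_MARK` comment in libnetfilter_conntrack.h so API users can size their filters.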
@@ -86,4 +98,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
[NFCT_FILTER_DST_IPV4] = filter_attr_dst_ipv4,
[NFCT_FILTER_SRC_IPV6] = filter_attr_src_ipv6,
[NFCT_FILTER_DST_IPV6] = filter_attr_dst_ipv6,
+ [NFCT_FILTER_MARK] = filter_attr_mark,
};
--
1.9.1