[PATCH libnetfilter_conntrack v2 0/2] add event filters

[PATCH libnetfilter_conntrack v2 0/2] add event filters

[Ken-ichirou MATSUZAWA]

  Hello,
 
I tried to chang zero CTA_MARK and CTA_ZONE value handling, regard its value
as 0 if the values are not set in a message.
 
Thanks,

[PATCH libnetfilter_conntrack v2 1/2] conntrack: add mark event filter

[Ken-ichirou MATSUZAWA]

This patch adds mark filter for event listener, using same struct
nfct_filter_dump_mark.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 include/internal/object.h                          |  7 +++
 .../libnetfilter_conntrack.h                       |  1 +
 src/conntrack/bsf.c                                | 73 ++++++++++++++++++++++
 src/conntrack/filter.c                             | 13 ++++
 4 files changed, 94 insertions(+)

diff --git a/include/internal/object.h b/include/internal/object.h
index 540ad0d..1259467 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -263,6 +263,13 @@ struct nfct_filter {
 		u_int32_t 	mask[4];
 	} l3proto_ipv6[2][__FILTER_IPV6_MAX];
 
+	u_int32_t 		mark_elems;
+	struct {
+#define __FILTER_MARK_MAX	127
+		u_int32_t 	val;
+		u_int32_t 	mask;
+	} mark[__FILTER_MARK_MAX];
+
 	u_int32_t 		set[1];
 };
 
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index a5e6a91..03bf3ca 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -498,6 +498,7 @@ enum nfct_filter_attr {
 	NFCT_FILTER_DST_IPV4,		/* struct nfct_filter_ipv4 */
 	NFCT_FILTER_SRC_IPV6,		/* struct nfct_filter_ipv6 */
 	NFCT_FILTER_DST_IPV6,		/* struct nfct_filter_ipv6 */
+	NFCT_FILTER_MARK,		/* struct nfct_filter_dump_mark */
 	NFCT_FILTER_MAX
 };
 
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 534202f..d4dfaec 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -55,6 +55,9 @@ static char *code2str(u_int16_t code)
 	case BPF_MISC|BPF_TAX:
 		return "BPF_MISC|BPF_TAX";
 		break;
+	case BPF_MISC|BPF_TXA:
+		return "BPF_MISC|BPF_TXA";
+		break;
 	case BPF_LD|BPF_B|BPF_IND:
 		return "BPF_LD|BPF_B|BPF_IND";
 		break;
@@ -228,6 +231,16 @@ nfct_bsf_x_equal_a(struct sock_filter *this, int pos)
 }
 
 static int
+nfct_bsf_a_equal_x(struct sock_filter *this, int pos)
+{
+	struct sock_filter __code = {
+		.code	= BPF_MISC|BPF_TXA,
+	};
+	memcpy(&this[pos], &__code, sizeof(__code));
+	return NEW_POS(__code);
+}
+
+static int
 nfct_bsf_load_attr(struct sock_filter *this, int word_size, int pos)
 {
 	struct sock_filter __code = {
@@ -663,6 +676,63 @@ bsf_add_daddr_ipv6_filter(const struct nfct_filter *f, struct sock_filter *this)
 	return bsf_add_addr_ipv6_filter(f, this, CTA_IP_V6_DST);
 }
 
+static int
+bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+{
+	unsigned int i, j;
+	unsigned int jt;
+	struct stack *s;
+	struct jump jmp;
+	struct sock_filter __code = {
+		/* if (A == 0) skip next two */
+		.code = BPF_JMP|BPF_JEQ|BPF_K,
+		.k = 0,
+		.jt = 2,
+		.jf = 0,
+	};
+
+	/* nothing to filter, skip */
+	if (f->mark_elems == 0)
+		return 0;
+
+	/* XXX: see bsf_add_addr_ipv4_filter() */
+	s = stack_create(sizeof(struct jump), 3 + 127);
+	if (s == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	jt = 1;
+	j = 0;
+	j += nfct_bsf_load_payload_offset(this, j);
+	j += nfct_bsf_find_attr(this, CTA_MARK, j);
+	memcpy(&this[j], &__code, sizeof(__code));
+	j += NEW_POS(__code);
+	j += nfct_bsf_x_equal_a(this, j);
+	j += nfct_bsf_load_attr(this, BPF_W, j);
+	j += nfct_bsf_x_equal_a(this, j);
+
+	for (i = 0; i < f->mark_elems; i++) {
+		int mark = f->mark[i].val & f->mark[i].mask;
+
+		j += nfct_bsf_alu_and(this, f->mark[i].mask, j);
+		j += nfct_bsf_cmp_k_stack(this, mark, jt - j, j, s);
+		j += nfct_bsf_a_equal_x(this, j);
+	}
+
+	while (stack_pop(s, &jmp) != -1)
+		this[jmp.line].jt += jmp.jt + j;
+
+	if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_NEGATIVE)
+		j += nfct_bsf_jump_to(this, 1, j);
+
+	j += nfct_bsf_ret_verdict(this, NFCT_FILTER_REJECT, j);
+
+	stack_destroy(s);
+
+	return j;
+}
+
 /* this buffer must be big enough to store all the autogenerated lines */
 #define BSF_BUFFER_SIZE 	2048
 
@@ -696,6 +766,9 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
 	j += bsf_add_state_filter(f, &bsf[j]);
 	show_filter(bsf, from, j, "---- check state ----");
 	from = j;
+	j += bsf_add_mark_filter(f, &bsf[j]);
+	show_filter(bsf, from, j, "---- check mark ----");
+	from = j;
 
 	/* nothing to filter, skip */
 	if (j == 0)
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 026545a..78fbbc5 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -79,6 +79,18 @@ static void filter_attr_dst_ipv6(struct nfct_filter *filter, const void *value)
 	filter->l3proto_elems_ipv6[1]++;
 }
 
+static void filter_attr_mark(struct nfct_filter *filter, const void *value)
+{
+	const struct nfct_filter_dump_mark *this = value;
+
+	if (filter->mark_elems >= __FILTER_MARK_MAX)
+		return;
+
+	filter->mark[filter->mark_elems].val = this->val;
+	filter->mark[filter->mark_elems].mask = this->mask;
+	filter->mark_elems++;
+}
+
 const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_L4PROTO]		= filter_attr_l4proto,
 	[NFCT_FILTER_L4PROTO_STATE]	= filter_attr_l4proto_state,
@@ -86,4 +98,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_DST_IPV4]		= filter_attr_dst_ipv4,
 	[NFCT_FILTER_SRC_IPV6]		= filter_attr_src_ipv6,
 	[NFCT_FILTER_DST_IPV6]		= filter_attr_dst_ipv6,
+	[NFCT_FILTER_MARK]		= filter_attr_mark,
 };
-- 
1.9.1

[PATCH libnetfilter_conntrack v2 2/2] conntrack: add zone event filter

[Ken-ichirou MATSUZAWA]

This patch adds zone filter for event listener.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 include/internal/object.h                          |  4 ++
 .../libnetfilter_conntrack.h                       |  1 +
 src/conntrack/bsf.c                                | 71 +++++++++++++++++++---
 src/conntrack/filter.c                             | 10 +++
 4 files changed, 77 insertions(+), 9 deletions(-)

diff --git a/include/internal/object.h b/include/internal/object.h
index 1259467..83d9010 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -270,6 +270,10 @@ struct nfct_filter {
 		u_int32_t 	mask;
 	} mark[__FILTER_MARK_MAX];
 
+	u_int32_t 		zone_elems;
+#define __FILTER_ZONE_MAX	511
+	u_int16_t		zone[__FILTER_ZONE_MAX];
+
 	u_int32_t 		set[1];
 };
 
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 03bf3ca..52fee85 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -499,6 +499,7 @@ enum nfct_filter_attr {
 	NFCT_FILTER_SRC_IPV6,		/* struct nfct_filter_ipv6 */
 	NFCT_FILTER_DST_IPV6,		/* struct nfct_filter_ipv6 */
 	NFCT_FILTER_MARK,		/* struct nfct_filter_dump_mark */
+	NFCT_FILTER_ZONE,		/* u_int16_t */
 	NFCT_FILTER_MAX
 };
 
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index d4dfaec..2a46d4d 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -316,6 +316,20 @@ bsf_cmp_subsys(struct sock_filter *this, int pos, u_int8_t subsys)
 }
 
 static int
+nfct_bsf_skip_if_a(struct sock_filter *this, int pos,
+		   u_int32_t aval, u_int8_t nskip)
+{
+	struct sock_filter __code = {
+		.code = BPF_JMP|BPF_JEQ|BPF_K,
+		.k = aval,
+		.jt = nskip,
+		.jf = 0,
+	};
+	memcpy(&this[pos], &__code, sizeof(__code));
+	return NEW_POS(__code);
+}
+
+static int
 add_state_filter_cta(struct sock_filter *this,
 		     unsigned int cta_protoinfo_proto,
 		     unsigned int cta_protoinfo_state,
@@ -683,13 +697,6 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
 	unsigned int jt;
 	struct stack *s;
 	struct jump jmp;
-	struct sock_filter __code = {
-		/* if (A == 0) skip next two */
-		.code = BPF_JMP|BPF_JEQ|BPF_K,
-		.k = 0,
-		.jt = 2,
-		.jf = 0,
-	};
 
 	/* nothing to filter, skip */
 	if (f->mark_elems == 0)
@@ -706,8 +713,7 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
 	j = 0;
 	j += nfct_bsf_load_payload_offset(this, j);
 	j += nfct_bsf_find_attr(this, CTA_MARK, j);
-	memcpy(&this[j], &__code, sizeof(__code));
-	j += NEW_POS(__code);
+	j += nfct_bsf_skip_if_a(this, j, 0, 2);
 	j += nfct_bsf_x_equal_a(this, j);
 	j += nfct_bsf_load_attr(this, BPF_W, j);
 	j += nfct_bsf_x_equal_a(this, j);
@@ -733,6 +739,50 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
 	return j;
 }
 
+static int
+bsf_add_zone_filter(const struct nfct_filter *f, struct sock_filter *this)
+{
+	unsigned int i, j;
+	unsigned int jt;
+	struct stack *s;
+	struct jump jmp;
+
+	/* nothing to filter, skip */
+	if (f->zone_elems == 0)
+		return 0;
+
+	s = stack_create(sizeof(struct jump), 3 + 511);
+	if (s == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	jt = 1;
+	j = 0;
+	j += nfct_bsf_load_payload_offset(this, j);
+	j += nfct_bsf_find_attr(this, CTA_ZONE, j);
+	/* A message which does not contain CTA_ZONE is regarded
+	 * as its value is 0. */
+	j += nfct_bsf_skip_if_a(this, j, 0, 2);
+	j += nfct_bsf_x_equal_a(this, j);
+	j += nfct_bsf_load_attr(this, BPF_H, j);
+
+	for (i = 0; i < f->zone_elems; i++)
+		j += nfct_bsf_cmp_k_stack(this, f->zone[i], jt - j, j, s);
+
+	while (stack_pop(s, &jmp) != -1)
+		this[jmp.line].jt += jmp.jt + j;
+
+	if (f->logic[NFCT_FILTER_ZONE] == NFCT_FILTER_LOGIC_NEGATIVE)
+		j += nfct_bsf_jump_to(this, 1, j);
+
+	j += nfct_bsf_ret_verdict(this, NFCT_FILTER_REJECT, j);
+
+	stack_destroy(s);
+
+	return j;
+}
+
 /* this buffer must be big enough to store all the autogenerated lines */
 #define BSF_BUFFER_SIZE 	2048
 
@@ -769,6 +819,9 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
 	j += bsf_add_mark_filter(f, &bsf[j]);
 	show_filter(bsf, from, j, "---- check mark ----");
 	from = j;
+	j += bsf_add_zone_filter(f, &bsf[j]);
+	show_filter(bsf, from, j, "---- check zone ----");
+	from = j;
 
 	/* nothing to filter, skip */
 	if (j == 0)
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 78fbbc5..34be99b 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -91,6 +91,15 @@ static void filter_attr_mark(struct nfct_filter *filter, const void *value)
 	filter->mark_elems++;
 }
 
+static void filter_attr_zone(struct nfct_filter *filter, const void *value)
+{
+	if (filter->zone_elems >= __FILTER_ZONE_MAX)
+		return;
+
+	filter->zone[filter->zone_elems] = *(u_int16_t *)value;
+	filter->zone_elems++;
+}
+
 const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_L4PROTO]		= filter_attr_l4proto,
 	[NFCT_FILTER_L4PROTO_STATE]	= filter_attr_l4proto_state,
@@ -99,4 +108,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_SRC_IPV6]		= filter_attr_src_ipv6,
 	[NFCT_FILTER_DST_IPV6]		= filter_attr_dst_ipv6,
 	[NFCT_FILTER_MARK]		= filter_attr_mark,
+	[NFCT_FILTER_ZONE]		= filter_attr_zone,
 };
-- 
1.9.1