netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
Cc: The netfilter developer mailinglist
	<netfilter-devel@vger.kernel.org>,
	Florian Westphal <fw@strlen.de>
Subject: Re: [RFC PATCH libnetfilter_conntrack] add userspace dump filter
Date: Wed, 18 Jun 2014 10:59:36 +0200	[thread overview]
Message-ID: <20140618085936.GA3923@localhost> (raw)
In-Reply-To: <20140617123718.GC24712@gmail.com>

On Tue, Jun 17, 2014 at 09:37:18PM +0900, Ken-ichirou MATSUZAWA wrote:
> Hello,
> 
> I tried to filter the dump by zone in userspace. But it seems to me
> that CTA_ZONE is classified in a larger class than CTA_MARK, so I
> think it can be filtered in the kernel like CTA_MARK/CTA_MARK_MASK.
> 
> Which is the preferable way?
>
> --------
> 
> This patch adds more types to filter_dump, working in userspace,

If this works from userspace, then you can just filter out the
conntracks from the callback handler itself. So I don't think this
patch is the way to go.

The kernel side filtering aims to reduce the time to dump conntrack
tables with lots of entries. If you want to add filtering by zone in
the ctnetlink_dump_table path, you have to generalize the existing
ctnetlink code.

My suggestion is to rework ctnetlink_dump_filter to make it look like
(just quick code, I didn't even compile test it):

struct ctnetlink_dump_filter {
        enum ctnetlink_filter_key       key;
        u_int32_t                       data;
        u_int32_t                       mask;
};

The keys can be:

enum ctnetlink_filter_key {
        CTNL_FILTER_MARK = 0,
        CTNL_FILTER_ZONE,
};

Then, from ctnetlink_dump_table() you'll need to do something like:

        if (filter) {
                data = ctnetlink_fetch_key(ct, filter->key);
                /* '&' binds weaker than '==', so parenthesize the mask */
                if ((data & filter->mask) != filter->data)
                        continue;
        }

The ctnetlink_fetch_key() should look like:

static u_int32_t ctnetlink_fetch_key(const struct nf_conn *ct, u_int32_t key)
{
        u_int32_t ret = 0;      /* unknown key: nothing non-zero matches */

        switch (key) {
        case CTNL_FILTER_MARK:
                ret = ct->mark;
                break;          /* without break, MARK falls through to ZONE */
        case CTNL_FILTER_ZONE:
                ret = ct->zone;
                break;
        }

        return ret;
}

Please, if you work on this, first send us a patch to generalize the
filtering "framework" for ctnetlink dumps and then add the filtering
by zone.
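A stand-alone model of the generalized dump filter sketched above, added here as an example; it is neither the message's code nor kernel code. struct nf_conn is a constructed stand-in carrying only the mark and zone fields the filter reads, and ctnetlink_filter_match() and ctnetlink_dump_count() are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
enum ctnetlink_filter_key {
	CTNL_FILTER_MARK = 0,
	CTNL_FILTER_ZONE,
};

struct ctnetlink_dump_filter {
	enum ctnetlink_filter_key key;	/* which conntrack field to compare */
	uint32_t data;			/* expected value after masking */
	uint32_t mask;
};

struct nf_conn {	/* constructed stand-in: only the fields the filter reads */
	uint32_t mark;
	uint16_t zone;
};

static uint32_t ctnetlink_fetch_key(const struct nf_conn *ct,
				    enum ctnetlink_filter_key key)
{
	switch (key) {
	case CTNL_FILTER_MARK:
		return ct->mark;
	case CTNL_FILTER_ZONE:
		return ct->zone;
	}
	return 0;	/* unknown key: matches only a filter with data == 0 */
}

/* 1 if ct is dumped, 0 if the dump loop skips it; a NULL filter dumps all. */
int ctnetlink_filter_match(const struct nf_conn *ct,
			   const struct ctnetlink_dump_filter *filter)
{
	if (!filter)
		return 1;
	/* '&' binds weaker than '==' in C, so the parentheses are required */
	return (ctnetlink_fetch_key(ct, filter->key) & filter->mask) == filter->data;
}

/* Walk a table as ctnetlink_dump_table() would and count what gets dumped. */
size_t ctnetlink_dump_count(const struct nf_conn *table, size_t n,
			    const struct ctnetlink_dump_filter *filter)
{
	size_t i, dumped = 0;
	for (i = 0; i < n; i++)
		dumped += ctnetlink_filter_match(&table[i], filter) ? 1 : 0;
	return dumped;
}
```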


Thread overview: 4+ messages
2014-06-17 12:37 [RFC PATCH libnetfilter_conntrack] add userspace dump filter Ken-ichirou MATSUZAWA
2014-06-18  8:59 ` Pablo Neira Ayuso [this message]
2014-06-23 10:26   ` Ken-ichirou MATSUZAWA
2014-06-23 18:33     ` Pablo Neira Ayuso
