netfilter-devel.vger.kernel.org archive mirror
From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: The netfilter developer mailinglist
	<netfilter-devel@vger.kernel.org>,
	Florian Westphal <fw@strlen.de>
Subject: Re: [RFC PATCH libnetfilter_conntrack] add userspace dump filter
Date: Mon, 23 Jun 2014 19:26:50 +0900
Message-ID: <20140623102650.GD29052@gmail.com>
In-Reply-To: <20140618085936.GA3923@localhost>

Thank you for your understandable explanation.
 
2014-06-18 17:59 GMT+09:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Tue, Jun 17, 2014 at 09:37:18PM +0900, Ken-ichirou MATSUZAWA wrote:
> Please, if you work on this, first send us a patch to generalize the
> filtering "framework" for ctnetlink dumps and then add the filtering
> by zone.
 
How about using sk_filter? I understand it's less efficient than the way
you told me, but BPF seems more versatile and can work on a socket that
is both dumping and listening for events.
 
# I think your nfct-daemon.c example in libmnl
 
Also, I know this changes dump behavior; I need to include an indication
in an nla or somewhere that distinguishes it from a normal dump, but that
is not included.
 
--------

This patch enables dump filtering by BPF. It is not efficient, since every
nf_conn needs to be translated into an skb, but it can be used on both
event and dump sockets.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 net/netfilter/nf_conntrack_netlink.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index f77024d..189f19d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -831,10 +831,26 @@ restart:
 					    cb->nlh->nlmsg_seq,
 					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
 					    ct);
-			rcu_read_unlock();
-			if (res < 0) {
+			if (res >= 0) {
+				struct sk_filter *skfilter
+					= rcu_dereference(skb->sk->sk_filter);
+				int ret = 0;
+
+				if (skfilter != NULL) {
+					skb_pull(skb, cb->args[2]);
+					ret = SK_RUN_FILTER(skfilter, skb);
+					skb_push(skb, cb->args[2]);
+					if (ret)
+						cb->args[2] = res;
+					else
+						skb_trim(skb, cb->args[2]);
+				}
+				rcu_read_unlock();
+			} else {
+				rcu_read_unlock();
 				nf_conntrack_get(&ct->ct_general);
 				cb->args[1] = (unsigned long)ct;
+				cb->args[2] = 0;
 				spin_unlock(lockp);
 				goto out;
 			}
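Review bot: the offset bookkeeping in this hunk (`skb_pull(skb, cb->args[2]);` before running the filter, `cb->args[2] = res;` when it accepts, `skb_trim(skb, cb->args[2]);` when it rejects) only works if `res`, the success return of `ctnetlink_fill_info()`, is the new `skb->len`; a success return of 0 would make every later pull a no-op and every trim discard the whole buffer, so using `skb->len` directly (`cb->args[2] = skb->len;`) would remove the dependence on that return convention. Two smaller points: `cb->args[2]` is reset to 0 only in the `res < 0` resume branch, which is correct because the next call starts on a fresh skb, but deserves a one-line comment; and the `rcu_read_unlock()` now duplicated in both branches could be avoided by handling `res < 0` first and leaving the filter block under the single remaining unlock. The commit message should also state, as the cover mail does, that a filtered dump is indistinguishable from a normal one to the receiver until an indication is added.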
-- 
1.7.10.4


Thread overview: 4+ messages
2014-06-17 12:37 [RFC PATCH libnetfilter_conntrack] add userspace dump filter Ken-ichirou MATSUZAWA
2014-06-18  8:59 ` Pablo Neira Ayuso
2014-06-23 10:26   ` Ken-ichirou MATSUZAWA [this message]
2014-06-23 18:33     ` Pablo Neira Ayuso
