netfilter-devel.vger.kernel.org archive mirror
* [PATCH] CT: add "none" as parameter for --ctevents
@ 2011-01-31 22:48 Pablo Neira Ayuso
  2011-01-31 22:58 ` Pablo Neira Ayuso
  2011-02-01 15:19 ` Patrick McHardy
  0 siblings, 2 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2011-01-31 22:48 UTC (permalink / raw)
  To: netfilter-devel

This allows not delivering any event. This can be useful if you want
no events for some protocols, for example:

iptables -I PREROUTING -t raw -p udp -j CT --ctevents none

Thus, no events for UDP traffic are delivered to user-space.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_CT.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index 682dd83..e233902 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -68,7 +68,7 @@ static uint32_t ct_parse_events(const struct event_tbl *tbl, unsigned int size,
 	strcpy(str, events);
 	while ((t = strsep(&e, ","))) {
 		for (i = 0; i < size; i++) {
-			if (strcmp(t, tbl[i].name))
+			if (!strcmp(t, "none") || strcmp(t, tbl[i].name))
 				continue;
 			mask |= 1 << tbl[i].event;
 			break;
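Review bot: the "none" test on the `+` line sits inside the per-entry `for` loop, so `strcmp(t, "none")` is re-run for every table entry and its only effect is that nothing matches; compare `t` against "none" once before the `for` and skip to the next token from there. The lines after the loop are not in this hunk, but if an unknown-event check keys on the loop index reaching `size`, a "none" token will trip it and needs an explicit exemption. Two further points: "none" parsed this way returns mask 0, the same value an empty or absent --ctevents yields, so the returned mask carries no record that the user explicitly asked for no events; and "none,new" silently collapses to "new" instead of being rejected as contradictory.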
@@ -87,6 +87,10 @@ static void ct_print_events(const char *pfx, const struct event_tbl *tbl,
 	const char *sep = "";
 	unsigned int i;
 
+	if (mask == 0) {
+		printf("none ");
+		return;
+	}
 	printf("%s ", pfx);
 	for (i = 0; i < size; i++) {
 		if (mask & (1 << tbl[i].event)) {
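Review bot: the early return on `mask == 0` runs before `printf("%s ", pfx)`, so the prefix is dropped and a saved rule would read `none` rather than `--ctevents none`; print the prefix first and only then short-circuit with `none`. Also, the callers are outside this hunk, but if ct_print_events is only invoked when the mask is nonzero, this branch is unreachable and the "none" case will never be displayed.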


* [PATCH] CT: add "none" as parameter for --ctevents
@ 2016-05-14 16:22 Rolf Fokkens
  0 siblings, 0 replies; 4+ messages in thread
From: Rolf Fokkens @ 2016-05-14 16:22 UTC (permalink / raw)
  To: netfilter-devel

Hi,

I noticed increasing CPU utilisation by conntrackd, which resulted from 
our Zabbix monitoring. Zabbix creates lots of short-lived TCP 
connections, which of course has an impact on the number of connections and 
conntrackd. The solution is the following iptables command:

iptables -I PREROUTING -t raw -p tcp --dport 10050 -j CT --ctevents none

So Zabbix connections are welcome in the connection tracking table, but 
there's no need to synchronize them with the other firewall.

This needs some iptables patching; it was brought up before: 
http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/37745

The solution didn't work though: during processing a mask of 0 is 
interpreted as "not specified", which in turn is interpreted as "all 
events". So I got it to work with a trick: I use 0x8000 to specify 
"none". It will not be misunderstood as "not specified", but bit 16 will 
never match any (existing) events. The patch is below.

I think there's a better solution than misusing an unused bit, but the 
kernel (Latest Centos kernel that is) is happy with this, and so am I.

Rolf

[rolf.fokkens@th-dev-pkgbuilder ~]$ cat 
rpmbuild/SOURCES/iptables-1.4.21-ctevents_none.patch
--- iptables-1.4.21/extensions/libxt_CT.c.ctevents_none 2013-11-22 
12:18:13.000000000 +0100
+++ iptables-1.4.21/extensions/libxt_CT.c    2016-05-14 
12:43:56.368676956 +0200
@@ -95,6 +95,8 @@
  static uint32_t ct_parse_events(const struct event_tbl *tbl, unsigned 
int size,
                  const char *events)
  {
+    if (strcmp(events, "none") == 0) return 0x8000;
+
      char str[strlen(events) + 1], *e = str, *t;
      unsigned int mask = 0, i;
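Review bot: 0x8000 is `1 << 15`, i.e. bit 15 (the cover text says bit 16), and it appears as a bare magic number here and again in the print hunk; define it once as a named constant, ideally in the header the kernel side also reads, because the trick only works as long as the kernel treats that bit as "deliver nothing" rather than merely failing to match it. The early `return` placed before the `char str[...]` and `mask` declarations mixes statements and declarations, which C99 permits but the surrounding function does not do. The whole-string `strcmp(events, "none")` also means "none,new" falls through to the token loop and is reported as an unknown event type, which is acceptable behaviour but deserves a comment.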

@@ -121,6 +123,11 @@
      unsigned int i;

      printf(" %s ", pfx);
+    if ((mask & ~0x8000) == 0) {
+        printf ("none");
+        return;
+    }
+
      for (i = 0; i < size; i++) {
          if (mask & (1 << tbl[i].event)) {
              printf("%s%s", sep, tbl[i].name);
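Review bot: `(mask & ~0x8000) == 0` prints `none` for a mask of exactly 0 as well, so the parse and print paths disagree on what "none" is: the parser never produces 0 for it, the printer accepts both. Either test `mask == 0x8000` exactly, or mask the sentinel out everywhere with one shared constant defined next to the parser. Style: `printf ("none")` has a space before the parenthesis that the rest of the file does not use.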
--- iptables-1.4.21/extensions/libxt_CT.man.ctevents_none 2013-11-22 
12:18:13.000000000 +0100
+++ iptables-1.4.21/extensions/libxt_CT.man    2016-05-14 
12:34:29.723349847 +0200
@@ -15,6 +15,8 @@
  event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
  \fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
  the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
+Alternatively the set of events can be specified as \fBnone\fP, which
+explicitly specifies not to generate any event at all.
  .TP
  \fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
  Only generate the specified expectation events for this connection.
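Review bot: the added man-page sentence should state that `none` cannot be combined with other event names (with this patch `none,new` is rejected as an unknown event type) and that it differs from omitting --ctevents altogether, which as the cover text explains leaves the default set of events in force; as written a reader could take `none` and an absent option to be equivalent.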
[rolf.fokkens@th-dev-pkgbuilder ~]$
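Both messages above run into the same problem from different sides: a returned mask of 0 cannot say whether the user typed `--ctevents none` or nothing at all, and the 2016 patch works around it with an unused bit. The following is an added example, my own code and not libxt_CT.c or either patch, showing a third option for the user-space parser: carry an explicit "option given" flag beside the mask, reject `none` mixed with other names, and print the prefix before `none` so save output stays loadable. The event table is a subset modelled on the names the patches touch; the struct and function names are assumptions of this example, and a real extension would still need somewhere in the rule data to store the flag.

```c
/* Added example: a --ctevents parser with an explicit "given" flag.
 * Not libxt_CT.c code; event names/bits are a subset modelled on the
 * table the patches above edit, everything else is this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit positions, numbered like the kernel's conntrack event enum. */
enum ct_event { CT_NEW = 0, CT_RELATED, CT_DESTROY, CT_REPLY, CT_ASSURED };

struct event_tbl { const char *name; enum ct_event event; };

static const struct event_tbl ct_events[] = {
    { "new", CT_NEW },         { "related", CT_RELATED },
    { "destroy", CT_DESTROY }, { "reply", CT_REPLY },
    { "assured", CT_ASSURED },
};
#define CT_NEVENTS (sizeof(ct_events) / sizeof(ct_events[0]))

/* The mask alone cannot express "explicitly none"; given makes it unambiguous. */
struct ct_event_spec {
    uint32_t mask;  /* event bits to deliver; 0 means deliver nothing */
    int given;      /* 1 once --ctevents was parsed, "none" included */
};

/* Parse "new,related" or "none" into *out. Returns 0 on success, -1 for an
 * unknown or empty name, or for "none" combined with other names. */
static int ct_parse_events_spec(const char *events, struct ct_event_spec *out)
{
    const char *p = events;
    uint32_t mask = 0;
    unsigned int ntok = 0, i;
    int saw_none = 0;

    for (;;) {                              /* split on ',' without copying */
        const char *comma = strchr(p, ',');
        size_t tlen = comma ? (size_t)(comma - p) : strlen(p);

        ntok++;
        if (tlen == 4 && strncmp(p, "none", 4) == 0) {
            saw_none = 1;
        } else {
            for (i = 0; i < CT_NEVENTS; i++) {
                if (strlen(ct_events[i].name) == tlen &&
                    strncmp(p, ct_events[i].name, tlen) == 0) {
                    mask |= 1u << ct_events[i].event;
                    break;
                }
            }
            if (i == CT_NEVENTS)
                return -1;                  /* unknown (or empty) event name */
        }
        if (!comma)
            break;
        p = comma + 1;
    }
    if (saw_none && ntok != 1)
        return -1;                          /* "none,new" is contradictory */

    out->mask = mask;
    out->given = 1;
    return 0;
}

/* Render the way a save/print hook would: prefix first, so the "none"
 * case yields "--ctevents none". Returns "" when the option was never given. */
static const char *ct_format_events(const char *pfx,
                                    const struct ct_event_spec *spec,
                                    char *buf, size_t len)
{
    const char *sep = "";
    unsigned int i;
    size_t n;

    if (!spec->given)
        return "";
    n = (size_t)snprintf(buf, len, "%s ", pfx);
    if (spec->mask == 0) {
        if (n < len)
            snprintf(buf + n, len - n, "none");
        return buf;
    }
    for (i = 0; i < CT_NEVENTS && n < len; i++) {
        if (spec->mask & (1u << ct_events[i].event)) {
            n += (size_t)snprintf(buf + n, len - n, "%s%s", sep,
                                  ct_events[i].name);
            sep = ",";
        }
    }
    return buf;
}

/* Parse, then re-render; returns 1 when the output equals expect, else 0. */
static int ct_roundtrip_ok(const char *in, const char *expect)
{
    struct ct_event_spec spec = { 0, 0 };
    char buf[128];

    if (ct_parse_events_spec(in, &spec) != 0)
        return 0;
    return strcmp(ct_format_events("--ctevents", &spec, buf, sizeof buf),
                  expect) == 0;
}
```

With this shape a rule that never had --ctevents has `given == 0` and is simply not printed, `--ctevents none` survives a save/restore cycle as `--ctevents none`, and `none,new` is refused at parse time rather than being silently narrowed or misread as an unknown event. The user-space side still has to hand the kernel something it can distinguish from "unset"; this example only shows how the parser and printer can stop losing that information.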

