* [PATCH libnetfilter_conntrack 0/2] dump/flush support filtering by zone
@ 2023-12-05 9:34 Felix Huettner
From: Felix Huettner @ 2023-12-05 9:34 UTC (permalink / raw)
To: netfilter-devel
This patchset extends libnetfilter_conntrack so that it can send dump and flush requests
that filter by conntrack zone.
It is dependent on a patch to the kernel repo at
https://marc.info/?l=linux-kernel&m=170108582310775
Felix Huettner (2):
dump: support filtering by zone
flush: support filtering
include/internal/object.h | 1 +
include/internal/prototypes.h | 1 +
.../libnetfilter_conntrack.h | 5 ++
src/conntrack/api.c | 14 +++++
src/conntrack/build_mnl.c | 3 +
src/conntrack/filter_dump.c | 17 ++++++
utils/.gitignore | 1 +
utils/Makefile.am | 4 ++
utils/conntrack_dump_filter.c | 2 +
utils/conntrack_flush_filter.c | 60 +++++++++++++++++++
10 files changed, 108 insertions(+)
create mode 100644 utils/conntrack_flush_filter.c
--
2.43.0
* [PATCH libnetfilter_conntrack 1/2] dump: support filtering by zone
@ 2023-12-05 9:35 ` Felix Huettner
From: Felix Huettner @ 2023-12-05 9:35 UTC (permalink / raw)
To: netfilter-devel
Based on a kernel-side extension of the conntrack API, this patch brings
that extension to userspace.
When dumping the conntrack table we can now filter based on the
conntrack zone directly in kernel space. If the kernel does not yet
support this feature this filtering is ignored.
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
---
include/internal/object.h | 1 +
.../libnetfilter_conntrack/libnetfilter_conntrack.h | 5 +++++
src/conntrack/api.c | 13 +++++++++++++
src/conntrack/build_mnl.c | 3 +++
src/conntrack/filter_dump.c | 8 ++++++++
utils/conntrack_dump_filter.c | 2 ++
6 files changed, 32 insertions(+)
diff --git a/include/internal/object.h b/include/internal/object.h
index 4cac4f1..8854ef2 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -293,6 +293,7 @@ struct nfct_filter_dump {
struct nfct_filter_dump_mark status;
uint8_t l3num;
uint32_t set;
+ uint16_t zone;
};
/*
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 76b5c27..2e9458a 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -547,6 +547,7 @@ enum nfct_filter_dump_attr {
NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */
NFCT_FILTER_DUMP_L3NUM, /* uint8_t */
NFCT_FILTER_DUMP_STATUS, /* struct nfct_filter_dump_mark */
+ NFCT_FILTER_DUMP_ZONE, /* uint16_t */
NFCT_FILTER_DUMP_TUPLE,
NFCT_FILTER_DUMP_MAX
};
@@ -563,6 +564,10 @@ void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
const enum nfct_filter_dump_attr type,
uint8_t data);
+void nfct_filter_dump_set_attr_u16(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ uint16_t data);
+
/* low level API: netlink functions */
extern __attribute__((deprecated)) int
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index cd8bea8..60c87b3 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -1551,6 +1551,19 @@ void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
nfct_filter_dump_set_attr(filter_dump, type, &value);
}
+/**
+ * nfct_filter_dump_attr_set_u16 - set u16 dump filter attribute
+ * \param filter dump filter object that we want to modify
+ * \param type filter attribute type
+ * \param value value of the filter attribute using unsigned int (32 bits).
+ */
+void nfct_filter_dump_set_attr_u16(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ uint16_t value)
+{
+ nfct_filter_dump_set_attr(filter_dump, type, &value);
+}
+
/**
* @}
*/
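Review bot: The doc comment on the new nfct_filter_dump_set_attr_u16 does not match the function it documents: it names it `nfct_filter_dump_attr_set_u16`, calls the first parameter `filter` while the signature says `filter_dump`, and describes `value` as "unsigned int (32 bits)" although the parameter is a uint16_t. Suggest `* nfct_filter_dump_set_attr_u16 - set u16 dump filter attribute`, `* \param filter_dump dump filter object that we want to modify` and `* \param value value of the filter attribute using unsigned short (16 bits).` Since the commit message says a kernel without zone-filter support silently ignores the attribute, it would also help callers to state that here or in the public header: a dump that was expected to be restricted to one zone may then return entries from every zone without any error being reported.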
diff --git a/src/conntrack/build_mnl.c b/src/conntrack/build_mnl.c
index eb9fcbf..eed0679 100644
--- a/src/conntrack/build_mnl.c
+++ b/src/conntrack/build_mnl.c
@@ -658,6 +658,9 @@ int nfct_nlmsg_build_filter(struct nlmsghdr *nlh,
mnl_attr_put_u32(nlh, CTA_STATUS_MASK,
htonl(filter_dump->status.mask));
}
+ if (filter_dump->set & (1 << NFCT_FILTER_DUMP_ZONE)) {
+ mnl_attr_put_u16(nlh, CTA_ZONE, htons(filter_dump->zone));
+ }
if (filter_dump->set & (1 << NFCT_FILTER_DUMP_TUPLE)) {
const struct nf_conntrack *ct = &filter_dump->ct;
struct nlattr *nest;
diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c
index 5723a44..0a19985 100644
--- a/src/conntrack/filter_dump.c
+++ b/src/conntrack/filter_dump.c
@@ -37,6 +37,13 @@ set_filter_dump_attr_family(struct nfct_filter_dump *filter_dump,
filter_dump->l3num = *((uint8_t *)value);
}
+static void
+set_filter_dump_attr_zone(struct nfct_filter_dump *filter_dump,
+ const void *value)
+{
+ filter_dump->zone = *((uint16_t *)value);
+}
+
static void
set_filter_dump_attr_tuple(struct nfct_filter_dump *filter_dump,
const void *value)
@@ -48,6 +55,7 @@ const set_filter_dump_attr set_filter_dump_attr_array[NFCT_FILTER_DUMP_MAX] = {
[NFCT_FILTER_DUMP_MARK] = set_filter_dump_attr_mark,
[NFCT_FILTER_DUMP_L3NUM] = set_filter_dump_attr_family,
[NFCT_FILTER_DUMP_STATUS] = set_filter_dump_attr_status,
+ [NFCT_FILTER_DUMP_ZONE] = set_filter_dump_attr_zone,
[NFCT_FILTER_DUMP_TUPLE] = set_filter_dump_attr_tuple,
};
diff --git a/utils/conntrack_dump_filter.c b/utils/conntrack_dump_filter.c
index 41e3f0c..16492ac 100644
--- a/utils/conntrack_dump_filter.c
+++ b/utils/conntrack_dump_filter.c
@@ -40,6 +40,8 @@ int main(void)
&filter_dump_mark);
nfct_filter_dump_set_attr_u8(filter_dump, NFCT_FILTER_DUMP_L3NUM,
AF_INET);
+ nfct_filter_dump_set_attr_u16(filter_dump, NFCT_FILTER_DUMP_ZONE,
+ 123);
nfct_callback_register(h, NFCT_T_ALL, cb, NULL);
ret = nfct_query(h, NFCT_Q_DUMP_FILTER, filter_dump);
--
2.43.0
* [PATCH libnetfilter_conntrack 2/2] flush: support filtering
@ 2023-12-05 9:35 ` Felix Huettner
From: Felix Huettner @ 2023-12-05 9:35 UTC (permalink / raw)
To: netfilter-devel
Flushing already supports filtering on the kernel side for values such as
mark, l3num or zone. This patch extends the userspace code to also
support this.
To reduce code duplication the `nfct_filter_dump` struct and associated
logic is reused. Note that filtering by tuple is not supported, since
`CTA_FILTER` is not yet supported on the kernel side for flushing.
Trying to use it returns `-ENOTSUP`.
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
---
include/internal/prototypes.h | 1 +
src/conntrack/api.c | 1 +
src/conntrack/filter_dump.c | 9 +++++
utils/.gitignore | 1 +
utils/Makefile.am | 4 +++
utils/conntrack_flush_filter.c | 60 ++++++++++++++++++++++++++++++++++
6 files changed, 76 insertions(+)
create mode 100644 utils/conntrack_flush_filter.c
diff --git a/include/internal/prototypes.h b/include/internal/prototypes.h
index 5e935f0..82a3f29 100644
--- a/include/internal/prototypes.h
+++ b/include/internal/prototypes.h
@@ -36,6 +36,7 @@ void __copy_fast(struct nf_conntrack *ct1, const struct nf_conntrack *ct);
int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
int __build_filter_dump(struct nfnlhdr *req, size_t size, const struct nfct_filter_dump *filter_dump);
+int __build_filter_flush(struct nfnlhdr *req, size_t size, const struct nfct_filter_dump *filter_dump);
int nfct_build_tuple(struct nlmsghdr *nlh, const struct __nfct_tuple *t, int type);
int nfct_parse_tuple(const struct nlattr *attr, struct __nfct_tuple *tuple, int dir, uint32_t *set);
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index 60c87b3..769eb1a 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -835,6 +835,7 @@ __build_query_ct(struct nfnl_subsys_handle *ssh,
break;
case NFCT_Q_FLUSH_FILTER:
nfct_fill_hdr(req, IPCTNL_MSG_CT_DELETE, NLM_F_ACK, *family, 1);
+ assert(__build_filter_flush(req, size, data) == 0);
break;
case NFCT_Q_DUMP:
nfct_fill_hdr(req, IPCTNL_MSG_CT_GET, NLM_F_DUMP, *family,
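Review bot: The `-ENOTSUP` that __build_filter_flush returns for a tuple filter is only ever seen by an `assert()`, so a caller that sets NFCT_FILTER_DUMP_TUPLE on a flush aborts the process when assertions are enabled, and when the library is built with NDEBUG the whole call, including building the filter attributes, is compiled out and the IPCTNL_MSG_CT_DELETE header just filled in goes out with no filter at all. The commit message says the caller gets -ENOTSUP, which this code does not deliver. __build_query_ct starts outside the hunk, so its return convention is not visible here; if it can report failure, something like `if (__build_filter_flush(req, size, data) < 0) { errno = ENOTSUP; return -1; }`, adapted to the function's existing error path, would propagate the condition instead of asserting on it. The same reasoning applies to the new function body in src/conntrack/filter_dump.c, whose error return is otherwise unreachable by library users.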
diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c
index 0a19985..2d32dcd 100644
--- a/src/conntrack/filter_dump.c
+++ b/src/conntrack/filter_dump.c
@@ -64,3 +64,12 @@ int __build_filter_dump(struct nfnlhdr *req, size_t size,
{
return nfct_nlmsg_build_filter(&req->nlh, filter_dump);
}
+
+int __build_filter_flush(struct nfnlhdr *req, size_t size,
+ const struct nfct_filter_dump *filter_dump)
+{
+ if (filter_dump->set & (1 << NFCT_FILTER_DUMP_TUPLE)) {
+ return -ENOTSUP;
+ }
+ return nfct_nlmsg_build_filter(&req->nlh, filter_dump);
+}
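Review bot: __build_filter_flush carries no comment explaining why NFCT_FILTER_DUMP_TUPLE is rejected, and it returns `-ENOTSUP` while the neighbouring __build_filter_dump simply forwards whatever nfct_nlmsg_build_filter returns; whether that function signals failure as -1 with errno or as a negative errno value is not visible in this hunk, but the two conventions in one file should agree. Suggest a comment above the check such as `/* The kernel does not accept CTA_FILTER on IPCTNL_MSG_CT_DELETE, so a tuple filter cannot be honoured; refuse it rather than send a flush that presumably matches more entries than the caller asked for. */`. As in __build_filter_dump, `size` is unused here; if the project builds with -Wunused-parameter a `(void)size;` keeps the warning away.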
diff --git a/utils/.gitignore b/utils/.gitignore
index 0de05c0..c63fd8b 100644
--- a/utils/.gitignore
+++ b/utils/.gitignore
@@ -7,6 +7,7 @@
/conntrack_events
/conntrack_filter
/conntrack_flush
+/conntrack_flush_filter
/conntrack_get
/conntrack_grp_create
/conntrack_master
diff --git a/utils/Makefile.am b/utils/Makefile.am
index 438ca74..e24d037 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -10,6 +10,7 @@ check_PROGRAMS = expect_dump expect_create expect_get expect_delete \
conntrack_grp_create \
conntrack_dump_filter \
conntrack_dump_filter_tuple \
+ conntrack_flush_filter \
ctexp_events
conntrack_grp_create_SOURCES = conntrack_grp_create.c
@@ -42,6 +43,9 @@ conntrack_dump_filter_tuple_LDADD = ../src/libnetfilter_conntrack.la
conntrack_flush_SOURCES = conntrack_flush.c
conntrack_flush_LDADD = ../src/libnetfilter_conntrack.la
+conntrack_flush_filter_SOURCES = conntrack_flush_filter.c
+conntrack_flush_filter_LDADD = ../src/libnetfilter_conntrack.la
+
conntrack_events_SOURCES = conntrack_events.c
conntrack_events_LDADD = ../src/libnetfilter_conntrack.la
diff --git a/utils/conntrack_flush_filter.c b/utils/conntrack_flush_filter.c
new file mode 100644
index 0000000..6e8d93b
--- /dev/null
+++ b/utils/conntrack_flush_filter.c
@@ -0,0 +1,60 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+static int cb(enum nf_conntrack_msg_type type,
+ struct nf_conntrack *ct,
+ void *data)
+{
+ char buf[1024];
+
+ nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, NFCT_OF_SHOW_LAYER3 | NFCT_OF_TIMESTAMP);
+ printf("%s\n", buf);
+
+ return NFCT_CB_CONTINUE;
+}
+
+int main(void)
+{
+ int ret;
+ struct nfct_handle *h;
+
+ h = nfct_open(CONNTRACK, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+ struct nfct_filter_dump *filter_dump = nfct_filter_dump_create();
+ if (filter_dump == NULL) {
+ perror("nfct_filter_dump_alloc");
+ return -1;
+ }
+ struct nfct_filter_dump_mark filter_dump_mark = {
+ .val = 1,
+ .mask = 0xffffffff,
+ };
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+ &filter_dump_mark);
+ nfct_filter_dump_set_attr_u8(filter_dump, NFCT_FILTER_DUMP_L3NUM,
+ AF_INET);
+ nfct_filter_dump_set_attr_u16(filter_dump, NFCT_FILTER_DUMP_ZONE,
+ 123);
+
+ nfct_callback_register(h, NFCT_T_ALL, cb, NULL);
+ ret = nfct_query(h, NFCT_Q_FLUSH_FILTER, filter_dump);
+
+ nfct_filter_dump_destroy(filter_dump);
+
+ printf("TEST: get conntrack ");
+ if (ret == -1)
+ printf("(%d)(%s)\n", ret, strerror(errno));
+ else
+ printf("(OK)\n");
+
+ nfct_close(h);
+
+ ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
+}
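Review bot: In main, the failure path after nfct_filter_dump_create() returns without closing `h`, leaking the handle opened a few lines earlier; that branch should read `nfct_close(h); return -1;`, and its perror string `nfct_filter_dump_alloc` names a function that was not called, so `nfct_filter_dump_create` would be the accurate label. errno is passed to strerror() only after nfct_filter_dump_destroy() and a printf(), either of which may overwrite it, so capture it right after nfct_query with `int saved_errno = errno;` and print `strerror(saved_errno)`. The status line `TEST: get conntrack ` looks copied from the dump example and should say flush. Because this program deletes every IPv4 conntrack entry with mark 1 in zone 123 on the host it runs on, a one-line comment at the top of the file stating that effect would help anyone running the utils test set on a live system.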
--
2.43.0
* Re: [PATCH libnetfilter_conntrack 1/2] dump: support filtering by zone
@ 2024-01-24 20:23 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-01-24 20:23 UTC (permalink / raw)
To: Felix Huettner; +Cc: netfilter-devel
On Tue, Dec 05, 2023 at 09:35:03AM +0000, Felix Huettner wrote:
> diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
> index 76b5c27..2e9458a 100644
> --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
> +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
> @@ -547,6 +547,7 @@ enum nfct_filter_dump_attr {
> NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */
> NFCT_FILTER_DUMP_L3NUM, /* uint8_t */
> NFCT_FILTER_DUMP_STATUS, /* struct nfct_filter_dump_mark */
> + NFCT_FILTER_DUMP_ZONE, /* uint16_t */
> NFCT_FILTER_DUMP_TUPLE,
> NFCT_FILTER_DUMP_MAX
> };
Applied with nit. I had to move NFCT_FILTER_DUMP_ZONE after
NFCT_FILTER_DUMP_TUPLE in enum nfct_filter_dump_attr, otherwise it
breaks ABI.