[PATCH ulogd 2/2] NFLOG: attach struct nf_conntrack

[PATCH ulogd 2/2] NFLOG: attach struct nf_conntrack

[Ken-ichirou MATSUZAWA]

put nf_conntrack in ct output key when 'attach_conntrack' is specified.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 input/packet/Makefile.am          |  5 ++-
 input/packet/ulogd_inppkt_NFLOG.c | 68 +++++++++++++++++++++++++++++--
 2 files changed, 67 insertions(+), 6 deletions(-)

diff --git a/input/packet/Makefile.am b/input/packet/Makefile.am
index 1c3151d..0f9c316 100644
--- a/input/packet/Makefile.am
+++ b/input/packet/Makefile.am
@@ -1,5 +1,5 @@
 
-AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS}
+AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS} ${LIBNETFILTER_CONNTRACK_CFLAGS}
 AM_CFLAGS = ${regular_CFLAGS}
 
 pkglib_LTLIBRARIES = ulogd_inppkt_UNIXSOCK.la
@@ -13,7 +13,8 @@ pkglib_LTLIBRARIES += ulogd_inppkt_NFLOG.la
 endif
 
 ulogd_inppkt_NFLOG_la_SOURCES = ulogd_inppkt_NFLOG.c
-ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS)
+ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS) \
+                                 $(LIBNETFILTER_CONNTRACK_LIBS)
 
 ulogd_inppkt_ULOG_la_SOURCES = ulogd_inppkt_ULOG.c
 ulogd_inppkt_ULOG_la_LDFLAGS = -avoid-version -module
diff --git a/input/packet/ulogd_inppkt_NFLOG.c b/input/packet/ulogd_inppkt_NFLOG.c
index ea6fb0e..c8b1836 100644
--- a/input/packet/ulogd_inppkt_NFLOG.c
+++ b/input/packet/ulogd_inppkt_NFLOG.c
@@ -12,6 +12,11 @@
 #include <ulogd/ulogd.h>
 #include <libnfnetlink/libnfnetlink.h>
 #include <libnetfilter_log/libnetfilter_log.h>
+#ifdef BUILD_NFCT
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#endif
+
 
 #ifndef NFLOG_GROUP_DEFAULT
 #define NFLOG_GROUP_DEFAULT	0
@@ -148,6 +153,7 @@ enum nflog_keys {
 	NFLOG_KEY_RAW_MAC_SADDR,
 	NFLOG_KEY_RAW_MAC_ADDRLEN,
 	NFLOG_KEY_RAW,
+	NFLOG_KEY_RAW_CT,
 };
 
 static struct ulogd_key output_keys[] = {
@@ -319,11 +325,53 @@ static struct ulogd_key output_keys[] = {
 		.flags = ULOGD_RETF_NONE,
 		.name = "raw",
 	},
+	[NFLOG_KEY_RAW_CT] = {
+		.type = ULOGD_RET_RAW,
+		.flags = ULOGD_RETF_NONE,
+		.name = "ct",
+	},
 };
 
+#ifdef BUILD_NFCT
+struct nf_conntrack *build_ct(struct nfgenmsg *nfmsg) {
+        struct nlattr *attr, *ctattr = NULL;
+        struct nf_conntrack *ct = NULL;
+        struct nlmsghdr *nlh
+                = (struct nlmsghdr *)((void *)nfmsg - sizeof(*nlh));
+
+        mnl_attr_for_each(attr, nlh, sizeof(struct nfgenmsg)) {
+                if (mnl_attr_get_type(attr) == NFULA_CT) {
+                        ctattr = attr;
+                        break;
+                }
+        }
+        if (ctattr == NULL)
+                return NULL;
+
+        ct = nfct_new();
+        if (ct == NULL) {
+                ulogd_log(ULOGD_ERROR, "failed to allocate nfct\n");
+                return NULL;
+        }
+        if (nfct_payload_parse(mnl_attr_get_payload(ctattr),
+                               mnl_attr_get_payload_len(ctattr),
+                               nfmsg->nfgen_family, ct) < 0) {
+                ulogd_log(ULOGD_ERROR, "failed to parse nfct payload\n");
+                nfct_destroy(ct);
+                return NULL;
+        }
+
+        return ct;
+}
+#else
+void *build_ct(struct nfgenmsg *nfmsg) {
+        return NULL;
+}
+#endif
+
 static inline int
 interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
-	      struct nflog_data *ldata)
+	      struct nflog_data *ldata, void *ct)
 {
 	struct ulogd_key *ret = upi->output.keys;
 
@@ -404,6 +452,9 @@ interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
 
 	okey_set_ptr(&ret[NFLOG_KEY_RAW], ldata);
 
+        if (ct != NULL)
+                okey_set_ptr(&ret[NFLOG_KEY_RAW_CT], ct);
+
 	ulogd_propagate_results(upi);
 	return 0;
 }
@@ -479,15 +530,24 @@ static int msg_cb(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg,
 	struct ulogd_pluginstance *upi = data;
 	struct ulogd_pluginstance *npi = NULL;
 	int ret = 0;
+        void *ct = build_ct(nfmsg);
 
 	/* since we support the re-use of one instance in several 
 	 * different stacks, we duplicate the message to let them know */
 	llist_for_each_entry(npi, &upi->plist, plist) {
-		ret = interp_packet(npi, nfmsg->nfgen_family, nfa);
+		ret = interp_packet(npi, nfmsg->nfgen_family, nfa, ct);
 		if (ret != 0)
-			return ret;
+                        goto release_ct;
 	}
-	return interp_packet(upi, nfmsg->nfgen_family, nfa);
+        ret = interp_packet(upi, nfmsg->nfgen_family, nfa, ct);
+
+release_ct:
+#ifdef BUILD_NFCT
+        if (ct != NULL)
+                nfct_destroy(ct);
+#endif
+
+        return ret;
 }
 
 static int configure(struct ulogd_pluginstance *upi,
-- 
2.30.2

Re: [PATCH ulogd 2/2] NFLOG: attach struct nf_conntrack

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 5731 bytes --]

On 2021-10-12, at 20:16:37 +0900, Ken-ichirou MATSUZAWA wrote:
> put nf_conntrack in ct output key when 'attach_conntrack' is specified.
>
> Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
> ---
>  input/packet/Makefile.am          |  5 ++-
>  input/packet/ulogd_inppkt_NFLOG.c | 68 +++++++++++++++++++++++++++++--
>  2 files changed, 67 insertions(+), 6 deletions(-)
>
> diff --git a/input/packet/Makefile.am b/input/packet/Makefile.am
> index 1c3151d..0f9c316 100644
> --- a/input/packet/Makefile.am
> +++ b/input/packet/Makefile.am
> @@ -1,5 +1,5 @@
>
> -AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS}
> +AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS} ${LIBNETFILTER_CONNTRACK_CFLAGS}
>  AM_CFLAGS = ${regular_CFLAGS}
>
>  pkglib_LTLIBRARIES = ulogd_inppkt_UNIXSOCK.la
> @@ -13,7 +13,8 @@ pkglib_LTLIBRARIES += ulogd_inppkt_NFLOG.la
>  endif
>
>  ulogd_inppkt_NFLOG_la_SOURCES = ulogd_inppkt_NFLOG.c
> -ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS)
> +ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS) \
> +                                 $(LIBNETFILTER_CONNTRACK_LIBS)
>
>  ulogd_inppkt_ULOG_la_SOURCES = ulogd_inppkt_ULOG.c
>  ulogd_inppkt_ULOG_la_LDFLAGS = -avoid-version -module
> diff --git a/input/packet/ulogd_inppkt_NFLOG.c b/input/packet/ulogd_inppkt_NFLOG.c
> index ea6fb0e..c8b1836 100644
> --- a/input/packet/ulogd_inppkt_NFLOG.c
> +++ b/input/packet/ulogd_inppkt_NFLOG.c
> @@ -12,6 +12,11 @@
>  #include <ulogd/ulogd.h>
>  #include <libnfnetlink/libnfnetlink.h>
>  #include <libnetfilter_log/libnetfilter_log.h>
> +#ifdef BUILD_NFCT
> +#include <libmnl/libmnl.h>
> +#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
> +#endif
> +

I would declare `struct nf_conntrack` here if BUILD_NFCT is not defined:

  +#ifdef BUILD_NFCT
  +#include <libmnl/libmnl.h>
  +#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
  +#else
  +struct nf_conntrack;
  +#endif

Then we can declare `build_ct` as always returning
`struct nf_conntrack *`:

  +struct nf_conntrack *build_ct(struct nfgenmsg *nfmsg) {
  +#ifdef BUILD_NFCT
  +        struct nlattr *attr, *ctattr = NULL;
  +        struct nf_conntrack *ct = NULL;
  +        ...
  +        return ct;
  +#else
  +        return NULL;
  +#endif
  +}

and `ct` as `struct nf_conntrack *` instead of `void *` below.

>  #ifndef NFLOG_GROUP_DEFAULT
>  #define NFLOG_GROUP_DEFAULT	0
> @@ -148,6 +153,7 @@ enum nflog_keys {
>  	NFLOG_KEY_RAW_MAC_SADDR,
>  	NFLOG_KEY_RAW_MAC_ADDRLEN,
>  	NFLOG_KEY_RAW,
> +	NFLOG_KEY_RAW_CT,
>  };
>
>  static struct ulogd_key output_keys[] = {
> @@ -319,11 +325,53 @@ static struct ulogd_key output_keys[] = {
>  		.flags = ULOGD_RETF_NONE,
>  		.name = "raw",
>  	},
> +	[NFLOG_KEY_RAW_CT] = {
> +		.type = ULOGD_RET_RAW,
> +		.flags = ULOGD_RETF_NONE,
> +		.name = "ct",
> +	},
>  };
>

You have used spaces, not tabs:

> +#ifdef BUILD_NFCT
> +struct nf_conntrack *build_ct(struct nfgenmsg *nfmsg) {
> +        struct nlattr *attr, *ctattr = NULL;
> +        struct nf_conntrack *ct = NULL;
> +        struct nlmsghdr *nlh
> +                = (struct nlmsghdr *)((void *)nfmsg - sizeof(*nlh));
> +
> +        mnl_attr_for_each(attr, nlh, sizeof(struct nfgenmsg)) {
> +                if (mnl_attr_get_type(attr) == NFULA_CT) {
> +                        ctattr = attr;
> +                        break;
> +                }
> +        }
> +        if (ctattr == NULL)
> +                return NULL;
> +
> +        ct = nfct_new();
> +        if (ct == NULL) {
> +                ulogd_log(ULOGD_ERROR, "failed to allocate nfct\n");
> +                return NULL;
> +        }
> +        if (nfct_payload_parse(mnl_attr_get_payload(ctattr),
> +                               mnl_attr_get_payload_len(ctattr),
> +                               nfmsg->nfgen_family, ct) < 0) {
> +                ulogd_log(ULOGD_ERROR, "failed to parse nfct payload\n");
> +                nfct_destroy(ct);
> +                return NULL;
> +        }
> +
> +        return ct;
> +}
> +#else
> +void *build_ct(struct nfgenmsg *nfmsg) {
> +        return NULL;
> +}
> +#endif
>  static inline int
>  interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
> -	      struct nflog_data *ldata)
> +	      struct nflog_data *ldata, void *ct)
>  {
>  	struct ulogd_key *ret = upi->output.keys;
>
> @@ -404,6 +452,9 @@ interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
>
>  	okey_set_ptr(&ret[NFLOG_KEY_RAW], ldata);
>

Spaces, not tabs:

> +        if (ct != NULL)
> +                okey_set_ptr(&ret[NFLOG_KEY_RAW_CT], ct);
> +
>  	ulogd_propagate_results(upi);
>  	return 0;
>  }
> @@ -479,15 +530,24 @@ static int msg_cb(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg,
>  	struct ulogd_pluginstance *upi = data;
>  	struct ulogd_pluginstance *npi = NULL;
>  	int ret = 0;

Spaces, not tabs:

> +        void *ct = build_ct(nfmsg);
>
>  	/* since we support the re-use of one instance in several
>  	 * different stacks, we duplicate the message to let them know */
>  	llist_for_each_entry(npi, &upi->plist, plist) {
> -		ret = interp_packet(npi, nfmsg->nfgen_family, nfa);
> +		ret = interp_packet(npi, nfmsg->nfgen_family, nfa, ct);
>  		if (ret != 0)

Spaces, not tabs:

> -			return ret;
> +                        goto release_ct;
>  	}

Spaces, not tabs:

> -	return interp_packet(upi, nfmsg->nfgen_family, nfa);
> +        ret = interp_packet(upi, nfmsg->nfgen_family, nfa, ct);
> +
> +release_ct:
> +#ifdef BUILD_NFCT
> +        if (ct != NULL)
> +                nfct_destroy(ct);
> +#endif
> +
> +        return ret;
>  }
>
>  static int configure(struct ulogd_pluginstance *upi,
> --
> 2.30.2
>
>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[PATCHv2 ulogd 2/2] NFLOG: attach struct nf_conntrack

[Ken-ichirou MATSUZAWA]

put nf_conntrack in ct outputkey when "attach_conntrack" is specified.
But there is no way to show both nflog "raw" and "ct" now.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 input/packet/Makefile.am          |  5 ++-
 input/packet/ulogd_inppkt_NFLOG.c | 68 +++++++++++++++++++++++++++++--
 2 files changed, 67 insertions(+), 6 deletions(-)

diff --git a/input/packet/Makefile.am b/input/packet/Makefile.am
index 1c3151d..0f9c316 100644
--- a/input/packet/Makefile.am
+++ b/input/packet/Makefile.am
@@ -1,5 +1,5 @@
 
-AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS}
+AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS} ${LIBNETFILTER_CONNTRACK_CFLAGS}
 AM_CFLAGS = ${regular_CFLAGS}
 
 pkglib_LTLIBRARIES = ulogd_inppkt_UNIXSOCK.la
@@ -13,7 +13,8 @@ pkglib_LTLIBRARIES += ulogd_inppkt_NFLOG.la
 endif
 
 ulogd_inppkt_NFLOG_la_SOURCES = ulogd_inppkt_NFLOG.c
-ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS)
+ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS) \
+                                 $(LIBNETFILTER_CONNTRACK_LIBS)
 
 ulogd_inppkt_ULOG_la_SOURCES = ulogd_inppkt_ULOG.c
 ulogd_inppkt_ULOG_la_LDFLAGS = -avoid-version -module
diff --git a/input/packet/ulogd_inppkt_NFLOG.c b/input/packet/ulogd_inppkt_NFLOG.c
index 449c0c6..34f7fe3 100644
--- a/input/packet/ulogd_inppkt_NFLOG.c
+++ b/input/packet/ulogd_inppkt_NFLOG.c
@@ -12,6 +12,13 @@
 #include <ulogd/ulogd.h>
 #include <libnfnetlink/libnfnetlink.h>
 #include <libnetfilter_log/libnetfilter_log.h>
+#ifdef BUILD_NFCT
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#else
+struct nf_conntrack;
+#endif
+
 
 #ifndef NFLOG_GROUP_DEFAULT
 #define NFLOG_GROUP_DEFAULT	0
@@ -148,6 +155,7 @@ enum nflog_keys {
 	NFLOG_KEY_RAW_MAC_SADDR,
 	NFLOG_KEY_RAW_MAC_ADDRLEN,
 	NFLOG_KEY_RAW,
+	NFLOG_KEY_RAW_CT,
 };
 
 static struct ulogd_key output_keys[] = {
@@ -319,11 +327,51 @@ static struct ulogd_key output_keys[] = {
 		.flags = ULOGD_RETF_NONE,
 		.name = "raw",
 	},
+	[NFLOG_KEY_RAW_CT] = {
+		.type = ULOGD_RET_RAW,
+		.flags = ULOGD_RETF_NONE,
+		.name = "ct",
+	},
 };
 
+struct nf_conntrack *build_ct(struct nfgenmsg *nfmsg) {
+#ifdef BUILD_NFCT
+	struct nlattr *attr, *ctattr = NULL;
+	struct nf_conntrack *ct = NULL;
+	struct nlmsghdr *nlh
+		= (struct nlmsghdr *)((void *)nfmsg - sizeof(*nlh));
+
+	mnl_attr_for_each(attr, nlh, sizeof(struct nfgenmsg)) {
+		if (mnl_attr_get_type(attr) == NFULA_CT) {
+			ctattr = attr;
+			break;
+		}
+	}
+	if (ctattr == NULL)
+		return NULL;
+	
+	ct = nfct_new();
+	if (ct == NULL) {
+		ulogd_log(ULOGD_ERROR, "failed to allocate nfct\n");
+		return NULL;
+	}
+	if (nfct_payload_parse(mnl_attr_get_payload(ctattr),
+			       mnl_attr_get_payload_len(ctattr),
+			       nfmsg->nfgen_family, ct) < 0) {
+		ulogd_log(ULOGD_ERROR, "failed to parse nfct payload\n");
+		nfct_destroy(ct);
+		return NULL;
+	}
+	
+	return ct;
+#else
+	return NULL;
+#endif
+}
+
 static inline int
 interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
-	      struct nflog_data *ldata)
+	      struct nflog_data *ldata, struct nf_conntrack *ct)
 {
 	struct ulogd_key *ret = upi->output.keys;
 
@@ -404,6 +452,9 @@ interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
 
 	okey_set_ptr(&ret[NFLOG_KEY_RAW], ldata);
 
+	if (ct != NULL)
+		okey_set_ptr(&ret[NFLOG_KEY_RAW_CT], ct);
+
 	ulogd_propagate_results(upi);
 	return 0;
 }
@@ -479,15 +530,24 @@ static int msg_cb(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg,
 	struct ulogd_pluginstance *upi = data;
 	struct ulogd_pluginstance *npi = NULL;
 	int ret = 0;
+	void *ct = build_ct(nfmsg);
 
 	/* since we support the re-use of one instance in several 
 	 * different stacks, we duplicate the message to let them know */
 	llist_for_each_entry(npi, &upi->plist, plist) {
-		ret = interp_packet(npi, nfmsg->nfgen_family, nfa);
+		ret = interp_packet(npi, nfmsg->nfgen_family, nfa, ct);
 		if (ret != 0)
-			return ret;
+			goto release_ct;
 	}
-	return interp_packet(upi, nfmsg->nfgen_family, nfa);
+	ret = interp_packet(upi, nfmsg->nfgen_family, nfa, ct);
+
+release_ct:
+#ifdef BUILD_NFCT
+	if (ct != NULL)
+		nfct_destroy(ct);
+#endif
+
+	return ret;
 }
 
 static int configure(struct ulogd_pluginstance *upi,
-- 
2.30.2

Re: [PATCHv2 ulogd 2/2] NFLOG: attach struct nf_conntrack

[Pablo Neira Ayuso]

On Thu, Nov 18, 2021 at 08:09:19PM +0900, Ken-ichirou MATSUZAWA wrote:
> put nf_conntrack in ct outputkey when "attach_conntrack" is specified.
> But there is no way to show both nflog "raw" and "ct" now.

Applied, thanks.

Re: [PATCHv2 ulogd 2/2] NFLOG: attach struct nf_conntrack

[Pablo Neira Ayuso]

On Thu, Nov 18, 2021 at 08:09:19PM +0900, Ken-ichirou MATSUZAWA wrote:
> put nf_conntrack in ct outputkey when "attach_conntrack" is specified.

Applied, thanks.

> But there is no way to show both nflog "raw" and "ct" now.

One of the output plugins need to be extended to print "raw" and "ct",
correct?