* [libnetfilter_conntrack/ulogd PATCH 0/3] add mark filter
@ 2014-04-08 10:26 Ken-ichirou MATSUZAWA
  2014-04-08 10:30 ` [libnetfilter_conntrack PATCH 1/3] conntrack: add mark event filter Ken-ichirou MATSUZAWA
                   ` (2 more replies)
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:26 UTC (permalink / raw)
  To: netfilter-devel

 Hello,

This patch series enables mark filtering in the NFCT plugin.
Would you review it? I think there are two open issues:

* libnetfilter_conntrack
  I reused struct nfct_filter_dump_mark as the value type passed to
  nfct_filter_add_attr() for NFCT_FILTER_MARK. Should I introduce a
  new struct instead, even though it would have the same fields?

* ulogd
  I've changed all dump functions to use nfct_filter_dump, except in
  do_purge(). This may need a lot of testing, so would it be better
  to have a field that records whether a mark filter has been set,
  and to check it when dumping?

Thanks.


* [libnetfilter_conntrack PATCH 1/3] conntrack: add mark event filter
  2014-04-08 10:26 [libnetfilter_conntrack/ulogd PATCH 0/3] add mark filter Ken-ichirou MATSUZAWA
@ 2014-04-08 10:30 ` Ken-ichirou MATSUZAWA
  2014-04-14 12:53   ` Pablo Neira Ayuso
  2014-04-08 10:32 ` [ulogd PATCH 2/3] " Ken-ichirou MATSUZAWA
  2014-04-08 10:34 ` [ulogd PATCH 3/3] add mark dump filter Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:30 UTC (permalink / raw)
  To: netfilter-devel

This patch adds a mark filter for the event listener, reusing
struct nfct_filter_dump_mark as the attribute value.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 include/internal/object.h                          |  7 ++++
 .../libnetfilter_conntrack.h                       |  1 +
 src/conntrack/bsf.c                                | 49 ++++++++++++++++++++++
 src/conntrack/filter.c                             | 13 ++++++
 4 files changed, 70 insertions(+)

diff --git a/include/internal/object.h b/include/internal/object.h
index 540ad0d..1259467 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -263,6 +263,13 @@ struct nfct_filter {
 		u_int32_t 	mask[4];
 	} l3proto_ipv6[2][__FILTER_IPV6_MAX];
 
+	u_int32_t 		mark_elems;
+	struct {
+#define __FILTER_MARK_MAX	127
+		u_int32_t 	val;
+		u_int32_t 	mask;
+	} mark[__FILTER_MARK_MAX];
+
 	u_int32_t 		set[1];
 };
 
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index d4542ba..890721a 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -496,6 +496,7 @@ enum nfct_filter_attr {
 	NFCT_FILTER_DST_IPV4,		/* struct nfct_filter_ipv4 */
 	NFCT_FILTER_SRC_IPV6,		/* struct nfct_filter_ipv6 */
 	NFCT_FILTER_DST_IPV6,		/* struct nfct_filter_ipv6 */
+	NFCT_FILTER_MARK,		/* struct nfct_filter_dump_mark */
 	NFCT_FILTER_MAX
 };
 
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 534202f..08a9a44 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -663,6 +663,52 @@ bsf_add_daddr_ipv6_filter(const struct nfct_filter *f, struct sock_filter *this)
 	return bsf_add_addr_ipv6_filter(f, this, CTA_IP_V6_DST);
 }
 
+static int
+bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+{
+	unsigned int i, j;
+	unsigned int jt;
+	struct stack *s;
+	struct jump jmp;
+
+	/* nothing to filter, skip */
+	if (f->mark_elems == 0)
+		return 0;
+
+	/* XXX: see bsf_add_addr_ipv4_filter() */
+	s = stack_create(sizeof(struct jump), 3 + 127);
+	if (s == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	jt = 1;
+	j = 0;
+	j += nfct_bsf_load_payload_offset(this, j);
+	j += nfct_bsf_find_attr(this, CTA_MARK, j);
+	j += nfct_bsf_x_equal_a(this, j);
+
+	for (i = 0; i < f->mark_elems; i++) {
+		int mark = f->mark[i].val & f->mark[i].mask;
+
+		j += nfct_bsf_load_attr(this, BPF_W, j);
+		j += nfct_bsf_alu_and(this, f->mark[i].mask, j);
+		j += nfct_bsf_cmp_k_stack(this, mark, jt - j, j, s);
+	}
+
+	while (stack_pop(s, &jmp) != -1)
+		this[jmp.line].jt += jmp.jt + j;
+
+	if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_NEGATIVE)
+		j += nfct_bsf_jump_to(this, 1, j);
+
+	j += nfct_bsf_ret_verdict(this, NFCT_FILTER_REJECT, j);
+
+	stack_destroy(s);
+
+	return j;
+}
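Review bot: `int mark = f->mark[i].val & f->mark[i].mask;` narrows a u_int32_t into a signed int, so a mark with bit 31 set becomes negative before it reaches nfct_bsf_cmp_k_stack(); keep it unsigned, `u_int32_t mark = f->mark[i].val & f->mark[i].mask;`, or make the cast explicit if that helper's parameter really is int. The stack is sized with a bare `3 + 127` that silently mirrors `__FILTER_MARK_MAX` from object.h; `3 + __FILTER_MARK_MAX` keeps the two in step. Nothing in this version handles a message that carries no CTA_MARK attribute — what nfct_bsf_find_attr() leaves in the accumulator in that case is not visible here, but the resend of this patch further down adds an extra compare for exactly that situation, so the case needs to be settled before this version is merged. The first two points apply equally to the resend's bsf_add_mark_filter hunk.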
+
 /* this buffer must be big enough to store all the autogenerated lines */
 #define BSF_BUFFER_SIZE 	2048
 
@@ -696,6 +742,9 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
 	j += bsf_add_state_filter(f, &bsf[j]);
 	show_filter(bsf, from, j, "---- check state ----");
 	from = j;
+	j += bsf_add_mark_filter(f, &bsf[j]);
+	show_filter(bsf, from, j, "---- check mark ----");
+	from = j;
 
 	/* nothing to filter, skip */
 	if (j == 0)
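Review bot: `j += bsf_add_mark_filter(f, &bsf[j]);` folds the helper's -1 failure return (stack_create() out of memory) into the instruction counter, which leaves j off by one and the program truncated instead of reporting the error. This mirrors how the state filter is accumulated two lines above, so it is presumably an accepted pattern in this file, but `int n = bsf_add_mark_filter(f, &bsf[j]); if (n < 0) return -1; j += n;` would be stricter. __setup_netlink_socket_filter starts and ends outside the hunk, and the resend's copy of this hunk has the same shape.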
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 026545a..78fbbc5 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -79,6 +79,18 @@ static void filter_attr_dst_ipv6(struct nfct_filter *filter, const void *value)
 	filter->l3proto_elems_ipv6[1]++;
 }
 
+static void filter_attr_mark(struct nfct_filter *filter, const void *value)
+{
+	const struct nfct_filter_dump_mark *this = value;
+
+	if (filter->mark_elems >= __FILTER_MARK_MAX)
+		return;
+
+	filter->mark[filter->mark_elems].val = this->val;
+	filter->mark[filter->mark_elems].mask = this->mask;
+	filter->mark_elems++;
+}
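Review bot: Once `mark_elems` reaches `__FILTER_MARK_MAX` the new entry is dropped with no signal to the caller, so a program that adds more than 127 marks silently gets a filter that differs from what it requested. That may well match the address handlers above, but it deserves a comment at the early return, `/* capacity reached: entry silently ignored, as for the address filters */`, and the 127-entry limit is worth mentioning next to the NFCT_FILTER_MARK comment in the public header. The resend's filter.c hunk is identical and would take the same comment.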
+
 const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_L4PROTO]		= filter_attr_l4proto,
 	[NFCT_FILTER_L4PROTO_STATE]	= filter_attr_l4proto_state,
@@ -86,4 +98,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_DST_IPV4]		= filter_attr_dst_ipv4,
 	[NFCT_FILTER_SRC_IPV6]		= filter_attr_src_ipv6,
 	[NFCT_FILTER_DST_IPV6]		= filter_attr_dst_ipv6,
+	[NFCT_FILTER_MARK]		= filter_attr_mark,
 };
-- 
1.8.5.3



* [ulogd PATCH 2/3] add mark event filter
  2014-04-08 10:26 [libnetfilter_conntrack/ulogd PATCH 0/3] add mark filter Ken-ichirou MATSUZAWA
  2014-04-08 10:30 ` [libnetfilter_conntrack PATCH 1/3] conntrack: add mark event filter Ken-ichirou MATSUZAWA
@ 2014-04-08 10:32 ` Ken-ichirou MATSUZAWA
  2014-04-14 12:54   ` Pablo Neira Ayuso
  2014-04-08 10:34 ` [ulogd PATCH 3/3] add mark dump filter Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:32 UTC (permalink / raw)
  To: netfilter-devel

This patch adds a new configuration variable which limits conntrack
events to connections carrying the given mark.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 configure.ac                    | 15 +++++++++
 input/flow/ulogd_inpflow_NFCT.c | 75 +++++++++++++++++++++++++++++++++++++++--
 2 files changed, 88 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 522c345..7e5f5fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,20 @@ AS_IF([test "x$enable_nfct" = "xyes"], [
     AC_DEFINE([BUILD_NFCT], [1], [Building nfct module])
 ])
 AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
+AS_IF([test "x$enable_nfct" = "xyes"], [
+    AC_MSG_CHECKING([for enable mark filter for event])
+    AC_CACHE_VAL(ac_cv_nfct_filter_mark,
+    AC_TRY_COMPILE(
+        [ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>],
+        [ int i = NFCT_FILTER_MARK; ],
+        ac_cv_nfct_filter_mark=yes,
+        ac_cv_nfct_filter_mark=no))
+    AC_MSG_RESULT($ac_cv_nfct_filter_mark)
+    AS_IF([test "x$ac_cv_nfct_filter_mark" = "xyes"], [
+        AC_DEFINE([HAVE_NFCT_FILTER_MARK], [1], [Building nfct mark event filter])
+    ])
+])
+
 AC_ARG_ENABLE(nfacct,
        AS_HELP_STRING([--enable-nfacct], [Enable nfacct module [default=yes]]),,[enable_nfacct=yes])
 AS_IF([test "x$enable_nfacct" = "xyes"], [
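Review bot: `AC_TRY_COMPILE` is an obsolete macro that autoupdate rewrites; the same probe reads `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <libnetfilter_conntrack/libnetfilter_conntrack.h>]], [[int i = NFCT_FILTER_MARK;]])], [ac_cv_nfct_filter_mark=yes], [ac_cv_nfct_filter_mark=no])`. `ac_cv_nfct_filter_mark` is only assigned inside the `enable_nfct = yes` block, yet the summary line added in the next hunk, `with MARK event filter ${ac_cv_nfct_filter_mark}`, prints it unconditionally, so it comes out empty when the NFCT plugin is disabled; initialising it to `no` before the AS_IF keeps the summary readable.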
@@ -156,6 +170,7 @@ Ulogd configuration:
   Input plugins:
     NFLOG plugin:			${enable_nflog}
     NFCT plugin:			${enable_nfct}
+      with MARK event filter		${ac_cv_nfct_filter_mark}
     NFACCT plugin:			${enable_nfacct}
   Output plugins:
     PCAP plugin:			${enable_pcap}
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 899b7e3..a5cf854 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -35,6 +35,7 @@
 
 #include <sys/time.h>
 #include <time.h>
+#include <ctype.h>
 #include <netinet/in.h>
 #include <netdb.h>
 #include <ulogd/linuxlist.h>
@@ -78,7 +79,7 @@ struct nfct_pluginstance {
 #define EVENT_MASK	NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
 
 static struct config_keyset nfct_kset = {
-	.num_ces = 12,
+	.num_ces = 13,
 	.ces = {
 		{
 			.key	 = "pollinterval",
@@ -149,6 +150,11 @@ static struct config_keyset nfct_kset = {
 			.type	 = CONFIG_TYPE_STRING,
 			.options = CONFIG_OPT_NONE,
 		},
+		{
+			.key	 = "accept_mark_filter",
+			.type	 = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
 	},
 };
 #define pollint_ce(x)	(x->ces[0])
@@ -163,6 +169,7 @@ static struct config_keyset nfct_kset = {
 #define src_filter_ce(x)	((x)->ces[9])
 #define dst_filter_ce(x)	((x)->ces[10])
 #define proto_filter_ce(x)	((x)->ces[11])
+#define mark_filter_ce(x)	((x)->ces[12])
 
 enum nfct_keys {
 	NFCT_ORIG_IP_SADDR = 0,
@@ -1221,6 +1228,60 @@ static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
 	return 0;
 }
 
+#if defined HAVE_NFCT_FILTER_MARK
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+	char *p, *endptr;
+	uintmax_t v;
+	struct nfct_filter_dump_mark filter_mark;
+	errno = 0;
+
+	for (p = filter_string; isspace(*p); ++p)
+		;
+	v = strtoumax(p, &endptr, 0);
+	if (endptr == p)
+		goto invalid_error;
+	if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+		goto invalid_error;
+	filter_mark.val = (uint32_t)v;
+
+	if (*endptr != '\0') {
+		for (p = endptr; isspace(*p); ++p)
+			;
+		if (*p++ != '/')
+			goto invalid_error;
+		for (; isspace(*p); ++p)
+			;
+		v = strtoumax(p, &endptr, 0);
+		if (endptr == p)
+			goto invalid_error;
+		if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+			goto invalid_error;
+		filter_mark.mask = (uint32_t)v;
+		if (*endptr != '\0')
+			goto invalid_error;
+	} else {
+		filter_mark.mask = UINT32_MAX;
+	}
+
+	ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+		  filter_mark.val, filter_mark.mask);
+	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+
+	return 0;
+
+invalid_error:
+	ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
+	return -1;
+
+}
+#else
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+	ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
+	return -1;
+}
+#endif /* HAVE_NFCT_FILTER_MARK */
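Review bot: `isspace(*p)` is called on a plain `char`; a byte above 0x7f on a platform with signed char passes a negative value other than EOF, which is undefined behaviour for the <ctype.h> functions — cast at all four loops, `isspace((unsigned char)*p)`. `filter_mark.val = (uint32_t)v;` and the mask assignment truncate silently, so a value such as 0x100000001, or a negated input like `-1` which strtoumax() accepts without ERANGE, is taken as a valid 32-bit mark; add `if (v > UINT32_MAX) goto invalid_error;` after each range check. The test `(errno == ERANGE && v == UINTMAX_MAX) || errno != 0` reduces to `errno != 0`. The function relies on uintmax_t/strtoumax()/UINTMAX_MAX while the include hunk above only adds <ctype.h>; if <inttypes.h> is not already included in this file it needs adding as well.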
 
 static int build_nfct_filter(struct ulogd_pluginstance *upi)
 {
@@ -1264,6 +1325,15 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
 		}
 	}
 
+	if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+		char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+		if (build_nfct_filter_mark(filter, filter_string) != 0) {
+			ulogd_log(ULOGD_FATAL,
+					"Unable to create mark filter\n");
+			goto err_filter;
+		}
+	}
+
 	if (filter) {
 		if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
 			ulogd_log(ULOGD_FATAL, "nfct_filter_attach");
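Review bot: `build_nfct_filter_mark(filter, filter_string)` runs before the `if (filter)` guard below, so if filter can be NULL at this point it is handed straight to nfct_filter_add_attr(); the guard suggests NULL is possible, and the follow-up patch in this thread adds a `filter != NULL` check inside the helper, which points the same way. Either wrap the new block in the same `if (filter)` test or keep the check inside build_nfct_filter_mark. The helper already logs a FATAL message on every failure path, so the second `Unable to create mark filter` log is a duplicate. build_nfct_filter starts and ends outside the hunk.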
@@ -1296,7 +1366,8 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 
 	if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
 		(strlen(dst_filter_ce(upi->config_kset).u.string) != 0) ||
-		(strlen(proto_filter_ce(upi->config_kset).u.string) != 0)
+		(strlen(proto_filter_ce(upi->config_kset).u.string) != 0) ||
+		(strlen(mark_filter_ce(upi->config_kset).u.string) != 0)
 	   ) {
 		if (build_nfct_filter(upi) != 0) {
 			ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
-- 
1.8.5.3



* [ulogd PATCH 3/3] add mark dump filter
  2014-04-08 10:26 [libnetfilter_conntrack/ulogd PATCH 0/3] add mark filter Ken-ichirou MATSUZAWA
  2014-04-08 10:30 ` [libnetfilter_conntrack PATCH 1/3] conntrack: add mark event filter Ken-ichirou MATSUZAWA
  2014-04-08 10:32 ` [ulogd PATCH 2/3] " Ken-ichirou MATSUZAWA
@ 2014-04-08 10:34 ` Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:34 UTC (permalink / raw)
  To: netfilter-devel

This patch makes it possible to filter dumps by mark.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 input/flow/ulogd_inpflow_NFCT.c | 63 +++++++++++++++++++++++++++--------------
 1 file changed, 42 insertions(+), 21 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index a5cf854..37b45e8 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -71,6 +71,7 @@ struct nfct_pluginstance {
 	struct ulogd_timer ov_timer;	/* overrun retry timer */
 	struct hashtable *ct_active;
 	int nlbufsiz;			/* current netlink buffer size */
+	struct nfct_filter_dump *filter_dump;
 	struct nf_conntrack *ct;
 };
 
@@ -1003,8 +1004,9 @@ dump_reset_handler(enum nf_conntrack_msg_type type,
 
 static void get_ctr_zero(struct ulogd_pluginstance *upi)
 {
+	struct nfct_pluginstance *cpi =
+			(struct nfct_pluginstance *)upi->private;
 	struct nfct_handle *h;
-	int family = AF_UNSPEC;
 
 	h = nfct_open(CONNTRACK, 0);
 	if (h == NULL) {
@@ -1012,7 +1014,7 @@ static void get_ctr_zero(struct ulogd_pluginstance *upi)
 		return;
 	}
 	nfct_callback_register(h, NFCT_T_ALL, &dump_reset_handler, upi);
-	if (nfct_query(h, NFCT_Q_DUMP_RESET, &family) == -1)
+	if (nfct_query(h, NFCT_Q_DUMP_FILTER_RESET, cpi->filter_dump) == -1)
 		ulogd_log(ULOGD_FATAL, "Cannot dump and reset counters\n");
 
 	nfct_close(h);
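Review bot: Replacing `&family` (AF_UNSPEC) with `cpi->filter_dump` drops the explicit address-family selection, and nothing in this series sets NFCT_FILTER_DUMP_L3NUM on the dump filter, so the dump now depends on whatever family nfct_filter_dump_create() leaves as the default; if that default is not AF_UNSPEC, `nfct_filter_dump_set_attr_u8(cpi->filter_dump, NFCT_FILTER_DUMP_L3NUM, AF_UNSPEC);` in constructor_nfct() restores the old behaviour, and even if it is, a comment saying so is worth having. The same substitution is made in polling_timer_cb, overrun_timeout and the hashtable dump in constructor_nfct_events, so one explicit setting covers all of them. get_ctr_zero ends outside this hunk.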
@@ -1023,9 +1025,8 @@ static void polling_timer_cb(struct ulogd_timer *t, void *data)
 	struct ulogd_pluginstance *upi = data;
 	struct nfct_pluginstance *cpi =
 			(struct nfct_pluginstance *)upi->private;
-	int family = AF_UNSPEC;
 
-	nfct_query(cpi->pgh, NFCT_Q_DUMP, &family);
+	nfct_query(cpi->pgh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
 	hashtable_iterate(cpi->ct_active, upi, do_purge);
 	ulogd_add_timer(&cpi->timer, pollint_ce(upi->config_kset).u.value);
 }
@@ -1044,12 +1045,11 @@ static int configure_nfct(struct ulogd_pluginstance *upi,
 
 static void overrun_timeout(struct ulogd_timer *a, void *data)
 {
-	int family = AF_UNSPEC;
 	struct ulogd_pluginstance *upi = data;
 	struct nfct_pluginstance *cpi =
 			(struct nfct_pluginstance *)upi->private;
 
-	nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
+	nfct_send(cpi->ovh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
 }
 
 
@@ -1228,8 +1228,8 @@ static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
 	return 0;
 }
 
-#if defined HAVE_NFCT_FILTER_MARK
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string,
+				struct nfct_filter_dump *filter_dump)
 {
 	char *p, *endptr;
 	uintmax_t v;
@@ -1264,24 +1264,27 @@ static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_strin
 		filter_mark.mask = UINT32_MAX;
 	}
 
-	ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+	if (filter != NULL) {
+#if defined HAVE_NFCT_FILTER_MARK
+		nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+		ulogd_log(ULOGD_NOTICE, "adding mark to event filter: \"%u/%u\"\n",
+			  filter_mark.val, filter_mark.mask);
+#else
+		ulogd_log(ULOGD_FATAL, "mark event filter is not supported\n");
+		return -1;
+#endif
+	}
+	nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+					&filter_mark);
+	ulogd_log(ULOGD_NOTICE, "adding mark to dump filter: \"%u/%u\"\n",
 		  filter_mark.val, filter_mark.mask);
-	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
 
 	return 0;
 
 invalid_error:
 	ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
 	return -1;
-
-}
-#else
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
-{
-	ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
-	return -1;
 }
-#endif /* HAVE_NFCT_FILTER_MARK */
 
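Review bot: `nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK, &filter_mark);` has no NULL check on filter_dump although the sibling `filter` pointer gets one two lines above; both callers pass `cpi->filter_dump`, which constructor_nfct() verifies, so this holds today but deserves `/* filter_dump is always allocated by constructor_nfct() */` at the call. In the `#else` branch the whole val/mask string has already been parsed when the function gives up with `mark event filter is not supported`, even though the dump-filter half of the feature still works without NFCT_FILTER_MARK; whether that should be a hard failure or a warning that skips only the event filter is worth deciding explicitly. The parsing half of build_nfct_filter_mark lies outside this hunk.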
 static int build_nfct_filter(struct ulogd_pluginstance *upi)
 {
@@ -1327,7 +1330,7 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
 
 	if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
 		char *filter_string = mark_filter_ce(upi->config_kset).u.string;
-		if (build_nfct_filter_mark(filter, filter_string) != 0) {
+		if (build_nfct_filter_mark(filter, filter_string, cpi->filter_dump) != 0) {
 			ulogd_log(ULOGD_FATAL,
 					"Unable to create mark filter\n");
 			goto err_filter;
@@ -1412,7 +1415,6 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 		goto err_nfctobj;
 
 	if (usehash_ce(upi->config_kset).u.value != 0) {
-		int family = AF_UNSPEC;
 		struct nfct_handle *h;
 
 		/* we use a hashtable to cache entries in userspace. */
@@ -1436,7 +1438,7 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 		}
 		nfct_callback_register(h, NFCT_T_ALL,
 				       &event_handler_hashtable, upi);
-		nfct_query(h, NFCT_Q_DUMP, &family);
+		nfct_query(h, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
 		nfct_close(h);
 
 		/* the overrun handler only make sense with the hashtable,
@@ -1500,6 +1502,14 @@ static int constructor_nfct_polling(struct ulogd_pluginstance *upi)
 		ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
 		goto err;
 	}
+	if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+		char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+		if (build_nfct_filter_mark(NULL, filter_string,
+					   cpi->filter_dump) != 0) {
+			ulogd_log(ULOGD_FATAL, "error creating NFCT mark filter\n");
+			goto err_hashtable;
+		}
+	}
 	nfct_callback_register(cpi->pgh, NFCT_T_ALL, &polling_handler, upi);
 
 	cpi->ct_active =
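Review bot: On a mark-filter parse error the new block jumps to `err_hashtable` before `cpi->ct_active` has been created (the hashtable assignment is the statement right after the hunk), so whatever that label tears down — presumably the hashtable — runs against a table that does not exist yet; the labels themselves are outside the hunk, so this is inferred from the name. A label that only closes `cpi->pgh`, the handle opened just above, is the right target for this failure. constructor_nfct_polling continues outside the hunk.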
@@ -1534,6 +1544,15 @@ err:
 
 static int constructor_nfct(struct ulogd_pluginstance *upi)
 {
+	struct nfct_pluginstance *cpi =
+			(struct nfct_pluginstance *) upi->private;
+
+	cpi->filter_dump = nfct_filter_dump_create();
+	if (cpi->filter_dump == NULL) {
+		ulogd_log(ULOGD_FATAL, "could not create filter_dump\n");
+		return -1;
+	}
+
 	if (pollint_ce(upi->config_kset).u.value == 0) {
 		/* listen to ctnetlink events. */
 		return constructor_nfct_events(upi);
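Review bot: `cpi->filter_dump` is allocated here but never released when constructor_nfct_events() or constructor_nfct_polling() fails, because their error return is passed straight through, so a failed constructor leaks the dump filter. Capturing the result and destroying it on error, along the lines of `int rc = constructor_nfct_events(upi); if (rc != 0) nfct_filter_dump_destroy(cpi->filter_dump); return rc;`, covers both branches. Only destructor_nfct_events() gains a matching nfct_filter_dump_destroy() in this patch; if polling mode has its own destructor it needs the same call. constructor_nfct continues outside the hunk.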
@@ -1553,6 +1572,8 @@ static int destructor_nfct_events(struct ulogd_pluginstance *upi)
 
 	ulogd_unregister_fd(&cpi->nfct_fd);
 
+	nfct_filter_dump_destroy(cpi->filter_dump);
+
 	rc = nfct_close(cpi->cth);
 	if (rc < 0)
 		return rc;
-- 
1.8.5.3



* Re: [libnetfilter_conntrack PATCH 1/3] conntrack: add mark event filter
  2014-04-08 10:30 ` [libnetfilter_conntrack PATCH 1/3] conntrack: add mark event filter Ken-ichirou MATSUZAWA
@ 2014-04-14 12:53   ` Pablo Neira Ayuso
  2014-04-15 11:54     ` [libnetfilter_conntrack PATCH 1/3 resend] " Ken-ichirou MATSUZAWA
From: Pablo Neira Ayuso @ 2014-04-14 12:53 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Tue, Apr 08, 2014 at 07:30:04PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch adds mark filter for event listener, using same struct
> nfct_filter_dump_mark.

OK, let's put this in the tree.


* Re: [ulogd PATCH 2/3] add mark event filter
  2014-04-08 10:32 ` [ulogd PATCH 2/3] " Ken-ichirou MATSUZAWA
@ 2014-04-14 12:54   ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2014-04-14 12:54 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel, Eric Leblond

On Tue, Apr 08, 2014 at 07:32:19PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch adds a new configuration variable which is used to limit
> conntrack event to connection of the mark.
> 
> Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
> ---
>  configure.ac                    | 15 +++++++++
>  input/flow/ulogd_inpflow_NFCT.c | 75 +++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 88 insertions(+), 2 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 522c345..7e5f5fc 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -58,6 +58,20 @@ AS_IF([test "x$enable_nfct" = "xyes"], [
>      AC_DEFINE([BUILD_NFCT], [1], [Building nfct module])
>  ])
>  AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
> +AS_IF([test "x$enable_nfct" = "xyes"], [
> +    AC_MSG_CHECKING([for enable mark filter for event])
> +    AC_CACHE_VAL(ac_cv_nfct_filter_mark,
> +    AC_TRY_COMPILE(
> +        [ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>],
> +        [ int i = NFCT_FILTER_MARK; ],
> +        ac_cv_nfct_filter_mark=yes,
> +        ac_cv_nfct_filter_mark=no))
> +    AC_MSG_RESULT($ac_cv_nfct_filter_mark)
> +    AS_IF([test "x$ac_cv_nfct_filter_mark" = "xyes"], [
> +        AC_DEFINE([HAVE_NFCT_FILTER_MARK], [1], [Building nfct mark event filter])
> +    ])
> +])

I don't find a good reason to add a compile time option for this.

Eric?


* [libnetfilter_conntrack PATCH 1/3 resend] conntrack: add mark event filter
  2014-04-14 12:53   ` Pablo Neira Ayuso
@ 2014-04-15 11:54     ` Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2014-04-15 11:54 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This patch adds a mark filter for the event listener, reusing
struct nfct_filter_dump_mark as the attribute value.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>

---
 include/internal/object.h                          |  7 +++
 .../libnetfilter_conntrack.h                       |  1 +
 src/conntrack/bsf.c                                | 55 ++++++++++++++++++++++
 src/conntrack/filter.c                             | 13 +++++
 4 files changed, 76 insertions(+)

diff --git a/include/internal/object.h b/include/internal/object.h
index 540ad0d..1259467 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -263,6 +263,13 @@ struct nfct_filter {
 		u_int32_t 	mask[4];
 	} l3proto_ipv6[2][__FILTER_IPV6_MAX];
 
+	u_int32_t 		mark_elems;
+	struct {
+#define __FILTER_MARK_MAX	127
+		u_int32_t 	val;
+		u_int32_t 	mask;
+	} mark[__FILTER_MARK_MAX];
+
 	u_int32_t 		set[1];
 };
 
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index d4542ba..890721a 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -496,6 +496,7 @@ enum nfct_filter_attr {
 	NFCT_FILTER_DST_IPV4,		/* struct nfct_filter_ipv4 */
 	NFCT_FILTER_SRC_IPV6,		/* struct nfct_filter_ipv6 */
 	NFCT_FILTER_DST_IPV6,		/* struct nfct_filter_ipv6 */
+	NFCT_FILTER_MARK,		/* struct nfct_filter_dump_mark */
 	NFCT_FILTER_MAX
 };
 
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 534202f..632c201 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -663,6 +663,58 @@ bsf_add_daddr_ipv6_filter(const struct nfct_filter *f, struct sock_filter *this)
 	return bsf_add_addr_ipv6_filter(f, this, CTA_IP_V6_DST);
 }
 
+static int
+bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+{
+	unsigned int i, j;
+	unsigned int label_continue, jt;
+	struct stack *s;
+	struct jump jmp;
+
+	/* nothing to filter, skip */
+	if (f->mark_elems == 0)
+		return 0;
+
+	/* XXX: see bsf_add_addr_ipv4_filter() */
+	s = stack_create(sizeof(struct jump), 3 + 127);
+	if (s == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	jt = 1;
+	if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_POSITIVE)
+		label_continue = 1;
+	else
+		label_continue = 2;
+
+	j = 0;
+	j += nfct_bsf_load_payload_offset(this, j);
+	j += nfct_bsf_find_attr(this, CTA_MARK, j);
+	j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
+	j += nfct_bsf_x_equal_a(this, j);
+
+	for (i = 0; i < f->mark_elems; i++) {
+		int mark = f->mark[i].val & f->mark[i].mask;
+
+		j += nfct_bsf_load_attr(this, BPF_W, j);
+		j += nfct_bsf_alu_and(this, f->mark[i].mask, j);
+		j += nfct_bsf_cmp_k_stack(this, mark, jt - j, j, s);
+	}
+
+	while (stack_pop(s, &jmp) != -1)
+		this[jmp.line].jt += jmp.jt + j;
+
+	if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_NEGATIVE)
+		j += nfct_bsf_jump_to(this, 1, j);
+
+	j += nfct_bsf_ret_verdict(this, NFCT_FILTER_REJECT, j);
+
+	stack_destroy(s);
+
+	return j;
+}
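Review bot: `j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);` is the one functional change from the earlier posting and carries no comment; from the label choice (1 on positive logic, 2 on negative, i.e. the slot just past the final verdict) it appears to let messages without a CTA_MARK attribute through rather than rejecting them, but that reading depends on what nfct_bsf_find_attr() leaves in the accumulator, which is not visible here. A comment such as `/* no CTA_MARK in this message: skip the mark check instead of rejecting */`, confirmed against that helper, would spare the next reader the same reconstruction.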
+
 /* this buffer must be big enough to store all the autogenerated lines */
 #define BSF_BUFFER_SIZE 	2048
 
@@ -696,6 +748,9 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
 	j += bsf_add_state_filter(f, &bsf[j]);
 	show_filter(bsf, from, j, "---- check state ----");
 	from = j;
+	j += bsf_add_mark_filter(f, &bsf[j]);
+	show_filter(bsf, from, j, "---- check mark ----");
+	from = j;
 
 	/* nothing to filter, skip */
 	if (j == 0)
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 026545a..78fbbc5 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -79,6 +79,18 @@ static void filter_attr_dst_ipv6(struct nfct_filter *filter, const void *value)
 	filter->l3proto_elems_ipv6[1]++;
 }
 
+static void filter_attr_mark(struct nfct_filter *filter, const void *value)
+{
+	const struct nfct_filter_dump_mark *this = value;
+
+	if (filter->mark_elems >= __FILTER_MARK_MAX)
+		return;
+
+	filter->mark[filter->mark_elems].val = this->val;
+	filter->mark[filter->mark_elems].mask = this->mask;
+	filter->mark_elems++;
+}
+
 const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_L4PROTO]		= filter_attr_l4proto,
 	[NFCT_FILTER_L4PROTO_STATE]	= filter_attr_l4proto_state,
@@ -86,4 +98,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_DST_IPV4]		= filter_attr_dst_ipv4,
 	[NFCT_FILTER_SRC_IPV6]		= filter_attr_src_ipv6,
 	[NFCT_FILTER_DST_IPV6]		= filter_attr_dst_ipv6,
+	[NFCT_FILTER_MARK]		= filter_attr_mark,
 };
-- 
1.9.1


