* [libnetfilter_conntrack/ulogd PATCH 0/3] add mark filter
@ 2014-04-08 10:26 Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:26 UTC (permalink / raw)
To: netfilter-devel
Hello,
This patch series enables mark filtering in NFCT plugin.
Would you review it? I think there are two issues:
* libnetfilter_conntrack
I reused struct nfct_filter_dump_mark for NFCT_FILTER_MARK in
nfct_filter_add_attr(). Should I introduce a new struct, even though
it would have the same fields?
* ulogd
I've changed every dump function to use nfct_filter_dump, except
do_purge(). That may require a lot of testing, so would it be better
to add a field recording whether a mark filter has been set and check
it when dumping?
Thanks.
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:30 UTC (permalink / raw)
To: netfilter-devel
This patch adds a mark filter for the event listener, using the same
struct nfct_filter_dump_mark.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
include/internal/object.h | 7 ++++
.../libnetfilter_conntrack.h | 1 +
src/conntrack/bsf.c | 49 ++++++++++++++++++++++
src/conntrack/filter.c | 13 ++++++
4 files changed, 70 insertions(+)
diff --git a/include/internal/object.h b/include/internal/object.h
index 540ad0d..1259467 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -263,6 +263,13 @@ struct nfct_filter {
u_int32_t mask[4];
} l3proto_ipv6[2][__FILTER_IPV6_MAX];
+ u_int32_t mark_elems;
+ struct {
+#define __FILTER_MARK_MAX 127
+ u_int32_t val;
+ u_int32_t mask;
+ } mark[__FILTER_MARK_MAX];
+
u_int32_t set[1];
};
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index d4542ba..890721a 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -496,6 +496,7 @@ enum nfct_filter_attr {
NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */
NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */
NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */
+ NFCT_FILTER_MARK, /* struct nfct_filter_dump_mark */
NFCT_FILTER_MAX
};
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 534202f..08a9a44 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -663,6 +663,52 @@ bsf_add_daddr_ipv6_filter(const struct nfct_filter *f, struct sock_filter *this)
return bsf_add_addr_ipv6_filter(f, this, CTA_IP_V6_DST);
}
+static int
+bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+{
+ unsigned int i, j;
+ unsigned int jt;
+ struct stack *s;
+ struct jump jmp;
+
+ /* nothing to filter, skip */
+ if (f->mark_elems == 0)
+ return 0;
+
+ /* XXX: see bsf_add_addr_ipv4_filter() */
+ s = stack_create(sizeof(struct jump), 3 + 127);
+ if (s == NULL) {
+ errno = ENOMEM;
+ return -1;
+ }
+
+ jt = 1;
+ j = 0;
+ j += nfct_bsf_load_payload_offset(this, j);
+ j += nfct_bsf_find_attr(this, CTA_MARK, j);
+ j += nfct_bsf_x_equal_a(this, j);
+
+ for (i = 0; i < f->mark_elems; i++) {
+ int mark = f->mark[i].val & f->mark[i].mask;
+
+ j += nfct_bsf_load_attr(this, BPF_W, j);
+ j += nfct_bsf_alu_and(this, f->mark[i].mask, j);
+ j += nfct_bsf_cmp_k_stack(this, mark, jt - j, j, s);
+ }
+
+ while (stack_pop(s, &jmp) != -1)
+ this[jmp.line].jt += jmp.jt + j;
+
+ if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_NEGATIVE)
+ j += nfct_bsf_jump_to(this, 1, j);
+
+ j += nfct_bsf_ret_verdict(this, NFCT_FILTER_REJECT, j);
+
+ stack_destroy(s);
+
+ return j;
+}
+
/* this buffer must be big enough to store all the autogenerated lines */
#define BSF_BUFFER_SIZE 2048
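Review bot: `int mark = f->mark[i].val & f->mark[i].mask;` narrows the u_int32_t val/mask product into a signed int, so a mark with bit 31 set goes through an implementation-defined conversion before it is handed on as the BPF immediate; `u_int32_t mark = f->mark[i].val & f->mark[i].mask;` keeps it exact. The same line is repeated in the resend of this patch later in the thread. `stack_create(sizeof(struct jump), 3 + 127)` hard-codes the limit that object.h names __FILTER_MARK_MAX; `stack_create(sizeof(struct jump), 3 + __FILTER_MARK_MAX)` keeps the stack and the array in step if the cap ever changes. Nothing in this version handles a message that carries no CTA_MARK attribute at all — after nfct_bsf_find_attr the code goes straight to nfct_bsf_x_equal_a — whereas the resend inserts a nfct_bsf_cmp_k_stack against 0 right after find_attr, which looks like the intended treatment and should be documented with a one-line comment there.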
@@ -696,6 +742,9 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
j += bsf_add_state_filter(f, &bsf[j]);
show_filter(bsf, from, j, "---- check state ----");
from = j;
+ j += bsf_add_mark_filter(f, &bsf[j]);
+ show_filter(bsf, from, j, "---- check mark ----");
+ from = j;
/* nothing to filter, skip */
if (j == 0)
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 026545a..78fbbc5 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -79,6 +79,18 @@ static void filter_attr_dst_ipv6(struct nfct_filter *filter, const void *value)
filter->l3proto_elems_ipv6[1]++;
}
+static void filter_attr_mark(struct nfct_filter *filter, const void *value)
+{
+ const struct nfct_filter_dump_mark *this = value;
+
+ if (filter->mark_elems >= __FILTER_MARK_MAX)
+ return;
+
+ filter->mark[filter->mark_elems].val = this->val;
+ filter->mark[filter->mark_elems].mask = this->mask;
+ filter->mark_elems++;
+}
+
const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
[NFCT_FILTER_L4PROTO] = filter_attr_l4proto,
[NFCT_FILTER_L4PROTO_STATE] = filter_attr_l4proto_state,
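Review bot: filter_attr_mark silently discards every attribute past __FILTER_MARK_MAX, and since the filter_attr callbacks return void the caller of nfct_filter_add_attr never learns that a condition was dropped. For a filter with NFCT_FILTER_LOGIC_NEGATIVE that means events carrying the dropped marks pass through unfiltered; with positive logic they are rejected — either way the effective policy differs from what was configured. The other attribute setters appear to follow the same pattern (their bodies are outside the hunk), so at minimum the cap belongs in the public header comment on NFCT_FILTER_MARK, e.g. `/* struct nfct_filter_dump_mark; at most 127 entries, further ones are ignored */`. The resend of this patch carries the identical function.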
@@ -86,4 +98,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
[NFCT_FILTER_DST_IPV4] = filter_attr_dst_ipv4,
[NFCT_FILTER_SRC_IPV6] = filter_attr_src_ipv6,
[NFCT_FILTER_DST_IPV6] = filter_attr_dst_ipv6,
+ [NFCT_FILTER_MARK] = filter_attr_mark,
};
--
1.8.5.3
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:32 UTC (permalink / raw)
To: netfilter-devel
This patch adds a new configuration variable which limits conntrack
events to connections carrying the configured mark.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
configure.ac | 15 +++++++++
input/flow/ulogd_inpflow_NFCT.c | 75 +++++++++++++++++++++++++++++++++++++++--
2 files changed, 88 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 522c345..7e5f5fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,20 @@ AS_IF([test "x$enable_nfct" = "xyes"], [
AC_DEFINE([BUILD_NFCT], [1], [Building nfct module])
])
AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
+AS_IF([test "x$enable_nfct" = "xyes"], [
+ AC_MSG_CHECKING([for enable mark filter for event])
+ AC_CACHE_VAL(ac_cv_nfct_filter_mark,
+ AC_TRY_COMPILE(
+ [ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>],
+ [ int i = NFCT_FILTER_MARK; ],
+ ac_cv_nfct_filter_mark=yes,
+ ac_cv_nfct_filter_mark=no))
+ AC_MSG_RESULT($ac_cv_nfct_filter_mark)
+ AS_IF([test "x$ac_cv_nfct_filter_mark" = "xyes"], [
+ AC_DEFINE([HAVE_NFCT_FILTER_MARK], [1], [Building nfct mark event filter])
+ ])
+])
+
AC_ARG_ENABLE(nfacct,
AS_HELP_STRING([--enable-nfacct], [Enable nfacct module [default=yes]]),,[enable_nfacct=yes])
AS_IF([test "x$enable_nfacct" = "xyes"], [
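Review bot: AC_TRY_COMPILE is an obsolete autoconf macro (autoupdate rewrites it and newer autoconf warns), so if this probe is kept the current form is `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <libnetfilter_conntrack/libnetfilter_conntrack.h>]], [[int i = NFCT_FILTER_MARK;]])], [ac_cv_nfct_filter_mark=yes], [ac_cv_nfct_filter_mark=no])`. The AC_MSG_CHECKING text "for enable mark filter for event" does not say what is being tested; "whether libnetfilter_conntrack provides NFCT_FILTER_MARK" does.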
@@ -156,6 +170,7 @@ Ulogd configuration:
Input plugins:
NFLOG plugin: ${enable_nflog}
NFCT plugin: ${enable_nfct}
+ with MARK event filter ${ac_cv_nfct_filter_mark}
NFACCT plugin: ${enable_nfacct}
Output plugins:
PCAP plugin: ${enable_pcap}
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 899b7e3..a5cf854 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -35,6 +35,7 @@
#include <sys/time.h>
#include <time.h>
+#include <ctype.h>
#include <netinet/in.h>
#include <netdb.h>
#include <ulogd/linuxlist.h>
@@ -78,7 +79,7 @@ struct nfct_pluginstance {
#define EVENT_MASK NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
static struct config_keyset nfct_kset = {
- .num_ces = 12,
+ .num_ces = 13,
.ces = {
{
.key = "pollinterval",
@@ -149,6 +150,11 @@ static struct config_keyset nfct_kset = {
.type = CONFIG_TYPE_STRING,
.options = CONFIG_OPT_NONE,
},
+ {
+ .key = "accept_mark_filter",
+ .type = CONFIG_TYPE_STRING,
+ .options = CONFIG_OPT_NONE,
+ },
},
};
#define pollint_ce(x) (x->ces[0])
@@ -163,6 +169,7 @@ static struct config_keyset nfct_kset = {
#define src_filter_ce(x) ((x)->ces[9])
#define dst_filter_ce(x) ((x)->ces[10])
#define proto_filter_ce(x) ((x)->ces[11])
+#define mark_filter_ce(x) ((x)->ces[12])
enum nfct_keys {
NFCT_ORIG_IP_SADDR = 0,
@@ -1221,6 +1228,60 @@ static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
return 0;
}
+#if defined HAVE_NFCT_FILTER_MARK
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+ char *p, *endptr;
+ uintmax_t v;
+ struct nfct_filter_dump_mark filter_mark;
+ errno = 0;
+
+ for (p = filter_string; isspace(*p); ++p)
+ ;
+ v = strtoumax(p, &endptr, 0);
+ if (endptr == p)
+ goto invalid_error;
+ if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+ goto invalid_error;
+ filter_mark.val = (uint32_t)v;
+
+ if (*endptr != '\0') {
+ for (p = endptr; isspace(*p); ++p)
+ ;
+ if (*p++ != '/')
+ goto invalid_error;
+ for (; isspace(*p); ++p)
+ ;
+ v = strtoumax(p, &endptr, 0);
+ if (endptr == p)
+ goto invalid_error;
+ if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+ goto invalid_error;
+ filter_mark.mask = (uint32_t)v;
+ if (*endptr != '\0')
+ goto invalid_error;
+ } else {
+ filter_mark.mask = UINT32_MAX;
+ }
+
+ ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+ filter_mark.val, filter_mark.mask);
+ nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+
+ return 0;
+
+invalid_error:
+ ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
+ return -1;
+
+}
+#else
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+ ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
+ return -1;
+}
+#endif /* HAVE_NFCT_FILTER_MARK */
static int build_nfct_filter(struct ulogd_pluginstance *upi)
{
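Review bot: neither strtoumax result is range-checked before the `(uint32_t)v` casts, so an input such as 0x1ffffffff parses without ERANGE and is silently truncated — for the mask that quietly changes which bits the filter compares. Add `if (v > UINT32_MAX) goto invalid_error;` before each cast. The three `isspace(*p)` calls pass a plain char; where char is signed a non-ASCII byte in the config string makes the <ctype.h> call undefined, so write `isspace((unsigned char)*p)`. The condition `(errno == ERANGE && v == UINTMAX_MAX) || errno != 0` reduces to `errno != 0`. The function relies on strtoumax, uintmax_t, UINTMAX_MAX and UINT32_MAX from <inttypes.h>/<stdint.h>, yet only <ctype.h> is added by this patch — confirm the file already includes them.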
@@ -1264,6 +1325,15 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
}
}
+ if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_mark(filter, filter_string) != 0) {
+ ulogd_log(ULOGD_FATAL,
+ "Unable to create mark filter\n");
+ goto err_filter;
+ }
+ }
+
if (filter) {
if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
ulogd_log(ULOGD_FATAL, "nfct_filter_attach");
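Review bot: the `if (filter)` guard a few lines below suggests filter can be NULL at this point, yet the new mark block passes it straight into build_nfct_filter_mark and on to nfct_filter_add_attr without a check; the src/dst/proto blocks above are outside the hunk, so I cannot tell whether they are guarded the same way. If NULL is reachable here, `if (filter && strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {` or an explicit error is needed. `mark_filter_ce(upi->config_kset).u.string` is also evaluated twice; hoisting filter_string above the strlen removes the repetition.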
@@ -1296,7 +1366,8 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
(strlen(dst_filter_ce(upi->config_kset).u.string) != 0) ||
- (strlen(proto_filter_ce(upi->config_kset).u.string) != 0)
+ (strlen(proto_filter_ce(upi->config_kset).u.string) != 0) ||
+ (strlen(mark_filter_ce(upi->config_kset).u.string) != 0)
) {
if (build_nfct_filter(upi) != 0) {
ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");
--
1.8.5.3
From: Ken-ichirou MATSUZAWA @ 2014-04-08 10:34 UTC (permalink / raw)
To: netfilter-devel
This patch makes it possible to filter dumps by mark.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
input/flow/ulogd_inpflow_NFCT.c | 63 +++++++++++++++++++++++++++--------------
1 file changed, 42 insertions(+), 21 deletions(-)
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index a5cf854..37b45e8 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -71,6 +71,7 @@ struct nfct_pluginstance {
struct ulogd_timer ov_timer; /* overrun retry timer */
struct hashtable *ct_active;
int nlbufsiz; /* current netlink buffer size */
+ struct nfct_filter_dump *filter_dump;
struct nf_conntrack *ct;
};
@@ -1003,8 +1004,9 @@ dump_reset_handler(enum nf_conntrack_msg_type type,
static void get_ctr_zero(struct ulogd_pluginstance *upi)
{
+ struct nfct_pluginstance *cpi =
+ (struct nfct_pluginstance *)upi->private;
struct nfct_handle *h;
- int family = AF_UNSPEC;
h = nfct_open(CONNTRACK, 0);
if (h == NULL) {
@@ -1012,7 +1014,7 @@ static void get_ctr_zero(struct ulogd_pluginstance *upi)
return;
}
nfct_callback_register(h, NFCT_T_ALL, &dump_reset_handler, upi);
- if (nfct_query(h, NFCT_Q_DUMP_RESET, &family) == -1)
+ if (nfct_query(h, NFCT_Q_DUMP_FILTER_RESET, cpi->filter_dump) == -1)
ulogd_log(ULOGD_FATAL, "Cannot dump and reset counters\n");
nfct_close(h);
@@ -1023,9 +1025,8 @@ static void polling_timer_cb(struct ulogd_timer *t, void *data)
struct ulogd_pluginstance *upi = data;
struct nfct_pluginstance *cpi =
(struct nfct_pluginstance *)upi->private;
- int family = AF_UNSPEC;
- nfct_query(cpi->pgh, NFCT_Q_DUMP, &family);
+ nfct_query(cpi->pgh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
hashtable_iterate(cpi->ct_active, upi, do_purge);
ulogd_add_timer(&cpi->timer, pollint_ce(upi->config_kset).u.value);
}
@@ -1044,12 +1045,11 @@ static int configure_nfct(struct ulogd_pluginstance *upi,
static void overrun_timeout(struct ulogd_timer *a, void *data)
{
- int family = AF_UNSPEC;
struct ulogd_pluginstance *upi = data;
struct nfct_pluginstance *cpi =
(struct nfct_pluginstance *)upi->private;
- nfct_send(cpi->ovh, NFCT_Q_DUMP, &family);
+ nfct_send(cpi->ovh, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
}
@@ -1228,8 +1228,8 @@ static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
return 0;
}
-#if defined HAVE_NFCT_FILTER_MARK
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string,
+ struct nfct_filter_dump *filter_dump)
{
char *p, *endptr;
uintmax_t v;
@@ -1264,24 +1264,27 @@ static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_strin
filter_mark.mask = UINT32_MAX;
}
- ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+ if (filter != NULL) {
+#if defined HAVE_NFCT_FILTER_MARK
+ nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+ ulogd_log(ULOGD_NOTICE, "adding mark to event filter: \"%u/%u\"\n",
+ filter_mark.val, filter_mark.mask);
+#else
+ ulogd_log(ULOGD_FATAL, "mark event filter is not supported\n");
+ return -1;
+#endif
+ }
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+ &filter_mark);
+ ulogd_log(ULOGD_NOTICE, "adding mark to dump filter: \"%u/%u\"\n",
filter_mark.val, filter_mark.mask);
- nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
return 0;
invalid_error:
ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
return -1;
-
-}
-#else
-static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
-{
- ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
- return -1;
}
-#endif /* HAVE_NFCT_FILTER_MARK */
static int build_nfct_filter(struct ulogd_pluginstance *upi)
{
@@ -1327,7 +1330,7 @@ static int build_nfct_filter(struct ulogd_pluginstance *upi)
if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
char *filter_string = mark_filter_ce(upi->config_kset).u.string;
- if (build_nfct_filter_mark(filter, filter_string) != 0) {
+ if (build_nfct_filter_mark(filter, filter_string, cpi->filter_dump) != 0) {
ulogd_log(ULOGD_FATAL,
"Unable to create mark filter\n");
goto err_filter;
@@ -1412,7 +1415,6 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
goto err_nfctobj;
if (usehash_ce(upi->config_kset).u.value != 0) {
- int family = AF_UNSPEC;
struct nfct_handle *h;
/* we use a hashtable to cache entries in userspace. */
@@ -1436,7 +1438,7 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
}
nfct_callback_register(h, NFCT_T_ALL,
&event_handler_hashtable, upi);
- nfct_query(h, NFCT_Q_DUMP, &family);
+ nfct_query(h, NFCT_Q_DUMP_FILTER, cpi->filter_dump);
nfct_close(h);
/* the overrun handler only make sense with the hashtable,
@@ -1500,6 +1502,14 @@ static int constructor_nfct_polling(struct ulogd_pluginstance *upi)
ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
goto err;
}
+ if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+ char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+ if (build_nfct_filter_mark(NULL, filter_string,
+ cpi->filter_dump) != 0) {
+ ulogd_log(ULOGD_FATAL, "error creating NFCT mark filter\n");
+ goto err_hashtable;
+ }
+ }
nfct_callback_register(cpi->pgh, NFCT_T_ALL, &polling_handler, upi);
cpi->ct_active =
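Review bot: the new failure path jumps to err_hashtable before cpi->ct_active is created on the line just below, so that label must not touch the hashtable; if it only closes cpi->pgh the cleanup is correct but the name misleads, and if it tears down ct_active it operates on whatever the struct held beforehand. The label itself is outside the hunk, so please confirm; naming the label for what it releases (`err_close_pgh`) would make the ordering self-evident.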
@@ -1534,6 +1544,15 @@ err:
static int constructor_nfct(struct ulogd_pluginstance *upi)
{
+ struct nfct_pluginstance *cpi =
+ (struct nfct_pluginstance *) upi->private;
+
+ cpi->filter_dump = nfct_filter_dump_create();
+ if (cpi->filter_dump == NULL) {
+ ulogd_log(ULOGD_FATAL, "could not create filter_dump\n");
+ return -1;
+ }
+
if (pollint_ce(upi->config_kset).u.value == 0) {
/* listen to ctnetlink events. */
return constructor_nfct_events(upi);
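Review bot: cpi->filter_dump is allocated here for both modes, but the only matching nfct_filter_dump_destroy in this series is the one added to destructor_nfct_events; nothing in the diff releases it on the polling side, and when constructor_nfct_events or constructor_nfct_polling fails the object leaks as well (constructor_nfct's polling branch continues past the hunk). Capturing the result instead of returning it directly, e.g. `rc = constructor_nfct_events(upi); if (rc != 0) { nfct_filter_dump_destroy(cpi->filter_dump); cpi->filter_dump = NULL; } return rc;`, covers the failure case, and destructor_nfct_polling (not in this diff) needs the same destroy as the events destructor. Separately, every dump path now passes this object even when no mark is configured; whether an attribute-less nfct_filter_dump yields the same AF_UNSPEC dump as the old `&family` argument is not shown here and deserves a comment at this create site.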
@@ -1553,6 +1572,8 @@ static int destructor_nfct_events(struct ulogd_pluginstance *upi)
ulogd_unregister_fd(&cpi->nfct_fd);
+ nfct_filter_dump_destroy(cpi->filter_dump);
+
rc = nfct_close(cpi->cth);
if (rc < 0)
return rc;
--
1.8.5.3
From: Pablo Neira Ayuso @ 2014-04-14 12:53 UTC (permalink / raw)
To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel
On Tue, Apr 08, 2014 at 07:30:04PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch adds mark filter for event listener, using same struct
> nfct_filter_dump_mark.
OK, let's put this in the tree.
From: Pablo Neira Ayuso @ 2014-04-14 12:54 UTC (permalink / raw)
To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel, Eric Leblond
On Tue, Apr 08, 2014 at 07:32:19PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch adds a new configuration variable which is used to limit
> conntrack event to connection of the mark.
>
> Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
> ---
> configure.ac | 15 +++++++++
> input/flow/ulogd_inpflow_NFCT.c | 75 +++++++++++++++++++++++++++++++++++++++--
> 2 files changed, 88 insertions(+), 2 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 522c345..7e5f5fc 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -58,6 +58,20 @@ AS_IF([test "x$enable_nfct" = "xyes"], [
> AC_DEFINE([BUILD_NFCT], [1], [Building nfct module])
> ])
> AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
> +AS_IF([test "x$enable_nfct" = "xyes"], [
> + AC_MSG_CHECKING([for enable mark filter for event])
> + AC_CACHE_VAL(ac_cv_nfct_filter_mark,
> + AC_TRY_COMPILE(
> + [ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>],
> + [ int i = NFCT_FILTER_MARK; ],
> + ac_cv_nfct_filter_mark=yes,
> + ac_cv_nfct_filter_mark=no))
> + AC_MSG_RESULT($ac_cv_nfct_filter_mark)
> + AS_IF([test "x$ac_cv_nfct_filter_mark" = "xyes"], [
> + AC_DEFINE([HAVE_NFCT_FILTER_MARK], [1], [Building nfct mark event filter])
> + ])
> +])
I don't find a good reason to add a compile time option for this.
Eric?
From: Ken-ichirou MATSUZAWA @ 2014-04-15 11:54 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This patch adds a mark filter for the event listener, using the same
struct nfct_filter_dump_mark.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
include/internal/object.h | 7 +++
.../libnetfilter_conntrack.h | 1 +
src/conntrack/bsf.c | 55 ++++++++++++++++++++++
src/conntrack/filter.c | 13 +++++
4 files changed, 76 insertions(+)
diff --git a/include/internal/object.h b/include/internal/object.h
index 540ad0d..1259467 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -263,6 +263,13 @@ struct nfct_filter {
u_int32_t mask[4];
} l3proto_ipv6[2][__FILTER_IPV6_MAX];
+ u_int32_t mark_elems;
+ struct {
+#define __FILTER_MARK_MAX 127
+ u_int32_t val;
+ u_int32_t mask;
+ } mark[__FILTER_MARK_MAX];
+
u_int32_t set[1];
};
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index d4542ba..890721a 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -496,6 +496,7 @@ enum nfct_filter_attr {
NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */
NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */
NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */
+ NFCT_FILTER_MARK, /* struct nfct_filter_dump_mark */
NFCT_FILTER_MAX
};
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 534202f..632c201 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -663,6 +663,58 @@ bsf_add_daddr_ipv6_filter(const struct nfct_filter *f, struct sock_filter *this)
return bsf_add_addr_ipv6_filter(f, this, CTA_IP_V6_DST);
}
+static int
+bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+{
+ unsigned int i, j;
+ unsigned int label_continue, jt;
+ struct stack *s;
+ struct jump jmp;
+
+ /* nothing to filter, skip */
+ if (f->mark_elems == 0)
+ return 0;
+
+ /* XXX: see bsf_add_addr_ipv4_filter() */
+ s = stack_create(sizeof(struct jump), 3 + 127);
+ if (s == NULL) {
+ errno = ENOMEM;
+ return -1;
+ }
+
+ jt = 1;
+ if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_POSITIVE)
+ label_continue = 1;
+ else
+ label_continue = 2;
+
+ j = 0;
+ j += nfct_bsf_load_payload_offset(this, j);
+ j += nfct_bsf_find_attr(this, CTA_MARK, j);
+ j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
+ j += nfct_bsf_x_equal_a(this, j);
+
+ for (i = 0; i < f->mark_elems; i++) {
+ int mark = f->mark[i].val & f->mark[i].mask;
+
+ j += nfct_bsf_load_attr(this, BPF_W, j);
+ j += nfct_bsf_alu_and(this, f->mark[i].mask, j);
+ j += nfct_bsf_cmp_k_stack(this, mark, jt - j, j, s);
+ }
+
+ while (stack_pop(s, &jmp) != -1)
+ this[jmp.line].jt += jmp.jt + j;
+
+ if (f->logic[NFCT_FILTER_MARK] == NFCT_FILTER_LOGIC_NEGATIVE)
+ j += nfct_bsf_jump_to(this, 1, j);
+
+ j += nfct_bsf_ret_verdict(this, NFCT_FILTER_REJECT, j);
+
+ stack_destroy(s);
+
+ return j;
+}
+
/* this buffer must be big enough to store all the autogenerated lines */
#define BSF_BUFFER_SIZE 2048
@@ -696,6 +748,9 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
j += bsf_add_state_filter(f, &bsf[j]);
show_filter(bsf, from, j, "---- check state ----");
from = j;
+ j += bsf_add_mark_filter(f, &bsf[j]);
+ show_filter(bsf, from, j, "---- check mark ----");
+ from = j;
/* nothing to filter, skip */
if (j == 0)
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 026545a..78fbbc5 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -79,6 +79,18 @@ static void filter_attr_dst_ipv6(struct nfct_filter *filter, const void *value)
filter->l3proto_elems_ipv6[1]++;
}
+static void filter_attr_mark(struct nfct_filter *filter, const void *value)
+{
+ const struct nfct_filter_dump_mark *this = value;
+
+ if (filter->mark_elems >= __FILTER_MARK_MAX)
+ return;
+
+ filter->mark[filter->mark_elems].val = this->val;
+ filter->mark[filter->mark_elems].mask = this->mask;
+ filter->mark_elems++;
+}
+
const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
[NFCT_FILTER_L4PROTO] = filter_attr_l4proto,
[NFCT_FILTER_L4PROTO_STATE] = filter_attr_l4proto_state,
@@ -86,4 +98,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
[NFCT_FILTER_DST_IPV4] = filter_attr_dst_ipv4,
[NFCT_FILTER_SRC_IPV6] = filter_attr_src_ipv6,
[NFCT_FILTER_DST_IPV6] = filter_attr_dst_ipv6,
+ [NFCT_FILTER_MARK] = filter_attr_mark,
};
--
1.9.1