* [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support
@ 2015-09-08 16:54 Pablo Neira Ayuso
  2015-09-08 16:54 ` [PATCH RFC 1/3] netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size() Pablo Neira Ayuso
                   ` (3 more replies)
  0 siblings, 4 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-08 16:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Ken-ichirou MATSUZAWA

Hi Ken-ichirou,

Would you have a look at this patchset?

I think it should prepare the ground for what you need.

They are totally untested, so please carefully review them.

Pablo Neira Ayuso (3):
  netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size()
  netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c
  netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c

 include/linux/netfilter.h               |   12 +-
 include/net/netfilter/nfnetlink_queue.h |   51 --
 net/netfilter/Makefile                  |    1 -
 net/netfilter/nf_conntrack_netlink.c    |   87 +-
 net/netfilter/nfnetlink_queue.c         | 1443 +++++++++++++++++++++++++++++++
 net/netfilter/nfnetlink_queue_core.c    | 1415 ------------------------------
 net/netfilter/nfnetlink_queue_ct.c      |  113 ---
 7 files changed, 1506 insertions(+), 1616 deletions(-)
 delete mode 100644 include/net/netfilter/nfnetlink_queue.h
 create mode 100644 net/netfilter/nfnetlink_queue.c
 delete mode 100644 net/netfilter/nfnetlink_queue_core.c
 delete mode 100644 net/netfilter/nfnetlink_queue_ct.c

-- 
1.7.10.4



* [PATCH RFC 1/3] netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size()
  2015-09-08 16:54 [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Pablo Neira Ayuso
@ 2015-09-08 16:54 ` Pablo Neira Ayuso
  2015-09-09  9:53   ` Ken-ichirou MATSUZAWA
  2015-09-08 16:54 ` [PATCH RFC 2/3] netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-08 16:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Ken-ichirou MATSUZAWA

Factor out code from ctnetlink_nlmsg_size() to consolidate the ctnetlink message size
calculation. Don't inline these functions; let the compiler decide for us.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c |   42 ++++++++--------------------------
 1 file changed, 9 insertions(+), 33 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 94a6654..5fd3d48 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -596,11 +596,9 @@ ctnetlink_timestamp_size(const struct nf_conn *ct)
 #endif
 }
 
-static inline size_t
-ctnetlink_nlmsg_size(const struct nf_conn *ct)
+static size_t ctnetlink_nlmsg_payload_size(const struct nf_conn *ct)
 {
-	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
-	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
+	return   3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
 	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
 	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
 	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
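Review bot: ctnetlink_nlmsg_payload_size() is now shared between the existing ctnetlink message path (through the new ctnetlink_nlmsg_size() wrapper) and the nfqueue hook's .build_size, yet nothing at its definition says so; since the two builders emit different attribute sets, a later edit that trims this sum to match one of them would under-size the nfqueue skb and fail at nla_put time. Suggest a header comment above the function: `/* Size of the CTA_* payload. Also used as the nfqueue .build_size hook, so it must cover every attribute either builder can emit. */`. The function body continues outside the hunk.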
@@ -628,6 +626,12 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
 	       ;
 }
 
+static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
+{
+	return NLMSG_ALIGN(sizeof(struct nfgenmsg)) +
+	       ctnetlink_nlmsg_payload_size(ct);
+}
+
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 static int
 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
@@ -2134,34 +2138,6 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
 		       struct nf_conntrack_tuple *mask);
 
 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
-static size_t
-ctnetlink_nfqueue_build_size(const struct nf_conn *ct)
-{
-	return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
-	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
-	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
-	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
-	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
-	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
-	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
-	       + nla_total_size(0) /* CTA_PROTOINFO */
-	       + nla_total_size(0) /* CTA_HELP */
-	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
-	       + ctnetlink_secctx_size(ct)
-#ifdef CONFIG_NF_NAT_NEEDED
-	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
-	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
-#endif
-#ifdef CONFIG_NF_CONNTRACK_MARK
-	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
-#endif
-#ifdef CONFIG_NF_CONNTRACK_ZONES
-	       + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
-#endif
-	       + ctnetlink_proto_size(ct)
-	       ;
-}
-
 static int
 ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct)
 {
@@ -2351,7 +2327,7 @@ ctnetlink_nfqueue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
 }
 
 static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
-	.build_size	= ctnetlink_nfqueue_build_size,
+	.build_size	= ctnetlink_nlmsg_payload_size,
 	.build		= ctnetlink_nfqueue_build,
 	.parse		= ctnetlink_nfqueue_parse,
 	.attach_expect	= ctnetlink_nfqueue_attach_expect,
-- 
1.7.10.4



* [PATCH RFC 2/3] netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c
  2015-09-08 16:54 [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Pablo Neira Ayuso
  2015-09-08 16:54 ` [PATCH RFC 1/3] netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size() Pablo Neira Ayuso
@ 2015-09-08 16:54 ` Pablo Neira Ayuso
  2015-09-08 16:54 ` [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c Pablo Neira Ayuso
  2015-09-09  9:50 ` [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Ken-ichirou MATSUZAWA
  3 siblings, 0 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-08 16:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Ken-ichirou MATSUZAWA

The original intention was to avoid dependencies between nfnetlink_queue and
conntrack without ifdef pollution. However, we can achieve this by moving the
conntrack dependent code into ctnetlink and keep some glue code to access the
nfq_ct indirection from nfqueue.

After this patch, the nfq_ct indirection is always compiled in the netfilter
core to avoid polluting nfqueue with ifdefs. Thus, if nf_conntrack is not
compiled this results in only 8-bytes of memory waste in x86_64.

This patch also adds ctnetlink_nfqueue_seqadj() so that the nf_conn structure
layout is not exposed to nf_queue, which would otherwise create another dependency on
nf_conntrack at compilation time.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter.h               |   12 ++--
 include/net/netfilter/nfnetlink_queue.h |   51 --------------
 net/netfilter/Makefile                  |    1 -
 net/netfilter/nf_conntrack_netlink.c    |   51 +++++++++++++-
 net/netfilter/nfnetlink_queue_core.c    |   52 ++++++++++----
 net/netfilter/nfnetlink_queue_ct.c      |  113 -------------------------------
 6 files changed, 97 insertions(+), 183 deletions(-)
 delete mode 100644 include/net/netfilter/nfnetlink_queue.h
 delete mode 100644 net/netfilter/nfnetlink_queue_ct.c

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d788ce6..89bf246 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -371,14 +371,21 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
 void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
 extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;
+#else
+static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
+#endif
 
 struct nf_conn;
 enum ip_conntrack_info;
 struct nlattr;
 
 struct nfq_ct_hook {
+	struct nf_conn *(*get_ct)(struct sk_buff *skb,
+				  enum ip_conntrack_info *ctinfo);
 	size_t (*build_size)(const struct nf_conn *ct);
-	int (*build)(struct sk_buff *skb, struct nf_conn *ct);
+	int (*build)(struct sk_buff *skb, struct nf_conn *ct,
+		     enum ip_conntrack_info ctinfo,
+		     u_int16_t ct_attr, u_int16_t ct_info_attr);
 	int (*parse)(const struct nlattr *attr, struct nf_conn *ct);
 	int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct,
 			     u32 portid, u32 report);
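Review bot: struct nfq_ct_hook gains get_ct() and a wider build() without stating the contracts that nfnetlink_queue now relies on: get_ct() returns NULL for untracked entries (the ctnetlink implementation in this series filters them), build_size() must be an upper bound on what build() adds, and build() nests the conntrack under ct_attr and puts ctinfo under ct_info_attr. A kernel-doc block on the struct covering those three points would keep future hook implementations honest; the remaining members lie outside the hunk. Since the struct is now visible without CONFIG_NF_CONNTRACK, that comment could presumably also state that nfq_ct_hook stays NULL in that configuration.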
@@ -386,9 +393,6 @@ struct nfq_ct_hook {
 			   enum ip_conntrack_info ctinfo, s32 off);
 };
 extern struct nfq_ct_hook __rcu *nfq_ct_hook;
-#else
-static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
-#endif
 
 /**
  * nf_skb_duplicated - TEE target has sent a packet
diff --git a/include/net/netfilter/nfnetlink_queue.h b/include/net/netfilter/nfnetlink_queue.h
deleted file mode 100644
index aff88ba..0000000
--- a/include/net/netfilter/nfnetlink_queue.h
+++ /dev/null
@@ -1,51 +0,0 @@
-#ifndef _NET_NFNL_QUEUE_H_
-#define _NET_NFNL_QUEUE_H_
-
-#include <linux/netfilter/nf_conntrack_common.h>
-
-struct nf_conn;
-
-#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
-struct nf_conn *nfqnl_ct_get(struct sk_buff *entskb, size_t *size,
-			     enum ip_conntrack_info *ctinfo);
-struct nf_conn *nfqnl_ct_parse(const struct sk_buff *skb,
-			       const struct nlattr *attr,
-			       enum ip_conntrack_info *ctinfo);
-int nfqnl_ct_put(struct sk_buff *skb, struct nf_conn *ct,
-		 enum ip_conntrack_info ctinfo);
-void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct,
-			 enum ip_conntrack_info ctinfo, int diff);
-int nfqnl_attach_expect(struct nf_conn *ct, const struct nlattr *attr,
-			u32 portid, u32 report);
-#else
-inline struct nf_conn *
-nfqnl_ct_get(struct sk_buff *entskb, size_t *size, enum ip_conntrack_info *ctinfo)
-{
-	return NULL;
-}
-
-inline struct nf_conn *nfqnl_ct_parse(const struct sk_buff *skb,
-				      const struct nlattr *attr,
-				      enum ip_conntrack_info *ctinfo)
-{
-	return NULL;
-}
-
-inline int
-nfqnl_ct_put(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo)
-{
-	return 0;
-}
-
-inline void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct,
-				enum ip_conntrack_info ctinfo, int diff)
-{
-}
-
-inline int nfqnl_attach_expect(struct nf_conn *ct, const struct nlattr *attr,
-			       u32 portid, u32 report)
-{
-	return 0;
-}
-#endif /* NF_CONNTRACK */
-#endif
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 70d026d..4d68e72 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -11,7 +11,6 @@ obj-$(CONFIG_NETFILTER) = netfilter.o
 obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
 obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o
 nfnetlink_queue-y := nfnetlink_queue_core.o
-nfnetlink_queue-$(CONFIG_NETFILTER_NETLINK_QUEUE_CT) += nfnetlink_queue_ct.o
 obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
 obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 5fd3d48..a13c1c0 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2138,8 +2138,20 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
 		       struct nf_conntrack_tuple *mask);
 
 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
+static struct nf_conn *ctnetlink_nfqueue_get_ct(struct sk_buff *skb,
+						enum ip_conntrack_info *ctinfo)
+{
+	struct nf_conn *ct;
+
+	ct = nf_ct_get(skb, ctinfo);
+	if (ct && nf_ct_is_untracked(ct))
+		ct = NULL;
+
+	return ct;
+}
+
 static int
-ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct)
+__ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct)
 {
 	const struct nf_conntrack_zone *zone;
 	struct nlattr *nest_parms;
@@ -2212,6 +2224,31 @@ nla_put_failure:
 }
 
 static int
+ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct,
+			enum ip_conntrack_info ctinfo,
+			u_int16_t ct_attr, u_int16_t ct_info_attr)
+{
+	struct nlattr *nest_parms;
+
+	nest_parms = nla_nest_start(skb, ct_attr | NLA_F_NESTED);
+	if (!nest_parms)
+		goto nla_put_failure;
+
+	if (__ctnetlink_nfqueue_build(skb, ct) < 0)
+		goto nla_put_failure;
+
+	nla_nest_end(skb, nest_parms);
+
+	if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
+		goto nla_put_failure;
+
+	return 0;
+
+nla_put_failure:
+	return -ENOSPC;
+}
+
+static int
 ctnetlink_nfqueue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
 {
 	int err;
@@ -2326,12 +2363,22 @@ ctnetlink_nfqueue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
 	return 0;
 }
 
+static void ctnetlink_nfqueue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
+				     enum ip_conntrack_info ctinfo, int diff)
+{
+	if (!(ct->status & IPS_NAT_MASK))
+		return;
+
+	nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
+}
+
 static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
+	.get_ct		= ctnetlink_nfqueue_get_ct,
 	.build_size	= ctnetlink_nlmsg_payload_size,
 	.build		= ctnetlink_nfqueue_build,
 	.parse		= ctnetlink_nfqueue_parse,
 	.attach_expect	= ctnetlink_nfqueue_attach_expect,
-	.seq_adjust	= nf_ct_tcp_seqadj_set,
+	.seq_adjust	= ctnetlink_nfqueue_seqadj,
 };
 #endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
 
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 685cc6a..801af4e 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -28,12 +28,12 @@
 #include <linux/netfilter_bridge.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_queue.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/list.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <net/netfilter/nf_queue.h>
 #include <net/netns/generic.h>
-#include <net/netfilter/nfnetlink_queue.h>
 
 #include <linux/atomic.h>
 
@@ -302,6 +302,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 {
 	size_t size;
 	size_t data_len = 0, cap_len = 0;
+	struct nfq_ct_hook *nfq_ct;
 	unsigned int hlen = 0;
 	struct sk_buff *skb;
 	struct nlattr *nla;
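Review bot: `struct nfq_ct_hook *nfq_ct;` is left uninitialised and is only assigned inside the NFQA_CFG_F_CONNTRACK branch, yet it is dereferenced later in this function at `nfq_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO)` guarded only by `ct`; the invariant (ct != NULL implies nfq_ct != NULL) holds, but it is implicit and -Wmaybe-uninitialized may complain. The same pattern appears in nfqnl_recv_verdict (the declaration in the @@ -1014 hunk and the seq_adjust call in the @@ -1053 hunk). Initialising both as `struct nfq_ct_hook *nfq_ct = NULL;` makes the relationship explicit at no cost. nfqnl_build_packet_message() continues outside the hunk.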
@@ -363,8 +364,14 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 		break;
 	}
 
-	if (queue->flags & NFQA_CFG_F_CONNTRACK)
-		ct = nfqnl_ct_get(entskb, &size, &ctinfo);
+	if (queue->flags & NFQA_CFG_F_CONNTRACK) {
+		nfq_ct = rcu_dereference(nfq_ct_hook);
+		if (nfq_ct != NULL) {
+			ct = nfq_ct->get_ct(entskb, &ctinfo);
+			if (ct != NULL)
+				size += nfq_ct->build_size(ct);
+		}
+	}
 
 	if (queue->flags & NFQA_CFG_F_UID_GID) {
 		size +=  (nla_total_size(sizeof(u_int32_t))	/* uid */
@@ -507,7 +514,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
 		goto nla_put_failure;
 
-	if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0)
+	if (ct && nfq_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0)
 		goto nla_put_failure;
 
 	if (cap_len > data_len &&
@@ -1001,6 +1008,28 @@ nfqnl_recv_verdict_batch(struct sock *ctnl, struct sk_buff *skb,
 	return 0;
 }
 
+static struct nf_conn *nfqnl_ct_parse(struct nfq_ct_hook *nfq_ct,
+				      const struct nlmsghdr *nlh,
+				      const struct nlattr * const nfqa[],
+				      struct nf_queue_entry *entry,
+				      enum ip_conntrack_info *ctinfo)
+{
+	struct nf_conn *ct;
+
+	ct = nfq_ct->get_ct(entry->skb, ctinfo);
+	if (ct == NULL)
+		return NULL;
+
+	if (nfq_ct->parse(nfqa[NFQA_CT], ct) < 0)
+		return NULL;
+
+	if (nfqa[NFQA_EXP])
+		nfq_ct->attach_expect(nfqa[NFQA_EXP], ct,
+				      NETLINK_CB(entry->skb).portid,
+				      nlmsg_report(nlh));
+	return ct;
+}
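Review bot: nfqnl_ct_parse() returns NULL when nfq_ct->parse() fails, whereas the removed nfqnl_ct_parse() in nfnetlink_queue_ct.c ignored parse's result and still returned ct, so after this patch a rejected NFQA_CT also skips the NFQA_EXP attach and the later seq_adjust for a modified payload; if that tightening is intended the commit message should say so, otherwise keep returning ct after a failed parse. The return value of nfq_ct->attach_expect() is still discarded here, as before, which may deserve a comment such as `/* a failed expectation attach does not affect the verdict */` if that is deliberate.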
+
 static int
 nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
 		   const struct nlmsghdr *nlh,
@@ -1014,6 +1043,7 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
 	unsigned int verdict;
 	struct nf_queue_entry *entry;
 	enum ip_conntrack_info uninitialized_var(ctinfo);
+	struct nfq_ct_hook *nfq_ct;
 	struct nf_conn *ct = NULL;
 
 	struct net *net = sock_net(ctnl);
@@ -1037,12 +1067,10 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
 		return -ENOENT;
 
 	if (nfqa[NFQA_CT]) {
-		ct = nfqnl_ct_parse(entry->skb, nfqa[NFQA_CT], &ctinfo);
-		if (ct && nfqa[NFQA_EXP]) {
-			nfqnl_attach_expect(ct, nfqa[NFQA_EXP],
-					    NETLINK_CB(skb).portid,
-					    nlmsg_report(nlh));
-		}
+		/* rcu lock already held from nfnl->call_rcu. */
+		nfq_ct = rcu_dereference(nfq_ct_hook);
+		if (nfq_ct != NULL)
+			ct = nfqnl_ct_parse(nfq_ct, nlh, nfqa, entry, &ctinfo);
 	}
 
 	if (nfqa[NFQA_PAYLOAD]) {
@@ -1053,8 +1081,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
 				 payload_len, entry, diff) < 0)
 			verdict = NF_DROP;
 
-		if (ct)
-			nfqnl_ct_seq_adjust(entry->skb, ct, ctinfo, diff);
+		if (ct && diff)
+			nfq_ct->seq_adjust(entry->skb, ct, ctinfo, diff);
 	}
 
 	if (nfqa[NFQA_MARK])
diff --git a/net/netfilter/nfnetlink_queue_ct.c b/net/netfilter/nfnetlink_queue_ct.c
deleted file mode 100644
index 96cac50..0000000
--- a/net/netfilter/nfnetlink_queue_ct.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- */
-
-#include <linux/skbuff.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter/nfnetlink.h>
-#include <linux/netfilter/nfnetlink_queue.h>
-#include <net/netfilter/nf_conntrack.h>
-#include <net/netfilter/nfnetlink_queue.h>
-
-struct nf_conn *nfqnl_ct_get(struct sk_buff *entskb, size_t *size,
-			     enum ip_conntrack_info *ctinfo)
-{
-	struct nfq_ct_hook *nfq_ct;
-	struct nf_conn *ct;
-
-	/* rcu_read_lock()ed by __nf_queue already. */
-	nfq_ct = rcu_dereference(nfq_ct_hook);
-	if (nfq_ct == NULL)
-		return NULL;
-
-	ct = nf_ct_get(entskb, ctinfo);
-	if (ct) {
-		if (!nf_ct_is_untracked(ct))
-			*size += nfq_ct->build_size(ct);
-		else
-			ct = NULL;
-	}
-	return ct;
-}
-
-struct nf_conn *
-nfqnl_ct_parse(const struct sk_buff *skb, const struct nlattr *attr,
-	       enum ip_conntrack_info *ctinfo)
-{
-	struct nfq_ct_hook *nfq_ct;
-	struct nf_conn *ct;
-
-	/* rcu_read_lock()ed by __nf_queue already. */
-	nfq_ct = rcu_dereference(nfq_ct_hook);
-	if (nfq_ct == NULL)
-		return NULL;
-
-	ct = nf_ct_get(skb, ctinfo);
-	if (ct && !nf_ct_is_untracked(ct))
-		nfq_ct->parse(attr, ct);
-
-	return ct;
-}
-
-int nfqnl_ct_put(struct sk_buff *skb, struct nf_conn *ct,
-		 enum ip_conntrack_info ctinfo)
-{
-	struct nfq_ct_hook *nfq_ct;
-	struct nlattr *nest_parms;
-	u_int32_t tmp;
-
-	nfq_ct = rcu_dereference(nfq_ct_hook);
-	if (nfq_ct == NULL)
-		return 0;
-
-	nest_parms = nla_nest_start(skb, NFQA_CT | NLA_F_NESTED);
-	if (!nest_parms)
-		goto nla_put_failure;
-
-	if (nfq_ct->build(skb, ct) < 0)
-		goto nla_put_failure;
-
-	nla_nest_end(skb, nest_parms);
-
-	tmp = ctinfo;
-	if (nla_put_be32(skb, NFQA_CT_INFO, htonl(tmp)))
-		goto nla_put_failure;
-
-	return 0;
-
-nla_put_failure:
-	return -1;
-}
-
-void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct,
-			 enum ip_conntrack_info ctinfo, int diff)
-{
-	struct nfq_ct_hook *nfq_ct;
-
-	nfq_ct = rcu_dereference(nfq_ct_hook);
-	if (nfq_ct == NULL)
-		return;
-
-	if ((ct->status & IPS_NAT_MASK) && diff)
-		nfq_ct->seq_adjust(skb, ct, ctinfo, diff);
-}
-
-int nfqnl_attach_expect(struct nf_conn *ct, const struct nlattr *attr,
-			u32 portid, u32 report)
-{
-	struct nfq_ct_hook *nfq_ct;
-
-	if (nf_ct_is_untracked(ct))
-		return 0;
-
-	nfq_ct = rcu_dereference(nfq_ct_hook);
-	if (nfq_ct == NULL)
-		return -EOPNOTSUPP;
-
-	return nfq_ct->attach_expect(attr, ct, portid, report);
-}
-- 
1.7.10.4



* [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c
  2015-09-08 16:54 [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Pablo Neira Ayuso
  2015-09-08 16:54 ` [PATCH RFC 1/3] netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size() Pablo Neira Ayuso
  2015-09-08 16:54 ` [PATCH RFC 2/3] netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c Pablo Neira Ayuso
@ 2015-09-08 16:54 ` Pablo Neira Ayuso
  2015-09-09  9:55   ` Ken-ichirou MATSUZAWA
  2015-09-09  9:50 ` [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Ken-ichirou MATSUZAWA
  3 siblings, 1 reply; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-08 16:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Ken-ichirou MATSUZAWA

Now that we have integrated the ct glue code into nfnetlink_queue without
introducing dependencies on the conntrack code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/{nfnetlink_queue_core.c => nfnetlink_queue.c} |    0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename net/netfilter/{nfnetlink_queue_core.c => nfnetlink_queue.c} (100%)

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue.c
similarity index 100%
rename from net/netfilter/nfnetlink_queue_core.c
rename to net/netfilter/nfnetlink_queue.c
-- 
1.7.10.4



* Re: [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support
  2015-09-08 16:54 [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2015-09-08 16:54 ` [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c Pablo Neira Ayuso
@ 2015-09-09  9:50 ` Ken-ichirou MATSUZAWA
  2015-09-09  9:58   ` [PATCH lnf-queue] examples: attaching a conntrack information Ken-ichirou MATSUZAWA
  2015-09-10  0:06   ` [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Pablo Neira Ayuso
  3 siblings, 2 replies; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-09  9:50 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

 Hi Pablo,

Thank you for taking your time.

On Tue, Sep 08, 2015 at 06:54:48PM +0200, Pablo Neira Ayuso wrote:
> They are totally untested, so please carefully review them.

I'm sorry if I could not meet your expectations, since I might not have
understood your intention correctly; please let me ask three
questions:

* We will not modularize nfqueue attaching conntrack information
  part? (was nfnetlink_queue_ct.c)

* May I update nfqnl_ct prefix to nfnl_ct after this patch series
  applied to attach nfct info to nflog?

* We do not add another Kconfig for nflog attaching ct info?

I tested your patch a little with following lnf-queue patch and
it works fine. 

Thanks,


* Re: [PATCH RFC 1/3] netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size()
  2015-09-08 16:54 ` [PATCH RFC 1/3] netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size() Pablo Neira Ayuso
@ 2015-09-09  9:53   ` Ken-ichirou MATSUZAWA
  2015-09-10  0:12     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-09  9:53 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Tue, Sep 08, 2015 at 06:54:49PM +0200, Pablo Neira Ayuso wrote:
[...]
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 94a6654..5fd3d48 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -596,11 +596,9 @@ ctnetlink_timestamp_size(const struct nf_conn *ct)
>  #endif
>  }
>  
> -static inline size_t
> -ctnetlink_nlmsg_size(const struct nf_conn *ct)
> +static size_t ctnetlink_nlmsg_payload_size(const struct nf_conn *ct)
>  {
> -	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
> -	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
> +	return   3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
>  	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
>  	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
>  	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
> @@ -628,6 +626,12 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
>  	       ;
>  }
>  
> +static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
> +{
> +	return NLMSG_ALIGN(sizeof(struct nfgenmsg)) +
> +	       ctnetlink_nlmsg_payload_size(ct);
> +}
> +
>  #ifdef CONFIG_NF_CONNTRACK_EVENTS
>  static int
>  ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
> @@ -2134,34 +2138,6 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
>  		       struct nf_conntrack_tuple *mask);
>  
>  #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
> -static size_t
> -ctnetlink_nfqueue_build_size(const struct nf_conn *ct)

A little apart from this issue, it seems that original
ctnetlink_nlmsg_size() lacks CTA_USE size.

The conntrack information attached to nfqueue does not have
CTA_COUNTERS_ or CTA_USE attrs, but this change allocates
space for them. If we reuse ctnetlink_nlmsg_size() to avoid
code duplication, I think it would be better to comment on it.

Thanks,


* Re: [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c
  2015-09-08 16:54 ` [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c Pablo Neira Ayuso
@ 2015-09-09  9:55   ` Ken-ichirou MATSUZAWA
  2015-09-10  0:09     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-09  9:55 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Tue, Sep 08, 2015 at 06:54:51PM +0200, Pablo Neira Ayuso wrote:
[...]
> rename from net/netfilter/nfnetlink_queue_core.c
> rename to net/netfilter/nfnetlink_queue.c

So you know though, we can delete the nfnetlink_queue_core.o line
from Makefile.

May I suggest one thing? How about returning -EOPNOTSUPP from
nfqnl_recv_config() if dereferencing nfq_ct_hook yields NULL?

Thanks,


* [PATCH lnf-queue] examples: attaching a conntrack information
  2015-09-09  9:50 ` [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Ken-ichirou MATSUZAWA
@ 2015-09-09  9:58   ` Ken-ichirou MATSUZAWA
  2015-09-09 20:29     ` Florian Westphal
  2015-09-10  0:06   ` [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Pablo Neira Ayuso
  1 sibling, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-09  9:58 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This patch enables nf-queue in examples directory to show conntrack
information if --enable-nfct configure option is specified.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 configure.ac         |   8 ++++
 examples/Makefile.am |   3 ++
 examples/nf-queue.c  | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 110 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 289868f..a11c1ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -28,6 +28,14 @@ esac
 dnl Dependencies
 PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 0.0.41])
 PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+AC_ARG_ENABLE(nfct,
+       AS_HELP_STRING([--enable-nfct], [Enable nfct integration in examples [default=no]]),
+       [enable_nfct=$enableval],[enable_nfct=no])
+AS_IF([test "x$enable_nfct" = "xyes"], [
+    PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.2])
+    AC_DEFINE([BUILD_NFCT], [1], [building nfct integration example])
+])
+AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
 
 dnl Output the makefiles
 AC_CONFIG_FILES([Makefile src/Makefile utils/Makefile examples/Makefile
diff --git a/examples/Makefile.am b/examples/Makefile.am
index 1906697..5fa16dd 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -5,3 +5,6 @@ check_PROGRAMS = nf-queue
 nf_queue_SOURCES = nf-queue.c
 nf_queue_LDADD = ../src/libnetfilter_queue.la
 nf_queue_LDFLAGS = -dynamic -lmnl
+if BUILD_NFCT
+nf_queue_LDFLAGS += $(LIBNETFILTER_CONNTRACK_LIBS)
+endif
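Review bot: The new conditional appends only `$(LIBNETFILTER_CONNTRACK_LIBS)`, and puts it in LDFLAGS, but the PKG_CHECK_MODULES call added to configure.ac also produces LIBNETFILTER_CONNTRACK_CFLAGS, which the example needs for the libnetfilter_conntrack include path whenever the library is not installed under a default prefix. Under automake, libraries belong in LDADD rather than LDFLAGS; suggest `nf_queue_LDADD += $(LIBNETFILTER_CONNTRACK_LIBS)` plus `AM_CFLAGS += $(LIBNETFILTER_CONNTRACK_CFLAGS)` (or a per-target nf_queue_CFLAGS) inside the conditional.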
diff --git a/examples/nf-queue.c b/examples/nf-queue.c
index d6c4b63..0cf86e7 100644
--- a/examples/nf-queue.c
+++ b/examples/nf-queue.c
@@ -15,6 +15,12 @@
 
 #include <libnetfilter_queue/libnetfilter_queue.h>
 
+#include "../config.h"
+#ifdef BUILD_NFCT
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#endif
+
 static struct mnl_socket *nl;
 
 static struct nlmsghdr *
@@ -47,6 +53,91 @@ nfq_send_verdict(int queue_num, uint32_t id)
 	}
 }
 
+#ifdef BUILD_NFCT
+static int print_ctinfo(const struct nlattr *const attr)
+{
+	char *s = NULL;
+
+	if (attr == NULL)
+		return MNL_CB_OK;
+	attr->nla_len = 12;
+	switch (ntohl(mnl_attr_get_u32(attr))) {
+	case IP_CT_ESTABLISHED:
+		s = "IP_CT_ESTABLISHED";
+		break;
+	case IP_CT_RELATED:
+		s = "IP_CT_RELATED";
+		break;
+	case IP_CT_NEW:
+		s = "IP_CT_NEW";
+		break;
+	case IP_CT_IS_REPLY:
+		s = "IP_CT_IS_REPLY";
+		break;
+	/* case IP_CT_ESTABLISHED_REPLY: == IP_CT_IS_REPLY
+	 *	s = "IP_CT_ESTABLISHED_REPLY";
+	 *	break;
+	 */
+	case IP_CT_RELATED_REPLY:
+		s = "IP_CT_RELATED_REPLY";
+		break;
+	case IP_CT_NEW_REPLY:
+		s = "IP_CT_NEW_REPLY";
+		break;
+	/* case IP_CT_NUMBER: == IP_CT_NEW_REPLY
+	 *	s ="IP_CT_NUMBER";
+	 *	break;
+	 */
+	default:
+		return MNL_CB_ERROR;
+	}
+
+	printf("  ip_conntrack_info: %s\n", s);
+	return MNL_CB_OK;
+}
+
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	char buf[4096];
+	struct nf_conntrack *ct = NULL;
+
+	if (info_attr != NULL)
+		print_ctinfo(info_attr);
+
+	if (ct_attr == NULL)
+		return MNL_CB_OK;
+
+	ct = nfct_new();
+	if (ct == NULL) {
+		perror("nfct_new");
+		return MNL_CB_ERROR;
+	}
+
+	if (nfct_payload_parse(mnl_attr_get_payload(ct_attr),
+			       mnl_attr_get_payload_len(ct_attr),
+			       family, ct) < 0) {
+		perror("nfct_payload_parse");
+		nfct_destroy(ct);
+		return MNL_CB_ERROR;
+	}
+
+	nfct_snprintf(buf, sizeof(buf), ct, 0, NFCT_O_DEFAULT, 0);
+	printf("  %s\n", buf);
+	nfct_destroy(ct);
+
+	return MNL_CB_OK;
+}
+#else
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	return MNL_CB_OK;
+}
+#endif
+
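Review bot: print_ctinfo() reads the NFQA_CT_INFO payload with mnl_attr_get_u32() without first checking its length; an example program should model the libmnl idiom and validate before reading: `if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) { perror("mnl_attr_validate"); return MNL_CB_ERROR; }`. `char *s` only ever holds string literals and should be `const char *s`. print_nfct() discards print_ctinfo()'s return value and queue_cb() (the @@ -98 hunk) discards print_nfct()'s, so the MNL_CB_ERROR paths never reach the callback chain; either propagate them or add a comment stating that printing is best-effort. In the #else stub, family, info_attr and ct_attr are unused, which -Wunused-parameter will flag.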
 static int queue_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct nfqnl_msg_packet_hdr *ph = NULL;
@@ -98,6 +189,8 @@ static int queue_cb(const struct nlmsghdr *nlh, void *data)
 		printf(", checksum not ready");
 	puts(")");
 
+	print_nfct(nfg->nfgen_family, attr[NFQA_CT_INFO], attr[NFQA_CT]);
+
 	nfq_send_verdict(ntohs(nfg->res_id), id);
 
 	return MNL_CB_OK;
@@ -111,6 +204,7 @@ int main(int argc, char *argv[])
 	struct nlmsghdr *nlh;
 	int ret;
 	unsigned int portid, queue_num;
+	uint32_t flags = NFQA_CFG_F_GSO;
 
 	if (argc != 2) {
 		printf("Usage: %s [queue_num]\n", argv[0]);
@@ -164,8 +258,11 @@ int main(int argc, char *argv[])
 	nlh = nfq_hdr_put(buf, NFQNL_MSG_CONFIG, queue_num);
 	nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);
 
-	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
-	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
+#ifdef BUILD_NFCT
+	flags |= NFQA_CFG_F_CONNTRACK;
+#endif
+	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(flags));
+	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(flags));
 
 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 		perror("mnl_socket_send");
-- 
2.1.4



* Re: [PATCH lnf-queue] examples: attaching a conntrack information
  2015-09-09  9:58   ` [PATCH lnf-queue] examples: attaching a conntrack information Ken-ichirou MATSUZAWA
@ 2015-09-09 20:29     ` Florian Westphal
  2015-09-09 22:22       ` Ken-ichirou MATSUZAWA
  2015-09-10  0:02       ` Pablo Neira Ayuso
From: Florian Westphal @ 2015-09-09 20:29 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: Pablo Neira Ayuso, netfilter-devel

Ken-ichirou MATSUZAWA <chamaken@gmail.com> wrote:
> This patch enables nf-queue in examples directory to show conntrack
> information if --enable-nfct configure option is specified.

Thanks for doing this!

> +#ifdef BUILD_NFCT
> +static int print_ctinfo(const struct nlattr *const attr)
> +{
> +	char *s = NULL;
> +
> +	if (attr == NULL)
> +		return MNL_CB_OK;
> +	attr->nla_len = 12;

What this?


* Re: [PATCH lnf-queue] examples: attaching a conntrack information
  2015-09-09 20:29     ` Florian Westphal
@ 2015-09-09 22:22       ` Ken-ichirou MATSUZAWA
  2015-09-09 22:58         ` Florian Westphal
  2015-09-10  0:02       ` Pablo Neira Ayuso
From: Ken-ichirou MATSUZAWA @ 2015-09-09 22:22 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel

On Wed, Sep 09, 2015 at 10:29:32PM +0200, Florian Westphal wrote:
> Ken-ichirou MATSUZAWA <chamaken@gmail.com> wrote:
> > +	if (attr == NULL)
> > +		return MNL_CB_OK;
> > +	attr->nla_len = 12;
> 
> What this?

I just wanted to test the const qualifier... sorry.
Would you mind deleting the line, or should I send it again?

Thanks,


* Re: [PATCH lnf-queue] examples: attaching a conntrack information
  2015-09-09 22:22       ` Ken-ichirou MATSUZAWA
@ 2015-09-09 22:58         ` Florian Westphal
From: Florian Westphal @ 2015-09-09 22:58 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA
  Cc: Florian Westphal, Pablo Neira Ayuso, netfilter-devel

Ken-ichirou MATSUZAWA <chamaken@gmail.com> wrote:
> On Wed, Sep 09, 2015 at 10:29:32PM +0200, Florian Westphal wrote:
> > Ken-ichirou MATSUZAWA <chamaken@gmail.com> wrote:
> > > +	if (attr == NULL)
> > > +		return MNL_CB_OK;
> > > +	attr->nla_len = 12;
> > 
> > What this?
> 
> I just wanted to test const qualifier... sorry.

I suspected as much ;)

> Would you mind deleting the line? or should I send it again?

I can delete it.


* Re: [PATCH lnf-queue] examples: attaching a conntrack information
  2015-09-09 20:29     ` Florian Westphal
  2015-09-09 22:22       ` Ken-ichirou MATSUZAWA
@ 2015-09-10  0:02       ` Pablo Neira Ayuso
  2015-09-10  2:26         ` [PATCHv2 " Ken-ichirou MATSUZAWA
  2015-09-10  8:58         ` [PATCH " Ken-ichirou MATSUZAWA
From: Pablo Neira Ayuso @ 2015-09-10  0:02 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Ken-ichirou MATSUZAWA, netfilter-devel

On Wed, Sep 09, 2015 at 10:29:32PM +0200, Florian Westphal wrote:
> Ken-ichirou MATSUZAWA <chamaken@gmail.com> wrote:
> > This patch enables nf-queue in examples directory to show conntrack
> > information if --enable-nfct configure option is specified.
> 
> Thanks for doing this!

Thanks indeed.

Any chance we can get rid of --enable-nfct configure option?


* Re: [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support
  2015-09-09  9:50 ` [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Ken-ichirou MATSUZAWA
  2015-09-09  9:58   ` [PATCH lnf-queue] examples: attaching a conntrack information Ken-ichirou MATSUZAWA
@ 2015-09-10  0:06   ` Pablo Neira Ayuso
  2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
From: Pablo Neira Ayuso @ 2015-09-10  0:06 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Wed, Sep 09, 2015 at 06:50:42PM +0900, Ken-ichirou MATSUZAWA wrote:
>  Hi Pablo,
> 
> Thank you for taking your time.
> 
> On Tue, Sep 08, 2015 at 06:54:48PM +0200, Pablo Neira Ayuso wrote:
> > They are totally untested, so please carefully review them.
> 
> I'm sorry I could not to meet your expectations since I might not
> understand your intention correctly, please let me ask three
> questions:
> 
> * We will not modularize nfqueue attaching conntrack information
>   part? (was nfnetlink_queue_ct.c)

After my patchset, everything is in nf_conntrack_netlink.c, so you
only need a little extra glue code to access the nfnl_ct
indirection from nfnetlink_log.c

> * May I update nfqnl_ct prefix to nfnl_ct after this patch series
>   applied to attach nfct info to nflog?

Yes, that's the idea.

> * We do not add another Kconfig for nflog attaching ct info?

I think you can add it too, yes.

> I tested your patch a little with following lnf-queue patch and
> it works fine.

Thanks for reporting.

So will you send a follow up patchset on top of those three to add
what you need?


* Re: [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c
  2015-09-09  9:55   ` Ken-ichirou MATSUZAWA
@ 2015-09-10  0:09     ` Pablo Neira Ayuso
  2015-09-10  8:02       ` nfqueue batch verdict with conntrack (was [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c) Ken-ichirou MATSUZAWA
  2015-09-10  9:20       ` [PATCH nf-next 0/1] netfilter: nfnetlink_queue: return -EOPNOTSUPP if QUEUE_CT is disabled Ken-ichirou MATSUZAWA
From: Pablo Neira Ayuso @ 2015-09-10  0:09 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Wed, Sep 09, 2015 at 06:55:16PM +0900, Ken-ichirou MATSUZAWA wrote:
> On Tue, Sep 08, 2015 at 06:54:51PM +0200, Pablo Neira Ayuso wrote:
> [...]
> > rename from net/netfilter/nfnetlink_queue_core.c
> > rename to net/netfilter/nfnetlink_queue.c
> 
> So you know though, we can delete the nfnetlink_queue_core.o line
> from Makefile.

Right, the Makefile update is missing. I'm going to fix that here.

> May I suggest one thing? How about returning -EOPNOTSUPP at
> nfqnl_recv_config() if derefering nfq_ct_hook is NULL?

Makes sense; that way the user knows that it is not supported. Please
send a patch for that.

BTW, I think it would be good to add the missing code on
nfqnl_recv_verdict_batch() to support conntrack there too. Would you
add that code for nfnetlink_queue.c?

Thanks.


* Re: [PATCH RFC 1/3] netfilter: ctnetlink: remove ctnetlink_nfqueue_build_size()
  2015-09-09  9:53   ` Ken-ichirou MATSUZAWA
@ 2015-09-10  0:12     ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2015-09-10  0:12 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Wed, Sep 09, 2015 at 06:53:21PM +0900, Ken-ichirou MATSUZAWA wrote:
> On Tue, Sep 08, 2015 at 06:54:49PM +0200, Pablo Neira Ayuso wrote:
> [...]
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index 94a6654..5fd3d48 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -596,11 +596,9 @@ ctnetlink_timestamp_size(const struct nf_conn *ct)
> >  #endif
> >  }
> >  
> > -static inline size_t
> > -ctnetlink_nlmsg_size(const struct nf_conn *ct)
> > +static size_t ctnetlink_nlmsg_payload_size(const struct nf_conn *ct)
> >  {
> > -	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
> > -	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
> > +	return   3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
> >  	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
> >  	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
> >  	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
> > @@ -628,6 +626,12 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
> >  	       ;
> >  }
> >  
> > +static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
> > +{
> > +	return NLMSG_ALIGN(sizeof(struct nfgenmsg)) +
> > +	       ctnetlink_nlmsg_payload_size(ct);
> > +}
> > +
> >  #ifdef CONFIG_NF_CONNTRACK_EVENTS
> >  static int
> >  ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
> > @@ -2134,34 +2138,6 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
> >  		       struct nf_conntrack_tuple *mask);
> >  
> >  #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
> > -static size_t
> > -ctnetlink_nfqueue_build_size(const struct nf_conn *ct)
> 
> A little apart from this issue, it seems that original
> ctnetlink_nlmsg_size() lacks CTA_USE size.
> 
> A conntrack information attached to nfqueue does not have
> CTA_COUNTERS_ and also CTA_USE attrs, but this change allocates
> a space for it. If we reuse ctnetlink_nlmsg_size() to avoid a
> code duplication, I think it would be better to comment it.

You're right, I have to revisit this. Will send a v2 of this patchset.


* [PATCHv2 lnf-queue] examples: attaching a conntrack information
  2015-09-10  0:02       ` Pablo Neira Ayuso
@ 2015-09-10  2:26         ` Ken-ichirou MATSUZAWA
  2015-09-10  8:58         ` [PATCH " Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2015-09-10  2:26 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel

This patch enables the nf-queue program in the examples directory to
show conntrack information when libnetfilter_conntrack is available.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 configure.ac         |   4 ++
 examples/Makefile.am |   3 ++
 examples/nf-queue.c  | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 106 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 289868f..68f8a57 100644
--- a/configure.ac
+++ b/configure.ac
@@ -28,6 +28,10 @@ esac
 dnl Dependencies
 PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 0.0.41])
 PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.2],
+		  [AC_DEFINE([BUILD_NFCT], [1], [building nfct integration example]) HAVE_LNFCT=1],
+		  [HAVE_LNFCT=0])
+AM_CONDITIONAL([BUILD_NFCT], [test "$HAVE_LNFCT" -eq 1])
 
 dnl Output the makefiles
 AC_CONFIG_FILES([Makefile src/Makefile utils/Makefile examples/Makefile
diff --git a/examples/Makefile.am b/examples/Makefile.am
index 1906697..5fa16dd 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -5,3 +5,6 @@ check_PROGRAMS = nf-queue
 nf_queue_SOURCES = nf-queue.c
 nf_queue_LDADD = ../src/libnetfilter_queue.la
 nf_queue_LDFLAGS = -dynamic -lmnl
+if BUILD_NFCT
+nf_queue_LDFLAGS += $(LIBNETFILTER_CONNTRACK_LIBS)
+endif
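Review bot: Libraries belong in nf_queue_LDADD rather than nf_queue_LDFLAGS; automake places the per-target LDFLAGS before the object files on the link line, so with a linker running `--as-needed` `$(LIBNETFILTER_CONNTRACK_LIBS)` can be discarded and the nfct_* references in nf-queue.c then fail to resolve. Write `nf_queue_LDADD += $(LIBNETFILTER_CONNTRACK_LIBS)` inside the conditional instead (the pre-existing `-lmnl` in LDFLAGS has the same weakness, though it is not part of this change). The matching `$(LIBNETFILTER_CONNTRACK_CFLAGS)` from PKG_CHECK_MODULES is not added to the compile flags anywhere in this patch, so a libnetfilter_conntrack installed outside the default include path will not be found.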
diff --git a/examples/nf-queue.c b/examples/nf-queue.c
index d6c4b63..3352a6d 100644
--- a/examples/nf-queue.c
+++ b/examples/nf-queue.c
@@ -15,6 +15,12 @@
 
 #include <libnetfilter_queue/libnetfilter_queue.h>
 
+#include "../config.h"
+#ifdef BUILD_NFCT
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#endif
+
 static struct mnl_socket *nl;
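Review bot: `#include "../config.h"` hard-codes the source-tree layout: config.h is generated in the build directory, so an out-of-tree (VPATH) build has no `../config.h` relative to the source file and the BUILD_NFCT block is silently skipped or the compile fails. Automake normally adds `-I$(top_builddir)` for a configured header, so `#include "config.h"` is the portable form; it also belongs before the other includes rather than after `<libnetfilter_queue/libnetfilter_queue.h>`, since a config header may define feature macros that system headers look at.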
 
 static struct nlmsghdr *
@@ -47,6 +53,91 @@ nfq_send_verdict(int queue_num, uint32_t id)
 	}
 }
 
+#ifdef BUILD_NFCT
+static int print_ctinfo(const struct nlattr *const attr)
+{
+	char *s = NULL;
+
+	if (attr == NULL)
+		return MNL_CB_OK;
+
+	switch (ntohl(mnl_attr_get_u32(attr))) {
+	case IP_CT_ESTABLISHED:
+		s = "IP_CT_ESTABLISHED";
+		break;
+	case IP_CT_RELATED:
+		s = "IP_CT_RELATED";
+		break;
+	case IP_CT_NEW:
+		s = "IP_CT_NEW";
+		break;
+	case IP_CT_IS_REPLY:
+		s = "IP_CT_IS_REPLY";
+		break;
+	/* case IP_CT_ESTABLISHED_REPLY: == IP_CT_IS_REPLY
+	 *	s = "IP_CT_ESTABLISHED_REPLY";
+	 *	break;
+	 */
+	case IP_CT_RELATED_REPLY:
+		s = "IP_CT_RELATED_REPLY";
+		break;
+	case IP_CT_NEW_REPLY:
+		s = "IP_CT_NEW_REPLY";
+		break;
+	/* case IP_CT_NUMBER: == IP_CT_NEW_REPLY
+	 *	s ="IP_CT_NUMBER";
+	 *	break;
+	 */
+	default:
+		return MNL_CB_ERROR;
+	}
+
+	printf("  ip_conntrack_info: %s\n", s);
+	return MNL_CB_OK;
+}
+
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	char buf[4096];
+	struct nf_conntrack *ct = NULL;
+
+	if (info_attr != NULL)
+		print_ctinfo(info_attr);
+
+	if (ct_attr == NULL)
+		return MNL_CB_OK;
+
+	ct = nfct_new();
+	if (ct == NULL) {
+		perror("nfct_new");
+		return MNL_CB_ERROR;
+	}
+
+	if (nfct_payload_parse(mnl_attr_get_payload(ct_attr),
+			       mnl_attr_get_payload_len(ct_attr),
+			       family, ct) < 0) {
+		perror("nfct_payload_parse");
+		nfct_destroy(ct);
+		return MNL_CB_ERROR;
+	}
+
+	nfct_snprintf(buf, sizeof(buf), ct, 0, NFCT_O_DEFAULT, 0);
+	printf("  %s\n", buf);
+	nfct_destroy(ct);
+
+	return MNL_CB_OK;
+}
+#else
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	return MNL_CB_OK;
+}
+#endif
+
 static int queue_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct nfqnl_msg_packet_hdr *ph = NULL;
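Review bot: print_ctinfo() reads NFQA_CT_INFO with mnl_attr_get_u32() without checking the attribute length first; unless parse_attr_cb() (outside this hunk) validates NFQA_CT_INFO as MNL_TYPE_U32, a short attribute is read past its payload. Add `if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) { perror("mnl_attr_validate"); return MNL_CB_ERROR; }` before the switch. The `default:` branch returns MNL_CB_ERROR without printing anything and print_nfct() discards print_ctinfo()'s return value, so an unexpected ctinfo value disappears silently; `printf("  ip_conntrack_info: unknown (%u)\n", ntohl(mnl_attr_get_u32(attr)));` there would be more useful in an example. The stub under `#else` leaves all three parameters unused, which -Wextra reports; `(void)family; (void)info_attr; (void)ct_attr;` quiets it.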
@@ -98,6 +189,8 @@ static int queue_cb(const struct nlmsghdr *nlh, void *data)
 		printf(", checksum not ready");
 	puts(")");
 
+	print_nfct(nfg->nfgen_family, attr[NFQA_CT_INFO], attr[NFQA_CT]);
+
 	nfq_send_verdict(ntohs(nfg->res_id), id);
 
 	return MNL_CB_OK;
@@ -111,6 +204,7 @@ int main(int argc, char *argv[])
 	struct nlmsghdr *nlh;
 	int ret;
 	unsigned int portid, queue_num;
+	uint32_t flags = NFQA_CFG_F_GSO;
 
 	if (argc != 2) {
 		printf("Usage: %s [queue_num]\n", argv[0]);
@@ -164,8 +258,11 @@ int main(int argc, char *argv[])
 	nlh = nfq_hdr_put(buf, NFQNL_MSG_CONFIG, queue_num);
 	nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);
 
-	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
-	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
+#ifdef BUILD_NFCT
+	flags |= NFQA_CFG_F_CONNTRACK;
+#endif
+	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(flags));
+	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(flags));
 
 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 		perror("mnl_socket_send");
-- 
2.1.4



* nfqueue batch verdict with conntrack (was [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c)
  2015-09-10  0:09     ` Pablo Neira Ayuso
@ 2015-09-10  8:02       ` Ken-ichirou MATSUZAWA
  2015-09-10  9:20       ` [PATCH nf-next 0/1] netfilter: nfnetlink_queue: return -EOPNOTSUPP if QUEUE_CT is disabled Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2015-09-10  8:02 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal

On Thu, Sep 10, 2015 at 02:09:58AM +0200, Pablo Neira Ayuso wrote:
> BTW, I think it would be good to add the missing code on
> nfqnl_recv_verdict_batch() to support conntrack there too. Would you

Sorry, I have never used it and I tried to understand, but...

It seems the batch verdict marks and reinjects the packets in the nfqueue
whose id is less than the one the user requested. How would conntrack (and
payload) work with it? Update all the conntrack expectations for packets
below that id to the same one the user requests?

Thanks,


* Re: [PATCH lnf-queue] examples: attaching a conntrack information
  2015-09-10  0:02       ` Pablo Neira Ayuso
  2015-09-10  2:26         ` [PATCHv2 " Ken-ichirou MATSUZAWA
@ 2015-09-10  8:58         ` Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2015-09-10  8:58 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel

 Hi,

# I had almost forgotten to send this reply, sorry

On Thu, Sep 10, 2015 at 02:02:08AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 09, 2015 at 10:29:32PM +0200, Florian Westphal wrote:
> > Ken-ichirou MATSUZAWA <chamaken@gmail.com> wrote:
> > > This patch enables nf-queue in examples directory to show conntrack
> > > information if --enable-nfct configure option is specified.
> 
> Any chance we can get rid of --enable-nfct configure option?

Sure, would you review the foll^h^h^h^h previous patch?


* [PATCH nf-next 0/1] netfilter: nfnetlink_queue: return -EOPNOTSUPP if QUEUE_CT is disabled
  2015-09-10  0:09     ` Pablo Neira Ayuso
  2015-09-10  8:02       ` nfqueue batch verdict with conntrack (was [PATCH RFC 3/3] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c) Ken-ichirou MATSUZAWA
@ 2015-09-10  9:20       ` Ken-ichirou MATSUZAWA
  2015-09-10  9:24         ` [PATCH nf-next 1/1] " Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2015-09-10  9:20 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

 Hi,

> On Wed, Sep 09, 2015 at 06:55:16PM +0900, Ken-ichirou MATSUZAWA wrote:
> > On Tue, Sep 08, 2015 at 06:54:51PM +0200, Pablo Neira Ayuso wrote:
> > [...]
> > May I suggest one thing? How about returning -EOPNOTSUPP at
> > nfqnl_recv_config() if derefering nfq_ct_hook is NULL?
> 
> Makes sense. Thus, the user knows that it is not supported, please
> send a patch for that.

Would you review the following patch? It applies on top of your
"Rework nfnetlink_queue conntrack support" series.

Thanks,


* [PATCH nf-next 1/1] netfilter: nfnetlink_queue: return -EOPNOTSUPP if QUEUE_CT is disabled
  2015-09-10  9:20       ` [PATCH nf-next 0/1] netfilter: nfnetlink_queue: return -EOPNOTSUPP if QUEUE_CT is disabled Ken-ichirou MATSUZAWA
@ 2015-09-10  9:24         ` Ken-ichirou MATSUZAWA
From: Ken-ichirou MATSUZAWA @ 2015-09-10  9:24 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

The current kernel ignores an NFQA_CFG_F_CONNTRACK config flag request
when NETFILTER_NETLINK_QUEUE_CT is disabled, without telling the user.
This patch reports it to the user by returning an error nlmsg.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 net/netfilter/nfnetlink_queue.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 801af4e..40982c7 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1224,6 +1224,11 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 			goto err_out_unlock;
 		}
 #endif
+		if (flags & mask & NFQA_CFG_F_CONNTRACK &&
+		    rcu_dereference(nfq_ct_hook) == NULL) {
+			ret = -EOPNOTSUPP;
+			goto err_out_unlock;
+		}
 		spin_lock_bh(&queue->lock);
 		queue->flags &= ~mask;
 		queue->flags |= flags & mask;
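Review bot: The new check rejects the flag only at configuration time; if nf_conntrack_netlink is unloaded afterwards (its exit path resets nfq_ct_hook to NULL, as the rename patch below shows), NFQA_CFG_F_CONNTRACK stays set in queue->flags and a user who was just told the feature is supported silently stops receiving NFQA_CT. That is not unsafe, since nfqnl_build_packet_message() re-checks the hook for NULL, but it is worth a line such as `/* the hook may still go away later; nfqnl_build_packet_message() re-checks it */` above the condition. On style, the `&` chain is correct as written, but `if ((flags & mask & NFQA_CFG_F_CONNTRACK) && rcu_dereference(nfq_ct_hook) == NULL)` makes the precedence obvious at a glance. nfqnl_recv_config() starts and ends outside this hunk.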
-- 
1.7.10.4



* Re: [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support
  2015-09-10  0:06   ` [PATCH RFC 0/3] Rework nfnetlink_queue conntrack support Pablo Neira Ayuso
@ 2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
  2015-09-11  3:07       ` [PATCH nf-next 1/3] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info Ken-ichirou MATSUZAWA
                         ` (5 more replies)
From: Ken-ichirou MATSUZAWA @ 2015-09-11  3:05 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Thu, Sep 10, 2015 at 02:06:15AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 09, 2015 at 06:50:42PM +0900, Ken-ichirou MATSUZAWA wrote:
> > * We do not add another Kconfig for nflog attaching ct info?
> 
> I think you can add it too, yes.
> 
> So will you send a follow up patchset on top of those three to add
> what you need?

Would you look at the following patch set?
I don't understand the Kconfig part above well;
would you give me some advice?

Thanks,


* [PATCH nf-next 1/3] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info
  2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
@ 2015-09-11  3:07       ` Ken-ichirou MATSUZAWA
  2015-09-30 22:03         ` Pablo Neira Ayuso
  2015-09-11  3:09       ` [PATCH nf-next 2/3] netfilter: nf_conntrack_netlink: add const qualifier to nfnl_hook Ken-ichirou MATSUZAWA
                         ` (4 subsequent siblings)
From: Ken-ichirou MATSUZAWA @ 2015-09-11  3:07 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

The idea of this patch series is to attach conntrack information to
nflog, as nfqueue already does. The nfqueue conntrack-attaching
infrastructure is generic, so rename it to a generic name: glue.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 include/linux/netfilter.h            |    4 +--
 net/netfilter/core.c                 |    4 +--
 net/netfilter/nf_conntrack_netlink.c |   54 +++++++++++++++++-----------------
 net/netfilter/nfnetlink_queue.c      |   12 ++++----
 4 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 89bf246..6df59f0 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -379,7 +379,7 @@ struct nf_conn;
 enum ip_conntrack_info;
 struct nlattr;
 
-struct nfq_ct_hook {
+struct nfnl_ct_hook {
 	struct nf_conn *(*get_ct)(struct sk_buff *skb,
 				  enum ip_conntrack_info *ctinfo);
 	size_t (*build_size)(const struct nf_conn *ct);
@@ -392,7 +392,7 @@ struct nfq_ct_hook {
 	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
 			   enum ip_conntrack_info ctinfo, s32 off);
 };
-extern struct nfq_ct_hook __rcu *nfq_ct_hook;
+extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
 
 /**
  * nf_skb_duplicated - TEE target has sent a packet
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 0b939b7..83fb9e2 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -385,8 +385,8 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct)
 }
 EXPORT_SYMBOL(nf_conntrack_destroy);
 
-struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
-EXPORT_SYMBOL_GPL(nfq_ct_hook);
+struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly;
+EXPORT_SYMBOL_GPL(nfnl_ct_hook);
 
 #endif /* CONFIG_NF_CONNTRACK */
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index ee7b544..d6a5514 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2139,8 +2139,8 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
 		       struct nf_conntrack_tuple *mask);
 
 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
-static struct nf_conn *ctnetlink_nfqueue_get_ct(struct sk_buff *skb,
-						enum ip_conntrack_info *ctinfo)
+static struct nf_conn *ctnetlink_glue_get_ct(struct sk_buff *skb,
+					     enum ip_conntrack_info *ctinfo)
 {
 	struct nf_conn *ct;
 
@@ -2152,7 +2152,7 @@ static struct nf_conn *ctnetlink_nfqueue_get_ct(struct sk_buff *skb,
 }
 
 static int
-__ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct)
+__ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
 {
 	const struct nf_conntrack_zone *zone;
 	struct nlattr *nest_parms;
@@ -2225,9 +2225,9 @@ nla_put_failure:
 }
 
 static int
-ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct,
-			enum ip_conntrack_info ctinfo,
-			u_int16_t ct_attr, u_int16_t ct_info_attr)
+ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
+		     enum ip_conntrack_info ctinfo,
+		     u_int16_t ct_attr, u_int16_t ct_info_attr)
 {
 	struct nlattr *nest_parms;
 
@@ -2235,7 +2235,7 @@ ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct,
 	if (!nest_parms)
 		goto nla_put_failure;
 
-	if (__ctnetlink_nfqueue_build(skb, ct) < 0)
+	if (__ctnetlink_glue_build(skb, ct) < 0)
 		goto nla_put_failure;
 
 	nla_nest_end(skb, nest_parms);
@@ -2250,7 +2250,7 @@ nla_put_failure:
 }
 
 static int
-ctnetlink_nfqueue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
+ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
 {
 	int err;
 
@@ -2290,7 +2290,7 @@ ctnetlink_nfqueue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
 }
 
 static int
-ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
+ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
 {
 	struct nlattr *cda[CTA_MAX+1];
 	int ret;
@@ -2300,16 +2300,16 @@ ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
 		return ret;
 
 	spin_lock_bh(&nf_conntrack_expect_lock);
-	ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
+	ret = ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
 	spin_unlock_bh(&nf_conntrack_expect_lock);
 
 	return ret;
 }
 
-static int ctnetlink_nfqueue_exp_parse(const struct nlattr * const *cda,
-				       const struct nf_conn *ct,
-				       struct nf_conntrack_tuple *tuple,
-				       struct nf_conntrack_tuple *mask)
+static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
+				    const struct nf_conn *ct,
+				    struct nf_conntrack_tuple *tuple,
+				    struct nf_conntrack_tuple *mask)
 {
 	int err;
 
@@ -2323,8 +2323,8 @@ static int ctnetlink_nfqueue_exp_parse(const struct nlattr * const *cda,
 }
 
 static int
-ctnetlink_nfqueue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
-				u32 portid, u32 report)
+ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
+			     u32 portid, u32 report)
 {
 	struct nlattr *cda[CTA_EXPECT_MAX+1];
 	struct nf_conntrack_tuple tuple, mask;
@@ -2336,7 +2336,7 @@ ctnetlink_nfqueue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
 	if (err < 0)
 		return err;
 
-	err = ctnetlink_nfqueue_exp_parse((const struct nlattr * const *)cda,
+	err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
 					  ct, &tuple, &mask);
 	if (err < 0)
 		return err;
@@ -2364,8 +2364,8 @@ ctnetlink_nfqueue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
 	return 0;
 }
 
-static void ctnetlink_nfqueue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
-				     enum ip_conntrack_info ctinfo, int diff)
+static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
+				  enum ip_conntrack_info ctinfo, int diff)
 {
 	if (!(ct->status & IPS_NAT_MASK))
 		return;
@@ -2373,14 +2373,14 @@ static void ctnetlink_nfqueue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
 	nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
 }
 
-static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
-	.get_ct		= ctnetlink_nfqueue_get_ct,
+static struct nfnl_ct_hook ctnetlink_glue_hook = {
+	.get_ct		= ctnetlink_glue_get_ct,
 	/* extra size - acct and use */
 	.build_size	= ctnetlink_nlmsg_payload_size,
-	.build		= ctnetlink_nfqueue_build,
-	.parse		= ctnetlink_nfqueue_parse,
-	.attach_expect	= ctnetlink_nfqueue_attach_expect,
-	.seq_adjust	= ctnetlink_nfqueue_seqadj,
+	.build		= ctnetlink_glue_build,
+	.parse		= ctnetlink_glue_parse,
+	.attach_expect	= ctnetlink_glue_attach_expect,
+	.seq_adjust	= ctnetlink_glue_seqadj,
 };
 #endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
 
@@ -3368,7 +3368,7 @@ static int __init ctnetlink_init(void)
 	}
 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
 	/* setup interaction between nf_queue and nf_conntrack_netlink. */
-	RCU_INIT_POINTER(nfq_ct_hook, &ctnetlink_nfqueue_hook);
+	RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
 #endif
 	return 0;
 
@@ -3388,7 +3388,7 @@ static void __exit ctnetlink_exit(void)
 	nfnetlink_subsys_unregister(&ctnl_exp_subsys);
 	nfnetlink_subsys_unregister(&ctnl_subsys);
 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
-	RCU_INIT_POINTER(nfq_ct_hook, NULL);
+	RCU_INIT_POINTER(nfnl_ct_hook, NULL);
 #endif
 }
 
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 40982c7..3e3a577 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -302,7 +302,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 {
 	size_t size;
 	size_t data_len = 0, cap_len = 0;
-	struct nfq_ct_hook *nfq_ct;
+	struct nfnl_ct_hook *nfq_ct;
 	unsigned int hlen = 0;
 	struct sk_buff *skb;
 	struct nlattr *nla;
@@ -365,7 +365,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	}
 
 	if (queue->flags & NFQA_CFG_F_CONNTRACK) {
-		nfq_ct = rcu_dereference(nfq_ct_hook);
+		nfq_ct = rcu_dereference(nfnl_ct_hook);
 		if (nfq_ct != NULL) {
 			ct = nfq_ct->get_ct(entskb, &ctinfo);
 			if (ct != NULL)
@@ -1008,7 +1008,7 @@ nfqnl_recv_verdict_batch(struct sock *ctnl, struct sk_buff *skb,
 	return 0;
 }
 
-static struct nf_conn *nfqnl_ct_parse(struct nfq_ct_hook *nfq_ct,
+static struct nf_conn *nfqnl_ct_parse(struct nfnl_ct_hook *nfq_ct,
 				      const struct nlmsghdr *nlh,
 				      const struct nlattr * const nfqa[],
 				      struct nf_queue_entry *entry,
@@ -1043,7 +1043,7 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
 	unsigned int verdict;
 	struct nf_queue_entry *entry;
 	enum ip_conntrack_info uninitialized_var(ctinfo);
-	struct nfq_ct_hook *nfq_ct;
+	struct nfnl_ct_hook *nfq_ct;
 	struct nf_conn *ct = NULL;
 
 	struct net *net = sock_net(ctnl);
@@ -1068,7 +1068,7 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
 
 	if (nfqa[NFQA_CT]) {
 		/* rcu lock already held from nfnl->call_rcu. */
-		nfq_ct = rcu_dereference(nfq_ct_hook);
+		nfq_ct = rcu_dereference(nfnl_ct_hook);
 		if (nfq_ct != NULL)
 			ct = nfqnl_ct_parse(nfq_ct, nlh, nfqa, entry, &ctinfo);
 	}
@@ -1225,7 +1225,7 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 		}
 #endif
 		if (flags & mask & NFQA_CFG_F_CONNTRACK &&
-		    rcu_dereference(nfq_ct_hook) == NULL) {
+		    rcu_dereference(nfnl_ct_hook) == NULL) {
 			ret = -EOPNOTSUPP;
 			goto err_out_unlock;
 		}
-- 
1.7.10.4



* [PATCH nf-next 2/3] netfilter: nf_conntrack_netlink: add const qualifier to nfnl_hook
  2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
  2015-09-11  3:07       ` [PATCH nf-next 1/3] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info Ken-ichirou MATSUZAWA
@ 2015-09-11  3:09       ` Ken-ichirou MATSUZAWA
  2015-09-11  3:10       ` [PATCH nf-next 3/3] netfilter: nfnetlink_log: allow to attach conntrack Ken-ichirou MATSUZAWA
                         ` (3 subsequent siblings)
From: Ken-ichirou MATSUZAWA @ 2015-09-11  3:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

get_ct does not modify its skb argument, and the only user of
nfnl_ct_hook is now nfqueue, so we can add the const qualifier.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 include/linux/netfilter.h            |    2 +-
 net/netfilter/nf_conntrack_netlink.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 6df59f0..4c3bde9 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -380,7 +380,7 @@ enum ip_conntrack_info;
 struct nlattr;
 
 struct nfnl_ct_hook {
-	struct nf_conn *(*get_ct)(struct sk_buff *skb,
+	struct nf_conn *(*get_ct)(const struct sk_buff *skb,
 				  enum ip_conntrack_info *ctinfo);
 	size_t (*build_size)(const struct nf_conn *ct);
 	int (*build)(struct sk_buff *skb, struct nf_conn *ct,
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d6a5514..155b2d0 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2139,7 +2139,7 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
 		       struct nf_conntrack_tuple *mask);
 
 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
-static struct nf_conn *ctnetlink_glue_get_ct(struct sk_buff *skb,
+static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
 					     enum ip_conntrack_info *ctinfo)
 {
 	struct nf_conn *ct;
-- 
1.7.10.4



* [PATCH nf-next 3/3] netfilter: nfnetlink_log: allow to attach conntrack
  2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
  2015-09-11  3:07       ` [PATCH nf-next 1/3] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info Ken-ichirou MATSUZAWA
  2015-09-11  3:09       ` [PATCH nf-next 2/3] netfilter: nf_conntrack_netlink: add const qualifier to nfnl_hook Ken-ichirou MATSUZAWA
@ 2015-09-11  3:10       ` Ken-ichirou MATSUZAWA
  2015-09-30 22:10         ` Pablo Neira Ayuso
  2015-09-11  3:12       ` [PATCH lnf-log 1/3] include: Sync with kernel headers Ken-ichirou MATSUZAWA
                         ` (2 subsequent siblings)
  5 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-11  3:10 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This patch makes it possible to include the conntrack information
together with the packet that is sent to user-space via NFLOG, so
that a user-space program can obtain the NAT information from the
NFULA_CT attribute.

Including the conntrack information is optional: it is enabled by
setting the NFULNL_CFG_F_CONNTRACK flag in the NFULA_CFG_FLAGS
attribute, as NFQUEUE does.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 include/uapi/linux/netfilter/nfnetlink_log.h |    3 ++
 net/netfilter/Kconfig                        |    8 +++++
 net/netfilter/nf_conntrack_netlink.c         |    8 ++---
 net/netfilter/nfnetlink_log.c                |   42 ++++++++++++++++++++++----
 4 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 90c2c95..081e7f9 100644
--- a/include/uapi/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -51,6 +51,8 @@ enum nfulnl_attr_type {
 	NFULA_HWTYPE,			/* hardware type */
 	NFULA_HWHEADER,			/* hardware header */
 	NFULA_HWLEN,			/* hardware header length */
+	NFULA_CT,			/* nf_conntrack_netlink.h */
+	NFULA_CT_INFO,			/* enum ip_conntrack_info */
 
 	__NFULA_MAX
 };
@@ -93,5 +95,6 @@ enum nfulnl_attr_config {
 
 #define NFULNL_CFG_F_SEQ	0x0001
 #define NFULNL_CFG_F_SEQ_GLOBAL	0x0002
+#define NFULNL_CFG_F_CONNTRACK	0x0004
 
 #endif /* _NFNETLINK_LOG_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3e1b4ab..a8853c8 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -370,6 +370,14 @@ config NETFILTER_NETLINK_QUEUE_CT
 	  If this option is enabled, NFQUEUE can include Connection Tracking
 	  information together with the packet is the enqueued via NFNETLINK.
 
+config NETFILTER_NETLINK_LOG_CT
+        bool "NLOG integration with Connection Tracking"
+        default n
+        depends on NETFILTER_NETLINK_LOG
+	help
+	  If this option is enabled, NFLOG can include Connection Tracking
+	  information.
+
 config NF_NAT
 	tristate
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 155b2d0..ccdce3a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2138,7 +2138,7 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
 		       struct nf_conntrack_tuple *tuple,
 		       struct nf_conntrack_tuple *mask);
 
-#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
+#if defined(CONFIG_NETFILTER_NETLINK_QUEUE_CT) || defined(NETFILTER_NETLINK_LOG_CT)
 static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
 					     enum ip_conntrack_info *ctinfo)
 {
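Review bot: `defined(NETFILTER_NETLINK_LOG_CT)` tests a macro that is never defined — Kconfig exports the option added in this patch as `CONFIG_NETFILTER_NETLINK_LOG_CT`, so with only the LOG_CT option enabled the glue hook still compiles out and nfnl_ct_hook stays NULL. The same spelling is repeated in the `#endif` comment and in the ctnetlink_init and ctnetlink_exit hunks below. All four guards should read `#if defined(CONFIG_NETFILTER_NETLINK_QUEUE_CT) || defined(CONFIG_NETFILTER_NETLINK_LOG_CT)`. ctnetlink_glue_get_ct's body continues outside the hunk.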
@@ -2382,7 +2382,7 @@ static struct nfnl_ct_hook ctnetlink_glue_hook = {
 	.attach_expect	= ctnetlink_glue_attach_expect,
 	.seq_adjust	= ctnetlink_glue_seqadj,
 };
-#endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
+#endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT || NETFILTER_NETLINK_LOG_CT */
 
 /***********************************************************************
  * EXPECT
@@ -3366,7 +3366,7 @@ static int __init ctnetlink_init(void)
 		pr_err("ctnetlink_init: cannot register pernet operations\n");
 		goto err_unreg_exp_subsys;
 	}
-#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
+#if defined(CONFIG_NETFILTER_NETLINK_QUEUE_CT) || defined(NETFILTER_NETLINK_LOG_CT)
 	/* setup interaction between nf_queue and nf_conntrack_netlink. */
 	RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
 #endif
@@ -3387,7 +3387,7 @@ static void __exit ctnetlink_exit(void)
 	unregister_pernet_subsys(&ctnetlink_net_ops);
 	nfnetlink_subsys_unregister(&ctnl_exp_subsys);
 	nfnetlink_subsys_unregister(&ctnl_subsys);
-#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
+#if defined(CONFIG_NETFILTER_NETLINK_QUEUE_CT) || defined(NETFILTER_NETLINK_LOG_CT)
 	RCU_INIT_POINTER(nfnl_ct_hook, NULL);
 #endif
 }
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 4670821..9d04c21 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -27,6 +27,7 @@
 #include <net/netlink.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_log.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/spinlock.h>
 #include <linux/sysctl.h>
 #include <linux/proc_fs.h>
@@ -401,7 +402,9 @@ __build_packet_message(struct nfnl_log_net *log,
 			unsigned int hooknum,
 			const struct net_device *indev,
 			const struct net_device *outdev,
-			const char *prefix, unsigned int plen)
+			const char *prefix, unsigned int plen,
+			struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+
 {
 	struct nfulnl_msg_packet_hdr pmsg;
 	struct nlmsghdr *nlh;
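Review bot: There is a stray blank `+` line between the closing parenthesis of the parameter list and the opening brace, which is not kernel style; drop it so `struct nf_conn *ct, enum ip_conntrack_info ctinfo)` is immediately followed by `{`. __build_packet_message's body continues outside the hunk.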
@@ -409,6 +412,7 @@ __build_packet_message(struct nfnl_log_net *log,
 	sk_buff_data_t old_tail = inst->skb->tail;
 	struct sock *sk;
 	const unsigned char *hwhdrp;
+	struct nfnl_ct_hook *nflog_ct;
 
 	nlh = nlmsg_put(inst->skb, 0, 0,
 			NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
@@ -575,6 +579,14 @@ __build_packet_message(struct nfnl_log_net *log,
 			 htonl(atomic_inc_return(&log->global_seq))))
 		goto nla_put_failure;
 
+	/* conntrack */
+	if (ct) {
+		nflog_ct = rcu_dereference(nfnl_ct_hook);
+		if (nflog_ct->build(inst->skb, ct, ctinfo,
+				    NFULA_CT, NFULA_CT_INFO) < 0)
+			goto nla_put_failure;
+	}
+
 	if (data_len) {
 		struct nlattr *nla;
 		int size = nla_attr_size(data_len);
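Review bot: `nflog_ct` is dereferenced without a NULL check right after `rcu_dereference(nfnl_ct_hook)`. The caller only passes a non-NULL ct when its own lookup of the hook succeeded, so this is safe only if both lookups sit inside the same RCU read-side critical section, which the hunk does not show. Passing the already resolved hook pointer in from nfulnl_log_packet instead of looking it up a second time, or adding `if (nflog_ct == NULL) goto nla_put_failure;`, removes the dependency on that invariant. __build_packet_message starts and ends outside the hunk.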
@@ -620,12 +632,16 @@ nfulnl_log_packet(struct net *net,
 		  const struct nf_loginfo *li_user,
 		  const char *prefix)
 {
-	unsigned int size, data_len;
+	size_t size;
+	unsigned int data_len;
 	struct nfulnl_instance *inst;
 	const struct nf_loginfo *li;
 	unsigned int qthreshold;
 	unsigned int plen;
 	struct nfnl_log_net *log = nfnl_log_pernet(net);
+	struct nfnl_ct_hook *nflog_ct;
+	struct nf_conn *ct = NULL;
+	enum ip_conntrack_info uninitialized_var(ctinfo);
 
 	if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
 		li = li_user;
@@ -671,7 +687,14 @@ nfulnl_log_packet(struct net *net,
 		size += nla_total_size(sizeof(u_int32_t));
 	if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
 		size += nla_total_size(sizeof(u_int32_t));
-
+	if (inst->flags & NFULNL_CFG_F_CONNTRACK) {
+		nflog_ct = rcu_dereference(nfnl_ct_hook);
+		if (nflog_ct != NULL) {
+			ct = nflog_ct->get_ct(skb, &ctinfo);
+			if (ct != NULL)
+				size += nflog_ct->build_size(ct);
+		}
+	}
 	qthreshold = inst->qthreshold;
 	/* per-rule qthreshold overrides per-instance */
 	if (li->u.ulog.qthreshold)
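Review bot: The blank line that separated the size accounting from `qthreshold = inst->qthreshold;` is removed rather than moved, so the new `if (inst->flags & NFULNL_CFG_F_CONNTRACK)` block runs straight into the qthreshold code; keep an empty line after its closing brace. Note that `ctinfo` is only written when `get_ct` returns a conntrack, which matches the `if (ct)` test in __build_packet_message but relies on the uninitialized_var() annotation in the declaration hunk above. nfulnl_log_packet starts and ends outside the hunk.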
@@ -715,7 +738,7 @@ nfulnl_log_packet(struct net *net,
 	inst->qlen++;
 
 	__build_packet_message(log, inst, skb, data_len, pf,
-				hooknum, in, out, prefix, plen);
+				hooknum, in, out, prefix, plen, ct, ctinfo);
 
 	if (inst->qlen >= qthreshold)
 		__nfulnl_flush(inst);
@@ -899,13 +922,20 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 	}
 
 	if (nfula[NFULA_CFG_FLAGS]) {
-		__be16 flags = nla_get_be16(nfula[NFULA_CFG_FLAGS]);
+		__be16 flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS]));
 
 		if (!inst) {
 			ret = -ENODEV;
 			goto out;
 		}
-		nfulnl_set_flags(inst, ntohs(flags));
+
+		if (flags & NFULNL_CFG_F_CONNTRACK &&
+		    rcu_dereference(nfnl_ct_hook) == NULL) {
+			ret = -EOPNOTSUPP;
+			goto out_put;
+		}
+
+		nfulnl_set_flags(inst, flags);
 	}
 
 out_put:
-- 
1.7.10.4



* [PATCH lnf-log 1/3] include: Sync with kernel headers
  2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
                         ` (2 preceding siblings ...)
  2015-09-11  3:10       ` [PATCH nf-next 3/3] netfilter: nfnetlink_log: allow to attach conntrack Ken-ichirou MATSUZAWA
@ 2015-09-11  3:12       ` Ken-ichirou MATSUZAWA
  2015-10-12 15:21         ` Pablo Neira Ayuso
  2015-09-11  3:14       ` [PATCH lnf-log 2/3] nlmsg: Add NFULA_CT and NFULA_CT_INFO attributes support Ken-ichirou MATSUZAWA
  2015-09-11  3:15       ` [PATCH lnf-log 3/3] utils: nf-log: attaching a conntrack information Ken-ichirou MATSUZAWA
  5 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-11  3:12 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 include/libnetfilter_log/linux_nfnetlink_log.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/include/libnetfilter_log/linux_nfnetlink_log.h b/include/libnetfilter_log/linux_nfnetlink_log.h
index 9f38277..081e7f9 100644
--- a/include/libnetfilter_log/linux_nfnetlink_log.h
+++ b/include/libnetfilter_log/linux_nfnetlink_log.h
@@ -1,16 +1,12 @@
 #ifndef _NFNETLINK_LOG_H
 #define _NFNETLINK_LOG_H
 
-#ifndef aligned_u64
-#define aligned_u64 unsigned long long __attribute__((aligned(8)))
-#endif
-
 /* This file describes the netlink messages (i.e. 'protocol packets'),
  * and not any kind of function definitions.  It is shared between kernel and
  * userspace.  Don't put kernel specific stuff in here */
 
 #include <linux/types.h>
-#include <libnfnetlink/linux_nfnetlink.h>
+#include <linux/netfilter/nfnetlink.h>
 
 enum nfulnl_msg_types {
 	NFULNL_MSG_PACKET,		/* packet from kernel to userspace */
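Review bot: The `#ifndef aligned_u64` fallback is deleted and nothing in the hunk replaces it; if a structure later in this header (outside the hunk) still uses `aligned_u64`, builds against a `<linux/types.h>` that does not define it will break. The diffstat shows no other change to the file, which suggests the type is no longer used, but that is worth confirming before dropping the guard. The switch from `<libnfnetlink/linux_nfnetlink.h>` to `<linux/netfilter/nfnetlink.h>` likewise makes the header depend on installed kernel headers rather than on libnfnetlink; presumably intended, but it should be stated in the commit message.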
@@ -55,6 +51,8 @@ enum nfulnl_attr_type {
 	NFULA_HWTYPE,			/* hardware type */
 	NFULA_HWHEADER,			/* hardware header */
 	NFULA_HWLEN,			/* hardware header length */
+	NFULA_CT,			/* nf_conntrack_netlink.h */
+	NFULA_CT_INFO,			/* enum ip_conntrack_info */
 
 	__NFULA_MAX
 };
@@ -97,5 +95,6 @@ enum nfulnl_attr_config {
 
 #define NFULNL_CFG_F_SEQ	0x0001
 #define NFULNL_CFG_F_SEQ_GLOBAL	0x0002
+#define NFULNL_CFG_F_CONNTRACK	0x0004
 
 #endif /* _NFNETLINK_LOG_H */
-- 
2.1.4



* [PATCH lnf-log 2/3] nlmsg: Add NFULA_CT and NFULA_CT_INFO attributes support
  2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
                         ` (3 preceding siblings ...)
  2015-09-11  3:12       ` [PATCH lnf-log 1/3] include: Sync with kernel headers Ken-ichirou MATSUZAWA
@ 2015-09-11  3:14       ` Ken-ichirou MATSUZAWA
  2015-10-12 15:21         ` Pablo Neira Ayuso
  2015-09-11  3:15       ` [PATCH lnf-log 3/3] utils: nf-log: attaching a conntrack information Ken-ichirou MATSUZAWA
  5 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-11  3:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This patch validates the NFULA_CT and NFULA_CT_INFO attributes.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 src/nlmsg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/nlmsg.c b/src/nlmsg.c
index 0aa21a0..3ebb364 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -7,7 +7,6 @@
  * (at your option) any later version.
  */
 #include <arpa/inet.h>
-#include <linux/netfilter/nfnetlink_log.h>
 #include <libmnl/libmnl.h>
 #include <libnetfilter_log/libnetfilter_log.h>
 #include <errno.h>
@@ -112,6 +111,7 @@ static int nflog_parse_attr_cb(const struct nlattr *attr, void *data)
 	case NFULA_SEQ:			/* instance-local sequence number */
 	case NFULA_SEQ_GLOBAL:		/* global sequence number */
 	case NFULA_GID:			/* group id of socket */
+	case NFULA_CT_INFO:		/* enum ip_conntrack_info */
 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
 			return MNL_CB_ERROR;
 		break;
@@ -139,6 +139,7 @@ static int nflog_parse_attr_cb(const struct nlattr *attr, void *data)
 		break;
 	case NFULA_HWHEADER:		/* hardware header */
 	case NFULA_PAYLOAD:		/* opaque data payload */
+	case NFULA_CT:			/* nf_conntrack_netlink.h */
 		break;
 	}
 	tb[type] = attr;
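Review bot: NFULA_CT is placed in the no-validation branch next to the opaque NFULA_PAYLOAD, yet its contents are later handed to nfct_payload_parse() by the consumer. The kernel presumably emits it as a nested attribute (the conntrack glue builds it with a nested start), so `case NFULA_CT:` deserves its own `if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0) return MNL_CB_ERROR;` rather than sharing the unchecked branch. nflog_parse_attr_cb starts outside the hunk.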
-- 
2.1.4



* [PATCH lnf-log 3/3] utils: nf-log: attaching a conntrack information
  2015-09-11  3:05     ` Ken-ichirou MATSUZAWA
                         ` (4 preceding siblings ...)
  2015-09-11  3:14       ` [PATCH lnf-log 2/3] nlmsg: Add NFULA_CT and NFULA_CT_INFO attributes support Ken-ichirou MATSUZAWA
@ 2015-09-11  3:15       ` Ken-ichirou MATSUZAWA
  2015-10-12 15:26         ` Pablo Neira Ayuso
  5 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-09-11  3:15 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This patch enables nf-log in the utils directory to show conntrack
information when libnetfilter_conntrack is available.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 configure.ac      |   5 +++
 utils/Makefile.am |   3 ++
 utils/nf-log.c    | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 110 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index ead9399..7d58f09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,6 +4,7 @@ AC_INIT([libnetfilter_log], [1.0.1])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CANONICAL_HOST
 AC_CONFIG_MACRO_DIR([m4])
+AC_CONFIG_HEADERS([config.h])
 
 AM_INIT_AUTOMAKE([-Wall foreign subdir-objects
 	tar-pax no-dist-gzip dist-bzip2 1.6])
@@ -31,6 +32,10 @@ AM_CONDITIONAL([BUILD_IPULOG], [test "x$with_ipulog" != xno])
 dnl Dependencies
 PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 0.0.41])
 PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.2],
+		  [AC_DEFINE([BUILD_NFCT], [1], [building nfct integration example]) HAVE_LNFCT=1],
+		  [HAVE_LNFCT=0])
+AM_CONDITIONAL([BUILD_NFCT], [test "$HAVE_LNFCT" -eq 1])
 
 dnl Output the makefile
 AC_CONFIG_FILES([Makefile src/Makefile include/Makefile
diff --git a/utils/Makefile.am b/utils/Makefile.am
index dfe5f34..baef81a 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -9,6 +9,9 @@ nfulnl_test_LDFLAGS = -dynamic
 nf_log_SOURCES = nf-log.c
 nf_log_LDADD = ../src/libnetfilter_log.la
 nf_log_LDFLAGS = -dynamic -lmnl
+if BUILD_NFCT
+nf_log_LDFLAGS += $(LIBNETFILTER_CONNTRACK_LIBS)
+endif
 
 if BUILD_IPULOG
 check_PROGRAMS += ulog_test
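Review bot: `$(LIBNETFILTER_CONNTRACK_LIBS)` is appended to `nf_log_LDFLAGS`, but automake convention puts libraries in `LDADD` and reserves `LDFLAGS` for linker options, so this should be `nf_log_LDADD += $(LIBNETFILTER_CONNTRACK_LIBS)`. The matching `$(LIBNETFILTER_CONNTRACK_CFLAGS)` from the PKG_CHECK_MODULES call in configure.ac is not added to the compile flags anywhere in this patch, so a libnetfilter_conntrack installed outside the default include path would not be found.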
diff --git a/utils/nf-log.c b/utils/nf-log.c
index 5f2a192..1418af4 100644
--- a/utils/nf-log.c
+++ b/utils/nf-log.c
@@ -3,15 +3,108 @@
 #include <stdlib.h>
 #include <arpa/inet.h>
 
-#include <linux/netfilter/nfnetlink_log.h>
+/* #include <linux/netfilter/nfnetlink_log.h> */
+#include <libnetfilter_log/linux_nfnetlink_log.h>
 
 #include <libmnl/libmnl.h>
 #include <libnetfilter_log/libnetfilter_log.h>
 
+#include "../config.h"
+#ifdef BUILD_NFCT
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#endif
+
+#ifdef BUILD_NFCT
+static int print_ctinfo(const struct nlattr *const attr)
+{
+	char *s = NULL;
+
+	if (attr == NULL)
+		return MNL_CB_OK;
+
+	switch (ntohl(mnl_attr_get_u32(attr))) {
+	case IP_CT_ESTABLISHED:
+		s = "IP_CT_ESTABLISHED";
+		break;
+	case IP_CT_RELATED:
+		s = "IP_CT_RELATED";
+		break;
+	case IP_CT_NEW:
+		s = "IP_CT_NEW";
+		break;
+	case IP_CT_IS_REPLY:
+		s = "IP_CT_IS_REPLY";
+		break;
+	/* case IP_CT_ESTABLISHED_REPLY: == IP_CT_IS_REPLY
+	 *	s = "IP_CT_ESTABLISHED_REPLY";
+	 *	break;
+	 */
+	case IP_CT_RELATED_REPLY:
+		s = "IP_CT_RELATED_REPLY";
+		break;
+	case IP_CT_NEW_REPLY:
+		s = "IP_CT_NEW_REPLY";
+		break;
+	/* case IP_CT_NUMBER: == IP_CT_NEW_REPLY
+	 *	s ="IP_CT_NUMBER";
+	 *	break;
+	 */
+	default:
+		return MNL_CB_ERROR;
+	}
+
+	printf("  ip_conntrack_info: %s\n", s);
+	return MNL_CB_OK;
+}
+
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	char buf[4096];
+	struct nf_conntrack *ct = NULL;
+
+	if (info_attr != NULL)
+		print_ctinfo(info_attr);
+
+	if (ct_attr == NULL)
+		return MNL_CB_OK;
+
+	ct = nfct_new();
+	if (ct == NULL) {
+		perror("nfct_new");
+		return MNL_CB_ERROR;
+	}
+
+	if (nfct_payload_parse(mnl_attr_get_payload(ct_attr),
+			       mnl_attr_get_payload_len(ct_attr),
+			       family, ct) < 0) {
+		perror("nfct_payload_parse");
+		nfct_destroy(ct);
+		return MNL_CB_ERROR;
+	}
+
+	nfct_snprintf(buf, sizeof(buf), ct, 0, NFCT_O_DEFAULT, 0);
+	printf("  %s\n", buf);
+	nfct_destroy(ct);
+
+	return MNL_CB_OK;
+}
+#else
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	return MNL_CB_OK;
+}
+#endif
+
 static int log_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct nlattr *attrs[NFULA_MAX + 1] = { NULL };
 	struct nfulnl_msg_packet_hdr *ph = NULL;
+	struct nfgenmsg *nfg;
 	const char *prefix = NULL;
 	uint32_t mark = 0;
 	char buf[4096];
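Review bot: print_nfct() discards the return value of print_ctinfo(), so a ctinfo value the switch rejects with MNL_CB_ERROR is silently ignored, and log_cb in the hunk further down likewise ignores print_nfct()'s return; either propagate them, `if (print_ctinfo(info_attr) != MNL_CB_OK) return MNL_CB_ERROR;`, or make the helpers void. The `if (info_attr != NULL)` guard before that call is redundant because print_ctinfo() already returns MNL_CB_OK for a NULL attr. The stub under `#else` leaves family, info_attr and ct_attr unused, which warns under -Wextra. nfct_snprintf()'s return value is also unchecked, though with a 4096-byte buffer that is only a truncation concern.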
@@ -21,6 +114,8 @@ static int log_cb(const struct nlmsghdr *nlh, void *data)
 	if (ret != MNL_CB_OK)
 		return ret;
 
+	nfg = mnl_nlmsg_get_payload(nlh);
+
 	if (attrs[NFULA_PACKET_HDR])
 		ph = mnl_attr_get_payload(attrs[NFULA_PACKET_HDR]);
 	if (attrs[NFULA_PREFIX])
@@ -38,6 +133,8 @@ static int log_cb(const struct nlmsghdr *nlh, void *data)
 		return MNL_CB_ERROR;
 	printf("%s (ret=%d)\n", buf, ret);
 
+	print_nfct(nfg->nfgen_family, attrs[NFULA_CT_INFO], attrs[NFULA_CT]);
+
 	return MNL_CB_OK;
 }
 
@@ -108,6 +205,10 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
+#ifdef BUILD_NFCT
+	mnl_attr_put_u16(nlh, NFULA_CFG_FLAGS, htons(NFULNL_CFG_F_CONNTRACK));
+#endif
+
 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 		perror("mnl_socket_sendto");
 		exit(EXIT_FAILURE);
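Review bot: The NFULNL_CFG_F_CONNTRACK flag is sent unconditionally whenever BUILD_NFCT is set, and the kernel side proposed in this thread answers with -EOPNOTSUPP when nf_conntrack_netlink is not loaded, so on such a system the example fails in the netlink error reply with no hint as to why. Consider reporting that case explicitly or making the flag an optional command-line switch so the tool still works without conntrack. main starts and ends outside the hunk.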
-- 
2.1.4



* Re: [PATCH nf-next 1/3] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info
  2015-09-11  3:07       ` [PATCH nf-next 1/3] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info Ken-ichirou MATSUZAWA
@ 2015-09-30 22:03         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-30 22:03 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Fri, Sep 11, 2015 at 12:07:48PM +0900, Ken-ichirou MATSUZAWA wrote:
> The idea of this series of patch is to attach conntrack information to
> nflog like nfqueue has already done. nfqueue conntrack info attaching
> basis is generic, rename those names to generic one, glue.

Looks good, please rebase on top of my two patches (unless you find
any problem on them) and resubmit this on top of them.

Thanks.



* Re: [PATCH nf-next 3/3] netfilter: nfnetlink_log: allow to attach conntrack
  2015-09-11  3:10       ` [PATCH nf-next 3/3] netfilter: nfnetlink_log: allow to attach conntrack Ken-ichirou MATSUZAWA
@ 2015-09-30 22:10         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-30 22:10 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Fri, Sep 11, 2015 at 12:10:37PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch enables to include the conntrack information together
> with the packet that is sent to user-space via NFLOG, then a
> user-space program can acquire NATed information by this NFULA_CT
> attribute.
> 
> Including the conntrack information is optional, you can set it
> via NFULNL_CFG_F_CONNTRACK flag with the NFULA_CFG_FLAGS attribute
> like NFQUEUE.
> 
> Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
> ---
>  include/uapi/linux/netfilter/nfnetlink_log.h |    3 ++
>  net/netfilter/Kconfig                        |    8 +++++
>  net/netfilter/nf_conntrack_netlink.c         |    8 ++---
>  net/netfilter/nfnetlink_log.c                |   42 ++++++++++++++++++++++----
>  4 files changed, 51 insertions(+), 10 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
> index 90c2c95..081e7f9 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_log.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_log.h
> @@ -51,6 +51,8 @@ enum nfulnl_attr_type {
>  	NFULA_HWTYPE,			/* hardware type */
>  	NFULA_HWHEADER,			/* hardware header */
>  	NFULA_HWLEN,			/* hardware header length */
> +	NFULA_CT,			/* nf_conntrack_netlink.h */
> +	NFULA_CT_INFO,			/* enum ip_conntrack_info */
>  
>  	__NFULA_MAX
>  };
> @@ -93,5 +95,6 @@ enum nfulnl_attr_config {
>  
>  #define NFULNL_CFG_F_SEQ	0x0001
>  #define NFULNL_CFG_F_SEQ_GLOBAL	0x0002
> +#define NFULNL_CFG_F_CONNTRACK	0x0004
>  
>  #endif /* _NFNETLINK_LOG_H */
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 3e1b4ab..a8853c8 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -370,6 +370,14 @@ config NETFILTER_NETLINK_QUEUE_CT
>  	  If this option is enabled, NFQUEUE can include Connection Tracking
>  	  information together with the packet is the enqueued via NFNETLINK.
>  
> +config NETFILTER_NETLINK_LOG_CT
> +        bool "NLOG integration with Connection Tracking"
   ^^^^^^^^
Use tabs to indent.

> +        default n
   ^^^^^^^^
Same here.

> +        depends on NETFILTER_NETLINK_LOG
> +	help
> +	  If this option is enabled, NFLOG can include Connection Tracking
> +	  information.
> +
>  config NF_NAT
>  	tristate
>  
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 155b2d0..ccdce3a 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -2138,7 +2138,7 @@ ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
>  		       struct nf_conntrack_tuple *tuple,
>  		       struct nf_conntrack_tuple *mask);
>  
> -#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
> +#if defined(CONFIG_NETFILTER_NETLINK_QUEUE_CT) || defined(NETFILTER_NETLINK_LOG_CT)
>  static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
>  					     enum ip_conntrack_info *ctinfo)
>  {
> @@ -2382,7 +2382,7 @@ static struct nfnl_ct_hook ctnetlink_glue_hook = {
>  	.attach_expect	= ctnetlink_glue_attach_expect,
>  	.seq_adjust	= ctnetlink_glue_seqadj,
>  };
> -#endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
> +#endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT || NETFILTER_NETLINK_LOG_CT */
>  
>  /***********************************************************************
>   * EXPECT
> @@ -3366,7 +3366,7 @@ static int __init ctnetlink_init(void)
>  		pr_err("ctnetlink_init: cannot register pernet operations\n");
>  		goto err_unreg_exp_subsys;
>  	}
> -#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
> +#if defined(CONFIG_NETFILTER_NETLINK_QUEUE_CT) || defined(NETFILTER_NETLINK_LOG_CT)
>  	/* setup interaction between nf_queue and nf_conntrack_netlink. */
>  	RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
>  #endif
> @@ -3387,7 +3387,7 @@ static void __exit ctnetlink_exit(void)
>  	unregister_pernet_subsys(&ctnetlink_net_ops);
>  	nfnetlink_subsys_unregister(&ctnl_exp_subsys);
>  	nfnetlink_subsys_unregister(&ctnl_subsys);
> -#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
> +#if defined(CONFIG_NETFILTER_NETLINK_QUEUE_CT) || defined(NETFILTER_NETLINK_LOG_CT)
>  	RCU_INIT_POINTER(nfnl_ct_hook, NULL);
>  #endif
>  }
> diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
> index 4670821..9d04c21 100644
> --- a/net/netfilter/nfnetlink_log.c
> +++ b/net/netfilter/nfnetlink_log.c
> @@ -27,6 +27,7 @@
>  #include <net/netlink.h>
>  #include <linux/netfilter/nfnetlink.h>
>  #include <linux/netfilter/nfnetlink_log.h>
> +#include <linux/netfilter/nf_conntrack_common.h>
>  #include <linux/spinlock.h>
>  #include <linux/sysctl.h>
>  #include <linux/proc_fs.h>
> @@ -401,7 +402,9 @@ __build_packet_message(struct nfnl_log_net *log,
>  			unsigned int hooknum,
>  			const struct net_device *indev,
>  			const struct net_device *outdev,
> -			const char *prefix, unsigned int plen)
> +			const char *prefix, unsigned int plen,
> +			struct nf_conn *ct, enum ip_conntrack_info ctinfo)
> +
>  {
>  	struct nfulnl_msg_packet_hdr pmsg;
>  	struct nlmsghdr *nlh;
> @@ -409,6 +412,7 @@ __build_packet_message(struct nfnl_log_net *log,
>  	sk_buff_data_t old_tail = inst->skb->tail;
>  	struct sock *sk;
>  	const unsigned char *hwhdrp;
> +	struct nfnl_ct_hook *nflog_ct;
>  
>  	nlh = nlmsg_put(inst->skb, 0, 0,
>  			NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
> @@ -575,6 +579,14 @@ __build_packet_message(struct nfnl_log_net *log,
>  			 htonl(atomic_inc_return(&log->global_seq))))
>  		goto nla_put_failure;
>  
> +	/* conntrack */

Please remove this comment.

> +	if (ct) {
> +		nflog_ct = rcu_dereference(nfnl_ct_hook);
> +		if (nflog_ct->build(inst->skb, ct, ctinfo,
> +				    NFULA_CT, NFULA_CT_INFO) < 0)
> +			goto nla_put_failure;
> +	}
> +
>  	if (data_len) {
>  		struct nlattr *nla;
>  		int size = nla_attr_size(data_len);
> @@ -620,12 +632,16 @@ nfulnl_log_packet(struct net *net,
>  		  const struct nf_loginfo *li_user,
>  		  const char *prefix)
>  {
> -	unsigned int size, data_len;
> +	size_t size;
> +	unsigned int data_len;
>  	struct nfulnl_instance *inst;
>  	const struct nf_loginfo *li;
>  	unsigned int qthreshold;
>  	unsigned int plen;
>  	struct nfnl_log_net *log = nfnl_log_pernet(net);
> +	struct nfnl_ct_hook *nflog_ct;
> +	struct nf_conn *ct = NULL;
> +	enum ip_conntrack_info uninitialized_var(ctinfo);
>  
>  	if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
>  		li = li_user;
> @@ -671,7 +687,14 @@ nfulnl_log_packet(struct net *net,
>  		size += nla_total_size(sizeof(u_int32_t));
>  	if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
>  		size += nla_total_size(sizeof(u_int32_t));
> -
> +	if (inst->flags & NFULNL_CFG_F_CONNTRACK) {
> +		nflog_ct = rcu_dereference(nfnl_ct_hook);
> +		if (nflog_ct != NULL) {
> +			ct = nflog_ct->get_ct(skb, &ctinfo);
> +			if (ct != NULL)
> +				size += nflog_ct->build_size(ct);
> +		}
> +	}
>  	qthreshold = inst->qthreshold;
>  	/* per-rule qthreshold overrides per-instance */
>  	if (li->u.ulog.qthreshold)
> @@ -715,7 +738,7 @@ nfulnl_log_packet(struct net *net,
>  	inst->qlen++;
>  
>  	__build_packet_message(log, inst, skb, data_len, pf,
> -				hooknum, in, out, prefix, plen);
> +				hooknum, in, out, prefix, plen, ct, ctinfo);
>  
>  	if (inst->qlen >= qthreshold)
>  		__nfulnl_flush(inst);
> @@ -899,13 +922,20 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
>  	}
>  
>  	if (nfula[NFULA_CFG_FLAGS]) {
> -		__be16 flags = nla_get_be16(nfula[NFULA_CFG_FLAGS]);
> +		__be16 flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS]));

You have to use u16 instead, otherwise 'sparse' checks via make C=2
will complain.

>  		if (!inst) {
>  			ret = -ENODEV;
>  			goto out;
>  		}
> -		nfulnl_set_flags(inst, ntohs(flags));
> +
> +		if (flags & NFULNL_CFG_F_CONNTRACK &&
> +		    rcu_dereference(nfnl_ct_hook) == NULL) {
> +			ret = -EOPNOTSUPP;
> +			goto out_put;
> +		}
> +
> +		nfulnl_set_flags(inst, flags);
>  	}
>  
>  out_put:
> -- 
> 1.7.10.4
> 


* Re: [PATCH lnf-log 1/3] include: Sync with kernel headers
  2015-09-11  3:12       ` [PATCH lnf-log 1/3] include: Sync with kernel headers Ken-ichirou MATSUZAWA
@ 2015-10-12 15:21         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-10-12 15:21 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Fri, Sep 11, 2015 at 12:12:11PM +0900, Ken-ichirou MATSUZAWA wrote:
> Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>

Applied now that we got the kernelspace bits upstream, thanks.


* Re: [PATCH lnf-log 2/3] nlmsg: Add NFULA_CT and NFULA_CT_INFO attributes support
  2015-09-11  3:14       ` [PATCH lnf-log 2/3] nlmsg: Add NFULA_CT and NFULA_CT_INFO attributes support Ken-ichirou MATSUZAWA
@ 2015-10-12 15:21         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-10-12 15:21 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Fri, Sep 11, 2015 at 12:14:25PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch validate NFULA_CT and NFULA_CT_INFO attributes,

Also applied, thanks.


* Re: [PATCH lnf-log 3/3] utils: nf-log: attaching a conntrack information
  2015-09-11  3:15       ` [PATCH lnf-log 3/3] utils: nf-log: attaching a conntrack information Ken-ichirou MATSUZAWA
@ 2015-10-12 15:26         ` Pablo Neira Ayuso
  2015-10-15  4:35           ` Ken-ichirou MATSUZAWA
  0 siblings, 1 reply; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-10-12 15:26 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Fri, Sep 11, 2015 at 12:15:35PM +0900, Ken-ichirou MATSUZAWA wrote:
> diff --git a/utils/nf-log.c b/utils/nf-log.c
> index 5f2a192..1418af4 100644
> --- a/utils/nf-log.c
> +++ b/utils/nf-log.c
> @@ -3,15 +3,108 @@
>  #include <stdlib.h>
>  #include <arpa/inet.h>
>  
> -#include <linux/netfilter/nfnetlink_log.h>
> +/* #include <linux/netfilter/nfnetlink_log.h> */

Do you remember why you had to comment out this line?

> +#include <libnetfilter_log/linux_nfnetlink_log.h>
>  
>  #include <libmnl/libmnl.h>
>  #include <libnetfilter_log/libnetfilter_log.h>
>  
> +#include "../config.h"
> +#ifdef BUILD_NFCT
> +#include <linux/netfilter/nf_conntrack_common.h>
> +#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
> +#endif
> +
> +#ifdef BUILD_NFCT
> +static int print_ctinfo(const struct nlattr *const attr)
> +{
> +	char *s = NULL;
> +
> +	if (attr == NULL)
> +		return MNL_CB_OK;
> +
> +	switch (ntohl(mnl_attr_get_u32(attr))) {
> +	case IP_CT_ESTABLISHED:
> +		s = "IP_CT_ESTABLISHED";

For this example, you can probably simplify this with.

        case IP_CT_ESTABLISHED:
        case IP_CT_ESTABLISHED_REPLY:
                s = "ESTABLISHED";

> +		break;
> +	case IP_CT_RELATED:
> +		s = "IP_CT_RELATED";
> +		break;
> +	case IP_CT_NEW:
> +		s = "IP_CT_NEW";
> +		break;
> +	case IP_CT_IS_REPLY:
> +		s = "IP_CT_IS_REPLY";
> +		break;

IP_CT_IS_REPLY is never used alone; it is always combined with the NEW,
ESTABLISHED or RELATED states.

> +	/* case IP_CT_ESTABLISHED_REPLY: == IP_CT_IS_REPLY
> +	 *	s = "IP_CT_ESTABLISHED_REPLY";
> +	 *	break;
> +	 */
> +	case IP_CT_RELATED_REPLY:
> +		s = "IP_CT_RELATED_REPLY";
> +		break;
> +	case IP_CT_NEW_REPLY:
> +		s = "IP_CT_NEW_REPLY";
> +		break;
> +	/* case IP_CT_NUMBER: == IP_CT_NEW_REPLY
> +	 *	s ="IP_CT_NUMBER";
> +	 *	break;
> +	 */

IP_CT_NUMBER should never happen. Please remove this code.

Same applied to the libnetfilter_queue example that you posted.

Thanks.


* Re: [PATCH lnf-log 3/3] utils: nf-log: attaching a conntrack information
  2015-10-12 15:26         ` Pablo Neira Ayuso
@ 2015-10-15  4:35           ` Ken-ichirou MATSUZAWA
  2015-10-15  4:39             ` [PATCHv2 lnf-log] " Ken-ichirou MATSUZAWA
  0 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-10-15  4:35 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Mon, Oct 12, 2015 at 05:26:30PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Sep 11, 2015 at 12:15:35PM +0900, Ken-ichirou MATSUZAWA wrote:
> > -#include <linux/netfilter/nfnetlink_log.h>
> > +/* #include <linux/netfilter/nfnetlink_log.h> */
> 
> Do you remember why you had to comment out this line?

I think I intended to use the previously synced linux_nfnetlink_log.h
and made this mistake.

> > +	switch (ntohl(mnl_attr_get_u32(attr))) {
> > +	case IP_CT_ESTABLISHED:
> > +		s = "IP_CT_ESTABLISHED";
> 
> For this example, you can probably simplify this with.
> 
>         case IP_CT_ESTABLISHED:
>         case IP_CT_ESTABLISHED_REPLY:
>                 s = "ESTABLISHED";
[...]
> IP_CT_IS_REPLY is never used alone, it's is always combined with NEW,
> ESTABLISHED, RELATED states.
[...]
> IP_CT_NUMBER should never happen. Please remove this code.

I have tried to fix the above; would you review the following again?
Thanks,


* [PATCHv2 lnf-log] utils: nf-log: attaching a conntrack information
  2015-10-15  4:35           ` Ken-ichirou MATSUZAWA
@ 2015-10-15  4:39             ` Ken-ichirou MATSUZAWA
  2015-10-16 16:59               ` Pablo Neira Ayuso
  0 siblings, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2015-10-15  4:39 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This patch enables nf-log in the utils directory to show conntrack
information if libnetfilter_conntrack exists.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 configure.ac      |   5 +++
 utils/Makefile.am |   3 ++
 utils/nf-log.c    | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 111 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index ead9399..7d58f09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,6 +4,7 @@ AC_INIT([libnetfilter_log], [1.0.1])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CANONICAL_HOST
 AC_CONFIG_MACRO_DIR([m4])
+AC_CONFIG_HEADERS([config.h])
 
 AM_INIT_AUTOMAKE([-Wall foreign subdir-objects
 	tar-pax no-dist-gzip dist-bzip2 1.6])
@@ -31,6 +32,10 @@ AM_CONDITIONAL([BUILD_IPULOG], [test "x$with_ipulog" != xno])
 dnl Dependencies
 PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 0.0.41])
 PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.2],
+		  [AC_DEFINE([BUILD_NFCT], [1], [building nfct integration example]) HAVE_LNFCT=1],
+		  [HAVE_LNFCT=0])
+AM_CONDITIONAL([BUILD_NFCT], [test "$HAVE_LNFCT" -eq 1])
 
 dnl Output the makefile
 AC_CONFIG_FILES([Makefile src/Makefile include/Makefile
diff --git a/utils/Makefile.am b/utils/Makefile.am
index dfe5f34..baef81a 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -9,6 +9,9 @@ nfulnl_test_LDFLAGS = -dynamic
 nf_log_SOURCES = nf-log.c
 nf_log_LDADD = ../src/libnetfilter_log.la
 nf_log_LDFLAGS = -dynamic -lmnl
+if BUILD_NFCT
+nf_log_LDFLAGS += $(LIBNETFILTER_CONNTRACK_LIBS)
+endif
 
 if BUILD_IPULOG
 check_PROGRAMS += ulog_test
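Review bot: `nf_log_LDFLAGS += $(LIBNETFILTER_CONNTRACK_LIBS)` puts a library list into LDFLAGS, where automake places it before the object files on the link line; with a linker that defaults to --as-needed the library can then be dropped, and the automake convention for libraries is `nf_log_LDADD += $(LIBNETFILTER_CONNTRACK_LIBS)`. The matching `$(LIBNETFILTER_CONNTRACK_CFLAGS)` produced by the PKG_CHECK_MODULES call in configure.ac is not used anywhere, so a libnetfilter_conntrack installed in a non-default prefix would be found by the linker but not by the compiler. The resent copy of this patch later in the thread carries the same two issues.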
diff --git a/utils/nf-log.c b/utils/nf-log.c
index 5f2a192..006d4b0 100644
--- a/utils/nf-log.c
+++ b/utils/nf-log.c
@@ -3,15 +3,109 @@
 #include <stdlib.h>
 #include <arpa/inet.h>
 
-#include <linux/netfilter/nfnetlink_log.h>
+#include <libnetfilter_log/linux_nfnetlink_log.h>
 
 #include <libmnl/libmnl.h>
 #include <libnetfilter_log/libnetfilter_log.h>
 
+#include "../config.h"
+#ifdef BUILD_NFCT
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#endif
+
+#ifdef BUILD_NFCT
+static int print_ctinfo(const struct nlattr *const attr)
+{
+	uint32_t ctinfo;
+
+	if (attr == NULL)
+		return MNL_CB_OK;
+
+	ctinfo = ntohl(mnl_attr_get_u32(attr));
+	printf("  ip_conntrack_info:");
+
+	switch (CTINFO2DIR(ctinfo)) {
+	case IP_CT_DIR_ORIGINAL:
+		printf(" ORIGINAL /");
+		break;
+	case IP_CT_DIR_REPLY:
+		printf(" REPLY /");
+		break;
+	default:
+		printf(" unknown dir: %d\n", CTINFO2DIR(ctinfo));
+		return MNL_CB_ERROR;
+	}
+
+	switch (ctinfo) {
+	case IP_CT_ESTABLISHED:
+	case IP_CT_ESTABLISHED_REPLY:
+		printf(" ESTABLISHED\n");
+		break;
+	case IP_CT_RELATED:
+	case IP_CT_RELATED_REPLY:
+		printf(" RELATED\n");
+		break;
+	case IP_CT_NEW:
+	case IP_CT_NEW_REPLY:
+		printf(" NEW\n");
+		break;
+	default:
+		printf(" unknown ctinfo: %d\n", ctinfo);
+		return MNL_CB_ERROR;
+	}
+
+	return MNL_CB_OK;
+}
+
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	char buf[4096];
+	struct nf_conntrack *ct = NULL;
+
+	if (info_attr != NULL)
+		print_ctinfo(info_attr);
+
+	if (ct_attr == NULL)
+		return MNL_CB_OK;
+
+	ct = nfct_new();
+	if (ct == NULL) {
+		perror("nfct_new");
+		return MNL_CB_ERROR;
+	}
+
+	if (nfct_payload_parse(mnl_attr_get_payload(ct_attr),
+			       mnl_attr_get_payload_len(ct_attr),
+			       family, ct) < 0) {
+		perror("nfct_payload_parse");
+		nfct_destroy(ct);
+		return MNL_CB_ERROR;
+	}
+
+	nfct_snprintf(buf, sizeof(buf), ct, 0, NFCT_O_DEFAULT, 0);
+	printf("  %s\n", buf);
+	nfct_destroy(ct);
+
+	return MNL_CB_OK;
+}
+#else
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	return MNL_CB_OK;
+}
+#endif
+
 static int log_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct nlattr *attrs[NFULA_MAX + 1] = { NULL };
 	struct nfulnl_msg_packet_hdr *ph = NULL;
+	struct nfgenmsg *nfg;
 	const char *prefix = NULL;
 	uint32_t mark = 0;
 	char buf[4096];
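Review bot: `printf(" unknown ctinfo: %d\n", ctinfo)` in print_ctinfo's second `default:` passes a uint32_t to `%d`; use `%u` (or `PRIu32` from <inttypes.h>) so the conversion matches the argument. In the same hunk print_nfct discards print_ctinfo's return value, so the MNL_CB_ERROR it returns for an unrecognised ctinfo never reaches a caller — either `if (print_ctinfo(info_attr) != MNL_CB_OK) return MNL_CB_ERROR;` or make print_ctinfo void, so the two agree. The first `default:` looks unreachable as far as I can tell, since CTINFO2DIR only yields IP_CT_DIR_ORIGINAL or IP_CT_DIR_REPLY; if it is kept as a guard, a one-line comment saying so would help. The `#else` stub of print_nfct leaves all three parameters unused, which -Wextra reports; `(void)family; (void)info_attr; (void)ct_attr;` silences it. The resent copy of this patch later in the thread carries the same code.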
@@ -21,6 +115,8 @@ static int log_cb(const struct nlmsghdr *nlh, void *data)
 	if (ret != MNL_CB_OK)
 		return ret;
 
+	nfg = mnl_nlmsg_get_payload(nlh);
+
 	if (attrs[NFULA_PACKET_HDR])
 		ph = mnl_attr_get_payload(attrs[NFULA_PACKET_HDR]);
 	if (attrs[NFULA_PREFIX])
@@ -38,6 +134,8 @@ static int log_cb(const struct nlmsghdr *nlh, void *data)
 		return MNL_CB_ERROR;
 	printf("%s (ret=%d)\n", buf, ret);
 
+	print_nfct(nfg->nfgen_family, attrs[NFULA_CT_INFO], attrs[NFULA_CT]);
+
 	return MNL_CB_OK;
 }
 
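Review bot: print_nfct's return value is discarded on the added call, so a MNL_CB_ERROR from nfct_new() or nfct_payload_parse() is silently swallowed by log_cb while the other error paths of this callback return MNL_CB_ERROR. If the intent is that a packet whose NFULA_CT attribute cannot be parsed should still be logged rather than aborting the mnl_cb_run() loop, say so at the call site, e.g. `/* best effort: an unparseable NFULA_CT must not stop the log loop */`; otherwise `return print_nfct(nfg->nfgen_family, attrs[NFULA_CT_INFO], attrs[NFULA_CT]);` propagates it. Reading `nfg->nfgen_family` here is only safe if the attribute parse earlier in log_cb already checked that the message carries a full struct nfgenmsg, which I cannot see from this hunk. log_cb starts outside the hunk.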
@@ -108,6 +206,10 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
+#ifdef BUILD_NFCT
+	mnl_attr_put_u16(nlh, NFULA_CFG_FLAGS, htons(NFULNL_CFG_F_CONNTRACK));
+#endif
+
 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 		perror("mnl_socket_sendto");
 		exit(EXIT_FAILURE);
-- 
2.1.4



* Re: [PATCHv2 lnf-log] utils: nf-log: attaching a conntrack information
  2015-10-15  4:39             ` [PATCHv2 lnf-log] " Ken-ichirou MATSUZAWA
@ 2015-10-16 16:59               ` Pablo Neira Ayuso
  2016-11-15  7:36                 ` Ken-ichirou MATSUZAWA
  0 siblings, 1 reply; 39+ messages in thread
From: Pablo Neira Ayuso @ 2015-10-16 16:59 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Thu, Oct 15, 2015 at 01:39:25PM +0900, Ken-ichirou MATSUZAWA wrote:
> diff --git a/utils/nf-log.c b/utils/nf-log.c
> index 5f2a192..006d4b0 100644
> --- a/utils/nf-log.c
> +++ b/utils/nf-log.c
> @@ -3,15 +3,109 @@
>  #include <stdlib.h>
>  #include <arpa/inet.h>
>  
> -#include <linux/netfilter/nfnetlink_log.h>
> +#include <libnetfilter_log/linux_nfnetlink_log.h>
>  
>  #include <libmnl/libmnl.h>
>  #include <libnetfilter_log/libnetfilter_log.h>
>  
> +#include "../config.h"

I think you can update configure.ac to update CFLAGS, like this:

        CFLAGS="$CFLAGS -DBUILD_NFCT"

so we can skip this include.

I think it would be good if people can take the examples out of the
tree and compile them by hand, e.g.

        gcc -lnetfilter_log -lnetfilter_conntrack -lmnl -DBUILD_NFCT nf-log.c -o nf-log

Thanks.


* Re: [PATCHv2 lnf-log] utils: nf-log: attaching a conntrack information
  2015-10-16 16:59               ` Pablo Neira Ayuso
@ 2016-11-15  7:36                 ` Ken-ichirou MATSUZAWA
  2016-11-15  7:38                   ` Ken-ichirou MATSUZAWA
  2016-11-24 13:15                   ` Pablo Neira Ayuso
  0 siblings, 2 replies; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2016-11-15  7:36 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

 Hi, sorry for being so late.
 
On Fri, Oct 16, 2015 at 06:59:08PM +0200, Pablo Neira Ayuso wrote:
> I think you can update configure.ac to update CFLAGS, like this:
> 
>         CFLAGS="$CFLAGS -DBUILD_NFCT"
> 
> so we can skip this include.

We can avoid to (re)run autogen.sh without lnf-conntrack at first
then install it after, but

>         gcc -lnetfilter_log -lnetfilter_conntrack -lmnl -DBUILD_NFCT nf-log.c -o nf-log

this makes sense; I will follow your advice.

I have run into another issue related to lnf-conntrack; could you give me
some advice? The following patch gives a compile error:

    In file included from nf-log.c:14:0:
    /usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: nested redefinition of ‘enum ip_conntrack_status’
     enum ip_conntrack_status {
          ^
    /usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: redeclaration of ‘enum ip_conntrack_status’
    In file included from nf-log.c:12:0:
    /usr/include/linux/netfilter/nf_conntrack_common.h:37:6: note: originally defined here
     enum ip_conntrack_status {

since both libnetfilter_conntrack.h and nf_conntrack_common.h
define ip_conntrack_status. Could you tell me how I can avoid such an
error when using ip_conntrack_status and ip_conntrack_info?

# It seems that the previous 2 patches I posted with this
# have not been applied yet?

Thanks,


* Re: [PATCHv2 lnf-log] utils: nf-log: attaching a conntrack information
  2016-11-15  7:36                 ` Ken-ichirou MATSUZAWA
@ 2016-11-15  7:38                   ` Ken-ichirou MATSUZAWA
  2016-11-24 11:54                     ` Pablo Neira Ayuso
  2016-11-24 13:15                   ` Pablo Neira Ayuso
  1 sibling, 1 reply; 39+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2016-11-15  7:38 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This patch enables nf-log in the utils directory to show conntrack
information if libnetfilter_conntrack exists.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>

diff --git a/configure.ac b/configure.ac
index ead9399..c914e00 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@ AM_PROG_LIBTOOL
 AC_PROG_INSTALL
 AC_PROG_LN_S
 
-case "$host" in 
+case "$host" in
 *-*-linux* | *-*-uclinux*) ;;
 *) AC_MSG_ERROR([Linux only, dude!]);;
 esac
@@ -31,6 +31,9 @@ AM_CONDITIONAL([BUILD_IPULOG], [test "x$with_ipulog" != xno])
 dnl Dependencies
 PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 0.0.41])
 PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.2],
+		  [HAVE_LNFCT=1], [HAVE_LNFCT=0])
+AM_CONDITIONAL([BUILD_NFCT], [test "$HAVE_LNFCT" -eq 1])
 
 dnl Output the makefile
 AC_CONFIG_FILES([Makefile src/Makefile include/Makefile
diff --git a/utils/Makefile.am b/utils/Makefile.am
index dfe5f34..a848b10 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -9,6 +9,10 @@ nfulnl_test_LDFLAGS = -dynamic
 nf_log_SOURCES = nf-log.c
 nf_log_LDADD = ../src/libnetfilter_log.la
 nf_log_LDFLAGS = -dynamic -lmnl
+if BUILD_NFCT
+nf_log_LDFLAGS += $(LIBNETFILTER_CONNTRACK_LIBS)
+nf_log_CFLAGS = -DBUILD_NFCT
+endif
 
 if BUILD_IPULOG
 check_PROGRAMS += ulog_test
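Review bot: `nf_log_CFLAGS = -DBUILD_NFCT` is a per-target CFLAGS, which makes automake compile nf-log.c into a renamed per-target object and, on older automake releases, requires AM_PROG_CC_C_O in configure.ac; whether configure.ac already has it is not visible in this patch. Since the only purpose is a preprocessor define, `nf_log_CPPFLAGS = -DBUILD_NFCT` is the conventional variable, and `$(LIBNETFILTER_CONNTRACK_CFLAGS)` from the PKG_CHECK_MODULES call still is not added to either. A per-target CFLAGS also replaces AM_CFLAGS for this target if one is set elsewhere in this Makefile.am.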
diff --git a/utils/nf-log.c b/utils/nf-log.c
index 5f2a192..ad8369c 100644
--- a/utils/nf-log.c
+++ b/utils/nf-log.c
@@ -3,15 +3,108 @@
 #include <stdlib.h>
 #include <arpa/inet.h>
 
-#include <linux/netfilter/nfnetlink_log.h>
+#include <libnetfilter_log/linux_nfnetlink_log.h>
 
 #include <libmnl/libmnl.h>
 #include <libnetfilter_log/libnetfilter_log.h>
 
+#ifdef BUILD_NFCT
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#endif
+
+#ifdef BUILD_NFCT
+static int print_ctinfo(const struct nlattr *const attr)
+{
+	uint32_t ctinfo;
+
+	if (attr == NULL)
+		return MNL_CB_OK;
+
+	ctinfo = ntohl(mnl_attr_get_u32(attr));
+	printf("  ip_conntrack_info:");
+
+	switch (CTINFO2DIR(ctinfo)) {
+	case IP_CT_DIR_ORIGINAL:
+		printf(" ORIGINAL /");
+		break;
+	case IP_CT_DIR_REPLY:
+		printf(" REPLY /");
+		break;
+	default:
+		printf(" unknown dir: %d\n", CTINFO2DIR(ctinfo));
+		return MNL_CB_ERROR;
+	}
+
+	switch (ctinfo) {
+	case IP_CT_ESTABLISHED:
+	case IP_CT_ESTABLISHED_REPLY:
+		printf(" ESTABLISHED\n");
+		break;
+	case IP_CT_RELATED:
+	case IP_CT_RELATED_REPLY:
+		printf(" RELATED\n");
+		break;
+	case IP_CT_NEW:
+	case IP_CT_NEW_REPLY:
+		printf(" NEW\n");
+		break;
+	default:
+		printf(" unknown ctinfo: %d\n", ctinfo);
+		return MNL_CB_ERROR;
+	}
+
+	return MNL_CB_OK;
+}
+
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	char buf[4096];
+	struct nf_conntrack *ct = NULL;
+
+	if (info_attr != NULL)
+		print_ctinfo(info_attr);
+
+	if (ct_attr == NULL)
+		return MNL_CB_OK;
+
+	ct = nfct_new();
+	if (ct == NULL) {
+		perror("nfct_new");
+		return MNL_CB_ERROR;
+	}
+
+	if (nfct_payload_parse(mnl_attr_get_payload(ct_attr),
+			       mnl_attr_get_payload_len(ct_attr),
+			       family, ct) < 0) {
+		perror("nfct_payload_parse");
+		nfct_destroy(ct);
+		return MNL_CB_ERROR;
+	}
+
+	nfct_snprintf(buf, sizeof(buf), ct, 0, NFCT_O_DEFAULT, 0);
+	printf("  %s\n", buf);
+	nfct_destroy(ct);
+
+	return MNL_CB_OK;
+}
+#else
+static int print_nfct(uint8_t family,
+		      const struct nlattr *const info_attr,
+		      const struct nlattr *const ct_attr)
+{
+	return MNL_CB_OK;
+}
+#endif
+
 static int log_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct nlattr *attrs[NFULA_MAX + 1] = { NULL };
 	struct nfulnl_msg_packet_hdr *ph = NULL;
+	struct nfgenmsg *nfg;
 	const char *prefix = NULL;
 	uint32_t mark = 0;
 	char buf[4096];
@@ -21,6 +114,8 @@ static int log_cb(const struct nlmsghdr *nlh, void *data)
 	if (ret != MNL_CB_OK)
 		return ret;
 
+	nfg = mnl_nlmsg_get_payload(nlh);
+
 	if (attrs[NFULA_PACKET_HDR])
 		ph = mnl_attr_get_payload(attrs[NFULA_PACKET_HDR]);
 	if (attrs[NFULA_PREFIX])
@@ -38,6 +133,8 @@ static int log_cb(const struct nlmsghdr *nlh, void *data)
 		return MNL_CB_ERROR;
 	printf("%s (ret=%d)\n", buf, ret);
 
+	print_nfct(nfg->nfgen_family, attrs[NFULA_CT_INFO], attrs[NFULA_CT]);
+
 	return MNL_CB_OK;
 }
 
@@ -108,6 +205,10 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
+#ifdef BUILD_NFCT
+	mnl_attr_put_u16(nlh, NFULA_CFG_FLAGS, htons(NFULNL_CFG_F_CONNTRACK));
+#endif
+
 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 		perror("mnl_socket_sendto");
 		exit(EXIT_FAILURE);
-- 
2.1.4



* Re: [PATCHv2 lnf-log] utils: nf-log: attaching a conntrack information
  2016-11-15  7:38                   ` Ken-ichirou MATSUZAWA
@ 2016-11-24 11:54                     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2016-11-24 11:54 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Tue, Nov 15, 2016 at 04:38:16PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch enables nf-log in utils directory to show conntrack
> information if libnetfilter_conntrack exists.

Applied, thanks Ken-ichirou.

We already got one user asking for this, so this is useful :)


* Re: [PATCHv2 lnf-log] utils: nf-log: attaching a conntrack information
  2016-11-15  7:36                 ` Ken-ichirou MATSUZAWA
  2016-11-15  7:38                   ` Ken-ichirou MATSUZAWA
@ 2016-11-24 13:15                   ` Pablo Neira Ayuso
  1 sibling, 0 replies; 39+ messages in thread
From: Pablo Neira Ayuso @ 2016-11-24 13:15 UTC (permalink / raw)
  To: Ken-ichirou MATSUZAWA; +Cc: netfilter-devel

On Tue, Nov 15, 2016 at 04:36:02PM +0900, Ken-ichirou MATSUZAWA wrote:
>  Hi, sorry for so much late.
>  
> On Fri, Oct 16, 2015 at 06:59:08PM +0200, Pablo Neira Ayuso wrote:
> > I think you can update configure.ac to update CFLAGS, like this:
> > 
> >         CFLAGS="$CFLAGS -DBUILD_NFCT"
> > 
> > so we can skip this include.
> 
> We can avoid to (re)run autogen.sh without lnf-conntrack at first
> then install it after, but
> 
> >         gcc -lnetfilter_log -lnetfilter_conntrack -lmnl -DBUILD_NFCT nf-log.c -o nf-log
> 
> this make a sense, I follow your advice.
> 
> I have met another issue related to lnf-conntrack, could you give me
> some advice? The following patch is compile error:
> 
>     In file included from nf-log.c:14:0:
>     /usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: nested redefinition of ‘enum ip_conntrack_status’
>      enum ip_conntrack_status {
>           ^
>     /usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:729:6: error: redeclaration of ‘enum ip_conntrack_status’
>     In file included from nf-log.c:12:0:
>     /usr/include/linux/netfilter/nf_conntrack_common.h:37:6: note: originally defined here
>      enum ip_conntrack_status {
> 
> since both libnetfilter_conntrack.h and nf_conntrack_common.h
> defines ip_conntrack_status. Could you tell me how do I avoid such a
> error when using ip_conntrack_status and ip_conntrack_info?

I have just fixed this on the repository:

commit 9833df6abd4d5ef381354e32b2d7d7afa7a616fe
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Nov 24 14:09:34 2016 +0100

    include: expose a copy of nf_conntrack_common.h
    
    Copy and rename nf_conntrack_common.h to linux_nf_conntrack_common.h,
    then include it from libnetfilter_conntrack.h
    
Please, let me know if you see any problem with such update, thanks.

