* [PATCH lnf-conntrack 1/4] include: sync uapi header with nf-next
2021-08-02 9:12 [PATCH] conntrack-tools: support conntrack dump status filtering Florian Westphal
@ 2021-08-02 9:12 ` Florian Westphal
2021-08-02 9:12 ` [PATCH lnf-conntrack 2/4] src: add support for status dump filter Florian Westphal
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2021-08-02 9:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
.../linux_nfnetlink_conntrack.h | 24 +++++++++++++++----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
index 0e9af6c1ebd7..6c8de4eb7472 100644
--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
@@ -58,6 +58,8 @@ enum ctattr_type {
CTA_LABELS,
CTA_LABELS_MASK,
CTA_SYNPROXY,
+ CTA_FILTER,
+ CTA_STATUS_MASK,
__CTA_MAX
};
#define CTA_MAX (__CTA_MAX - 1)
@@ -121,6 +123,7 @@ enum ctattr_protoinfo_dccp {
CTA_PROTOINFO_DCCP_STATE,
CTA_PROTOINFO_DCCP_ROLE,
CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
+ CTA_PROTOINFO_DCCP_PAD,
__CTA_PROTOINFO_DCCP_MAX,
};
#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
@@ -140,6 +143,7 @@ enum ctattr_counters {
CTA_COUNTERS_BYTES, /* 64bit counters */
CTA_COUNTERS32_PACKETS, /* old 32bit counters, unused */
CTA_COUNTERS32_BYTES, /* old 32bit counters, unused */
+ CTA_COUNTERS_PAD,
__CTA_COUNTERS_MAX
};
#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
@@ -148,6 +152,7 @@ enum ctattr_tstamp {
CTA_TIMESTAMP_UNSPEC,
CTA_TIMESTAMP_START,
CTA_TIMESTAMP_STOP,
+ CTA_TIMESTAMP_PAD,
__CTA_TIMESTAMP_MAX
};
#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)
@@ -242,13 +247,13 @@ enum ctattr_secctx {
enum ctattr_stats_cpu {
CTA_STATS_UNSPEC,
- CTA_STATS_SEARCHED,
+ CTA_STATS_SEARCHED, /* no longer used */
CTA_STATS_FOUND,
- CTA_STATS_NEW,
+ CTA_STATS_NEW, /* no longer used */
CTA_STATS_INVALID,
- CTA_STATS_IGNORE,
- CTA_STATS_DELETE,
- CTA_STATS_DELETE_LIST,
+ CTA_STATS_IGNORE, /* no longer used */
+ CTA_STATS_DELETE, /* no longer used */
+ CTA_STATS_DELETE_LIST, /* no longer used */
CTA_STATS_INSERT,
CTA_STATS_INSERT_FAILED,
CTA_STATS_DROP,
@@ -263,6 +268,7 @@ enum ctattr_stats_cpu {
enum ctattr_stats_global {
CTA_STATS_GLOBAL_UNSPEC,
CTA_STATS_GLOBAL_ENTRIES,
+ CTA_STATS_GLOBAL_MAX_ENTRIES,
__CTA_STATS_GLOBAL_MAX,
};
#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
@@ -276,6 +282,14 @@ enum ctattr_expect_stats {
};
#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
+enum ctattr_filter {
+ CTA_FILTER_UNSPEC,
+ CTA_FILTER_ORIG_FLAGS,
+ CTA_FILTER_REPLY_FLAGS,
+ __CTA_FILTER_MAX
+};
+#define CTA_FILTER_MAX (__CTA_FILTER_MAX - 1)
+
#ifdef __cplusplus
}
#endif
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH lnf-conntrack 2/4] src: add support for status dump filter
2021-08-02 9:12 [PATCH] conntrack-tools: support conntrack dump status filtering Florian Westphal
2021-08-02 9:12 ` [PATCH lnf-conntrack 1/4] include: sync uapi header with nf-next Florian Westphal
@ 2021-08-02 9:12 ` Florian Westphal
2021-08-02 9:12 ` [PATCH conntrack-tools 3/4] conntrack: enable kernel-based status filtering with -L -u STATUS Florian Westphal
2021-08-02 9:12 ` [PATCH conntrack-tools 4/4] conntrack: add shorthand mnemonic for UNREPLIED Florian Westphal
3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2021-08-02 9:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This tells kernel to suppress conntrack entries that do not match
the status bits/bitmask filter.
This is useful to e.g. only list entries that are not assured
(value 0, mask == ASSUED) or entries that only saw one-way traffic
(value 0, mask == SEEN_REPLY).
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/internal/object.h | 1 +
.../libnetfilter_conntrack.h | 5 +++--
src/conntrack/filter_dump.c | 17 +++++++++++++++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/include/internal/object.h b/include/internal/object.h
index 3f6904f16d8b..75ffdbe97229 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -287,6 +287,7 @@ struct nfct_filter {
struct nfct_filter_dump {
struct nfct_filter_dump_mark mark;
+ struct nfct_filter_dump_mark status;
uint8_t l3num;
uint32_t set;
};
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index f02d827761a8..6233434cfeb8 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -137,11 +137,11 @@ enum nf_conntrack_attr {
ATTR_HELPER_INFO, /* variable length */
ATTR_CONNLABELS, /* variable length */
ATTR_CONNLABELS_MASK, /* variable length */
- ATTR_ORIG_ZONE, /* u16 bits */
+ ATTR_ORIG_ZONE = 68, /* u16 bits */
ATTR_REPL_ZONE, /* u16 bits */
ATTR_SNAT_IPV6, /* u128 bits */
ATTR_DNAT_IPV6, /* u128 bits */
- ATTR_SYNPROXY_ISN, /* u32 bits */
+ ATTR_SYNPROXY_ISN = 72, /* u32 bits */
ATTR_SYNPROXY_ITS, /* u32 bits */
ATTR_SYNPROXY_TSOFF, /* u32 bits */
ATTR_MAX
@@ -546,6 +546,7 @@ struct nfct_filter_dump_mark {
enum nfct_filter_dump_attr {
NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */
NFCT_FILTER_DUMP_L3NUM, /* uint8_t */
+ NFCT_FILTER_DUMP_STATUS, /* struct nfct_filter_dump_mark */
NFCT_FILTER_DUMP_MAX
};
diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c
index 158b4cb1155d..3894d0638a72 100644
--- a/src/conntrack/filter_dump.c
+++ b/src/conntrack/filter_dump.c
@@ -19,6 +19,16 @@ set_filter_dump_attr_mark(struct nfct_filter_dump *filter_dump,
filter_dump->mark.mask = this->mask;
}
+static void
+set_filter_dump_attr_status(struct nfct_filter_dump *filter_dump,
+ const void *value)
+{
+ const struct nfct_filter_dump_mark *this = value;
+
+ filter_dump->status.val = this->val;
+ filter_dump->status.mask = this->mask;
+}
+
static void
set_filter_dump_attr_family(struct nfct_filter_dump *filter_dump,
const void *value)
@@ -29,6 +39,7 @@ set_filter_dump_attr_family(struct nfct_filter_dump *filter_dump,
const set_filter_dump_attr set_filter_dump_attr_array[NFCT_FILTER_DUMP_MAX] = {
[NFCT_FILTER_DUMP_MARK] = set_filter_dump_attr_mark,
[NFCT_FILTER_DUMP_L3NUM] = set_filter_dump_attr_family,
+ [NFCT_FILTER_DUMP_STATUS] = set_filter_dump_attr_status,
};
void __build_filter_dump(struct nfnlhdr *req, size_t size,
@@ -44,4 +55,10 @@ void __build_filter_dump(struct nfnlhdr *req, size_t size,
struct nfgenmsg *nfg = NLMSG_DATA(&req->nlh);
nfg->nfgen_family = filter_dump->l3num;
}
+ if (filter_dump->set & (1 << NFCT_FILTER_DUMP_STATUS)) {
+ nfnl_addattr32(&req->nlh, size, CTA_STATUS,
+ htonl(filter_dump->status.val));
+ nfnl_addattr32(&req->nlh, size, CTA_STATUS_MASK,
+ htonl(filter_dump->status.mask));
+ }
}
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH conntrack-tools 3/4] conntrack: enable kernel-based status filtering with -L -u STATUS
2021-08-02 9:12 [PATCH] conntrack-tools: support conntrack dump status filtering Florian Westphal
2021-08-02 9:12 ` [PATCH lnf-conntrack 1/4] include: sync uapi header with nf-next Florian Westphal
2021-08-02 9:12 ` [PATCH lnf-conntrack 2/4] src: add support for status dump filter Florian Westphal
@ 2021-08-02 9:12 ` Florian Westphal
2021-08-02 9:12 ` [PATCH conntrack-tools 4/4] conntrack: add shorthand mnemonic for UNREPLIED Florian Westphal
3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2021-08-02 9:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This change is backwards compatible:
Old kernels do not recognize CTA_STATUS_MASK attribute and will
ignore it (no filtering in kernel).
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/conntrack.c | 59 +++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 55 insertions(+), 4 deletions(-)
diff --git a/src/conntrack.c b/src/conntrack.c
index 987a52140633..cc564a2b4b1b 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -92,6 +92,10 @@ struct ct_tmpl {
struct nfct_filter_dump_mark filter_mark_kernel;
bool filter_mark_kernel_set;
+ /* Allow to filter by status from kernel-space. */
+ struct nfct_filter_dump_mark filter_status_kernel;
+ bool filter_status_kernel_set;
+
/* Allows filtering by ctlabels */
struct nfct_bitmask *label;
@@ -1146,7 +1150,7 @@ static struct parse_parameter {
};
static int
-do_parse_parameter(const char *str, size_t str_length, unsigned int *value,
+do_parse_parameter(const char *str, size_t str_length, unsigned int *value,
int parse_type)
{
size_t i;
@@ -1171,7 +1175,7 @@ do_parse_parameter(const char *str, size_t str_length, unsigned int *value,
ret = 1;
break;
}
-
+
return ret;
}
@@ -1192,6 +1196,41 @@ parse_parameter(const char *arg, unsigned int *status, int parse_type)
exit_error(PARAMETER_PROBLEM, "Bad parameter `%s'", arg);
}
+static void
+parse_parameter_mask(const char *arg, unsigned int *status, unsigned int *mask, int parse_type)
+{
+ unsigned int *value;
+ const char *comma;
+ bool negated;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg)
+ exit_error(PARAMETER_PROBLEM,"Bad parameter `%s'", arg);
+
+ negated = *arg == '!';
+ if (negated)
+ arg++;
+ if (comma == arg)
+ exit_error(PARAMETER_PROBLEM,"Bad parameter `%s'", arg);
+
+ value = negated ? mask : status;
+
+ if (!do_parse_parameter(arg, comma-arg, value, parse_type))
+ exit_error(PARAMETER_PROBLEM,"Bad parameter `%s'", arg);
+ arg = comma+1;
+ }
+
+ negated = *arg == '!';
+ if (negated)
+ arg++;
+ value = negated ? mask : status;
+
+ if (strlen(arg) == 0
+ || !do_parse_parameter(arg, strlen(arg),
+ value, parse_type))
+ exit_error(PARAMETER_PROBLEM, "Bad parameter `%s'", arg);
+}
+
static void
parse_u32_mask(const char *arg, struct u32_mask *m)
{
@@ -2914,8 +2953,16 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
break;
case 'u':
options |= CT_OPT_STATUS;
- parse_parameter(optarg, &status, PARSE_STATUS);
+ parse_parameter_mask(optarg, &status,
+ &tmpl->filter_status_kernel.mask,
+ PARSE_STATUS);
nfct_set_attr_u32(tmpl->ct, ATTR_STATUS, status);
+ if (tmpl->filter_status_kernel.mask == 0)
+ tmpl->filter_status_kernel.mask = status;
+
+ tmpl->mark.value = status;
+ tmpl->filter_status_kernel.val = tmpl->mark.value;
+ tmpl->filter_status_kernel_set = true;
break;
case 'e':
options |= CT_OPT_EVENT_MASK;
@@ -3171,7 +3218,11 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
nfct_filter_dump_set_attr_u8(filter_dump,
NFCT_FILTER_DUMP_L3NUM,
cmd->family);
-
+ if (cmd->tmpl.filter_status_kernel_set) {
+ nfct_filter_dump_set_attr(filter_dump,
+ NFCT_FILTER_DUMP_STATUS,
+ &cmd->tmpl.filter_status_kernel);
+ }
if (cmd->options & CT_OPT_ZERO)
res = nfct_query(cth, NFCT_Q_DUMP_FILTER_RESET,
filter_dump);
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH conntrack-tools 4/4] conntrack: add shorthand mnemonic for UNREPLIED
2021-08-02 9:12 [PATCH] conntrack-tools: support conntrack dump status filtering Florian Westphal
` (2 preceding siblings ...)
2021-08-02 9:12 ` [PATCH conntrack-tools 3/4] conntrack: enable kernel-based status filtering with -L -u STATUS Florian Westphal
@ 2021-08-02 9:12 ` Florian Westphal
3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2021-08-02 9:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
conntrack tool prints [UNREPLIED] if a conntrack entry lacks the
SEEN_REPLY bit. Accept this as '-u' argument too.
If requested, mask is set to SEEN_REPLY and value remains 0 (bit not set).
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/conntrack.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/conntrack.c b/src/conntrack.c
index cc564a2b4b1b..ef7f604c9e97 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1199,6 +1199,7 @@ parse_parameter(const char *arg, unsigned int *status, int parse_type)
static void
parse_parameter_mask(const char *arg, unsigned int *status, unsigned int *mask, int parse_type)
{
+ static const char unreplied[] = "UNREPLIED";
unsigned int *value;
const char *comma;
bool negated;
@@ -1215,6 +1216,12 @@ parse_parameter_mask(const char *arg, unsigned int *status, unsigned int *mask,
value = negated ? mask : status;
+ if (!negated && strncmp(arg, unreplied, strlen(unreplied)) == 0) {
+ *mask |= IPS_SEEN_REPLY;
+ arg = comma+1;
+ continue;
+ }
+
if (!do_parse_parameter(arg, comma-arg, value, parse_type))
exit_error(PARAMETER_PROBLEM,"Bad parameter `%s'", arg);
arg = comma+1;
@@ -1225,6 +1232,11 @@ parse_parameter_mask(const char *arg, unsigned int *status, unsigned int *mask,
arg++;
value = negated ? mask : status;
+ if (!negated && strncmp(arg, unreplied, strlen(unreplied)) == 0) {
+ *mask |= IPS_SEEN_REPLY;
+ return;
+ }
+
if (strlen(arg) == 0
|| !do_parse_parameter(arg, strlen(arg),
value, parse_type))
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread