conntrackd: implement selective flushing for `-t' and `-F' commands

This patch changes the current behaviour of `-t' and `-F' commands,
that results in flushing the kernel conntrack table. With this patch,
the entries that match the Filter clauses in conntrackd.conf are
ignored.

This fixes the situation in which some local ssh connection to the
firewall is lost during the failover (since `-t' is invoked from the
primary-backup.sh script).

Note that the Filter clause tells what entries have to be ignored,
ie. the entries that do not need to be replicated. It makes sense
not to flush entries that are not replicated (usually traffic to
the local firewall).

Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 35 insertions, 2 deletions

diff --git a/src/netlink.c b/src/netlink.c
index fe979e3..bd38d99 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -151,9 +151,42 @@ int nl_dump_conntrack_table(struct nfct_handle *h)
 	return nfct_query(h, NFCT_Q_DUMP, &CONFIG(family));
 }
 
-int nl_flush_conntrack_table(struct nfct_handle *h)
+static int
+nl_flush_selective_cb(enum nf_conntrack_msg_type type,
+		      struct nf_conntrack *ct, void *data)
 {
-	return nfct_query(h, NFCT_Q_FLUSH, &CONFIG(family));
+	/* don't delete this conntrack, it's in the ignore filter */
+	if (ct_filter_conntrack(ct, 1))
+		return NFCT_CB_CONTINUE;
+
+	switch(type) {
+	case NFCT_T_UPDATE:
+		nl_destroy_conntrack(STATE(flush), ct);
+		break;
+	default:
+		STATE(stats).nl_dump_unknown_type++;
+		break;
+	}
+	return NFCT_CB_CONTINUE;
+}
+
+int nl_flush_conntrack_table_selective(void)
+{
+	struct nfct_handle *h;
+	int ret;
+
+	h = nfct_open(CONNTRACK, 0);
+	if (h == NULL) {
+		dlog(LOG_ERR, "cannot open handle");
+		return -1;
+	}
+	nfct_callback_register(h, NFCT_T_ALL, nl_flush_selective_cb, NULL);
+
+	ret = nfct_query(h, NFCT_Q_DUMP, &CONFIG(family));
+
+	nfct_close(h);
+
+	return ret;
 }
 
 int nl_send_resync(struct nfct_handle *h)