conntrack: support flush filteringHEAD master

flushing already supports filtering on the kernel side for value like mark, l3num or zone. This patch extends the userspace code to also support this. To reduce code duplication the `nfct_filter_dump` struct and associated logic is reused. Note that filtering by tuple is not supported, since `CTA_FILTER` is not yet supported on the kernel side for flushing. Trying to use it returns ENOTSUP. Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Felix Huettner <felix.huettner@mail.schwarz> 2023-12-05 09:35:16 +0000
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-24 22:22:10 +0100
commit: 27f09380ebb0fc21c4cd20070b828a27430b5de1 (patch)
tree: 360d6ce202ac56056c7df17526a7145d09049c98 /src/conntrack/filter_dump.c
parent: 647de658b44b4942efe03bd8c1f89f2bd0a5f0e8 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c
index 0a19985..fd2d002 100644
--- a/src/conntrack/filter_dump.c
+++ b/src/conntrack/filter_dump.c
@@ -64,3 +64,13 @@ int __build_filter_dump(struct nfnlhdr *req, size_t size,
 {
 	return nfct_nlmsg_build_filter(&req->nlh, filter_dump);
 }
+
+int __build_filter_flush(struct nfnlhdr *req, size_t size,
+			const struct nfct_filter_dump *filter_dump)
+{
+	if (filter_dump->set & (1 << NFCT_FILTER_DUMP_TUPLE)) {
+		errno = ENOTSUP;
+		return -1;
+	}
+	return nfct_nlmsg_build_filter(&req->nlh, filter_dump);
+}
author	Felix Huettner <felix.huettner@mail.schwarz>	2023-12-05 09:35:16 +0000
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2024-01-24 22:22:10 +0100
commit	27f09380ebb0fc21c4cd20070b828a27430b5de1 (patch)
tree	360d6ce202ac56056c7df17526a7145d09049c98 /src/conntrack/filter_dump.c
parent	647de658b44b4942efe03bd8c1f89f2bd0a5f0e8 (diff)