authorFelix Huettner <felix.huettner@mail.schwarz>2023-12-05 09:35:16 +0000
committerPablo Neira Ayuso <pablo@netfilter.org>2024-01-24 22:22:10 +0100
commit27f09380ebb0fc21c4cd20070b828a27430b5de1 (patch)
tree360d6ce202ac56056c7df17526a7145d09049c98 /src/conntrack
parent647de658b44b4942efe03bd8c1f89f2bd0a5f0e8 (diff)
conntrack: support flush filtering
Flushing already supports filtering on the kernel side for values like mark, l3num or zone. This patch extends the userspace code to support this as well. To reduce code duplication, the `nfct_filter_dump` struct and its associated logic are reused. Note that filtering by tuple is not supported, since `CTA_FILTER` is not yet supported on the kernel side for flushing. Trying to use it returns ENOTSUP. Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/conntrack')
-rw-r--r--src/conntrack/api.c2
-rw-r--r--src/conntrack/filter_dump.c10
2 files changed, 12 insertions, 0 deletions
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index 22965f1..2efb175 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -835,6 +835,8 @@ __build_query_ct(struct nfnl_subsys_handle *ssh,
break;
case NFCT_Q_FLUSH_FILTER:
nfct_fill_hdr(req, IPCTNL_MSG_CT_DELETE, NLM_F_ACK, *family, 1);
+ if (__build_filter_flush(req, size, data) < 0)
+ return -1;
break;
case NFCT_Q_DUMP:
nfct_fill_hdr(req, IPCTNL_MSG_CT_GET, NLM_F_DUMP, *family,
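Review bot: The new check in the `NFCT_Q_FLUSH_FILTER` case makes the query fail locally with -1 and whatever errno `__build_filter_flush` set (ENOTSUP for a tuple filter) after the header has been filled but before anything is sent, and nothing at the call site says so; a caller whose nfct_query() fails cannot tell from this code whether the library or the kernel refused the request. A one-line comment above the added `if` would make that explicit, e.g. `/* tuple filters are refused here with ENOTSUP: the kernel does not accept CTA_FILTER on a flush */`. `__build_query_ct` starts and ends outside this hunk, so whether the helper's errno value matches the function's other error paths cannot be checked from here and is worth confirming.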
diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c
index 0a19985..fd2d002 100644
--- a/src/conntrack/filter_dump.c
+++ b/src/conntrack/filter_dump.c
@@ -64,3 +64,13 @@ int __build_filter_dump(struct nfnlhdr *req, size_t size,
{
return nfct_nlmsg_build_filter(&req->nlh, filter_dump);
}
+
+int __build_filter_flush(struct nfnlhdr *req, size_t size,
+ const struct nfct_filter_dump *filter_dump)
+{
+ if (filter_dump->set & (1 << NFCT_FILTER_DUMP_TUPLE)) {
+ errno = ENOTSUP;
+ return -1;
+ }
+ return nfct_nlmsg_build_filter(&req->nlh, filter_dump);
+}
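Review bot: `__build_filter_flush` has no header comment, and because it sits directly under `__build_filter_dump`, which takes the same arguments and passes the struct through unconditionally, a later reader may "fix" the asymmetry by dropping the tuple check. Suggest a comment on the new function stating that it is `__build_filter_dump` restricted to flush requests, that `NFCT_FILTER_DUMP_TUPLE` is refused with ENOTSUP because the kernel does not support `CTA_FILTER` on `IPCTNL_MSG_CT_DELETE`, and that the return value is that of `nfct_nlmsg_build_filter` (presumably 0/-1 with errno set; confirm against that function). `size` is unused in both helpers, apparently kept only for signature parity with the dump variant; a `(void)size;` or a short note would keep `-Wunused-parameter` quiet and record that this is intentional. The check guards only the tuple bit, so any other filter attribute the kernel's flush path rejects will surface as a netlink error rather than locally, which is fine but worth saying in the same comment.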