summaryrefslogtreecommitdiffstats
path: root/src/conntrack/filter_dump.c
Commit message (Collapse)AuthorAgeFilesLines
* conntrack: support flush filteringHEADmasterFelix Huettner2024-01-241-0/+10
| | | | | | | | | | | | | | flushing already supports filtering on the kernel side for value like mark, l3num or zone. This patch extends the userspace code to also support this. To reduce code duplication the `nfct_filter_dump` struct and associated logic is reused. Note that filtering by tuple is not supported, since `CTA_FILTER` is not yet supported on the kernel side for flushing. Trying to use it returns ENOTSUP. Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dump: support filtering by zoneFelix Huettner2024-01-241-0/+8
| | | | | | | | | | | | based on a kernel side extension of the conntrack api, this patch brings this extension to userspace. When dumping the conntrack table we can now filter based on the conntrack zone directly in kernel space. If the kernel does not yet support this feature this filtering is ignored. Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Adding NFCT_FILTER_DUMP_TUPLE in filter_dump_attr, using kernel CTA_FILTER APIRomain Bellan2023-09-141-3/+11
| | | | | | | | | | | | | Following kernel side new conntrack filtering API, this patch implements userspace part. This patch: * Update headers to get new flag value from kernel * Use a conntrack struct to configure filtering * Set netlink flags according to values set in conntrack struct Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr> Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: add nfct_nlmsg_build_filter() helperPablo Neira Ayuso2021-11-141-16/+2
| | | | | | | This helper function builds the payload of the netlink dump request including the filtering criteria. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for status dump filterFlorian Westphal2021-08-051-0/+17
| | | | | | | | | | | This tells kernel to suppress conntrack entries that do not match the status bits/bitmask filter. This is useful to e.g. only list entries that are not assured (value 0, mask == ASSUED) or entries that only saw one-way traffic (value 0, mask == SEEN_REPLY). Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Use stdint types everywhereFelix Janda2015-05-251-1/+1
| | | | | Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: remove duplicate codeKen-ichirou MATSUZAWA2014-06-211-2/+0
| | | | | | | nfct_filter_dump_set_attr() will set the bit. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: add support for CTA_MARK_MASK and filtered dumpingPablo Neira Ayuso2012-02-091-0/+49
This patch adds the infrastructure to allow filtered dumping. See utils/conntrack_dump_filter.c for instance. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>