From 62ed08f2d25ef0f332fe65fd40a97ff4dc4eda93 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 9 Feb 2012 18:56:59 +0100 Subject: conntrack: add support for CTA_MARK_MASK and filtered dumping This patch adds the infrastructure to allow filtered dumping. See utils/conntrack_dump_filter.c for instance. Signed-off-by: Pablo Neira Ayuso --- include/internal/extern.h | 2 + include/internal/object.h | 10 +++ include/internal/prototypes.h | 2 + include/internal/types.h | 1 + .../libnetfilter_conntrack.h | 31 ++++++++- .../linux_nfnetlink_conntrack.h | 1 + src/conntrack/Makefile.am | 2 +- src/conntrack/api.c | 80 +++++++++++++++++++++- src/conntrack/filter_dump.c | 49 +++++++++++++ utils/Makefile.am | 5 ++ utils/conntrack_dump_filter.c | 58 ++++++++++++++++ 11 files changed, 238 insertions(+), 3 deletions(-) create mode 100644 src/conntrack/filter_dump.c create mode 100644 utils/conntrack_dump_filter.c diff --git a/include/internal/extern.h b/include/internal/extern.h index 2a3ef06..fb9ca54 100644 --- a/include/internal/extern.h +++ b/include/internal/extern.h @@ -13,6 +13,8 @@ extern const get_exp_attr get_exp_attr_array[]; extern const uint32_t attr_grp_bitmask[ATTR_GRP_MAX][__NFCT_BITSET]; +extern const set_filter_dump_attr set_filter_dump_attr_array[]; + /* for the snprintf infrastructure */ extern const char *const l3proto2str[AF_MAX]; extern const char *const proto2str[IPPROTO_MAX]; diff --git a/include/internal/object.h b/include/internal/object.h index 94433bf..55fa4f5 100644 --- a/include/internal/object.h +++ b/include/internal/object.h @@ -260,6 +260,16 @@ struct nfct_filter { u_int32_t set[1]; }; +/* + * conntrack filter dump object + */ + +struct nfct_filter_dump { + struct nfct_filter_dump_mark mark; + u_int8_t l3num; + u_int32_t set; +}; + /* * expectation object */ diff --git a/include/internal/prototypes.h b/include/internal/prototypes.h index 532c60e..730eb6b 100644 --- a/include/internal/prototypes.h +++ b/include/internal/prototypes.h @@ -37,6 +37,8 @@ void __copy_fast(struct nf_conntrack *ct1, const struct nf_conntrack *ct); int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter); +void __build_filter_dump(struct nfnlhdr *req, size_t size, const struct nfct_filter_dump *filter_dump); + /* * expectation internal prototypes */ diff --git a/include/internal/types.h b/include/internal/types.h index 433de5b..3459200 100644 --- a/include/internal/types.h +++ b/include/internal/types.h @@ -15,6 +15,7 @@ typedef int (*getobjopt)(const struct nf_conntrack *ct); typedef void (*setobjopt)(struct nf_conntrack *ct); typedef void (*set_attr_grp)(struct nf_conntrack *ct, const void *value); typedef void (*get_attr_grp)(const struct nf_conntrack *ct, void *data); +typedef void (*set_filter_dump_attr)(struct nfct_filter_dump *filter_dump, const void *value); /* * expectation types diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h index 538dc2d..a4a60cb 100644 --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h @@ -392,6 +392,8 @@ enum nf_conntrack_query { NFCT_Q_DUMP, NFCT_Q_DUMP_RESET, NFCT_Q_CREATE_UPDATE, + NFCT_Q_DUMP_FILTER, + NFCT_Q_DUMP_FILTER_RESET, }; extern int nfct_query(struct nfct_handle *h, @@ -421,7 +423,7 @@ extern void nfct_copy_attr(struct nf_conntrack *ct1, const struct nf_conntrack *ct2, const enum nf_conntrack_attr type); -/* filter */ +/* event filtering */ struct nfct_filter; @@ -472,6 +474,33 @@ extern int nfct_filter_set_logic(struct nfct_filter *filter, extern int nfct_filter_attach(int fd, struct nfct_filter *filter); extern int nfct_filter_detach(int fd); +/* dump filtering */ + +struct nfct_filter_dump; + +struct nfct_filter_dump_mark { + u_int32_t val; + u_int32_t mask; +}; + +enum nfct_filter_dump_attr { + NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */ + NFCT_FILTER_DUMP_L3NUM, /* u_int8_t */ + NFCT_FILTER_DUMP_MAX +}; + +struct nfct_filter_dump *nfct_filter_dump_create(void); + +void nfct_filter_dump_destroy(struct nfct_filter_dump *filter); + +void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump, + const enum nfct_filter_dump_attr type, + const void *data); + +void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump, + const enum nfct_filter_dump_attr type, + u_int8_t data); + /* low level API: netlink functions */ extern __attribute__((deprecated)) int diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h index 2175799..1cf938b 100644 --- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h +++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h @@ -47,6 +47,7 @@ enum ctattr_type { CTA_ZONE, CTA_SECCTX, CTA_TIMESTAMP, + CTA_MARK_MASK, __CTA_MAX }; #define CTA_MAX (__CTA_MAX - 1) diff --git a/src/conntrack/Makefile.am b/src/conntrack/Makefile.am index fb6b048..3f7fb64 100644 --- a/src/conntrack/Makefile.am +++ b/src/conntrack/Makefile.am @@ -10,6 +10,6 @@ libnfconntrack_la_SOURCES = api.c \ objopt.c \ compare.c \ copy.c \ - filter.c bsf.c \ + filter.c bsf.c filter_dump.c \ grp.c grp_getter.c grp_setter.c \ stack.c diff --git a/src/conntrack/api.c b/src/conntrack/api.c index d3d9bdb..683b2ce 100644 --- a/src/conntrack/api.c +++ b/src/conntrack/api.c @@ -766,7 +766,14 @@ __build_query_ct(struct nfnl_subsys_handle *ssh, case NFCT_Q_CREATE_UPDATE: __build_conntrack(ssh, req, size, IPCTNL_MSG_CT_NEW, NLM_F_REQUEST|NLM_F_CREATE|NLM_F_ACK, data); break; - + case NFCT_Q_DUMP_FILTER: + nfnl_fill_hdr(ssh, &req->nlh, 0, AF_UNSPEC, 0, IPCTNL_MSG_CT_GET, NLM_F_REQUEST|NLM_F_DUMP); + __build_filter_dump(req, size, data); + break; + case NFCT_Q_DUMP_FILTER_RESET: + nfnl_fill_hdr(ssh, &req->nlh, 0, AF_UNSPEC, 0, IPCTNL_MSG_CT_GET_CTRZERO, NLM_F_REQUEST|NLM_F_DUMP); + __build_filter_dump(req, size, data); + break; default: errno = ENOTSUP; return -1; @@ -802,6 +809,8 @@ __build_query_ct(struct nfnl_subsys_handle *ssh, * - NFCT_Q_FLUSH: flush the conntrack table * - NFCT_Q_DUMP: dump the conntrack table * - NFCT_Q_DUMP_RESET: dump the conntrack table and reset counters + * - NFCT_Q_DUMP_FILTER: dump the conntrack table + * - NFCT_Q_DUMP_FILTER_RESET: dump the conntrack table and reset counters * * Pass a valid pointer to the protocol family (u_int32_t) * @@ -1356,3 +1365,72 @@ int nfct_filter_detach(int fd) /** * @} */ + +/** + * \defgroup dumpfilter Kernel-space filtering for dumping + * + * @{ + */ + +/** + * nfct_filter_dump_create - create a dump filter + * + * This function returns a valid pointer on success, otherwise NULL is + * returned and errno is appropriately set. + */ +struct nfct_filter_dump *nfct_filter_dump_create(void) +{ + return calloc(sizeof(struct nfct_filter_dump), 1); +} + +/** + * nfct_filter_dump_destroy - destroy a dump filter + * \param filter filter that we want to destroy + * + * This function releases the memory that is used by the filter object. + */ +void nfct_filter_dump_destroy(struct nfct_filter_dump *filter) +{ + assert(filter != NULL); + free(filter); + filter = NULL; +} + +/** + * nfct_filter_dump_attr_set - set filter attribute + * \param filter dump filter object that we want to modify + * \param type filter attribute type + * \param value pointer to the value of the filter attribute + */ +void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump, + const enum nfct_filter_dump_attr type, + const void *value) +{ + assert(filter_dump != NULL); + assert(value != NULL); + + if (unlikely(type >= NFCT_FILTER_DUMP_MAX)) + return; + + if (set_filter_dump_attr_array[type]) { + set_filter_dump_attr_array[type](filter_dump, value); + filter_dump->set |= (1 << type); + } +} + +/** + * nfct_filter_dump_attr_set_u8 - set u8 dump filter attribute + * \param filter dump filter object that we want to modify + * \param type filter attribute type + * \param value value of the filter attribute using unsigned int (32 bits). + */ +void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump, + const enum nfct_filter_dump_attr type, + u_int8_t value) +{ + nfct_filter_dump_set_attr(filter_dump, type, &value); +} + +/** + * @} + */ diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c new file mode 100644 index 0000000..9e2e169 --- /dev/null +++ b/src/conntrack/filter_dump.c @@ -0,0 +1,49 @@ +/* + * (C) 2005-2012 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include "internal/internal.h" + +static void +set_filter_dump_attr_mark(struct nfct_filter_dump *filter_dump, + const void *value) +{ + const struct nfct_filter_dump_mark *this = value; + + filter_dump->mark.val = this->val; + filter_dump->mark.mask = this->mask; + filter_dump->set |= (1 << NFCT_FILTER_DUMP_MARK); +} + +static void +set_filter_dump_attr_family(struct nfct_filter_dump *filter_dump, + const void *value) +{ + filter_dump->l3num = *((u_int8_t *)value); + filter_dump->set |= (1 << NFCT_FILTER_DUMP_L3NUM); +} + +const set_filter_dump_attr set_filter_dump_attr_array[NFCT_FILTER_DUMP_MAX] = { + [NFCT_FILTER_DUMP_MARK] = set_filter_dump_attr_mark, + [NFCT_FILTER_DUMP_L3NUM] = set_filter_dump_attr_family, +}; + +void __build_filter_dump(struct nfnlhdr *req, size_t size, + const struct nfct_filter_dump *filter_dump) +{ + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_MARK)) { + nfnl_addattr32(&req->nlh, size, CTA_MARK, + htonl(filter_dump->mark.val)); + nfnl_addattr32(&req->nlh, size, CTA_MARK_MASK, + htonl(filter_dump->mark.mask)); + } + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_L3NUM)) { + struct nfgenmsg *nfg = NLMSG_DATA(&req->nlh); + nfg->nfgen_family = filter_dump->l3num; + } +} diff --git a/utils/Makefile.am b/utils/Makefile.am index dcb3fec..35a7e0a 100644 --- a/utils/Makefile.am +++ b/utils/Makefile.am @@ -7,6 +7,7 @@ check_PROGRAMS = expect_dump expect_create expect_get expect_delete \ conntrack_get conntrack_events \ conntrack_master conntrack_filter \ conntrack_grp_create \ + conntrack_dump_filter \ ctexp_events conntrack_grp_create_SOURCES = conntrack_grp_create.c @@ -37,6 +38,10 @@ conntrack_dump_SOURCES = conntrack_dump.c conntrack_dump_LDADD = ../src/libnetfilter_conntrack.la conntrack_dump_LDFLAGS = -dynamic -ldl +conntrack_dump_filter_SOURCES = conntrack_dump_filter.c +conntrack_dump_filter_LDADD = ../src/libnetfilter_conntrack.la +conntrack_dump_filter_LDFLAGS = -dynamic -ldl + conntrack_flush_SOURCES = conntrack_flush.c conntrack_flush_LDADD = ../src/libnetfilter_conntrack.la conntrack_flush_LDFLAGS = -dynamic -ldl diff --git a/utils/conntrack_dump_filter.c b/utils/conntrack_dump_filter.c new file mode 100644 index 0000000..41e3f0c --- /dev/null +++ b/utils/conntrack_dump_filter.c @@ -0,0 +1,58 @@ +#include +#include +#include +#include + +#include + +static int cb(enum nf_conntrack_msg_type type, + struct nf_conntrack *ct, + void *data) +{ + char buf[1024]; + + nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, NFCT_OF_SHOW_LAYER3 | NFCT_OF_TIMESTAMP); + printf("%s\n", buf); + + return NFCT_CB_CONTINUE; +} + +int main(void) +{ + int ret; + struct nfct_handle *h; + + h = nfct_open(CONNTRACK, 0); + if (!h) { + perror("nfct_open"); + return -1; + } + struct nfct_filter_dump *filter_dump = nfct_filter_dump_create(); + if (filter_dump == NULL) { + perror("nfct_filter_dump_alloc"); + return -1; + } + struct nfct_filter_dump_mark filter_dump_mark = { + .val = 1, + .mask = 0xffffffff, + }; + nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK, + &filter_dump_mark); + nfct_filter_dump_set_attr_u8(filter_dump, NFCT_FILTER_DUMP_L3NUM, + AF_INET); + + nfct_callback_register(h, NFCT_T_ALL, cb, NULL); + ret = nfct_query(h, NFCT_Q_DUMP_FILTER, filter_dump); + + nfct_filter_dump_destroy(filter_dump); + + printf("TEST: get conntrack "); + if (ret == -1) + printf("(%d)(%s)\n", ret, strerror(errno)); + else + printf("(OK)\n"); + + nfct_close(h); + + ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); +} -- cgit v1.2.3