From 62ed08f2d25ef0f332fe65fd40a97ff4dc4eda93 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 9 Feb 2012 18:56:59 +0100
Subject: conntrack: add support for CTA_MARK_MASK and filtered dumping

This patch adds the infrastructure to allow filtered dumping.
See utils/conntrack_dump_filter.c for instance.

Signed-off-by: Pablo Neira Ayuso
---
 include/internal/extern.h | 2 ++
 include/internal/object.h | 10 +++++++
 include/internal/prototypes.h | 2 ++
 include/internal/types.h | 1 +
 .../libnetfilter_conntrack.h | 31 +++++++++++++++++++++-
 .../linux_nfnetlink_conntrack.h | 1 +
 6 files changed, 46 insertions(+), 1 deletion(-)
(limited to 'include')

diff --git a/include/internal/extern.h b/include/internal/extern.h
index 2a3ef06..fb9ca54 100644
--- a/include/internal/extern.h
+++ b/include/internal/extern.h
@@ -13,6 +13,8 @@ extern const get_exp_attr get_exp_attr_array[];
 extern const uint32_t attr_grp_bitmask[ATTR_GRP_MAX][__NFCT_BITSET];
+extern const set_filter_dump_attr set_filter_dump_attr_array[];
+
 /* for the snprintf infrastructure */
 extern const char *const l3proto2str[AF_MAX];
 extern const char *const proto2str[IPPROTO_MAX];
diff --git a/include/internal/object.h b/include/internal/object.h
index 94433bf..55fa4f5 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -260,6 +260,16 @@ struct nfct_filter {
 u_int32_t set[1];
 };
+/*
+ * conntrack filter dump object
+ */
+
+struct nfct_filter_dump {
+ struct nfct_filter_dump_mark mark;
+ u_int8_t l3num;
+ u_int32_t set;
+};
+
 /*
  * expectation object
  */
diff --git a/include/internal/prototypes.h b/include/internal/prototypes.h
index 532c60e..730eb6b 100644
--- a/include/internal/prototypes.h
+++ b/include/internal/prototypes.h
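Review bot: The `u_int32_t set;` member of the new struct nfct_filter_dump in object.h has no comment and nothing in the hunk says what it holds; from the sibling struct nfct_filter's `set[1]` and the `set_filter_dump_attr_array[]` dispatch table declared in the extern.h hunk it looks like a bitmask of enum nfct_filter_dump_attr recording which attributes the caller has set, but that is inferred. Suggest `u_int32_t set; /* bitmask of enum nfct_filter_dump_attr values that have been set -- confirm */`, and a one-line comment on `mark` and `l3num` stating they are only meaningful when the corresponding bit is set, if that is indeed the contract. The struct also embeds struct nfct_filter_dump_mark, which this patch defines in the public libnetfilter_conntrack.h, so this internal header now depends on that header being included first; a note at the definition would save the next reader a search.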
@@ -37,6 +37,8 @@ void __copy_fast(struct nf_conntrack *ct1, const struct nf_conntrack *ct);
 int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
+void __build_filter_dump(struct nfnlhdr *req, size_t size, const struct nfct_filter_dump *filter_dump);
+
 /*
  * expectation internal prototypes
  */
diff --git a/include/internal/types.h b/include/internal/types.h
index 433de5b..3459200 100644
--- a/include/internal/types.h
+++ b/include/internal/types.h
@@ -15,6 +15,7 @@ typedef int (*getobjopt)(const struct nf_conntrack *ct);
 typedef void (*setobjopt)(struct nf_conntrack *ct);
 typedef void (*set_attr_grp)(struct nf_conntrack *ct, const void *value);
 typedef void (*get_attr_grp)(const struct nf_conntrack *ct, void *data);
+typedef void (*set_filter_dump_attr)(struct nfct_filter_dump *filter_dump, const void *value);
 /*
  * expectation types
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 538dc2d..a4a60cb 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -392,6 +392,8 @@ enum nf_conntrack_query {
 NFCT_Q_DUMP,
 NFCT_Q_DUMP_RESET,
 NFCT_Q_CREATE_UPDATE,
+ NFCT_Q_DUMP_FILTER,
+ NFCT_Q_DUMP_FILTER_RESET,
 };
 extern int nfct_query(struct nfct_handle *h,
@@ -421,7 +423,7 @@ extern void nfct_copy_attr(struct nf_conntrack *ct1,
 const struct nf_conntrack *ct2,
 const enum nf_conntrack_attr type);
-/* filter */
+/* event filtering */
 struct nfct_filter;
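Review bot: The new prototype `void __build_filter_dump(struct nfnlhdr *req, size_t size, const struct nfct_filter_dump *filter_dump);` in prototypes.h gives no hint what `size` bounds, yet a builder that appends netlink attributes into `req` relies on exactly that bound to avoid writing past the caller's buffer, so the contract belongs at the declaration. Presumably `size` is the total byte capacity of the buffer backing `req` and every caller must pass it accurately; confirm against the implementation, which is not in this patch excerpt. Suggest a comment above the prototype: `/* append filter_dump's attributes to req; size is the byte capacity of the buffer backing req, never exceeded */`. The typedef added in types.h has the same gap for `value`: its pointee type depends on which attribute the callback serves, which is worth one line there too.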
@@ -472,6 +474,33 @@ extern int nfct_filter_set_logic(struct nfct_filter *filter,
 extern int nfct_filter_attach(int fd, struct nfct_filter *filter);
 extern int nfct_filter_detach(int fd);
+/* dump filtering */
+
+struct nfct_filter_dump;
+
+struct nfct_filter_dump_mark {
+ u_int32_t val;
+ u_int32_t mask;
+};
+
+enum nfct_filter_dump_attr {
+ NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */
+ NFCT_FILTER_DUMP_L3NUM, /* u_int8_t */
+ NFCT_FILTER_DUMP_MAX
+};
+
+struct nfct_filter_dump *nfct_filter_dump_create(void);
+
+void nfct_filter_dump_destroy(struct nfct_filter_dump *filter);
+
+void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ const void *data);
+
+void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ u_int8_t data);
+
 /* low level API: netlink functions */
 extern __attribute__((deprecated)) int
diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
index 2175799..1cf938b 100644
--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
@@ -47,6 +47,7 @@ enum ctattr_type {
 CTA_ZONE,
 CTA_SECCTX,
 CTA_TIMESTAMP,
+ CTA_MARK_MASK,
 __CTA_MAX
 };
 #define CTA_MAX (__CTA_MAX - 1)
-- 
cgit v1.2.3
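Review bot: The four new function declarations under `/* dump filtering */` in libnetfilter_conntrack.h drop the `extern` that every neighbouring prototype carries (`extern int nfct_filter_attach(...)`, `extern int nfct_filter_detach(int fd);`), and `nfct_filter_dump_destroy` names its parameter `filter` while the other new functions use `filter_dump`; both are style only, but aligning them keeps the header uniform, e.g. `extern void nfct_filter_dump_destroy(struct nfct_filter_dump *filter_dump);`. None of the new public API is documented: whether `nfct_filter_dump_create` can return NULL, that the returned object is owned by the caller and released only through `nfct_filter_dump_destroy`, and that `data` passed to `nfct_filter_dump_set_attr` must point to the C type listed beside the enum value (struct nfct_filter_dump_mark for NFCT_FILTER_DUMP_MARK, u_int8_t for NFCT_FILTER_DUMP_L3NUM). Since extern.h in this patch declares a `set_filter_dump_attr_array[]` that is presumably indexed by `type`, the implementation (outside this excerpt) should reject `type >= NFCT_FILTER_DUMP_MAX` before indexing it, and that limit is worth stating in the header comment as well — confirm.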
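Review bot: `CTA_MARK_MASK` is inserted just before `__CTA_MAX` in linux_nfnetlink_conntrack.h, a local copy of the kernel's enum ctattr_type, so its position fixes a numeric attribute value that must equal the kernel's, and nothing in the enum reminds a future editor of that. Suggest annotating the added line: `CTA_MARK_MASK, /* must keep the kernel's ctattr_type numbering */`. Kernels that predate this attribute presumably cannot honour the mark filter on a dump, so the new NFCT_Q_DUMP_FILTER and NFCT_Q_DUMP_FILTER_RESET queries may warrant a note in the public header about that dependency — confirm against the kernel side.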