summaryrefslogtreecommitdiffstats
path: root/src/filter.c
Commit message (Collapse)AuthorAgeFilesLines
* filter: remove useless branch in the check functionsPablo Neira Ayuso2008-11-151-8/+2
| | | | | | | | | If the logic is set to -1, this means that we do not perform any filtering for this sort of network address. Therefore, we don't need to re-check if there is any filter later. This patch also inlines the check functions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: use jhash2 instead of jhash for IPv6 addressesPablo Neira Ayuso2008-11-151-1/+1
| | | | | | | Since an IPv6 address can be seen as an array of uint32_t. Use the optimized jhash2() function instead of the generic jhash(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: use XOR instead of branchesPablo Neira Ayuso2008-11-091-13/+5
| | | | | | use XOR instead of branches in ct_filter_check. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: fix NAT detection tweakPablo Neira Ayuso2008-09-161-6/+3
| | | | | | | | With this patch, we rely on the real source and destination of the packet to perform the filter. The current NAT detection tweak is broken for certain situations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* filter: skip protocol state filtering if state not presentPablo Neira Ayuso2008-07-291-0/+3
| | | | | | | Skip user-space the protocol state filter if the protocol state is not present in the event message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Major rework of the user-space event filteringPablo Neira Ayuso2008-07-221-0/+250
This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>