summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2012-02-09 18:56:59 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2012-02-09 18:58:22 +0100
commit62ed08f2d25ef0f332fe65fd40a97ff4dc4eda93 (patch)
tree99adfaf00c3a56bb20a2463878bec32ffd5c03ef
parentd383b7281ac6beecc8775c8d220a9fb611f99f94 (diff)
conntrack: add support for CTA_MARK_MASK and filtered dumping
This patch adds the infrastructure to allow filtered dumping. See utils/conntrack_dump_filter.c for instance. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/internal/extern.h2
-rw-r--r--include/internal/object.h10
-rw-r--r--include/internal/prototypes.h2
-rw-r--r--include/internal/types.h1
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack.h31
-rw-r--r--include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h1
-rw-r--r--src/conntrack/Makefile.am2
-rw-r--r--src/conntrack/api.c80
-rw-r--r--src/conntrack/filter_dump.c49
-rw-r--r--utils/Makefile.am5
-rw-r--r--utils/conntrack_dump_filter.c58
11 files changed, 238 insertions, 3 deletions
diff --git a/include/internal/extern.h b/include/internal/extern.h
index 2a3ef06..fb9ca54 100644
--- a/include/internal/extern.h
+++ b/include/internal/extern.h
@@ -13,6 +13,8 @@ extern const get_exp_attr get_exp_attr_array[];
extern const uint32_t attr_grp_bitmask[ATTR_GRP_MAX][__NFCT_BITSET];
+extern const set_filter_dump_attr set_filter_dump_attr_array[];
+
/* for the snprintf infrastructure */
extern const char *const l3proto2str[AF_MAX];
extern const char *const proto2str[IPPROTO_MAX];
diff --git a/include/internal/object.h b/include/internal/object.h
index 94433bf..55fa4f5 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -261,6 +261,16 @@ struct nfct_filter {
};
/*
+ * conntrack filter dump object
+ */
+
+struct nfct_filter_dump {
+ struct nfct_filter_dump_mark mark;
+ u_int8_t l3num;
+ u_int32_t set;
+};
+
+/*
* expectation object
*/
diff --git a/include/internal/prototypes.h b/include/internal/prototypes.h
index 532c60e..730eb6b 100644
--- a/include/internal/prototypes.h
+++ b/include/internal/prototypes.h
@@ -37,6 +37,8 @@ void __copy_fast(struct nf_conntrack *ct1, const struct nf_conntrack *ct);
int __setup_netlink_socket_filter(int fd, struct nfct_filter *filter);
+void __build_filter_dump(struct nfnlhdr *req, size_t size, const struct nfct_filter_dump *filter_dump);
+
/*
* expectation internal prototypes
*/
diff --git a/include/internal/types.h b/include/internal/types.h
index 433de5b..3459200 100644
--- a/include/internal/types.h
+++ b/include/internal/types.h
@@ -15,6 +15,7 @@ typedef int (*getobjopt)(const struct nf_conntrack *ct);
typedef void (*setobjopt)(struct nf_conntrack *ct);
typedef void (*set_attr_grp)(struct nf_conntrack *ct, const void *value);
typedef void (*get_attr_grp)(const struct nf_conntrack *ct, void *data);
+typedef void (*set_filter_dump_attr)(struct nfct_filter_dump *filter_dump, const void *value);
/*
* expectation types
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 538dc2d..a4a60cb 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -392,6 +392,8 @@ enum nf_conntrack_query {
NFCT_Q_DUMP,
NFCT_Q_DUMP_RESET,
NFCT_Q_CREATE_UPDATE,
+ NFCT_Q_DUMP_FILTER,
+ NFCT_Q_DUMP_FILTER_RESET,
};
extern int nfct_query(struct nfct_handle *h,
@@ -421,7 +423,7 @@ extern void nfct_copy_attr(struct nf_conntrack *ct1,
const struct nf_conntrack *ct2,
const enum nf_conntrack_attr type);
-/* filter */
+/* event filtering */
struct nfct_filter;
@@ -472,6 +474,33 @@ extern int nfct_filter_set_logic(struct nfct_filter *filter,
extern int nfct_filter_attach(int fd, struct nfct_filter *filter);
extern int nfct_filter_detach(int fd);
+/* dump filtering */
+
+struct nfct_filter_dump;
+
+struct nfct_filter_dump_mark {
+ u_int32_t val;
+ u_int32_t mask;
+};
+
+enum nfct_filter_dump_attr {
+ NFCT_FILTER_DUMP_MARK = 0, /* struct nfct_filter_dump_mark */
+ NFCT_FILTER_DUMP_L3NUM, /* u_int8_t */
+ NFCT_FILTER_DUMP_MAX
+};
+
+struct nfct_filter_dump *nfct_filter_dump_create(void);
+
+void nfct_filter_dump_destroy(struct nfct_filter_dump *filter);
+
+void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ const void *data);
+
+void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ u_int8_t data);
+
/* low level API: netlink functions */
extern __attribute__((deprecated)) int
diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
index 2175799..1cf938b 100644
--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
@@ -47,6 +47,7 @@ enum ctattr_type {
CTA_ZONE,
CTA_SECCTX,
CTA_TIMESTAMP,
+ CTA_MARK_MASK,
__CTA_MAX
};
#define CTA_MAX (__CTA_MAX - 1)
diff --git a/src/conntrack/Makefile.am b/src/conntrack/Makefile.am
index fb6b048..3f7fb64 100644
--- a/src/conntrack/Makefile.am
+++ b/src/conntrack/Makefile.am
@@ -10,6 +10,6 @@ libnfconntrack_la_SOURCES = api.c \
objopt.c \
compare.c \
copy.c \
- filter.c bsf.c \
+ filter.c bsf.c filter_dump.c \
grp.c grp_getter.c grp_setter.c \
stack.c
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index d3d9bdb..683b2ce 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -766,7 +766,14 @@ __build_query_ct(struct nfnl_subsys_handle *ssh,
case NFCT_Q_CREATE_UPDATE:
__build_conntrack(ssh, req, size, IPCTNL_MSG_CT_NEW, NLM_F_REQUEST|NLM_F_CREATE|NLM_F_ACK, data);
break;
-
+ case NFCT_Q_DUMP_FILTER:
+ nfnl_fill_hdr(ssh, &req->nlh, 0, AF_UNSPEC, 0, IPCTNL_MSG_CT_GET, NLM_F_REQUEST|NLM_F_DUMP);
+ __build_filter_dump(req, size, data);
+ break;
+ case NFCT_Q_DUMP_FILTER_RESET:
+ nfnl_fill_hdr(ssh, &req->nlh, 0, AF_UNSPEC, 0, IPCTNL_MSG_CT_GET_CTRZERO, NLM_F_REQUEST|NLM_F_DUMP);
+ __build_filter_dump(req, size, data);
+ break;
default:
errno = ENOTSUP;
return -1;
@@ -802,6 +809,8 @@ __build_query_ct(struct nfnl_subsys_handle *ssh,
* - NFCT_Q_FLUSH: flush the conntrack table
* - NFCT_Q_DUMP: dump the conntrack table
* - NFCT_Q_DUMP_RESET: dump the conntrack table and reset counters
+ * - NFCT_Q_DUMP_FILTER: dump the conntrack table
+ * - NFCT_Q_DUMP_FILTER_RESET: dump the conntrack table and reset counters
*
* Pass a valid pointer to the protocol family (u_int32_t)
*
@@ -1356,3 +1365,72 @@ int nfct_filter_detach(int fd)
/**
* @}
*/
+
+/**
+ * \defgroup dumpfilter Kernel-space filtering for dumping
+ *
+ * @{
+ */
+
+/**
+ * nfct_filter_dump_create - create a dump filter
+ *
+ * This function returns a valid pointer on success, otherwise NULL is
+ * returned and errno is appropriately set.
+ */
+struct nfct_filter_dump *nfct_filter_dump_create(void)
+{
+ return calloc(sizeof(struct nfct_filter_dump), 1);
+}
+
+/**
+ * nfct_filter_dump_destroy - destroy a dump filter
+ * \param filter filter that we want to destroy
+ *
+ * This function releases the memory that is used by the filter object.
+ */
+void nfct_filter_dump_destroy(struct nfct_filter_dump *filter)
+{
+ assert(filter != NULL);
+ free(filter);
+ filter = NULL;
+}
+
+/**
+ * nfct_filter_dump_attr_set - set filter attribute
+ * \param filter dump filter object that we want to modify
+ * \param type filter attribute type
+ * \param value pointer to the value of the filter attribute
+ */
+void nfct_filter_dump_set_attr(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ const void *value)
+{
+ assert(filter_dump != NULL);
+ assert(value != NULL);
+
+ if (unlikely(type >= NFCT_FILTER_DUMP_MAX))
+ return;
+
+ if (set_filter_dump_attr_array[type]) {
+ set_filter_dump_attr_array[type](filter_dump, value);
+ filter_dump->set |= (1 << type);
+ }
+}
+
+/**
+ * nfct_filter_dump_attr_set_u8 - set u8 dump filter attribute
+ * \param filter dump filter object that we want to modify
+ * \param type filter attribute type
+ * \param value value of the filter attribute using unsigned int (32 bits).
+ */
+void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump,
+ const enum nfct_filter_dump_attr type,
+ u_int8_t value)
+{
+ nfct_filter_dump_set_attr(filter_dump, type, &value);
+}
+
+/**
+ * @}
+ */
diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c
new file mode 100644
index 0000000..9e2e169
--- /dev/null
+++ b/src/conntrack/filter_dump.c
@@ -0,0 +1,49 @@
+/*
+ * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include "internal/internal.h"
+
+static void
+set_filter_dump_attr_mark(struct nfct_filter_dump *filter_dump,
+ const void *value)
+{
+ const struct nfct_filter_dump_mark *this = value;
+
+ filter_dump->mark.val = this->val;
+ filter_dump->mark.mask = this->mask;
+ filter_dump->set |= (1 << NFCT_FILTER_DUMP_MARK);
+}
+
+static void
+set_filter_dump_attr_family(struct nfct_filter_dump *filter_dump,
+ const void *value)
+{
+ filter_dump->l3num = *((u_int8_t *)value);
+ filter_dump->set |= (1 << NFCT_FILTER_DUMP_L3NUM);
+}
+
+const set_filter_dump_attr set_filter_dump_attr_array[NFCT_FILTER_DUMP_MAX] = {
+ [NFCT_FILTER_DUMP_MARK] = set_filter_dump_attr_mark,
+ [NFCT_FILTER_DUMP_L3NUM] = set_filter_dump_attr_family,
+};
+
+void __build_filter_dump(struct nfnlhdr *req, size_t size,
+ const struct nfct_filter_dump *filter_dump)
+{
+ if (filter_dump->set & (1 << NFCT_FILTER_DUMP_MARK)) {
+ nfnl_addattr32(&req->nlh, size, CTA_MARK,
+ htonl(filter_dump->mark.val));
+ nfnl_addattr32(&req->nlh, size, CTA_MARK_MASK,
+ htonl(filter_dump->mark.mask));
+ }
+ if (filter_dump->set & (1 << NFCT_FILTER_DUMP_L3NUM)) {
+ struct nfgenmsg *nfg = NLMSG_DATA(&req->nlh);
+ nfg->nfgen_family = filter_dump->l3num;
+ }
+}
diff --git a/utils/Makefile.am b/utils/Makefile.am
index dcb3fec..35a7e0a 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -7,6 +7,7 @@ check_PROGRAMS = expect_dump expect_create expect_get expect_delete \
conntrack_get conntrack_events \
conntrack_master conntrack_filter \
conntrack_grp_create \
+ conntrack_dump_filter \
ctexp_events
conntrack_grp_create_SOURCES = conntrack_grp_create.c
@@ -37,6 +38,10 @@ conntrack_dump_SOURCES = conntrack_dump.c
conntrack_dump_LDADD = ../src/libnetfilter_conntrack.la
conntrack_dump_LDFLAGS = -dynamic -ldl
+conntrack_dump_filter_SOURCES = conntrack_dump_filter.c
+conntrack_dump_filter_LDADD = ../src/libnetfilter_conntrack.la
+conntrack_dump_filter_LDFLAGS = -dynamic -ldl
+
conntrack_flush_SOURCES = conntrack_flush.c
conntrack_flush_LDADD = ../src/libnetfilter_conntrack.la
conntrack_flush_LDFLAGS = -dynamic -ldl
diff --git a/utils/conntrack_dump_filter.c b/utils/conntrack_dump_filter.c
new file mode 100644
index 0000000..41e3f0c
--- /dev/null
+++ b/utils/conntrack_dump_filter.c
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+static int cb(enum nf_conntrack_msg_type type,
+ struct nf_conntrack *ct,
+ void *data)
+{
+ char buf[1024];
+
+ nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, NFCT_OF_SHOW_LAYER3 | NFCT_OF_TIMESTAMP);
+ printf("%s\n", buf);
+
+ return NFCT_CB_CONTINUE;
+}
+
+int main(void)
+{
+ int ret;
+ struct nfct_handle *h;
+
+ h = nfct_open(CONNTRACK, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+ struct nfct_filter_dump *filter_dump = nfct_filter_dump_create();
+ if (filter_dump == NULL) {
+ perror("nfct_filter_dump_alloc");
+ return -1;
+ }
+ struct nfct_filter_dump_mark filter_dump_mark = {
+ .val = 1,
+ .mask = 0xffffffff,
+ };
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+ &filter_dump_mark);
+ nfct_filter_dump_set_attr_u8(filter_dump, NFCT_FILTER_DUMP_L3NUM,
+ AF_INET);
+
+ nfct_callback_register(h, NFCT_T_ALL, cb, NULL);
+ ret = nfct_query(h, NFCT_Q_DUMP_FILTER, filter_dump);
+
+ nfct_filter_dump_destroy(filter_dump);
+
+ printf("TEST: get conntrack ");
+ if (ret == -1)
+ printf("(%d)(%s)\n", ret, strerror(errno));
+ else
+ printf("(OK)\n");
+
+ nfct_close(h);
+
+ ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
+}