summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRomain Bellan <romain.bellan@wifirst.fr>2020-01-29 10:47:19 +0100
committerFlorian Westphal <fw@strlen.de>2023-09-14 13:15:44 +0200
commitf38c0a03091f3090df45c3e6a09ffc048e92b3c9 (patch)
tree02ba2a08316ed3811091ccd2786c24f6a7aa28e6
parentc2136262802f31cb19267dacf0c0fdecdea4ae16 (diff)
utils: add NFCT_FILTER_DUMP_TUPLE example
Simple example to see conntrack kernel side filtering configuration. Callback is reading the kernel result, and user is notified when kernel does not support filtering (so filtering must be done in userspace) Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr> Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--utils/.gitignore1
-rw-r--r--utils/Makefile.am4
-rw-r--r--utils/conntrack_dump_filter_tuple.c70
3 files changed, 75 insertions, 0 deletions
diff --git a/utils/.gitignore b/utils/.gitignore
index 63dfcb2..0de05c0 100644
--- a/utils/.gitignore
+++ b/utils/.gitignore
@@ -3,6 +3,7 @@
/conntrack_delete
/conntrack_dump
/conntrack_dump_filter
+/conntrack_dump_filter_tuple
/conntrack_events
/conntrack_filter
/conntrack_flush
diff --git a/utils/Makefile.am b/utils/Makefile.am
index 69bafe6..438ca74 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -9,6 +9,7 @@ check_PROGRAMS = expect_dump expect_create expect_get expect_delete \
conntrack_master conntrack_filter \
conntrack_grp_create \
conntrack_dump_filter \
+ conntrack_dump_filter_tuple \
ctexp_events
conntrack_grp_create_SOURCES = conntrack_grp_create.c
@@ -35,6 +36,9 @@ conntrack_dump_LDADD = ../src/libnetfilter_conntrack.la
conntrack_dump_filter_SOURCES = conntrack_dump_filter.c
conntrack_dump_filter_LDADD = ../src/libnetfilter_conntrack.la
+conntrack_dump_filter_tuple_SOURCES = conntrack_dump_filter_tuple.c
+conntrack_dump_filter_tuple_LDADD = ../src/libnetfilter_conntrack.la
+
conntrack_flush_SOURCES = conntrack_flush.c
conntrack_flush_LDADD = ../src/libnetfilter_conntrack.la
diff --git a/utils/conntrack_dump_filter_tuple.c b/utils/conntrack_dump_filter_tuple.c
new file mode 100644
index 0000000..44633da
--- /dev/null
+++ b/utils/conntrack_dump_filter_tuple.c
@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <arpa/inet.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+static int cb(const struct nlmsghdr *nlh,
+ enum nf_conntrack_msg_type type,
+ struct nf_conntrack *ct,
+ void *data)
+{
+ char buf[1024];
+
+ if (!(nlh->nlmsg_flags & NLM_F_DUMP_FILTERED))
+ {
+ fprintf(stderr, "No filtering in kernel, do filtering in userspace\n");
+ return NFCT_CB_FAILURE;
+ }
+
+ nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, NFCT_OF_SHOW_LAYER3 | NFCT_OF_TIMESTAMP);
+ printf("%s\n", buf);
+
+ return NFCT_CB_CONTINUE;
+}
+
+int main(void)
+{
+ int ret;
+ struct nfct_handle *h;
+
+ h = nfct_open(CONNTRACK, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+ struct nfct_filter_dump *filter_dump = nfct_filter_dump_create();
+ if (filter_dump == NULL) {
+ perror("nfct_filter_dump_alloc");
+ return -1;
+ }
+
+ struct nf_conntrack *ct;
+ ct = nfct_new();
+ if (!ct) {
+ perror("nfct_new");
+ return 0;
+ }
+
+ nfct_set_attr_u8(ct, ATTR_ORIG_L3PROTO, AF_INET);
+ nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
+ nfct_set_attr_u32(ct, ATTR_ORIG_IPV4_DST, inet_addr("203.0.113.55"));
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_TUPLE, ct);
+
+ nfct_callback_register2(h, NFCT_T_ALL, cb, NULL);
+ ret = nfct_query(h, NFCT_Q_DUMP_FILTER, filter_dump);
+
+ nfct_filter_dump_destroy(filter_dump);
+
+ printf("TEST: get conntrack ");
+ if (ret == -1)
+ printf("(%d)(%s)\n", ret, strerror(errno));
+ else
+ printf("(OK)\n");
+
+ nfct_close(h);
+
+ ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
+}