diff options
author | Felix Huettner <felix.huettner@mail.schwarz> | 2023-12-05 09:35:16 +0000 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-01-24 22:22:10 +0100 |
commit | 27f09380ebb0fc21c4cd20070b828a27430b5de1 (patch) | |
tree | 360d6ce202ac56056c7df17526a7145d09049c98 /utils | |
parent | 647de658b44b4942efe03bd8c1f89f2bd0a5f0e8 (diff) |
conntrack: support flush filtering
flushing already supports filtering on the kernel side for value like
mark, l3num or zone. This patch extends the userspace code to also
support this.
To reduce code duplication the `nfct_filter_dump` struct and associated
logic is reused. Note that filtering by tuple is not supported, since
`CTA_FILTER` is not yet supported on the kernel side for flushing.
Trying to use it returns ENOTSUP.
Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'utils')
-rw-r--r-- | utils/.gitignore | 1 | ||||
-rw-r--r-- | utils/Makefile.am | 4 | ||||
-rw-r--r-- | utils/conntrack_flush_filter.c | 60 |
3 files changed, 65 insertions, 0 deletions
diff --git a/utils/.gitignore b/utils/.gitignore index 0de05c0..c63fd8b 100644 --- a/utils/.gitignore +++ b/utils/.gitignore @@ -7,6 +7,7 @@ /conntrack_events /conntrack_filter /conntrack_flush +/conntrack_flush_filter /conntrack_get /conntrack_grp_create /conntrack_master diff --git a/utils/Makefile.am b/utils/Makefile.am index 438ca74..7e7aef4 100644 --- a/utils/Makefile.am +++ b/utils/Makefile.am @@ -10,6 +10,7 @@ check_PROGRAMS = expect_dump expect_create expect_get expect_delete \ conntrack_grp_create \ conntrack_dump_filter \ conntrack_dump_filter_tuple \ + conntrack_flush_filter \ ctexp_events conntrack_grp_create_SOURCES = conntrack_grp_create.c @@ -42,6 +43,9 @@ conntrack_dump_filter_tuple_LDADD = ../src/libnetfilter_conntrack.la conntrack_flush_SOURCES = conntrack_flush.c conntrack_flush_LDADD = ../src/libnetfilter_conntrack.la +conntrack_flush_filter_SOURCES = conntrack_flush_filter.c +conntrack_flush_filter_LDADD = ../src/libnetfilter_conntrack.la + conntrack_events_SOURCES = conntrack_events.c conntrack_events_LDADD = ../src/libnetfilter_conntrack.la diff --git a/utils/conntrack_flush_filter.c b/utils/conntrack_flush_filter.c new file mode 100644 index 0000000..6e8d93b --- /dev/null +++ b/utils/conntrack_flush_filter.c @@ -0,0 +1,60 @@ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> + +#include <libnetfilter_conntrack/libnetfilter_conntrack.h> + +static int cb(enum nf_conntrack_msg_type type, + struct nf_conntrack *ct, + void *data) +{ + char buf[1024]; + + nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, NFCT_OF_SHOW_LAYER3 | NFCT_OF_TIMESTAMP); + printf("%s\n", buf); + + return NFCT_CB_CONTINUE; +} + +int main(void) +{ + int ret; + struct nfct_handle *h; + + h = nfct_open(CONNTRACK, 0); + if (!h) { + perror("nfct_open"); + return -1; + } + struct nfct_filter_dump *filter_dump = nfct_filter_dump_create(); + if (filter_dump == NULL) { + perror("nfct_filter_dump_alloc"); + return -1; + } + struct nfct_filter_dump_mark filter_dump_mark = { + .val = 1, + .mask = 0xffffffff, + }; + nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK, + &filter_dump_mark); + nfct_filter_dump_set_attr_u8(filter_dump, NFCT_FILTER_DUMP_L3NUM, + AF_INET); + nfct_filter_dump_set_attr_u16(filter_dump, NFCT_FILTER_DUMP_ZONE, + 123); + + nfct_callback_register(h, NFCT_T_ALL, cb, NULL); + ret = nfct_query(h, NFCT_Q_FLUSH_FILTER, filter_dump); + + nfct_filter_dump_destroy(filter_dump); + + printf("TEST: get conntrack "); + if (ret == -1) + printf("(%d)(%s)\n", ret, strerror(errno)); + else + printf("(OK)\n"); + + nfct_close(h); + + ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); +} |