Re: [RFC PATCH libnetfilter_conntrack] add userspace dump filter

 Thank you for your understandable explanation. 
 
2014-06-18 17:59 GMT+09:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> On Tue, Jun 17, 2014 at 09:37:18PM +0900, Ken-ichirou MATSUZAWA wrote:
> Please, if you work on this, first send us a patch to generalize the
> filtering "framework" for ctnetlink dumps and then add the filtering
> by zone.
 
How about using sk_filter? I understand it's not as efficient as the way
you told me, but BPF seems more versatile and can work on a socket that
is both dumping and listening for events.
 
# I think your nfct-daemon.c example in libmnl
 
Also, I know this changes the dump behavior; I need to include an indication
in an nla or somewhere which distinguishes it from a normal dump, but that's not
included.
 
--------

This patch enables dump filtering by BPF. It is not efficient, since every
nf_conn needs to be translated into an skb, but it can be used on both the
event and dump sockets.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@xxxxxxxxxxxxx>
---
 net/netfilter/nf_conntrack_netlink.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index f77024d..189f19d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -831,10 +831,26 @@ restart:
 					    cb->nlh->nlmsg_seq,
 					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
 					    ct);
-			rcu_read_unlock();
-			if (res < 0) {
+			if (res >= 0) {
+				struct sk_filter *skfilter
+					= rcu_dereference(skb->sk->sk_filter);
+				int ret = 0;
+
+				if (skfilter != NULL) {
+					skb_pull(skb, cb->args[2]);
+					ret = SK_RUN_FILTER(skfilter, skb);
+					skb_push(skb, cb->args[2]);
+					if (ret)
+						cb->args[2] = res;
+					else
+						skb_trim(skb, cb->args[2]);
+				}
+				rcu_read_unlock();
+			} else {
+				rcu_read_unlock();
 				nf_conntrack_get(&ct->ct_general);
 				cb->args[1] = (unsigned long)ct;
+				cb->args[2] = 0;
 				spin_unlock(lockp);
 				goto out;
 			}
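Review bot: `skb->sk` is dereferenced unconditionally in the new `res >= 0` branch (`rcu_dereference(skb->sk->sk_filter)`); worth confirming that the dump skb always has its owner socket set by the time `ctnetlink_dump_table` runs, or adding a NULL check on `skb->sk` before it. On the same hunk, the meaning of `cb->args[2]` is undocumented: the `skb_pull`/`skb_push` pair exposes only the message just appended to the filter, which only works if `ctnetlink_fill_info` returns the new `skb->len` on success (otherwise `cb->args[2] = res;` stores a status code, not an offset), so a one-line comment at that assignment stating that `args[2]` is the start offset of the current message would spare the next reader a trip into the callee. Finally, a rejected entry is dropped silently via `skb_trim`, and as the cover note says, nothing tells userspace the dump was filtered, so the result is indistinguishable from a dump that simply has fewer entries; that limitation belongs in the commit log until the distinguishing attribute is added.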
-- 
1.7.10.4
