Hi Romain,

On Thu, Dec 19, 2019 at 11:36:38AM +0100, Romain Bellan wrote:
> Conntrack dump does not support kernel side filtering (only get exists,
> but it returns only one entry, and the user has to give a full valid tuple).
>
> It means that userspace has to implement filtering after receiving many
> irrelevant entries, consuming resources (the conntrack table is sometimes
> very huge, much more than a routing table for example).
>
> This patch adds filtering on the kernel side. To achieve this goal, we:
>
> * Add a new CTA_FILTER netlink attribute, actually a flag list to
>   parameterize filtering
> * Convert some *nlattr_to_tuple() functions, to allow a partial parsing
>   of CTA_TUPLE_ORIG and CTA_TUPLE_REPLY (so nf_conntrack_tuple is not
>   fully set)
>
> Filtering is now possible on:
> * IP SRC/DST values
> * Ports for TCP and UDP flows
> * ICMP(v6) codes, types and IDs
>
> Filtering is done as an "AND" operator. For example, when flags
> PROTO_SRC_PORT, PROTO_NUM and IP_SRC are set, only entries matching all
> values are dumped.

Thanks for submitting this. I did not yet have a look at this in detail,
will do asap.

However, I would like to know if you would plan to submit userspace
patches for libnetfilter_conntrack for this. Main problem here is backward
compatibility (old conntrack tool and new kernel).
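Added example, not Romain's patch and not libnetfilter_conntrack code: it encodes a partial CTA_TUPLE_ORIG with the real ctnetlink attribute numbers, parses it back the way a partial *nlattr_to_tuple() would (absent fields stay unset), and applies the "AND" match from the description to a constructed table. The layout of the CTA_FILTER flag attribute is not given in the mail, so here the presence of a field stands in for its flag.

```python
import struct
# Constructed demo; attribute numbers are from linux/netfilter/nfnetlink_conntrack.h.
CTA_TUPLE_ORIG, CTA_TUPLE_IP, CTA_TUPLE_PROTO = 1, 1, 2
CTA_IP_V4_SRC, CTA_PROTO_NUM, CTA_PROTO_SRC_PORT = 1, 1, 2
NLA_F_NESTED, NLA_HDRLEN = 0x8000, 4

def nla(attr_type, payload):
    """One netlink attribute: u16 length (incl. header), u16 type, payload padded to 4."""
    length = NLA_HDRLEN + len(payload)
    return struct.pack("HH", length, attr_type) + payload + b"\0" * (-length % 4)

def encode_partial_tuple(src_ip=None, proto=None, sport=None):
    """CTA_TUPLE_ORIG carrying only the given fields (None = not part of the filter)."""
    ip = nla(CTA_IP_V4_SRC, bytes(map(int, src_ip.split(".")))) if src_ip else b""
    proto_attrs = (nla(CTA_PROTO_NUM, bytes([proto])) if proto is not None else b"") \
        + (nla(CTA_PROTO_SRC_PORT, struct.pack("!H", sport)) if sport is not None else b"")
    nested = (nla(CTA_TUPLE_IP | NLA_F_NESTED, ip) if ip else b"") \
        + (nla(CTA_TUPLE_PROTO | NLA_F_NESTED, proto_attrs) if proto_attrs else b"")
    return nla(CTA_TUPLE_ORIG | NLA_F_NESTED, nested)

def parse_attrs(buf):
    """Split a run of attributes into {type: payload}; NLA_F_NESTED is masked off."""
    out, off = {}, 0
    while off + NLA_HDRLEN <= len(buf):
        length, attr_type = struct.unpack_from("HH", buf, off)
        out[attr_type & 0x3FFF] = buf[off + NLA_HDRLEN:off + length]
        off += (length + 3) & ~3
    return out

def parse_partial_tuple(buf):
    """Like the patch's partial *nlattr_to_tuple(): absent attributes simply stay unset."""
    top = parse_attrs(parse_attrs(buf)[CTA_TUPLE_ORIG])
    ip = parse_attrs(top.get(CTA_TUPLE_IP, b""))
    proto = parse_attrs(top.get(CTA_TUPLE_PROTO, b""))
    fields = {
        "src_ip": (ip, CTA_IP_V4_SRC, lambda b: ".".join(map(str, b))),
        "proto": (proto, CTA_PROTO_NUM, lambda b: b[0]),
        "sport": (proto, CTA_PROTO_SRC_PORT, lambda b: struct.unpack("!H", b)[0]),
    }
    return {k: fn(a[t]) for k, (a, t, fn) in fields.items() if t in a}

CONNTRACK_TABLE = [  # constructed stand-in for the kernel table, original direction only
    {"src_ip": "10.0.0.5", "proto": 6, "sport": 443},
    {"src_ip": "10.0.0.5", "proto": 17, "sport": 53},
    {"src_ip": "192.0.2.9", "proto": 6, "sport": 443},
]

def dump_filtered(table, filter_attr):
    """Kernel-side semantics the patch describes: every set field must match (AND)."""
    flt = parse_partial_tuple(filter_attr)
    return [e for e in table if all(e[k] == v for k, v in flt.items())]
```

An empty filter (no fields set) degrades to today's unfiltered dump, which is the backward-compatible behaviour an old conntrack tool would get.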