On Sun, Mar 29, 2020 at 05:08:21PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Mar 27, 2020 at 09:26:31AM +0100, Romain Bellan wrote:
> > Conntrack dump does not support kernel-side filtering (only get exists,
> > but it returns only one entry, and the user has to give a full valid tuple).
> >
> > It means that userspace has to implement filtering after receiving many
> > irrelevant entries, consuming resources (the conntrack table is sometimes
> > very huge, much more than a routing table for example).
> >
> > This patch adds filtering on the kernel side. To achieve this goal, we:
> >
> > * Add a new CTA_FILTER netlink attribute, actually a flag list to
> >   parametrize filtering
> > * Convert some *nlattr_to_tuple() functions, to allow a partial parsing
> >   of CTA_TUPLE_ORIG and CTA_TUPLE_REPLY (so nf_conntrack_tuple is not
> >   fully set)
> >
> > Filtering is now possible on:
> > * IP SRC/DST values
> > * Ports for TCP and UDP flows
> > * ICMP(v6) codes, types and IDs
> >
> > Filtering is done as an "AND" operator. For example, when flags
> > PROTO_SRC_PORT, PROTO_NUM and IP_SRC are set, only entries matching all
> > values are dumped.
>
> Applied, thanks.

I'm sorry, I have to keep back this patch.

# conntrack -L

breaks after this patch, and conntrack-tools/test/conntrack.c shows several:

conntrack v1.4.5 (conntrack-tools): Operation failed: invalid parameters

I tried to fix it here but I would need a bit more time, I think this is on the right track. However, the new flags logic makes ctnetlink hit EINVAL in a number of cases.

Please, revamp and send v5.

Thanks.
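The "AND" filter semantics described in the quoted commit message, and the EINVAL failure the maintainer reports, modelled in plain C as an added example. This is not the kernel patch's code nor anything from conntrack-tools: the flag names (F_IP_SRC, F_PROTO_NUM, ...), the reduced IPv4-only tuple, the ct_filter_build / ct_filter_match / ct_dump functions and the sample table are all this example's own constructions. It shows how a partially parsed tuple plus a flag list selects entries, how an empty flag list must still dump everything (the plain `conntrack -L` case), and how a flag that names an attribute the request did not carry is rejected rather than matched on garbage.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Filter flags. Modelled on the idea of a CTA_FILTER flag list; these names
 * are this example's own, not kernel UAPI identifiers. */
enum ct_filter_flag {
    F_IP_SRC         = 1u << 0,
    F_IP_DST         = 1u << 1,
    F_PROTO_NUM      = 1u << 2,
    F_PROTO_SRC_PORT = 1u << 3,
    F_PROTO_DST_PORT = 1u << 4,
};

/* Stripped-down stand-in for nf_conntrack_tuple (IPv4 only, host order). */
struct tuple {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint8_t  proto;     /* 6 = TCP, 17 = UDP */
    uint16_t src_port;
    uint16_t dst_port;
};

/* Partially filled tuple: only fields whose flag is set are meaningful. */
struct ct_filter {
    uint32_t     flags;
    struct tuple t;
};

/* Build a filter from a request. attrs_present is the bitmask of tuple
 * attributes the request actually carried (what a real parser would learn
 * from the nested CTA_TUPLE_* attributes); flags is the requested filter.
 * A flag naming an attribute that is absent is rejected with -EINVAL, the
 * error class mentioned in the reply above. */
int ct_filter_build(struct ct_filter *f, uint32_t flags,
                    uint32_t attrs_present, const struct tuple *t)
{
    const uint32_t port_flags = F_PROTO_SRC_PORT | F_PROTO_DST_PORT;

    if (flags & ~attrs_present)
        return -EINVAL;                    /* flag set, attribute missing */
    /* Port matching is only defined once a TCP/UDP protocol is stated. */
    if ((flags & port_flags) &&
        (!(flags & F_PROTO_NUM) || (t->proto != 6 && t->proto != 17)))
        return -EINVAL;

    f->flags = flags;
    f->t = *t;
    return 0;
}

/* AND semantics: every flagged field must match, unflagged fields are
 * ignored, so flags == 0 matches every entry. */
bool ct_filter_match(const struct ct_filter *f, const struct tuple *e)
{
    if ((f->flags & F_IP_SRC) && f->t.src_ip != e->src_ip)
        return false;
    if ((f->flags & F_IP_DST) && f->t.dst_ip != e->dst_ip)
        return false;
    if ((f->flags & F_PROTO_NUM) && f->t.proto != e->proto)
        return false;
    if ((f->flags & F_PROTO_SRC_PORT) && f->t.src_port != e->src_port)
        return false;
    if ((f->flags & F_PROTO_DST_PORT) && f->t.dst_port != e->dst_port)
        return false;
    return true;
}

/* Dump: count, and optionally collect, the entries that pass the filter. */
size_t ct_dump(const struct ct_filter *f, const struct tuple *table, size_t n,
               struct tuple *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (ct_filter_match(f, &table[i])) {
            if (out)
                out[kept] = table[i];
            kept++;
        }
    }
    return kept;
}

/* Constructed sample table, not real conntrack data. */
const struct tuple sample_table[] = {
    { 0x0A000005, 0x5DB8D822, 6,  40000, 443 }, /* 10.0.0.5 -> 93.184.216.34 tcp */
    { 0x0A000005, 0x5DB8D822, 6,  40001, 443 }, /* same peer, other source port */
    { 0x0A000005, 0x01010101, 17, 40000, 53  }, /* 10.0.0.5 -> 1.1.1.1 udp */
    { 0x0A000009, 0x5DB8D822, 6,  40000, 443 }, /* 10.0.0.9 -> 93.184.216.34 tcp */
};

size_t sample_count(void)
{
    return sizeof sample_table / sizeof sample_table[0];
}

int main(void)
{
    struct ct_filter f;
    struct tuple want = { .src_ip = 0x0A000005, .proto = 6, .src_port = 40000 };
    uint32_t flags = F_IP_SRC | F_PROTO_NUM | F_PROTO_SRC_PORT;

    if (ct_filter_build(&f, flags, flags, &want) == 0)
        printf("src+proto+sport: %zu entries\n",
               ct_dump(&f, sample_table, sample_count(), NULL));
    if (ct_filter_build(&f, 0, 0, &want) == 0)
        printf("no filter: %zu entries\n",
               ct_dump(&f, sample_table, sample_count(), NULL));
    /* Port flag requested but no port attribute carried in the request. */
    int rc = ct_filter_build(&f, flags, F_IP_SRC | F_PROTO_NUM, &want);
    printf("missing attribute: rc=%d (%s)\n", rc, rc == -EINVAL ? "EINVAL" : "ok");
    return 0;
}
```

The two rejection checks in ct_filter_build are the ones worth getting right in a real implementation: a flag without its attribute, and a port flag without a port-carrying protocol. Whichever way they are decided, the empty request (no flags, no tuple) must take the unfiltered path, otherwise every plain dump fails with "invalid parameters" exactly as the reply above describes.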