Hi Florent, Romain,

On Mon, Mar 30, 2020 at 10:46:37PM +0200, Romain Bellan wrote:
> Conntrack dump does not support kernel side filtering (only get exists,
> but it returns only one entry, and the user has to give a full valid tuple).
>
> It means that userspace has to implement filtering after receiving many
> irrelevant entries, consuming resources (the conntrack table is sometimes
> very huge, much larger than a routing table for example).
>
> This patch adds filtering on the kernel side. To achieve this goal, we:
>
> * Add a new CTA_FILTER netlink attribute, actually a flag list to
>   parametrize filtering
> * Convert some *nlattr_to_tuple() functions, to allow a partial parsing
>   of CTA_TUPLE_ORIG and CTA_TUPLE_REPLY (so nf_conntrack_tuple is not
>   fully set)

Still some issues here running conntrack-tools/tests/conntrack/test-conntrack.c
with your patch v5 on top of nf-next; it reports:

OK: 84 BAD: 38

It should say:

OK: 122 BAD: 0

This test needs to be compiled via:

gcc -lnetfilter_conntrack test-conntrack.c -o test

I'm attaching the log for the run of your patch v5. Have a look at the
"BAD" pattern, which tells what conntrack command stopped working.

Thanks for working on this.