On Mon, May 04, 2020 at 09:34:29PM +0200, Romain Bellan wrote:
> Conntrack dump does not support kernel-side filtering (only get exists,
> but it returns only one entry, and the user has to give a full valid tuple).
>
> It means that userspace has to implement filtering after receiving many
> irrelevant entries, consuming resources (the conntrack table is sometimes
> very huge, much more than a routing table for example).
>
> This patch adds filtering on the kernel side. To achieve this goal, we:
>
> * Add a new CTA_FILTER netlink attribute, actually a flag list to
>   parametrize filtering
> * Convert some *nlattr_to_tuple() functions to allow a partial parsing
>   of CTA_TUPLE_ORIG and CTA_TUPLE_REPLY (so nf_conntrack_tuple is not
>   fully set)
>
> Filtering is now possible on:
> * IP SRC/DST values
> * Ports for TCP and UDP flows
> * ICMP(v6) codes, types and IDs
>
> Filtering is done as an "AND" operator. For example, when flags
> PROTO_SRC_PORT, PROTO_NUM and IP_SRC are set, only entries matching all
> values are dumped.
>
> Changes since v1:
> Set NLM_F_DUMP_FILTERED in nlm flags if entries are filtered
>
> Changes since v2:
> Move several constants to nf_internals.h
> Move a fix on netlink values check in a separate patch
> Add a check on not-supported flags
> Return EOPNOTSUPP if CDA_FILTER is set in ctnetlink_flush_conntrack
> (not yet implemented)
> Code style issues
>
> Changes since v3:
> Fix compilation warning reported by kbuild test robot
>
> Changes since v4:
> Fix a regression introduced in v3 (returned EINVAL for valid netlink
> messages without CTA_MARK)
>
> Changes since v5:
> Change definition of CTA_FILTER_F_ALL
> Fix a regression when CTA_TUPLE_ZONE is not set

Applied, thanks for your patience.
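The following is a userspace model of the dump-filter semantics the cover letter describes, added here as an illustration; it is not code from the patch, from Romain Bellan, or from the kernel. The flag names follow the cover letter (IP_SRC, IP_DST, PROTO_NUM, PROTO_SRC_PORT, PROTO_DST_PORT, ICMP type/code/id), but their bit positions, the `struct tuple`/`struct ct_filter` layouts, the sample table and every helper name (`ct_filter_validate`, `ct_filter_match`, `ct_dump`, `run_filter`) are assumptions for this example. It shows the three behaviours the changelog calls out: a partially populated tuple whose significant fields are named by flags, "AND" matching over every set flag, `NLM_F_DUMP_FILTERED` reported only when a filter was applied, and `-EOPNOTSUPP` for flags the filter does not support.

```c
/* Model of CTA_FILTER "AND" filtering over a partial tuple (example only;
 * bit values, struct layouts and helper names are assumptions). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define F_IP_SRC          (1u << 0)
#define F_IP_DST          (1u << 1)
#define F_PROTO_NUM       (1u << 2)
#define F_PROTO_SRC_PORT  (1u << 3)
#define F_PROTO_DST_PORT  (1u << 4)
#define F_ICMP_TYPE       (1u << 5)
#define F_ICMP_CODE       (1u << 6)
#define F_ICMP_ID         (1u << 7)
#define F_SUPPORTED       ((1u << 8) - 1)   /* anything else is rejected */

#ifndef NLM_F_DUMP_FILTERED
#define NLM_F_DUMP_FILTERED 0x20            /* same value as linux/netlink.h */
#endif

#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* One direction of a conntrack entry. Inside a filter only the fields named
 * by the flags are meaningful, mirroring the partial CTA_TUPLE_ORIG parsing. */
struct tuple {
    uint32_t saddr, daddr;           /* IPv4, host byte order */
    uint8_t  protonum;
    uint16_t sport, dport;           /* TCP/UDP only */
    uint8_t  icmp_type, icmp_code;   /* ICMP only */
    uint16_t icmp_id;
};

struct ct_filter {
    uint32_t     flags;   /* which fields of t must match */
    struct tuple t;
};

/* Constructed sample table (not real data): what a dump would walk. */
static const struct tuple sample_table[] = {
    { IP4(10,0,0,1), IP4(10,0,0,2), PROTO_TCP,  443, 50000, 0, 0, 0 },
    { IP4(10,0,0,1), IP4(10,0,0,3), PROTO_UDP,  443,    53, 0, 0, 0 },
    { IP4(10,0,0,9), IP4(10,0,0,2), PROTO_TCP,  443, 50001, 0, 0, 0 },
    { IP4(10,0,0,1), IP4(10,0,0,4), PROTO_TCP,  443, 50002, 0, 0, 0 },
    { IP4(10,0,0,1), IP4(10,0,0,5), PROTO_ICMP,   0,     0, 8, 0, 0x1234 },
};
#define SAMPLE_N (sizeof(sample_table) / sizeof(sample_table[0]))

/* Reject flags this model does not implement (the "not-supported flags" check). */
int ct_filter_validate(const struct ct_filter *f)
{
    return (f->flags & ~F_SUPPORTED) ? -EOPNOTSUPP : 0;
}

/* AND semantics: every flagged field must equal the entry's field. A port or
 * ICMP filter cannot match an entry whose protocol has no such field. */
int ct_filter_match(const struct ct_filter *f, const struct tuple *e)
{
    const struct tuple *w = &f->t;
    uint32_t fl = f->flags;

    if ((fl & F_IP_SRC) && e->saddr != w->saddr)          return 0;
    if ((fl & F_IP_DST) && e->daddr != w->daddr)          return 0;
    if ((fl & F_PROTO_NUM) && e->protonum != w->protonum) return 0;
    if (fl & (F_PROTO_SRC_PORT | F_PROTO_DST_PORT)) {
        if (e->protonum != PROTO_TCP && e->protonum != PROTO_UDP) return 0;
        if ((fl & F_PROTO_SRC_PORT) && e->sport != w->sport)      return 0;
        if ((fl & F_PROTO_DST_PORT) && e->dport != w->dport)      return 0;
    }
    if (fl & (F_ICMP_TYPE | F_ICMP_CODE | F_ICMP_ID)) {
        if (e->protonum != PROTO_ICMP)                          return 0;
        if ((fl & F_ICMP_TYPE) && e->icmp_type != w->icmp_type) return 0;
        if ((fl & F_ICMP_CODE) && e->icmp_code != w->icmp_code) return 0;
        if ((fl & F_ICMP_ID) && e->icmp_id != w->icmp_id)       return 0;
    }
    return 1;
}

/* Walk the table like a dump handler: returns how many entries would be sent,
 * or -errno. NLM_F_DUMP_FILTERED is reported only when a filter was applied. */
int ct_dump(const struct ct_filter *f, const struct tuple *tbl, size_t n,
            uint16_t *nlm_flags)
{
    int err = ct_filter_validate(f);
    size_t i, sent = 0;

    if (err)
        return err;
    *nlm_flags = f->flags ? NLM_F_DUMP_FILTERED : 0;
    for (i = 0; i < n; i++)
        if (ct_filter_match(f, &tbl[i]))
            sent++;
    return (int)sent;
}

uint16_t g_last_nlm_flags;   /* nlm flags of the most recent run_filter() */

int run_filter(uint32_t flags, struct tuple want)
{
    struct ct_filter f = { flags, want };
    return ct_dump(&f, sample_table, SAMPLE_N, &g_last_nlm_flags);
}

int main(void)
{
    struct tuple want = { .saddr = IP4(10,0,0,1), .protonum = PROTO_TCP, .sport = 443 };
    int n = run_filter(F_IP_SRC | F_PROTO_NUM | F_PROTO_SRC_PORT, want);
    printf("src 10.0.0.1 + tcp + sport 443: %d of %zu entries, filtered=%d\n",
           n, (size_t)SAMPLE_N, g_last_nlm_flags == NLM_F_DUMP_FILTERED);
    n = run_filter(0, (struct tuple){0});
    printf("no filter: %d entries, filtered=%d\n", n, g_last_nlm_flags != 0);
    printf("unsupported flag: %d (-EOPNOTSUPP)\n", run_filter(1u << 31, (struct tuple){0}));
    return 0;
}
```

The point of the model is the contract a userspace consumer can rely on: unset fields in the partial tuple are ignored rather than compared against zero, every set flag narrows the result, and a dump that returned `NLM_F_DUMP_FILTERED` is one the kernel already trimmed, so the receiver need not re-filter. The real attribute encoding (which flag bit maps to which CTA_* field, and how the flags nest under CTA_FILTER) is not shown here and should be taken from the kernel headers of the version in use.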