Dear Pablo,
> I think you already mentioned this, but it should be possible to extend the conntrack utility to support kernel-side filtering seamlessly. The idea is to keep the userspace filtering as a fallback, regardless of whether the kernel supports CTA_FILTER or not.
We agree, and we are currently working on a transparent implementation for another netlink userspace library (pyroute2).
About our patches on libnetfilter_conntrack, the first step is probably a small refresh, since the kernel part changed a little bit. And we saw a first issue: the definitions of CTA_FILTER_* are now in nf_internals.h in the kernel, so synchronizing linux_nfnetlink_conntrack.h will not be enough to export the FILTER_FLAGS values. What do you think is the best way to synchronize the flag values between userspace and the kernel?
After this refresh, we can extend the code of the submitted example for full support.
> I'm missing one feature in CTA_FILTER, that is the netmask filtering for IP addresses. It would also be good to make this fit into libnetfilter_conntrack.
Yes, but it needs some extensions in the kernel first. It's in our planning, but not done yet.
> Probably rename NFCT_FILTER_DUMP_TUPLE to NFCT_FILTER_DUMP, which would provide the most generic version to request kernel-side filtering.
OK, we will do that. Thanks for the follow-up,
--
Florent.