On 2021-10-12, at 20:16:37 +0900, Ken-ichirou MATSUZAWA wrote:
> put nf_conntrack in ct output key when 'attach_conntrack' is specified.
>
> Signed-off-by: Ken-ichirou MATSUZAWA <chamas@xxxxxxxxxxxxx>
> ---
> input/packet/Makefile.am | 5 ++-
> input/packet/ulogd_inppkt_NFLOG.c | 68 +++++++++++++++++++++++++++++--
> 2 files changed, 67 insertions(+), 6 deletions(-)
>
> diff --git a/input/packet/Makefile.am b/input/packet/Makefile.am
> index 1c3151d..0f9c316 100644
> --- a/input/packet/Makefile.am
> +++ b/input/packet/Makefile.am
> @@ -1,5 +1,5 @@
>
> -AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS}
> +AM_CPPFLAGS = -I$(top_srcdir)/include ${LIBNETFILTER_LOG_CFLAGS} ${LIBNETFILTER_CONNTRACK_CFLAGS}
> AM_CFLAGS = ${regular_CFLAGS}
>
> pkglib_LTLIBRARIES = ulogd_inppkt_UNIXSOCK.la
> @@ -13,7 +13,8 @@ pkglib_LTLIBRARIES += ulogd_inppkt_NFLOG.la
> endif
>
> ulogd_inppkt_NFLOG_la_SOURCES = ulogd_inppkt_NFLOG.c
> -ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS)
> +ulogd_inppkt_NFLOG_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_LOG_LIBS) \
> + $(LIBNETFILTER_CONNTRACK_LIBS)
>
> ulogd_inppkt_ULOG_la_SOURCES = ulogd_inppkt_ULOG.c
> ulogd_inppkt_ULOG_la_LDFLAGS = -avoid-version -module
> diff --git a/input/packet/ulogd_inppkt_NFLOG.c b/input/packet/ulogd_inppkt_NFLOG.c
> index ea6fb0e..c8b1836 100644
> --- a/input/packet/ulogd_inppkt_NFLOG.c
> +++ b/input/packet/ulogd_inppkt_NFLOG.c
> @@ -12,6 +12,11 @@
> #include <ulogd/ulogd.h>
> #include <libnfnetlink/libnfnetlink.h>
> #include <libnetfilter_log/libnetfilter_log.h>
> +#ifdef BUILD_NFCT
> +#include <libmnl/libmnl.h>
> +#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
> +#endif
> +

I would declare `struct nf_conntrack` here if BUILD_NFCT is not defined:

+#ifdef BUILD_NFCT
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#else
+struct nf_conntrack;
+#endif

Then we can declare `build_ct` as always returning `struct nf_conntrack *`:

+struct nf_conntrack *build_ct(struct nfgenmsg *nfmsg) {
+#ifdef BUILD_NFCT
+ struct nlattr *attr, *ctattr = NULL;
+ struct nf_conntrack *ct = NULL;
+ ...
+ return ct;
+#else
+ return NULL;
+#endif
+}

and `ct` as `struct nf_conntrack *` instead of `void *` below.

> #ifndef NFLOG_GROUP_DEFAULT
> #define NFLOG_GROUP_DEFAULT 0
> @@ -148,6 +153,7 @@ enum nflog_keys {
> NFLOG_KEY_RAW_MAC_SADDR,
> NFLOG_KEY_RAW_MAC_ADDRLEN,
> NFLOG_KEY_RAW,
> + NFLOG_KEY_RAW_CT,
> };
>
> static struct ulogd_key output_keys[] = {
> @@ -319,11 +325,53 @@ static struct ulogd_key output_keys[] = {
> .flags = ULOGD_RETF_NONE,
> .name = "raw",
> },
> + [NFLOG_KEY_RAW_CT] = {
> + .type = ULOGD_RET_RAW,
> + .flags = ULOGD_RETF_NONE,
> + .name = "ct",
> + },
> };
>

You have used spaces, not tabs:

> +#ifdef BUILD_NFCT
> +struct nf_conntrack *build_ct(struct nfgenmsg *nfmsg) {
> + struct nlattr *attr, *ctattr = NULL;
> + struct nf_conntrack *ct = NULL;
> + struct nlmsghdr *nlh
> + = (struct nlmsghdr *)((void *)nfmsg - sizeof(*nlh));
> +
> + mnl_attr_for_each(attr, nlh, sizeof(struct nfgenmsg)) {
> + if (mnl_attr_get_type(attr) == NFULA_CT) {
> + ctattr = attr;
> + break;
> + }
> + }
> + if (ctattr == NULL)
> + return NULL;
> +
> + ct = nfct_new();
> + if (ct == NULL) {
> + ulogd_log(ULOGD_ERROR, "failed to allocate nfct\n");
> + return NULL;
> + }
> + if (nfct_payload_parse(mnl_attr_get_payload(ctattr),
> + mnl_attr_get_payload_len(ctattr),
> + nfmsg->nfgen_family, ct) < 0) {
> + ulogd_log(ULOGD_ERROR, "failed to parse nfct payload\n");
> + nfct_destroy(ct);
> + return NULL;
> + }
> +
> + return ct;
> +}
> +#else
> +void *build_ct(struct nfgenmsg *nfmsg) {
> + return NULL;
> +}
> +#endif
> static inline int
> interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
> - struct nflog_data *ldata)
> + struct nflog_data *ldata, void *ct)
> {
> struct ulogd_key *ret = upi->output.keys;
>
> @@ -404,6 +452,9 @@ interp_packet(struct ulogd_pluginstance *upi, uint8_t pf_family,
>
> okey_set_ptr(&ret[NFLOG_KEY_RAW], ldata);
>

Spaces, not tabs:

> + if (ct != NULL)
> + okey_set_ptr(&ret[NFLOG_KEY_RAW_CT], ct);
> +
> ulogd_propagate_results(upi);
> return 0;
> }
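Review bot: In `build_ct`, the netlink header is recovered with `(void *)nfmsg - sizeof(*nlh)`, which relies on the GNU void-pointer arithmetic extension and on the unstated assumption that `nfmsg` sits directly behind its `nlmsghdr` in the receive buffer; the attribute loop then trusts the `nlmsg_len` read from that location. I would write it as `struct nlmsghdr *nlh = (struct nlmsghdr *)((char *)nfmsg - MNL_NLMSG_HDRLEN);` and put a comment above it such as `/* nfmsg is the nfnetlink payload handed to the callback; step back to the enclosing nlmsghdr */`. The function should also be `static`, since it is defined in a plugin source file and the only caller visible in this patch is `msg_cb` in the same file. Assuming NFULA_CT is a nested attribute, a `mnl_attr_validate(ctattr, MNL_TYPE_NESTED) < 0` check before `nfct_payload_parse` would reject a malformed attribute early.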
> @@ -479,15 +530,24 @@ static int msg_cb(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg,
> struct ulogd_pluginstance *upi = data;
> struct ulogd_pluginstance *npi = NULL;
> int ret = 0;

Spaces, not tabs:

> + void *ct = build_ct(nfmsg);
>
> /* since we support the re-use of one instance in several
> * different stacks, we duplicate the message to let them know */
> llist_for_each_entry(npi, &upi->plist, plist) {
> - ret = interp_packet(npi, nfmsg->nfgen_family, nfa);
> + ret = interp_packet(npi, nfmsg->nfgen_family, nfa, ct);
> if (ret != 0)

Spaces, not tabs:

> - return ret;
> + goto release_ct;
> }

Spaces, not tabs:

> - return interp_packet(upi, nfmsg->nfgen_family, nfa);
> + ret = interp_packet(upi, nfmsg->nfgen_family, nfa, ct);
> +
> +release_ct:
> +#ifdef BUILD_NFCT
> + if (ct != NULL)
> + nfct_destroy(ct);
> +#endif
> +
> + return ret;
> }
>
> static int configure(struct ulogd_pluginstance *upi,
> --
> 2.30.2
>
>
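Review bot: `ct` is destroyed at `release_ct` right after `interp_packet` has published the same pointer under the "ct" output key, so the key is only safe to read while `ulogd_propagate_results()` is running. Whether the key's valid flag is cleared afterwards, and whether any downstream plugin keeps the pointer, is not visible in these hunks. A consumer that holds it past the callback would dereference freed memory, and the one object is also shared by every instance walked in `upi->plist`. I would document the contract where the pointer is freed, e.g. `/* ct is owned by msg_cb and valid only during ulogd_propagate_results(); output plugins must not retain it */`. The body of `msg_cb` starts before this hunk.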