Please, provide an example program for libnetfilter_conntrack. See: commit 27f09380ebb0fc21c4cd20070b828a27430b5de1 Author: Felix Huettner <felix.huettner@mail.schwarz> Date: Tue Dec 5 09:35:16 2023 +0000 conntrack: support flush filtering for instance. thanks On Thu, Jul 11, 2024 at 01:40:02PM +0800, Changliang Wu wrote: > PING > > > Changliang Wu <changliang.wu@xxxxxxxxxx> 于2024年6月20日周四 19:35写道: > > > > From cb8aa9a, we can use kernel side filtering for dump, but > > this capability is not available for flush. > > > > This Patch allows advanced filter with CTA_FILTER for flush > > > > Performace > > 1048576 ct flows in total, delete 50,000 flows by origin src ip > > 3.06s -> dump all, compare and delete > > 584ms -> directly flush with filter > > > > Signed-off-by: Changliang Wu <changliang.wu@xxxxxxxxxx> > > --- > > net/netfilter/nf_conntrack_netlink.c | 9 +++------ > > 1 file changed, 3 insertions(+), 6 deletions(-) > >
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index 3b846cbdc..93afe57d9 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
> > };
> >
> > if (ctnetlink_needs_filter(family, cda)) {
> > - if (cda[CTA_FILTER])
> > - return -EOPNOTSUPP;
> > -
> > filter = ctnetlink_alloc_filter(cda, family);
> > if (IS_ERR(filter))
> > return PTR_ERR(filter);
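Review bot: Removing the `return -EOPNOTSUPP;` for cda[CTA_FILTER] turns a request that was previously rejected outright into a table flush, so the safety of this hunk rests on ctnetlink_alloc_filter() refusing every CTA_FILTER flag that the kill walk cannot actually match on; that function lies outside the hunk, so this should be confirmed rather than assumed. A filter attribute that parses cleanly but is not applied when entries are selected for deletion would silently widen a targeted delete into a full flush. A short comment above the call recording that reliance, e.g. `/* CTA_FILTER is enforced by the flush walk; alloc_filter must reject unsupported flags */`, would help the next reader. The rest of ctnetlink_flush_conntrack lies outside the hunk.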
> > @@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
> > if (err < 0)
> > return err;
> >
> > - if (cda[CTA_TUPLE_ORIG])
> > + if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
> > err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
> > family, &zone);
> > - else if (cda[CTA_TUPLE_REPLY])
> > + else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
> > err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
> > family, &zone);
> > else {
> > - u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
> > + u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
> >
> > return ctnetlink_flush_conntrack(info->net, cda,
> > NETLINK_CB(skb).portid,
> > --
> > 2.43.0
> >
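Review bot: The new `u3` initializer relies on `||` binding tighter than `?:`; the grouping is what the commit intends, but it reads ambiguously, and `u8 u3 = (info->nfmsg->version || cda[CTA_FILTER]) ? family : AF_UNSPEC;` makes it explicit at no cost. The two added `!cda[CTA_FILTER]` guards also mean a message carrying both CTA_TUPLE_ORIG (or CTA_TUPLE_REPLY) and CTA_FILTER is no longer a single-entry delete with the filter ignored but a filtered flush, which is a visible behaviour change for existing callers and deserves a sentence in the commit description. The enclosing ctnetlink_del_conntrack begins before and continues past the hunk.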