mirror of
https://github.com/torvalds/linux
synced 2024-07-21 10:41:44 +00:00
cb8aa9a3af
Conntrack dump does not support kernel side filtering (only get exists, but it returns only one entry. And user has to give a full valid tuple) It means that userspace has to implement filtering after receiving many irrelevant entries, consuming resources (conntrack table is sometimes very huge, much more than a routing table for example). This patch adds filtering in kernel side. To achieve this goal, we: * Add a new CTA_FILTER netlink attributes, actually a flag list to parametize filtering * Convert some *nlattr_to_tuple() functions, to allow a partial parsing of CTA_TUPLE_ORIG and CTA_TUPLE_REPLY (so nf_conntrack_tuple it not fully set) Filtering is now possible on: * IP SRC/DST values * Ports for TCP and UDP flows * IMCP(v6) codes types and IDs Filtering is done as an "AND" operator. For example, when flags PROTO_SRC_PORT, PROTO_NUM and IP_SRC are sets, only entries matching all values are dumped. Changes since v1: Set NLM_F_DUMP_FILTERED in nlm flags if entries are filtered Changes since v2: Move several constants to nf_internals.h Move a fix on netlink values check in a separate patch Add a check on not-supported flags Return EOPNOTSUPP if CDA_FILTER is set in ctnetlink_flush_conntrack (not yet implemented) Code style issues Changes since v3: Fix compilation warning reported by kbuild test robot Changes since v4: Fix a regression introduced in v3 (returned EINVAL for valid netlink messages without CTA_MARK) Changes since v5: Change definition of CTA_FILTER_F_ALL Fix a regression when CTA_TUPLE_ZONE is not set Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr> Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
38 lines
1.3 KiB
C
38 lines
1.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _NF_INTERNALS_H
|
|
#define _NF_INTERNALS_H
|
|
|
|
#include <linux/list.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/netdevice.h>
|
|
|
|
/* nf_conntrack_netlink.c: applied on tuple filters */
|
|
#define CTA_FILTER_F_CTA_IP_SRC (1 << 0)
|
|
#define CTA_FILTER_F_CTA_IP_DST (1 << 1)
|
|
#define CTA_FILTER_F_CTA_TUPLE_ZONE (1 << 2)
|
|
#define CTA_FILTER_F_CTA_PROTO_NUM (1 << 3)
|
|
#define CTA_FILTER_F_CTA_PROTO_SRC_PORT (1 << 4)
|
|
#define CTA_FILTER_F_CTA_PROTO_DST_PORT (1 << 5)
|
|
#define CTA_FILTER_F_CTA_PROTO_ICMP_TYPE (1 << 6)
|
|
#define CTA_FILTER_F_CTA_PROTO_ICMP_CODE (1 << 7)
|
|
#define CTA_FILTER_F_CTA_PROTO_ICMP_ID (1 << 8)
|
|
#define CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE (1 << 9)
|
|
#define CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE (1 << 10)
|
|
#define CTA_FILTER_F_CTA_PROTO_ICMPV6_ID (1 << 11)
|
|
#define CTA_FILTER_F_MAX (1 << 12)
|
|
#define CTA_FILTER_F_ALL (CTA_FILTER_F_MAX-1)
|
|
#define CTA_FILTER_FLAG(ctattr) CTA_FILTER_F_ ## ctattr
|
|
|
|
/* nf_queue.c */
|
|
void nf_queue_nf_hook_drop(struct net *net);
|
|
|
|
/* nf_log.c */
|
|
int __init netfilter_log_init(void);
|
|
|
|
/* core.c */
|
|
void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
|
|
const struct nf_hook_ops *reg);
|
|
int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp,
|
|
const struct nf_hook_ops *reg);
|
|
#endif
|