leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cb8aa9a3af
linux/include
History
Romain Bellan cb8aa9a3af netfilter: ctnetlink: add kernel side filtering for dump 
Conntrack dump does not support kernel side filtering (only get exists,
but it returns only one entry. And user has to give a full valid tuple)

It means that userspace has to implement filtering after receiving many
irrelevant entries, consuming resources (conntrack table is sometimes
very huge, much more than a routing table for example).

This patch adds filtering in kernel side. To achieve this goal, we:

 * Add a new CTA_FILTER netlink attributes, actually a flag list to
   parametize filtering
 * Convert some *nlattr_to_tuple() functions, to allow a partial parsing
   of CTA_TUPLE_ORIG and CTA_TUPLE_REPLY (so nf_conntrack_tuple it not
   fully set)

Filtering is now possible on:
 * IP SRC/DST values
 * Ports for TCP and UDP flows
 * IMCP(v6) codes types and IDs

Filtering is done as an "AND" operator. For example, when flags
PROTO_SRC_PORT, PROTO_NUM and IP_SRC are sets, only entries matching all
values are dumped.

Changes since v1:
  Set NLM_F_DUMP_FILTERED in nlm flags if entries are filtered

Changes since v2:
  Move several constants to nf_internals.h
  Move a fix on netlink values check in a separate patch
  Add a check on not-supported flags
  Return EOPNOTSUPP if CDA_FILTER is set in ctnetlink_flush_conntrack
  (not yet implemented)
  Code style issues

Changes since v3:
  Fix compilation warning reported by kbuild test robot

Changes since v4:
  Fix a regression introduced in v3 (returned EINVAL for valid netlink
  messages without CTA_MARK)

Changes since v5:
  Change definition of CTA_FILTER_F_ALL
  Fix a regression when CTA_TUPLE_ZONE is not set

Signed-off-by: Romain Bellan <romain.bellan@wifirst.fr>
Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-05-27 22:20:34 +02:00
..
acpi Additional ACPI updates for 5.7-rc1 2020-04-06 10:35:06 -07:00
asm-generic arch: split MODULE_ARCH_VERMAGIC definitions out to <asm/vermagic.h> 2020-04-23 10:50:26 +09:00
clocksource
crypto crypto: curve25519 - do not pollute dispatcher based on assembler 2020-04-09 00:01:59 +09:00
drm drm: fix trivial field description cut-and-paste error 2020-05-11 10:48:53 -07:00
dt-bindings RISC-V Patches for the 5.7 Merge Window, Part 1 2020-04-09 10:51:30 -07:00
keys
kunit
kvm
linux net: ethtool: Allow PHY cable test TDR data to configured 2020-05-26 23:22:21 -07:00
math-emu
media
misc
net netfilter: ctnetlink: add kernel side filtering for dump 2020-05-27 22:20:34 +02:00
pcmcia
ras
rdma
scsi SCSI misc on 20200402 2020-04-02 17:03:53 -07:00
soc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-06 22:10:13 -07:00
sound ALSA: rawmidi: Fix racy buffer resize under concurrent accesses 2020-05-07 22:29:14 +02:00
target
trace Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-24 13:47:27 -07:00
uapi netfilter: ctnetlink: add kernel side filtering for dump 2020-05-27 22:20:34 +02:00
vdso vdso/datapage: Use correct clock mode name in comment 2020-04-20 19:19:52 +02:00
video
xen xen: Use evtchn_type_t as a type for event channels 2020-04-07 12:12:54 +02:00