authorPablo Neira Ayuso <pablo@netfilter.org>2008-10-21 19:11:42 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-10-21 19:11:42 +0200
commit50162d3c19e38a491d95ec26767438ec25bab0dc (patch)
treeccd81e73eeb254cf6fb9ab00c35be2628fe9bc3a
parent6d6ebd1247076c88ceeb8d9528d62cd38a5e909a (diff)
filter: do not filter in user-space if kernel supports BSF
This patch avoids double filtering in user-space and kernel-space if the kernel supports BSF. Since we do not use BSF for dumps and resyncs, we add a new parameter to ignore_conntrack to indicate whether we have to perform the filtering in user-space or not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/netlink.h2
-rw-r--r--src/netlink.c11
-rw-r--r--src/stats-mode.c2
-rw-r--r--src/sync-mode.c2
4 files changed, 9 insertions, 8 deletions
diff --git a/include/netlink.h b/include/netlink.h
index 6d28ac6..d13d33d 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -6,7 +6,7 @@
struct nf_conntrack;
struct nfct_handle;
-int ignore_conntrack(struct nf_conntrack *ct);
+int ignore_conntrack(struct nf_conntrack *ct, int userspace);
int nl_init_event_handler(void);
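Review bot: The new `userspace` parameter of `ignore_conntrack` is not documented in the header, so a caller cannot tell from the declaration what 0 and 1 mean or which filter is skipped. A short doc comment above the prototype would make the contract explicit, e.g. `/* Returns non-zero if ct must be ignored. userspace: non-zero to also run the user-space filter (dumps and resyncs, which do not go through the kernel BSF); zero when the kernel BSF has already filtered ct. */`. The definition in src/netlink.c only gains a comment about callers, so the header is the natural place for this.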
diff --git a/src/netlink.c b/src/netlink.c
index c0a0805..89a4ebc 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -60,14 +60,14 @@ static int sanity_check(struct nf_conntrack *ct)
return 1;
}
-int ignore_conntrack(struct nf_conntrack *ct)
+/* we do user-space filtering for dump and resyncs */
+int ignore_conntrack(struct nf_conntrack *ct, int userspace)
{
/* missing mandatory attributes in object */
if (!sanity_check(ct))
return 1;
- /* Ignore traffic */
- if (!ct_filter_check(STATE(us_filter), ct)) {
+ if (userspace && !ct_filter_check(STATE(us_filter), ct)) {
debug_ct(ct, "ignore traffic");
return 1;
}
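Review bot: The comment added above `ignore_conntrack` says which callers filter in user-space, not what the `userspace` flag does, and it sits where a reader expects the function contract. I would replace it with `/* userspace != 0: also apply STATE(us_filter); 0 means the kernel BSF is trusted to have filtered ct already (dumps and resyncs always pass 1) */`. It is worth stating in that comment that with `userspace == 0` only `sanity_check` runs and no traffic filter is applied in this function at all, so the skipped branch is only correct if the kernel filter is equivalent to `us_filter`. The body of `ignore_conntrack` continues past the end of the hunk.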
@@ -79,7 +79,8 @@ static int event_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- if (ignore_conntrack(ct))
+ /* skip user-space filtering if already do it in the kernel */
+ if (ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf)))
return NFCT_CB_STOP;
switch(type) {
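Review bot: The bypass of the user-space filter is keyed on `CONFIG(kernel_support_netlink_bsf)`, which reads as a capability flag rather than confirmation that the BSF filter was actually attached to this event handle; if the attach step (not visible in this diff) can fail at runtime, events would reach `event_handler` with neither filter applied, i.e. the path fails open. If there is per-handle state recording that the filter was installed, gating on that would be the safer choice; otherwise the assumption should at least be documented at this call. The added comment also reads awkwardly; I would write `/* skip user-space filtering if it is already done in the kernel */`. The `switch` that follows continues past the hunk.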
@@ -155,7 +156,7 @@ static int dump_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- if (ignore_conntrack(ct))
+ if (ignore_conntrack(ct, 1))
return NFCT_CB_CONTINUE;
switch(type) {
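Review bot: The bare `1` passed to `ignore_conntrack` here, and likewise in `overrun_stats` in src/stats-mode.c and `overrun_sync` in src/sync-mode.c, carries no meaning at the call site, so a reader has to open netlink.c to learn that it means "apply the user-space filter". A short comment on each call, e.g. `if (ignore_conntrack(ct, 1)) /* dumps do not use the kernel BSF */`, or a named constant for the two flag values, would make the intent readable. This is a style point only; the calls match the new prototype. `dump_handler` continues past the hunk.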
diff --git a/src/stats-mode.c b/src/stats-mode.c
index 1650d5d..763afe0 100644
--- a/src/stats-mode.c
+++ b/src/stats-mode.c
@@ -104,7 +104,7 @@ static int overrun_stats(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- if (ignore_conntrack(ct))
+ if (ignore_conntrack(ct, 1))
return NFCT_CB_CONTINUE;
/* This is required by kernels < 2.6.20 */
diff --git a/src/sync-mode.c b/src/sync-mode.c
index db199bc..4c22745 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -432,7 +432,7 @@ static int overrun_sync(enum nf_conntrack_msg_type type,
{
struct us_conntrack *u;
- if (ignore_conntrack(ct))
+ if (ignore_conntrack(ct, 1))
return NFCT_CB_CONTINUE;
/* This is required by kernels < 2.6.20 */