summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2012-02-14 03:17:56 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2012-02-14 03:22:21 +0100
commitaa925010951e79a860d0c1e4365f72d68eedf02d (patch)
tree039bcbf4551ce9068b641a3dfb8c7caf7db7d896
parent167eb3e2028561ab2cc0f2b7b6ff9d24c56514f6 (diff)
downloadconntrack-tools-aa925010951e79a860d0c1e4365f72d68eedf02d.tar.gz
conntrack-tools-aa925010951e79a860d0c1e4365f72d68eedf02d.zip
conntrack: allow to filter by mark from kernel-space
This patch uses the new infrastructure that allows us to filter by mark from kernel-space. This change ensures backward compatibility with kernels with no support for filtering by mark (Linux kernel <= 3.4.x). This requires lastest libnetfilter_conntrack library. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/conntrack.c41
1 files changed, 37 insertions, 4 deletions
diff --git a/src/conntrack.c b/src/conntrack.c
index 31beba5..b065211 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1,5 +1,6 @@
/*
- * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2012 by Intra2net AG <http://www.intra2net.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -72,6 +73,9 @@ static struct {
/* Allows filtering/setting specific bits in the ctmark */
struct u32_mask mark;
+
+ /* Allow to filter by mark from kernel-space. */
+ struct nfct_filter_dump_mark filter_mark_kernel;
} tmpl;
static int alloc_tmpl_objects(void)
@@ -1632,6 +1636,8 @@ int main(int argc, char *argv[])
case 'm':
options |= opt2type[c];
parse_u32_mask(optarg, &tmpl.mark);
+ tmpl.filter_mark_kernel.val = tmpl.mark.value;
+ tmpl.filter_mark_kernel.mask = tmpl.mark.mask;
break;
case 'a':
fprintf(stderr, "WARNING: ignoring -%c, "
@@ -1705,6 +1711,7 @@ int main(int argc, char *argv[])
h->final_check(l4flags, cmd, tmpl.ct);
switch(command) {
+ struct nfct_filter_dump *filter_dump;
case CT_LIST:
cth = nfct_open(CONNTRACK, 0);
@@ -1718,10 +1725,23 @@ int main(int argc, char *argv[])
nfct_callback_register(cth, NFCT_T_ALL, dump_cb, tmpl.ct);
+ filter_dump = nfct_filter_dump_create();
+ if (filter_dump == NULL)
+ exit_error(OTHER_PROBLEM, "OOM");
+
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+ &tmpl.filter_mark_kernel);
+ nfct_filter_dump_set_attr_u8(filter_dump,
+ NFCT_FILTER_DUMP_L3NUM,
+ family);
+
if (options & CT_OPT_ZERO)
- res = nfct_query(cth, NFCT_Q_DUMP_RESET, &family);
+ res = nfct_query(cth, NFCT_Q_DUMP_FILTER_RESET,
+ filter_dump);
else
- res = nfct_query(cth, NFCT_Q_DUMP, &family);
+ res = nfct_query(cth, NFCT_Q_DUMP_FILTER, filter_dump);
+
+ nfct_filter_dump_destroy(filter_dump);
if (dump_xml_header_done == 0) {
printf("</conntrack>\n");
@@ -1800,7 +1820,20 @@ int main(int argc, char *argv[])
nfct_callback_register(cth, NFCT_T_ALL, delete_cb, tmpl.ct);
- res = nfct_query(cth, NFCT_Q_DUMP, &family);
+ filter_dump = nfct_filter_dump_create();
+ if (filter_dump == NULL)
+ exit_error(OTHER_PROBLEM, "OOM");
+
+ nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+ &tmpl.filter_mark_kernel);
+ nfct_filter_dump_set_attr_u8(filter_dump,
+ NFCT_FILTER_DUMP_L3NUM,
+ family);
+
+ res = nfct_query(cth, NFCT_Q_DUMP_FILTER, filter_dump);
+
+ nfct_filter_dump_destroy(filter_dump);
+
nfct_close(ith);
nfct_close(cth);
break;