author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-07-22 12:13:43 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-07-22 12:13:43 +0200 |
commit | 77b1fdb824eb45213df4f57224e8e799fed43ded (patch) | |
tree | 282a395e7ab2d8fe8cfe12f34e6d09535d067101 /include | |
parent | 2de606c2458067c48e72058a31af384574cf9c70 (diff) | |
Major rework of the user-space event filtering
This patch reworks the user-space filtering. Although we have
kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace
filtering to ensure backward compatibility. Moreover, this patch
prepares the implementation of the kernel-space filtering via
libnetfilter_conntrack's high-level berkeley socket filter API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.am | 4 | ||||
-rw-r--r-- | include/bitops.h | 36 | ||||
-rw-r--r-- | include/conntrackd.h | 4 | ||||
-rw-r--r-- | include/filter.h | 31 | ||||
-rw-r--r-- | include/ignore.h | 18 | ||||
-rw-r--r-- | include/state_helper.h | 22 |
6 files changed, 71 insertions, 44 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
index 01be0df..3287a0c 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -2,6 +2,6 @@ noinst_HEADERS = alarm.h jhash.h slist.h cache.h linux_list.h linux_rbtree.h \
 sync.h conntrackd.h local.h us-conntrack.h \
 debug.h log.h hash.h mcast.h conntrack.h \
- state_helper.h network.h ignore.h queue.h \
- traffic_stats.h netlink.h fds.h event.h
+ network.h filter.h queue.h \
+ traffic_stats.h netlink.h fds.h event.h bitops.h
diff --git a/include/bitops.h b/include/bitops.h
new file mode 100644
index 0000000..51f4289
--- /dev/null
+++ b/include/bitops.h
@@ -0,0 +1,36 @@
+#ifndef _BITOPS_H_
+#define _BITOPS_H_
+
+#include <stdlib.h>
+
+static inline void set_bit_u32(int nr, u_int32_t *addr)
+{
+ addr[nr >> 5] |= (1UL << (nr & 31));
+}
+
+static inline void unset_bit_u32(int nr, u_int32_t *addr)
+{
+ addr[nr >> 5] &= ~(1UL << (nr & 31));
+}
+
+static inline int test_bit_u32(int nr, const u_int32_t *addr)
+{
+ return ((1UL << (nr & 31)) & (addr[nr >> 5])) != 0;
+}
+
+static inline void set_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] |= (1UL << (nr & 15));
+}
+
+static inline void unset_bit_u16(int nr, u_int16_t *addr)
+{
+ addr[nr >> 4] &= ~(1UL << (nr & 15));
+}
+
+static inline int test_bit_u16(int nr, const u_int16_t *addr)
+{
+ return ((1UL << (nr & 15)) & (addr[nr >> 4])) != 0;
+}
+
+#endif
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 8a6e8d2..cd02f1f 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -4,6 +4,7 @@
 #include "mcast.h"
 #include "local.h"
 #include "alarm.h"
+#include "filter.h"
 #include <stdint.h>
 #include <stdio.h>
@@ -80,7 +81,6 @@ struct ct_conf {
 int del_timeout;
 unsigned int netlink_buffer_size;
 unsigned int netlink_buffer_size_max_grown;
- unsigned char ignore_protocol[IPPROTO_MAX];
 union inet_address *listen_to;
 unsigned int listen_to_len;
 unsigned int flags;
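Review bot: Every helper in the new bitops.h uses `nr` as an unchecked array index (`addr[nr >> 5]`, `addr[nr >> 4]`), so a negative or oversized `nr` — for example a protocol or state number taken from the configuration — reads or writes outside the bitmap, and a negative `nr` additionally makes the right shift implementation-defined; since the inline helpers cannot know the bitmap size, the header should state the contract on each prototype, e.g. `/* nr must satisfy 0 <= nr < 32 * words (16 * words for the u16 variants); the caller validates the range */`. Separately, the header names `u_int32_t` and `u_int16_t` but includes only `<stdlib.h>`; those are BSD-style typedefs from `<sys/types.h>` rather than a C standard header, while filter.h in the same commit already relies on `<stdint.h>`, so `uint32_t`/`uint16_t` would be both portable and consistent. The guard `_BITOPS_H_` (leading underscore plus uppercase) is in the implementation-reserved namespace; `BITOPS_H` or `CONNTRACKD_BITOPS_H` avoids that.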
@@ -103,7 +103,7 @@ struct ct_general_state {
 FILE *stats_log;
 struct local_server local;
 struct ct_mode *mode;
- struct ignore_pool *ignore_pool;
+ struct ct_filter *us_filter;
 struct nfct_handle *event; /* event handler */
 struct nfct_handle *dump; /* dump handler */
diff --git a/include/filter.h b/include/filter.h
new file mode 100644
index 0000000..de0754e
--- /dev/null
+++ b/include/filter.h
@@ -0,0 +1,31 @@
+#ifndef _FILTER_H_
+#define _FILTER_H_
+
+#include <stdint.h>
+
+enum ct_filter_type {
+ CT_FILTER_L4PROTO,
+ CT_FILTER_STATE,
+ CT_FILTER_ADDRESS,
+ CT_FILTER_MAX
+};
+
+enum ct_filter_logic {
+ CT_FILTER_NEGATIVE = 0,
+ CT_FILTER_POSITIVE = 1,
+};
+
+struct nf_conntrack;
+struct ct_filter;
+
+struct ct_filter *ct_filter_create(void);
+void ct_filter_destroy(struct ct_filter *filter);
+int ct_filter_add_ip(struct ct_filter *filter, void *data, uint8_t family);
+void ct_filter_add_proto(struct ct_filter *filter, int protonum);
+void ct_filter_add_state(struct ct_filter *f, int protonum, int state);
+void ct_filter_set_logic(struct ct_filter *f,
+ enum ct_filter_type type,
+ enum ct_filter_logic logic);
+int ct_filter_check(struct ct_filter *filter, struct nf_conntrack *ct);
+
+#endif
diff --git a/include/ignore.h b/include/ignore.h
deleted file mode 100644
index e5e96ff..0000000
--- a/include/ignore.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _IGNORE_H_
-#define _IGNORE_H_
-
-#include <stdint.h>
-
-struct nf_conntrack;
-
-struct ignore_pool {
- struct hashtable *h;
- struct hashtable *h6;
-};
-
-struct ignore_pool *ignore_pool_create(void);
-void ignore_pool_destroy(struct ignore_pool *ip);
-int ignore_pool_add(struct ignore_pool *ip, void *data, uint8_t family);
-int ignore_pool_test(struct ignore_pool *ip, struct nf_conntrack *ct);
-
-#endif
diff --git a/include/state_helper.h b/include/state_helper.h
deleted file mode 100644
index 1a68b04..0000000
--- a/include/state_helper.h
+++ /dev/null
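Review bot: `ct_filter_add_proto` and `ct_filter_add_state` in the new filter.h return void, so unlike `ct_filter_add_ip` they give the caller no way to learn that an out-of-range `protonum` or `state` was rejected; if their implementation (not in this diff) sets bits through the bitops.h helpers added in the same commit, an unvalidated value would index past the bitmap, so either return `int` like `ct_filter_add_ip` or document the accepted range on each prototype, e.g. `/* protonum must be below IPPROTO_MAX; the caller validates it */` with the exact bound confirmed against the implementation. `data` in `ct_filter_add_ip` should be `const void *` since registering an address presumably only reads it, and a one-line comment should say what `family` selects (presumably the length and layout of the address pointed to by `data` — confirm). The prototypes alternate between `filter` and `f` for the same parameter; one name throughout reads better.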
@@ -1,22 +0,0 @@
-#ifndef _STATE_HELPER_H_
-#define _STATE_HELPER_H_
-
-#include <stdint.h>
-
-enum {
- ST_H_SKIP,
- ST_H_REPLICATE
-};
-
-struct state_replication_helper {
- uint8_t proto;
- unsigned int state;
-
- int (*verdict)(const struct state_replication_helper *h,
- const struct nf_conntrack *ct);
-};
-
-int state_helper_verdict(int type, struct nf_conntrack *ct);
-void state_helper_register(struct state_replication_helper *h, int h_state);
-
-#endif