filter: do not filter in user-space if kernel supports BSF

This patch avoids a double filtering in user-space and kernel-space if the kernel support BSF. Since we do not use BSF for dumps and resyncs, we add a new parameter to ignore_conntrack to indicate if we have to perform the filtering in user-space or not. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21 19:11:42 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2008-10-21 19:11:42 +0200
commit: 50162d3c19e38a491d95ec26767438ec25bab0dc (patch)
tree: ccd81e73eeb254cf6fb9ab00c35be2628fe9bc3a /src/netlink.c
parent: 6d6ebd1247076c88ceeb8d9528d62cd38a5e909a (diff)
download: conntrack-tools-50162d3c19e38a491d95ec26767438ec25bab0dc.tar.gz
conntrack-tools-50162d3c19e38a491d95ec26767438ec25bab0dc.zip
1 files changed, 6 insertions, 5 deletions
diff --git a/src/netlink.c b/src/netlink.c
index c0a0805..89a4ebc 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -60,14 +60,14 @@ static int sanity_check(struct nf_conntrack *ct)
 	return 1;
 }
 
-int ignore_conntrack(struct nf_conntrack *ct)
+/* we do user-space filtering for dump and resyncs */
+int ignore_conntrack(struct nf_conntrack *ct, int userspace)
 {
 	/* missing mandatory attributes in object */
 	if (!sanity_check(ct))
 		return 1;
 
-	/* Ignore traffic */
-	if (!ct_filter_check(STATE(us_filter), ct)) {
+	if (userspace && !ct_filter_check(STATE(us_filter), ct)) {
 		debug_ct(ct, "ignore traffic");
 		return 1;
 	}
@@ -79,7 +79,8 @@ static int event_handler(enum nf_conntrack_msg_type type,
 			 struct nf_conntrack *ct,
 			 void *data)
 {
-	if (ignore_conntrack(ct))
+	/* skip user-space filtering if already do it in the kernel */
+	if (ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf)))
 		return NFCT_CB_STOP;
 
 	switch(type) {
@@ -155,7 +156,7 @@ static int dump_handler(enum nf_conntrack_msg_type type,
 			struct nf_conntrack *ct,
 			void *data)
 {
-	if (ignore_conntrack(ct))
+	if (ignore_conntrack(ct, 1))
 		return NFCT_CB_CONTINUE;
 
 	switch(type) {
author	Pablo Neira Ayuso <pablo@netfilter.org>	2008-10-21 19:11:42 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2008-10-21 19:11:42 +0200
commit	50162d3c19e38a491d95ec26767438ec25bab0dc (patch)
tree	ccd81e73eeb254cf6fb9ab00c35be2628fe9bc3a /src/netlink.c
parent	6d6ebd1247076c88ceeb8d9528d62cd38a5e909a (diff)
download	conntrack-tools-50162d3c19e38a491d95ec26767438ec25bab0dc.tar.gz conntrack-tools-50162d3c19e38a491d95ec26767438ec25bab0dc.zip