authorPablo Neira Ayuso <pablo@netfilter.org>2008-07-22 12:13:43 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-07-22 12:13:43 +0200
commit77b1fdb824eb45213df4f57224e8e799fed43ded (patch)
tree282a395e7ab2d8fe8cfe12f34e6d09535d067101 /src/netlink.c
parent2de606c2458067c48e72058a31af384574cf9c70 (diff)
downloadconntrack-tools-77b1fdb824eb45213df4f57224e8e799fed43ded.tar.gz
conntrack-tools-77b1fdb824eb45213df4f57224e8e799fed43ded.zip
Major rework of the user-space event filtering
This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep user-space filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level Berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r--src/netlink.c16
1 files changed, 2 insertions, 14 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 387062d..1823280 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -19,7 +19,7 @@
#include "netlink.h"
#include "conntrackd.h"
#include "traffic_stats.h"
-#include "ignore.h"
+#include "filter.h"
#include "log.h"
#include "debug.h"
@@ -28,10 +28,6 @@
int ignore_conntrack(struct nf_conntrack *ct)
{
- /* ignore a certain protocol */
- if (CONFIG(ignore_protocol)[nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO)])
- return 1;
-
/* Accept DNAT'ed traffic: not really coming to the local machine */
if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
debug_ct(ct, "DNAT");
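Review bot: With the per-protocol test removed from the top of ignore_conntrack(), nothing left in this hunk consults CONFIG(ignore_protocol), so unless the user-space filter introduced by this rework takes over L4-protocol matching (not visible in this diff), a configured protocol exclusion that previously dropped, say, all UDP flows would now let them reach the event and dump paths. The failure mode is a silent loss of an operator-configured exclusion rather than a crash, which is why it deserves either a check that the config parser now feeds the protocol list into the filter or a note above the DNAT check such as `/* L4 protocol exclusions are handled by the user-space filter, see ct_filter_check() below */`. ignore_conntrack() continues past the end of this hunk.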
@@ -45,7 +41,7 @@ int ignore_conntrack(struct nf_conntrack *ct)
}
/* Ignore traffic */
- if (ignore_pool_test(STATE(ignore_pool), ct)) {
+ if (!ct_filter_check(STATE(us_filter), ct)) {
debug_ct(ct, "ignore traffic");
return 1;
}
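Review bot: The new test has the opposite polarity of the one it replaces — ignore_pool_test() returned non-zero to ignore, whereas here the conntrack is ignored when ct_filter_check() returns zero — yet the comment above it still says only `/* Ignore traffic */`, which invites a later reader to drop the `!`. A comment stating the contract would prevent that: `/* ct_filter_check() is non-zero when the conntrack passes the user-space filter; drop everything it rejects */`. There is also a fail-closed consequence to confirm: if STATE(us_filter) can be NULL or empty when no ignore rules are configured and ct_filter_check() then returns 0, every conntrack would be ignored, so either ct_filter_check() or this call site must treat an absent filter as "accept"; that cannot be verified from this diff. ignore_conntrack() starts and ends outside this hunk.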
@@ -57,10 +53,6 @@ static int event_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- /*
- * Ignore this conntrack: it talks about a
- * connection that is not interesting for us.
- */
if (ignore_conntrack(ct))
return NFCT_CB_STOP;
@@ -125,10 +117,6 @@ static int dump_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- /*
- * Ignore this conntrack: it talks about a
- * connection that is not interesting for us.
- */
if (ignore_conntrack(ct))
return NFCT_CB_CONTINUE;