-rw-r--r-- | include/netlink.h | 2 | ||||
-rw-r--r-- | src/netlink.c | 11 | ||||
-rw-r--r-- | src/stats-mode.c | 2 | ||||
-rw-r--r-- | src/sync-mode.c | 2 |
4 files changed, 9 insertions, 8 deletions
diff --git a/include/netlink.h b/include/netlink.h
index 6d28ac6..d13d33d 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -6,7 +6,7 @@
 struct nf_conntrack;
 struct nfct_handle;
-int ignore_conntrack(struct nf_conntrack *ct);
+int ignore_conntrack(struct nf_conntrack *ct, int userspace);
 int nl_init_event_handler(void);
diff --git a/src/netlink.c b/src/netlink.c
index c0a0805..89a4ebc 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -60,14 +60,14 @@ static int sanity_check(struct nf_conntrack *ct)
 return 1;
 }
-int ignore_conntrack(struct nf_conntrack *ct)
+/* we do user-space filtering for dump and resyncs */
+int ignore_conntrack(struct nf_conntrack *ct, int userspace)
 {
 /* missing mandatory attributes in object */
 if (!sanity_check(ct))
 return 1;
- /* Ignore traffic */
- if (!ct_filter_check(STATE(us_filter), ct)) {
+ if (userspace && !ct_filter_check(STATE(us_filter), ct)) {
 debug_ct(ct, "ignore traffic");
 return 1;
 }
@@ -79,7 +79,8 @@ static int event_handler(enum nf_conntrack_msg_type type,
 struct nf_conntrack *ct,
 void *data)
 {
- if (ignore_conntrack(ct))
+ /* skip user-space filtering if already do it in the kernel */
+ if (ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf)))
 return NFCT_CB_STOP;
 switch(type) {
@@ -155,7 +156,7 @@ static int dump_handler(enum nf_conntrack_msg_type type,
 struct nf_conntrack *ct,
 void *data)
 {
- if (ignore_conntrack(ct))
+ if (ignore_conntrack(ct, 1))
 return NFCT_CB_CONTINUE;
 switch(type) {
diff --git a/src/stats-mode.c b/src/stats-mode.c
index 1650d5d..763afe0 100644
--- a/src/stats-mode.c
+++ b/src/stats-mode.c
@@ -104,7 +104,7 @@ static int overrun_stats(enum nf_conntrack_msg_type type,
 struct nf_conntrack *ct,
 void *data)
 {
- if (ignore_conntrack(ct))
+ if (ignore_conntrack(ct, 1))
 return NFCT_CB_CONTINUE;
 /* This is required by kernels < 2.6.20 */
diff --git a/src/sync-mode.c b/src/sync-mode.c
index db199bc..4c22745 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
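Review bot: The new `userspace` parameter of `ignore_conntrack` is declared in include/netlink.h without any statement of what it selects, and the definition in src/netlink.c (its first hunk) only gains a comment about dumps and resyncs rather than the parameter's contract. A caller reading the header cannot tell that passing 0 skips the user-space `ct_filter_check` entirely and is therefore only correct when a kernel-side filter is already dropping the same events. I would state that on the prototype, e.g. `/* userspace: non-zero applies the user-space filter; pass 0 only when the kernel already filters these events */`, and keep the comment at the definition in sync with it.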
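Review bot: In event_handler the new call `ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf))` disables user-space filtering on the strength of a configuration flag, not on evidence that the kernel BSF filter is actually attached to this socket. If that flag can be set while the attach failed or has not yet happened, events the filter should have dropped reach the handler unfiltered, i.e. the change fails open. The hunk does not show where the flag is set, so this may already be guaranteed elsewhere; if it is not, the conservative form is to pass 1 unless the kernel filter is known to be installed, and either way a one-line comment at this call naming that invariant would make it checkable. event_handler's body continues outside the hunk.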
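Review bot: The literal `1` in `ignore_conntrack(ct, 1)` in dump_handler is a magic value at the call site, and the same literal is used in overrun_stats (src/stats-mode.c hunk) and overrun_sync (src/sync-mode.c hunk). Since the flag's meaning is only recoverable from the definition, a named value would keep the three call sites self-describing, e.g. `enum { FILTER_IN_USERSPACE = 1 };` (name illustrative) in include/netlink.h and `if (ignore_conntrack(ct, FILTER_IN_USERSPACE))` at each site. dump_handler's body continues outside the hunk.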
@@ -432,7 +432,7 @@ static int overrun_sync(enum nf_conntrack_msg_type type,
 {
 struct us_conntrack *u;
- if (ignore_conntrack(ct))
+ if (ignore_conntrack(ct, 1))
 return NFCT_CB_CONTINUE;
 /* This is required by kernels < 2.6.20 */ |