summaryrefslogtreecommitdiff
path: root/src/netlink.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/netlink.c')
-rw-r--r--src/netlink.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/src/netlink.c b/src/netlink.c
index c0a0805..89a4ebc 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -60,14 +60,14 @@ static int sanity_check(struct nf_conntrack *ct)
return 1;
}
-int ignore_conntrack(struct nf_conntrack *ct)
+/* we do user-space filtering for dump and resyncs */
+int ignore_conntrack(struct nf_conntrack *ct, int userspace)
{
/* missing mandatory attributes in object */
if (!sanity_check(ct))
return 1;
- /* Ignore traffic */
- if (!ct_filter_check(STATE(us_filter), ct)) {
+ if (userspace && !ct_filter_check(STATE(us_filter), ct)) {
debug_ct(ct, "ignore traffic");
return 1;
}
@@ -79,7 +79,8 @@ static int event_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- if (ignore_conntrack(ct))
+ /* skip user-space filtering if already do it in the kernel */
+ if (ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf)))
return NFCT_CB_STOP;
switch(type) {
@@ -155,7 +156,7 @@ static int dump_handler(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- if (ignore_conntrack(ct))
+ if (ignore_conntrack(ct, 1))
return NFCT_CB_CONTINUE;
switch(type) {
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-06 21:18:09 +0000