Message-ID: <ZsOTMHeMPgtjU6ZZ@calendula>
Date: Mon, 19 Aug 2024 20:47:12 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Changliang Wu <changliang.wu@...rtx.com>
Cc: kadlec@...filter.org, davem@...emloft.net, edumazet@...gle.com,
	kuba@...nel.org, pabeni@...hat.com, netfilter-devel@...r.kernel.org,
	coreteam@...filter.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfilter: ctnetlink: support CTA_FILTER for flush

Please, provide an example program for libnetfilter_conntrack.

See:

commit 27f09380ebb0fc21c4cd20070b828a27430b5de1
Author: Felix Huettner <felix.huettner@...l.schwarz>
Date:   Tue Dec 5 09:35:16 2023 +0000

    conntrack: support flush filtering

for instance.

thanks

On Thu, Jul 11, 2024 at 01:40:02PM +0800, Changliang Wu wrote:
> PING
> 
> 
> Changliang Wu <changliang.wu@...rtx.com> wrote on Thursday, June 20, 2024 at 19:35:
> >
> > From cb8aa9a, we can use kernel side filtering for dump, but
> > this capability is not available for flush.
> >
> > This patch allows advanced filtering with CTA_FILTER for flush.
> >
> > Performance
> > 1048576 ct flows in total, delete 50,000 flows by origin src ip
> > 3.06s -> dump all, compare and delete
> > 584ms -> directly flush with filter
> >
> > Signed-off-by: Changliang Wu <changliang.wu@...rtx.com>
> > ---
> >  net/netfilter/nf_conntrack_netlink.c | 9 +++------
> >  1 file changed, 3 insertions(+), 6 deletions(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index 3b846cbdc..93afe57d9 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
> >         };
> >
> >         if (ctnetlink_needs_filter(family, cda)) {
> > -               if (cda[CTA_FILTER])
> > -                       return -EOPNOTSUPP;
> > -
> >                 filter = ctnetlink_alloc_filter(cda, family);
> >                 if (IS_ERR(filter))
> >                         return PTR_ERR(filter);
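Review bot: dropping the `cda[CTA_FILTER]` -EOPNOTSUPP guard turns a request that was previously rejected into a filtered flush, so the behaviour change needs to be documented and paired with a userspace example as asked above (a libnetfilter_conntrack program in the spirit of the cited conntrack-tools commit 27f09380). Userspace also has to keep treating -EOPNOTSUPP from older kernels as "flush filter not supported" rather than as a generic failure, because this hunk removes the only signal that distinguished the two cases. Routing the filter through the existing `ctnetlink_alloc_filter()` / `IS_ERR()` path is otherwise the right shape.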
> > @@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
> >         if (err < 0)
> >                 return err;
> >
> > -       if (cda[CTA_TUPLE_ORIG])
> > +       if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
> >                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
> >                                             family, &zone);
> > -       else if (cda[CTA_TUPLE_REPLY])
> > +       else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
> >                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
> >                                             family, &zone);
> >         else {
> > -               u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
> > +               u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
> >
> >                 return ctnetlink_flush_conntrack(info->net, cda,
> >                                                  NETLINK_CB(skb).portid,
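Review bot: the new `&& !cda[CTA_FILTER]` conditions make a request carrying both CTA_TUPLE_ORIG (or CTA_TUPLE_REPLY) and CTA_FILTER silently skip the single-entry delete and fall through to a flush, which can remove far more entries than the caller intended; consider rejecting that combination with -EINVAL before the tuple parsing instead of letting CTA_FILTER win quietly. Also, `info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC` relies on `||` binding tighter than `?:`; wrapping the condition in parentheses makes the intent obvious, and the unrelated `u_int8_t` to `u8` rename is better kept out of a functional patch.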
> > --
> > 2.43.0
> >
