From 282aba753f7bd3b8c02a96e3752798c4e7651f3b Mon Sep 17 00:00:00 2001
From: Priyankar Jain
Date: Fri, 30 Aug 2024 14:35:30 +0530
Subject: conntrack: Add zone filtering for conntrack events

This patch adds support for filtering CT entries by their zones using bsf. Max number of zones for filtering is 127. (Although it can be supported till 255 but keeping it consistent with IPv4 and mark filtering). Entries which does not have ct-zone set will be treated as ct-zone=0.

Signed-off-by: Priyankar Jain
Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack/filter.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src/conntrack/filter.c')

diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 57b2294..9feff80 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -104,6 +104,15 @@ static void filter_attr_mark(struct nfct_filter *filter, const void *value)
 	filter->mark_elems++;
 }
 
+static void filter_attr_zone(struct nfct_filter *filter, const void *value)
+{
+	if (filter->zone_elems >= __FILTER_ZONE_MAX)
+		return;
+
+	filter->zone[filter->zone_elems] = *(uint16_t *) value;
+	filter->zone_elems++;
+}
+
 const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_L4PROTO] = filter_attr_l4proto,
 	[NFCT_FILTER_L4PROTO_STATE] = filter_attr_l4proto_state,
@@ -112,4 +121,5 @@ const filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
 	[NFCT_FILTER_SRC_IPV6] = filter_attr_src_ipv6,
 	[NFCT_FILTER_DST_IPV6] = filter_attr_dst_ipv6,
 	[NFCT_FILTER_MARK] = filter_attr_mark,
+	[NFCT_FILTER_ZONE] = filter_attr_zone,
 };
-- 
cgit v1.2.3
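Review bot: `*(uint16_t *) value` in the new filter_attr_zone casts away the const of the `const void *value` parameter; `*(const uint16_t *) value` reads the same object and keeps the qualifier the signature promises. The early `return` once `zone_elems` reaches `__FILTER_ZONE_MAX` silently discards the extra zone, so a caller that adds more than the limit (127 according to the description) ends up filtering on fewer zones than it requested with no indication; if the public add-attribute entry point cannot report this, a comment such as `/* zones beyond __FILTER_ZONE_MAX are silently ignored, as for mark filtering */` and a note in the API documentation would make the narrowing explicit. This appears to mirror the preceding filter_attr_mark, whose body begins outside the hunk, so the same remark presumably applies there. The second hunk only registers the handler in filter_attr_array and raises nothing on its own.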