Adjust conntrack filters

Today the filter implementation supports only IP matching for
src, dst, reply src and reply dst.
Update the comments on the filter to reflect that more clearly
and deprecate the confusing constants.

Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Flavio Crisciani 2018-07-26 14:05:25 -07:00 committed by Alessandro Boch
parent d3a23fd178
commit 02a383156a
2 changed files with 19 additions and 16 deletions


@ -309,7 +309,7 @@ func parseRawData(data []byte) *ConntrackFlow {
// Common parameters and options: // Common parameters and options:
// -s, --src, --orig-src ip Source address from original direction // -s, --src, --orig-src ip Source address from original direction
// -d, --dst, --orig-dst ip Destination address from original direction // -d, --dst, --orig-dst ip Destination address from original direction
// -r, --reply-src ip Source addres from reply direction // -r, --reply-src ip Source address from reply direction
// -q, --reply-dst ip Destination address from reply direction // -q, --reply-dst ip Destination address from reply direction
// -p, --protonum proto Layer 4 Protocol, eg. 'tcp' // -p, --protonum proto Layer 4 Protocol, eg. 'tcp'
// -f, --family proto Layer 3 Protocol, eg. 'ipv6' // -f, --family proto Layer 3 Protocol, eg. 'ipv6'
@ -328,9 +328,12 @@ type ConntrackFilterType uint8
const ( const (
ConntrackOrigSrcIP = iota // -orig-src ip Source address from original direction ConntrackOrigSrcIP = iota // -orig-src ip Source address from original direction
ConntrackOrigDstIP // -orig-dst ip Destination address from original direction ConntrackOrigDstIP // -orig-dst ip Destination address from original direction
ConntrackNatSrcIP // -src-nat ip Source NAT ip ConntrackReplySrcIP // --reply-src ip Reply Source IP
ConntrackNatDstIP // -dst-nat ip Destination NAT ip ConntrackReplyDstIP // --reply-dst ip Reply Destination IP
ConntrackNatAnyIP // -any-nat ip Source or destination NAT ip ConntrackReplyAnyIP // Match source or destination reply IP
ConntrackNatSrcIP = ConntrackReplySrcIP // deprecated use instead ConntrackReplySrcIP
ConntrackNatDstIP = ConntrackReplyDstIP // deprecated use instead ConntrackReplyDstIP
ConntrackNatAnyIP = ConntrackReplyAnyIP // deprecated use instaed ConntrackReplyAnyIP
) )
type CustomConntrackFilter interface { type CustomConntrackFilter interface {
@ -375,17 +378,17 @@ func (f *ConntrackFilter) MatchConntrackFlow(flow *ConntrackFlow) bool {
} }
// -src-nat ip Source NAT ip // -src-nat ip Source NAT ip
if elem, found := f.ipFilter[ConntrackNatSrcIP]; match && found { if elem, found := f.ipFilter[ConntrackReplySrcIP]; match && found {
match = match && elem.Equal(flow.Reverse.SrcIP) match = match && elem.Equal(flow.Reverse.SrcIP)
} }
// -dst-nat ip Destination NAT ip // -dst-nat ip Destination NAT ip
if elem, found := f.ipFilter[ConntrackNatDstIP]; match && found { if elem, found := f.ipFilter[ConntrackReplyDstIP]; match && found {
match = match && elem.Equal(flow.Reverse.DstIP) match = match && elem.Equal(flow.Reverse.DstIP)
} }
// -any-nat ip Source or destination NAT ip // Match source or destination reply IP
if elem, found := f.ipFilter[ConntrackNatAnyIP]; match && found { if elem, found := f.ipFilter[ConntrackReplyAnyIP]; match && found {
match = match && (elem.Equal(flow.Reverse.SrcIP) || elem.Equal(flow.Reverse.DstIP)) match = match && (elem.Equal(flow.Reverse.SrcIP) || elem.Equal(flow.Reverse.DstIP))
} }
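Review bot: The comments above the two reply-tuple checks in MatchConntrackFlow still read `// -src-nat ip Source NAT ip` and `// -dst-nat ip Destination NAT ip`, even though the lookups now key on ConntrackReplySrcIP/ConntrackReplyDstIP and compare against flow.Reverse — the very confusion this commit sets out to remove; change them to `// --reply-src ip Source address from reply direction` and `// --reply-dst ip Destination address from reply direction`, matching the option table at the top of the file. For the compatibility aliases in the const block, use the form that godoc and staticcheck recognise, on its own comment line: `// Deprecated: use ConntrackReplySrcIP instead.` (and likewise for the Dst and Any aliases), which also fixes the "instaed" typo. It would be worth saying in the comment on ConntrackReplyAnyIP that it matches the reply tuple as recorded by conntrack rather than a NAT mapping — presumably for a flow that was not NATed the reply addresses are simply the original tuple swapped, so the match is broader than the old "NAT" names implied, which matters if these filters are used to select entries for deletion. MatchConntrackFlow begins and ends outside this hunk.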


@ -371,10 +371,10 @@ func TestConntrackFilter(t *testing.T) {
// SrcIP for NAT // SrcIP for NAT
filterV4 = &ConntrackFilter{} filterV4 = &ConntrackFilter{}
filterV4.AddIP(ConntrackNatSrcIP, net.ParseIP("20.0.0.1")) filterV4.AddIP(ConntrackReplySrcIP, net.ParseIP("20.0.0.1"))
filterV6 = &ConntrackFilter{} filterV6 = &ConntrackFilter{}
filterV6.AddIP(ConntrackNatSrcIP, net.ParseIP("dddd:dddd:dddd:dddd:dddd:dddd:dddd:dddd")) filterV6.AddIP(ConntrackReplySrcIP, net.ParseIP("dddd:dddd:dddd:dddd:dddd:dddd:dddd:dddd"))
v4Match, v6Match = applyFilter(flowList, filterV4, filterV6) v4Match, v6Match = applyFilter(flowList, filterV4, filterV6)
if v4Match != 1 || v6Match != 1 { if v4Match != 1 || v6Match != 1 {
@ -383,10 +383,10 @@ func TestConntrackFilter(t *testing.T) {
// DstIP for NAT // DstIP for NAT
filterV4 = &ConntrackFilter{} filterV4 = &ConntrackFilter{}
filterV4.AddIP(ConntrackNatDstIP, net.ParseIP("192.168.1.1")) filterV4.AddIP(ConntrackReplyDstIP, net.ParseIP("192.168.1.1"))
filterV6 = &ConntrackFilter{} filterV6 = &ConntrackFilter{}
filterV6.AddIP(ConntrackNatDstIP, net.ParseIP("dddd:dddd:dddd:dddd:dddd:dddd:dddd:dddd")) filterV6.AddIP(ConntrackReplyDstIP, net.ParseIP("dddd:dddd:dddd:dddd:dddd:dddd:dddd:dddd"))
v4Match, v6Match = applyFilter(flowList, filterV4, filterV6) v4Match, v6Match = applyFilter(flowList, filterV4, filterV6)
if v4Match != 2 || v6Match != 0 { if v4Match != 2 || v6Match != 0 {
@ -395,10 +395,10 @@ func TestConntrackFilter(t *testing.T) {
// AnyIp for Nat // AnyIp for Nat
filterV4 = &ConntrackFilter{} filterV4 = &ConntrackFilter{}
filterV4.AddIP(ConntrackNatAnyIP, net.ParseIP("192.168.1.1")) filterV4.AddIP(ConntrackReplyAnyIP, net.ParseIP("192.168.1.1"))
filterV6 = &ConntrackFilter{} filterV6 = &ConntrackFilter{}
filterV6.AddIP(ConntrackNatAnyIP, net.ParseIP("eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee")) filterV6.AddIP(ConntrackReplyAnyIP, net.ParseIP("eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee"))
v4Match, v6Match = applyFilter(flowList, filterV4, filterV6) v4Match, v6Match = applyFilter(flowList, filterV4, filterV6)
if v4Match != 2 || v6Match != 1 { if v4Match != 2 || v6Match != 1 {