mark filter fix #54
@@ -317,6 +323,67 @@ func constructFilter(subsys Table, filters []ConnAttr) ([]bpf.RawInstruction, er | |||
return raw, nil | |||
} | |||
|
|||
func filterMarkAttribute(filters []ConnAttr) []bpf.RawInstruction { |
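Review bot: filterMarkAttribute, declared on the last line of this hunk, has no doc comment and returns only []bpf.RawInstruction, while constructFilter in the hunk header returns ([]bpf.RawInstruction, error). If a mark entry in the ConnAttr slice can be malformed, the new function has no way to report that to its caller, so consider returning an error alongside the instructions. A short comment on the function stating why the mark filter needs its own instruction sequence would also make the split easier to review.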
Thanks for your contribution! 🙏
As filterMarkAttribute() is similar to filterAttribute(), I'm wondering if both functions should be combined into one. What do you think?
I'm testing it and it seems to be working fine. Please let me know what you think about it. If you say it's ok, I will add tests which will cover this filter.
Adding a test would be great 👍
@dvomartin are you still working on this?
Hi @florianl,
sorry, I was sick and forgot about this :)
I can try to prepare a second merge request which will adjust the original function(s), but I'm afraid there will be too many ifs.
Thanks @dvomartin for #56 and hope you're fine again.
Would you mind sharing your testcase? I'm fine with refactoring code later on with this (#54) PR applied, if we can make sure with a testcase that things don't break.
Sure,
I have added some tests. My tests are slightly different - instructions are visible and invalid instructions in failed tests are printed to quickly find where the problem is.
I also added the possibility to enable a debug option on the Nfct object, which will print bpf instructions if enabled.
The print format is the same as in the original C library to quickly compare results.
The PR is still marked as WIP. It should be OK as it is, but I want to verify some things before I create the final PR.
Thanks for the update!
Please feel free to mark the PR as ready for review, if you are.
It should be ready. Please check the changes.
I can update your original tests to the same format in a separate PR, if you want.
Co-authored-by: Florian Lehner <[email protected]>
Hi @florianl,
I tried to use the Mark filter for my application, but I found out that the current implementation doesn't work.
So I checked the original source and found out that mark filter creation is a little bit different than, for example, ipfilter:
https://git.netfilter.org/libnetfilter_conntrack/tree/src/conntrack/bsf.c#n685
Here is a comparison of the filter generated by the original library and this Go package (example with mark set to 11):
I implemented the filter according to the original version. As this filter contains different instructions and flow of instructions, I decided to put it into a different function.
I'm testing it and it seems to be working fine. Please let me know what you think about it. If you say it's ok, I will add tests which will cover this filter.
Regards,
Martin