mark filter fix #54
mark filter fix #54
Conversation
| @@ -317,6 +323,67 @@ func constructFilter(subsys Table, filters []ConnAttr) ([]bpf.RawInstruction, er | |||
| return raw, nil | |||
| } | |||
|
|
|||
| func filterMarkAttribute(filters []ConnAttr) []bpf.RawInstruction { | |||
There was a problem hiding this comment.
Thanks for your contribution! 🙏
As filterMarkAttribute() is similar to filterAttribute() I'm wondering if both functions should be combined into one. What do you think?
I'm testing it and it seems to be working fine. Please let me know what do you think about it. If you say it's ok, I will add tests which will cover this filter.
Adding a test would be great 👍
There was a problem hiding this comment.
@dvomartin are you still working on this?
There was a problem hiding this comment.
Hi @florianl,
sorry, I was sick and forgot about this :)
I can try to prepare second merge request which will adjust original function(s), but I'm afraid there will be too many ifs.
There was a problem hiding this comment.
Thanks @dvomartin for #56 and hope you're fine again.
would you mind sharing your testcase? I'm fine with refactoring code later on with this (#54) PR applied, if we can make sure with a testcase, that things don't break.
There was a problem hiding this comment.
Sure,
I have added some tests. My tests are slightly different - instructions are visible and invalid instructions in failed tests are printed to quickly find where is the problem.
I also added possibility to enable debug option to Nfct object which will print bpf instructions if enabled.
Print format is the same as in original C library to quickly compare results.
PR is still marked as WIP. It should be OK as it is, but I want to verify some things before I create final PR.
There was a problem hiding this comment.
thanks for the update!
please feel free to mark the PR as ready for review, if you are.
There was a problem hiding this comment.
It should be ready. Please check the changes.
I can update your original tests to the same format in separate PR, if you want.
Co-authored-by: Florian Lehner <florianl@users.noreply.github.com>
Hi @florianl,
I tried to use Mark filter for my application, but I found out that current implementation doesn't work.
So I checked the original source and found out that mark filter creation is little bit different than for example ipfilter:
https://git.netfilter.org/libnetfilter_conntrack/tree/src/conntrack/bsf.c#n685
Here is a comparison of filter generated by original library and this go package (example with mark set to 11):
I implemented the filter according to original version. As this filter contains different instructions and flow of instructions, I decided to put it into different function.
I'm testing it and it seems to be working fine. Please let me know what do you think about it. If you say it's ok, I will add tests which will cover this filter.
Regards,
Martin