filter: support filtering dump/flush by flow status

Signed-off-by: Timo Beckers <[email protected]>

Author: ti-mo

attributetype_string.go

@@ -44,31 +44,34 @@ type attributeType uint8
 
 // enum ctattr_type
 const (
-	ctaUnspec        attributeType = iota // CTA_UNSPEC
-	ctaTupleOrig                          // CTA_TUPLE_ORIG
-	ctaTupleReply                         // CTA_TUPLE_REPLY
-	ctaStatus                             // CTA_STATUS
-	ctaProtoInfo                          // CTA_PROTOINFO
-	ctaHelp                               // CTA_HELP
-	ctaNatSrc                             // CTA_NAT_SRC, Deprecated
-	ctaTimeout                            // CTA_TIMEOUT
-	ctaMark                               // CTA_MARK
-	ctaCountersOrig                       // CTA_COUNTERS_ORIG
-	ctaCountersReply                      // CTA_COUNTERS_REPLY
-	ctaUse                                // CTA_USE
-	ctaID                                 // CTA_ID
-	ctaNatDst                             // CTA_NAT_DST, Deprecated
-	ctaTupleMaster                        // CTA_TUPLE_MASTER
-	ctaSeqAdjOrig                         // CTA_SEQ_ADJ_ORIG
-	ctaSeqAdjReply                        // CTA_SEQ_ADJ_REPLY
-	ctaSecMark                            // CTA_SECMARK, Deprecated
-	ctaZone                               // CTA_ZONE
-	ctaSecCtx                             // CTA_SECCTX
-	ctaTimestamp                          // CTA_TIMESTAMP
-	ctaMarkMask                           // CTA_MARK_MASK
-	ctaLabels                             // CTA_LABELS
-	ctaLabelsMask                         // CTA_LABELS_MASK
-	ctaSynProxy                           // CTA_SYNPROXY
+	ctaUnspec         attributeType = iota // CTA_UNSPEC
+	ctaTupleOrig                           // CTA_TUPLE_ORIG
+	ctaTupleReply                          // CTA_TUPLE_REPLY
+	ctaStatus                              // CTA_STATUS
+	ctaProtoInfo                           // CTA_PROTOINFO
+	ctaHelp                                // CTA_HELP
+	ctaNatSrc                              // CTA_NAT_SRC, Deprecated
+	ctaTimeout                             // CTA_TIMEOUT
+	ctaMark                                // CTA_MARK
+	ctaCountersOrig                        // CTA_COUNTERS_ORIG
+	ctaCountersReply                       // CTA_COUNTERS_REPLY
+	ctaUse                                 // CTA_USE
+	ctaID                                  // CTA_ID
+	ctaNatDst                              // CTA_NAT_DST, Deprecated
+	ctaTupleMaster                         // CTA_TUPLE_MASTER
+	ctaSeqAdjOrig                          // CTA_SEQ_ADJ_ORIG
+	ctaSeqAdjReply                         // CTA_SEQ_ADJ_REPLY
+	ctaSecMark                             // CTA_SECMARK, Deprecated
+	ctaZone                                // CTA_ZONE
+	ctaSecCtx                              // CTA_SECCTX
+	ctaTimestamp                           // CTA_TIMESTAMP
+	ctaMarkMask                            // CTA_MARK_MASK
+	ctaLabels                              // CTA_LABELS
+	ctaLabelsMask                          // CTA_LABELS_MASK
+	ctaSynProxy                            // CTA_SYNPROXY
+	ctaFilter                              // CTA_FILTER
+	ctaStatusMask                          // CTA_STATUS_MASK
+	ctaTimestampEvent                      // CTA_TIMESTAMP_EVENT
 )
 
 // tupleType describes the type of tuple contained in this container.

enum.go

@@ -6,7 +6,8 @@ import (
 
 // Filter is an object used to limit dump and flush operations to flows matching
 // certain fields. Use [NewFilter] to create a new filter, then chain methods to
-// set filter fields.
+// set filter fields. Methods mutate the Filter in place and return it for
+// chaining purposes.
 //
 // Pass a filter to [Conn.DumpFilter] or [Conn.FlushFilter].
 type Filter interface {
@@ -23,6 +24,22 @@ type Filter interface {
 	// match exactly.
 	MarkMask(mask uint32) Filter
 
+	// Status sets the conntrack status bits to filter on, similar to conntrack's
+	// -u/--status option.
+	//
+	// Requires Linux 5.15 or later.
+	Status(status Status) Filter
+
+	// StatusMask overrides the mask to apply before filtering on flow status.
+	// Since Status is a bitfield, mask defaults to the mark value itself since
+	// matching on the entire field would typically yield few matches. It's
+	// recommended to leave this unset unless you have a specific need.
+	//
+	// Doesn't have an equivalent in the conntrack CLI.
+	//
+	// Requires Linux 5.15 or later.
+	StatusMask(mask uint32) Filter
+
 	// Zone sets the conntrack zone to filter on, similar to conntrack's -w/--zone
 	// option.
 	//
@@ -53,6 +70,16 @@ func (f *filter) MarkMask(mask uint32) Filter {
 	return f
 }
 
+func (f *filter) Status(status Status) Filter {
+	f.f[ctaStatus] = netfilter.Uint32Bytes(uint32(status.Value))
+	return f
+}
+
+func (f *filter) StatusMask(mask uint32) Filter {
+	f.f[ctaStatusMask] = netfilter.Uint32Bytes(mask)
+	return f
+}
+
 func (f *filter) Zone(zone uint16) Filter {
 	f.f[ctaZone] = netfilter.Uint16Bytes(zone)
 	return f

filter.go

@@ -10,8 +10,16 @@ import (
 )
 
 func TestFilterMarshal(t *testing.T) {
-	f := NewFilter().Mark(0xf0000000).MarkMask(0x0000000f).Zone(42)
+	f := NewFilter().
+		Mark(0xf0000000).MarkMask(0x0000000f).
+		Zone(42).
+		Status(Status{StatusDying}).StatusMask(0xdeadbeef)
+
 	want := []netfilter.Attribute{
+		{
+			Type: uint16(ctaStatus),
+			Data: []byte{0, 0, 0x2, 0},
+		},
 		{
 			Type: uint16(ctaMark),
 			Data: []byte{0xf0, 0, 0, 0},
@@ -24,6 +32,10 @@ func TestFilterMarshal(t *testing.T) {
 			Type: uint16(ctaMarkMask),
 			Data: []byte{0, 0, 0, 0x0f},
 		},
+		{
+			Type: uint16(ctaStatusMask),
+			Data: []byte{0xde, 0xad, 0xbe, 0xef},
+		},
 	}
 
 	got := f.marshal()

filter_test.go

@@ -413,8 +413,6 @@ func BenchmarkCreateDeleteFlow(b *testing.B) {
 	}
 }
 
-// Creates flows in a specific zone, dumps them using zone filter, flushes them using zone filter,
-// and verifies they are removed. Requires Linux kernel 6.8 or greater for zone filtering support.
 func TestZoneFilter(t *testing.T) {
 	c, _, err := makeNSConn()
 	require.NoError(t, err)
@@ -467,3 +465,28 @@ func TestZoneFilter(t *testing.T) {
 	require.NoError(t, err)
 	assert.Empty(t, flows, "expected no flows in zone 100 after flush")
 }
+
+func TestStatusFilter(t *testing.T) {
+	c, _, err := makeNSConn()
+	require.NoError(t, err)
+
+	require.NoError(t, c.Create(NewFlow(6, StatusConfirmed, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("0.0.0.0"), 1234, 80, 120, 0)))
+	require.NoError(t, c.Create(NewFlow(6, StatusConfirmed, netip.MustParseAddr("5.6.7.8"), netip.MustParseAddr("0.0.0.0"), 1234, 80, 120, 0)))
+
+	flows, err := c.Dump(nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 2, "expected 2 flows in total")
+
+	flows, err = c.DumpFilter(NewFilter().Status(Status{StatusConfirmed}), nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 2)
+
+	flows, err = c.DumpFilter(NewFilter().Status(Status{StatusDying}), nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 0)
+
+	// This filter can never return anything since status and mask don't overlap.
+	flows, err = c.DumpFilter(NewFilter().Status(Status{StatusConfirmed}).StatusMask(0x1), nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 0)
+}