filter: support filtering dump/flush by conntrack zone

Support for the CTA_ZONE attribute for dump and flush requests was added
to the kernel in 6.8: eff3c558bb7e ("netfilter: ctnetlink: support filtering
by zone"). This commit adds a Zone() method to allow filtering by zone ID.

On older kernels, the attribute will be ignored and flows from all zones will
be returned.

Fixes: #23

Signed-off-by: Timo Beckers <[email protected]>
Co-authored-by: Antonin Bas <[email protected]>

Author: ti-mo

README.md

@@ -23,7 +23,7 @@ With this library, the user can:
 - Interact with conntrack connections and expectations through Flow and Expect types respectively
 - Create, get, update and delete Flows in an idiomatic way (and Expects, to an extent)
 - Listen for create/update/destroy events
-- Flush (empty) and dump (display) the whole conntrack table, optionally filtering on specific connection marks
+- Flush (empty) and dump (display) the whole conntrack table, optionally filtering on specific flow fields
 
 There are many usage examples in the [godoc](https://godoc.org/github.com/ti-mo/conntrack).
 

conn_test.go

@@ -94,6 +94,39 @@ func ExampleConn_dumpFilter() {
 	log.Print(df)
 }
 
+func ExampleConn_dumpFilterZone() {
+	// Open a Conntrack connection.
+	c, err := conntrack.Dial(nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Create flows in different zones
+	f1 := conntrack.NewFlow(
+		6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"),
+		1234, 80, 120, 0,
+	)
+	f1.Zone = 10
+
+	f2 := conntrack.NewFlow(
+		17, 0, netip.MustParseAddr("2a00:1450:400e:804::200e"), netip.MustParseAddr("2a00:1450:400e:804::200f"),
+		1234, 80, 120, 0,
+	)
+	f2.Zone = 20
+
+	_ = c.Create(f1)
+	_ = c.Create(f2)
+
+	// Dump all flows in table 20.
+	df, err := c.DumpFilter(conntrack.NewFilter().Zone(20), nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Print the result. Only f2 is displayed.
+	log.Print(df)
+}
+
 func ExampleConn_flush() {
 	// Open a Conntrack connection.
 	c, err := conntrack.Dial(nil)

filter.go

@@ -23,6 +23,14 @@ type Filter interface {
 	// match exactly.
 	MarkMask(mask uint32) Filter
 
+	// Zone sets the conntrack zone to filter on, similar to conntrack's -w/--zone
+	// option.
+	//
+	// If not specified, flows from all zones are returned.
+	//
+	// Requires Linux 6.8 or later.
+	Zone(zone uint16) Filter
+
 	marshal() []netfilter.Attribute
 }
 
@@ -45,6 +53,11 @@ func (f *filter) MarkMask(mask uint32) Filter {
 	return f
 }
 
+func (f *filter) Zone(zone uint16) Filter {
+	f.f[ctaZone] = netfilter.Uint16Bytes(zone)
+	return f
+}
+
 func (f *filter) marshal() []netfilter.Attribute {
 	attrs := make([]netfilter.Attribute, 0, len(f.f))
 

filter_test.go

@@ -1,25 +1,35 @@
 package conntrack
 
 import (
+	"slices"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 
 	"github.com/ti-mo/netfilter"
 )
 
-func TestFilterMarkMask(t *testing.T) {
-	f := NewFilter().Mark(0xf0000000).MarkMask(0x0000000f)
-	fm := []netfilter.Attribute{
+func TestFilterMarshal(t *testing.T) {
+	f := NewFilter().Mark(0xf0000000).MarkMask(0x0000000f).Zone(42)
+	want := []netfilter.Attribute{
 		{
 			Type: uint16(ctaMark),
 			Data: []byte{0xf0, 0, 0, 0},
 		},
+		{
+			Type: uint16(ctaZone),
+			Data: []byte{0, 42},
+		},
 		{
 			Type: uint16(ctaMarkMask),
 			Data: []byte{0, 0, 0, 0x0f},
 		},
 	}
 
-	assert.Equal(t, fm, f.marshal(), "unexpected Filter marshal")
+	got := f.marshal()
+	slices.SortStableFunc(got, func(a, b netfilter.Attribute) int {
+		return int(a.Type) - int(b.Type)
+	})
+
+	assert.Equal(t, want, got)
 }

flow_integration_test.go

@@ -412,3 +412,58 @@ func BenchmarkCreateDeleteFlow(b *testing.B) {
 		}
 	}
 }
+
+// Creates flows in a specific zone, dumps them using zone filter, flushes them using zone filter,
+// and verifies they are removed. Requires Linux kernel 6.8 or greater for zone filtering support.
+func TestZoneFilter(t *testing.T) {
+	c, _, err := makeNSConn()
+	require.NoError(t, err)
+
+	// One flow in the default zone (0).
+	require.NoError(t, c.Create(NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 80, 120, 0)))
+
+	// Two flows in zone 100.
+	f1 := NewFlow(6, 0, netip.MustParseAddr("1.2.3.4"), netip.MustParseAddr("5.6.7.8"), 1234, 80, 120, 0)
+	f1.Zone = 100
+	require.NoError(t, c.Create(f1))
+
+	f2 := NewFlow(17, 0, netip.MustParseAddr("2a00:1450:400e:804::200e"), netip.MustParseAddr("2a00:1450:400e:804::200f"), 1234, 80, 120, 0)
+	f2.Zone = 100
+	require.NoError(t, c.Create(f2))
+
+	z0 := NewFilter().Zone(0)
+	z100 := NewFilter().Zone(100)
+
+	// 3 flows in total.
+	flows, err := c.Dump(nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 3, "expected 3 flows in total")
+
+	// Zone 0 should contain 1 flow.
+	flows, err = c.DumpFilter(z0, nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 1, "expected 1 flow in zone 0")
+
+	// Zone 100 should contain 2 flows.
+	flows, err = c.DumpFilter(z100, nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 2, "expected 2 flows in zone 100")
+
+	// Flush zone 100.
+	require.NoError(t, c.FlushFilter(z100))
+
+	// 1 flow should remain in total.
+	flows, err = c.Dump(nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 1, "expected 1 flow in total after flush")
+
+	// Zone 0 should still contain 1 flow.
+	flows, err = c.DumpFilter(z0, nil)
+	require.NoError(t, err)
+	assert.Len(t, flows, 1, "expected 1 flow in zone 0 after flush")
+
+	// Zone 100 should be empty.
+	flows, err = c.DumpFilter(z100, nil)
+	require.NoError(t, err)
+	assert.Empty(t, flows, "expected no flows in zone 100 after flush")
+}