From: Brett Mastbergen <bmastbergen@untangle.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nft] ct: Add support for the 'id' key
Date: Tue, 23 Apr 2019 16:18:41 -0400	[thread overview]
Message-ID: <20190423201841.8539-1-bmastbergen@untangle.com> (raw)

The 'id' key allows for matching on the id of the conntrack entry.

This is most useful as a key for maps:

nft add map nat conntoip { type ct_id: ipv4_addr \; }
nft add rule ip nat postrouting snat ct id map @conntoip

Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
---
 doc/payload-expression.txt          |  5 ++++-
 include/ct.h                        |  1 +
 include/datatype.h                  |  1 +
 include/linux/netfilter/nf_tables.h |  2 ++
 src/ct.c                            | 11 +++++++++++
 src/datatype.c                      |  1 +
 src/parser_bison.y                  |  1 +
 7 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 28061f3..e93022b 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -588,7 +588,7 @@ is true for the *zone*, if a direction is given, the zone is only matched if the
 zone id is tied to the given direction. +
 
 [verse]
-*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone}
+*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone | id}
 *ct* {original | reply} {l3proto | protocol | proto-src | proto-dst | bytes | packets | avgpkt | zone}
 *ct* {original | reply} {ip | ip6} {saddr | daddr}
 
@@ -650,6 +650,9 @@ integer (16 bit)
 |count|
 count number of connections
 integer (32 bit)
+|id|
+Connection id
+ct_id
 |==========================================
 A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
 
diff --git a/include/ct.h b/include/ct.h
index 4c5bd80..1e707e7 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -39,5 +39,6 @@ extern const char *ct_label2str(unsigned long value);
 extern const struct datatype ct_dir_type;
 extern const struct datatype ct_state_type;
 extern const struct datatype ct_status_type;
+extern const struct datatype ct_id_type;
 
 #endif /* NFTABLES_CT_H */
diff --git a/include/datatype.h b/include/datatype.h
index 14ece28..73a9cf2 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -90,6 +90,7 @@ enum datatypes {
 	TYPE_CT_EVENTBIT,
 	TYPE_IFNAME,
 	TYPE_IGMP_TYPE,
+	TYPE_CT_ID,
 	__TYPE_MAX
 };
 #define TYPE_MAX		(__TYPE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 09a7b9e..150f32a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -986,6 +986,7 @@ enum nft_osf_flags {
  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
  * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
+ * @NFT_CT_ID: conntrack id
  */
 enum nft_ct_keys {
 	NFT_CT_STATE,
@@ -1012,6 +1013,7 @@ enum nft_ct_keys {
 	NFT_CT_SRC_IP6,
 	NFT_CT_DST_IP6,
 	NFT_CT_TIMEOUT,
+	NFT_CT_ID,
 	__NFT_CT_MAX
 };
 #define NFT_CT_MAX		(__NFT_CT_MAX - 1)
diff --git a/src/ct.c b/src/ct.c
index 2256ce3..21bc182 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -239,6 +239,15 @@ void ct_label_table_exit(void)
 	rt_symbol_table_free(ct_label_tbl);
 }
 
+const struct datatype ct_id_type = {
+	.type		= TYPE_CT_ID,
+	.name		= "ct_id",
+	.desc		= "conntrack id",
+	.byteorder	= BYTEORDER_BIG_ENDIAN,
+	.size		= 4 * BITS_PER_BYTE,
+	.basetype	= &integer_type,
+};
+
 #ifndef NF_CT_HELPER_NAME_LEN
 #define NF_CT_HELPER_NAME_LEN	16
 #endif
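Review bot: The byte order chosen for ct_id_type (and repeated in the NFT_CT_ID template in the next hunk) is left undocumented, and it has to agree with how the kernel's nft_ct expression stores the id in the register; if the kernel writes the 32-bit id without conversion, values printed by nft on little-endian hosts would not match the id shown by conntrack(8), so this is worth confirming before merge. A one-line comment above the definition, e.g. `/* opaque 32-bit id assigned by the kernel; byteorder must match how NFT_CT_ID is stored in the register */`, would record the decision for the next reader. The datatype otherwise mirrors the integer-based ct types defined above it.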
@@ -291,6 +300,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					      BYTEORDER_HOST_ENDIAN, 16),
 	[NFT_CT_EVENTMASK]	= CT_TEMPLATE("event", &ct_event_type,
 					      BYTEORDER_HOST_ENDIAN, 32),
+	[NFT_CT_ID]		= CT_TEMPLATE("id", &ct_id_type,
+					      BYTEORDER_BIG_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/datatype.c b/src/datatype.c
index ac9f2af..6b76fc9 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -71,6 +71,7 @@ static const struct datatype *datatypes[TYPE_MAX + 1] = {
 	[TYPE_BOOLEAN]		= &boolean_type,
 	[TYPE_IFNAME]		= &ifname_type,
 	[TYPE_IGMP_TYPE]	= &igmp_type_type,
+	[TYPE_CT_ID]		= &ct_id_type,
 };
 
 const struct datatype *datatype_lookup(enum datatypes type)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4a2a81c..92660ce 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4100,6 +4100,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
 			|	TIMEOUT 	{ $$ = NFT_CT_TIMEOUT; }
+			|	ID	 	{ $$ = NFT_CT_ID; }
 			|	ct_key_dir_optional
 			;
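Review bot: The new `ID` alternative separates the token from its action with a tab, a space and another tab, unlike the surrounding lines; `			|	ID		{ $$ = NFT_CT_ID; }` keeps the column layout of the rule consistent. The patch adds no `%token` for `ID`, so it presumably already exists in the grammar and scanner; that assumption is worth stating in the commit message since the ct_key rule is the only place the patch touches in the parser.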
 
-- 
2.11.0

