* netfilter: nftables: ctnetlink event type set support
@ 2017-04-15 8:45 Florian Westphal
From: Florian Westphal @ 2017-04-15 8:45 UTC (permalink / raw)
To: netfilter-devel
nftables equivalent for -j CT --ctevents.
Unlike iptables, this doesn't work with conntrack templates; it must
be used with the real conntrack objects instead (i.e., after conntrack
picked the packet up for processing).
patch #1 is for kernel, 2 and 3 for libnftnl/nftables userland.
* [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection
From: Florian Westphal @ 2017-04-15 8:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
By default the kernel emits all ctnetlink events for a connection.
This allows selecting the types of events to generate for a connection.
This allows, e.g., sending only DESTROY events but no NEW/UPDATE ones.
This was already possible via iptables' CT target.
The nft version has the advantage that it can also be used with
already-established conntracks.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_ct.c | 19 ++++++++++++++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 8f3842690d17..683f6f88fcac 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -901,6 +901,7 @@ enum nft_rt_attributes {
* @NFT_CT_BYTES: conntrack bytes
* @NFT_CT_AVGPKT: conntrack average bytes per packet
* @NFT_CT_ZONE: conntrack zone
+ * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
*/
enum nft_ct_keys {
NFT_CT_STATE,
@@ -921,6 +922,7 @@ enum nft_ct_keys {
NFT_CT_BYTES,
NFT_CT_AVGPKT,
NFT_CT_ZONE,
+ NFT_CT_EVENTMASK,
};
/**
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 6e23dbbedd7f..4f642977f8a5 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -264,7 +264,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
- if (ct == NULL)
+ if (ct == NULL || nf_ct_is_template(ct))
return;
switch (priv->key) {
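Review bot: the added `nf_ct_is_template(ct)` test in nft_ct_set_eval is a standalone bug fix rather than part of the eventmask feature: it now stops every key handled by this switch (the existing label case included) from writing into a conntrack template, so it is better sent as its own one-line patch with a Fixes: tag so it can be picked up for -stable independently of the new key.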
@@ -284,6 +284,16 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
NF_CT_LABELS_MAX_SIZE / sizeof(u32));
break;
#endif
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+ case NFT_CT_EVENTMASK: {
+ struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct);
+ u16 ctmask = (u16)regs->data[priv->sreg];
+
+ if (e && e->ctmask != ctmask)
+ e->ctmask = ctmask;
+ break;
+ }
+#endif
default:
break;
}
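Review bot: the `if (e && e->ctmask != ctmask)` guard makes the rule a silent no-op whenever `nf_ct_ecache_find(ct)` returns NULL (event delivery disabled, or the extension not attached to this entry), so a ruleset that relies on suppressing or enabling events gets no indication that the mask was not applied; consider stating this in the commit message, or allocating the extension when it is missing and the requested mask is non-zero. `e->ctmask` is also stored without any lock; if a concurrent u16 store from another CPU is acceptable here, a one-line comment saying so would help the next reader.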
@@ -539,6 +549,13 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
len = sizeof(u16);
break;
#endif
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+ case NFT_CT_EVENTMASK:
+ if (tb[NFTA_CT_DIRECTION])
+ return -EINVAL;
+ len = sizeof(u32);
+ break;
+#endif
default:
return -EOPNOTSUPP;
}
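Review bot: `len = sizeof(u32)` accepts a full 32-bit source register, but nft_ct_set_eval above casts the value to `u16` before storing it in `e->ctmask`, so bits 16..31 supplied by userspace are silently discarded (and the nft side in patch 3/3 declares the type as a 32-bit bitmask). Since the value is only known at eval time, either store the full width or make the 16-bit limit explicit with a comment and a mask at the point of use. Rejecting NFTA_CT_DIRECTION for this key is right, as the event mask belongs to the conntrack, not to one direction.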
--
2.10.2
* [PATCH libnftnl 2/3] src: ct eventmask support
From: Florian Westphal @ 2017-04-15 8:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/ct.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8f3842690d17..683f6f88fcac 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -901,6 +901,7 @@ enum nft_rt_attributes {
* @NFT_CT_BYTES: conntrack bytes
* @NFT_CT_AVGPKT: conntrack average bytes per packet
* @NFT_CT_ZONE: conntrack zone
+ * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
*/
enum nft_ct_keys {
NFT_CT_STATE,
@@ -921,6 +922,7 @@ enum nft_ct_keys {
NFT_CT_BYTES,
NFT_CT_AVGPKT,
NFT_CT_ZONE,
+ NFT_CT_EVENTMASK,
};
/**
diff --git a/src/expr/ct.c b/src/expr/ct.c
index cdd08e95c86c..0fba0d668010 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -32,7 +32,7 @@ struct nftnl_expr_ct {
#define IP_CT_DIR_REPLY 1
#ifndef NFT_CT_MAX
-#define NFT_CT_MAX (NFT_CT_ZONE + 1)
+#define NFT_CT_MAX (NFT_CT_EVENTMASK + 1)
#endif
static int
@@ -171,6 +171,7 @@ static const char *ctkey2str_array[NFT_CT_MAX] = {
[NFT_CT_BYTES] = "bytes",
[NFT_CT_AVGPKT] = "avgpkt",
[NFT_CT_ZONE] = "zone",
+ [NFT_CT_EVENTMASK] = "eventmask",
};
static const char *ctkey2str(uint32_t ctkey)
--
2.10.2
* [PATCH nft 3/3] ct: add conntrack event mask support
From: Florian Westphal @ 2017-04-15 8:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
doc/nft.xml | 15 +++++
include/datatype.h | 1 +
include/linux/netfilter/nf_conntrack_common.h | 80 ++++++---------------------
include/linux/netfilter/nf_tables.h | 2 +
src/ct.c | 30 ++++++++++
tests/py/any/ct.t | 6 ++
tests/py/any/ct.t.payload | 20 +++++++
7 files changed, 90 insertions(+), 64 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index 57cf5cf11352..4d0e89cd2054 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3864,6 +3864,7 @@ ip6 filter output log flags all
<command>ct</command>
<group choice="req">
<arg>mark</arg>
+ <arg>eventmask</arg>
<arg>label</arg>
<arg>zone</arg>
</group>
@@ -3894,6 +3895,12 @@ ip6 filter output log flags all
</thead>
<tbody>
<row>
+ <entry>eventmask</entry>
+ <entry>conntrack event bits</entry>
+ <entry>bitmask, integer (32 bit)</entry>
+ </row>
+
+ <row>
<entry>helper</entry>
<entry>name of ct helper object to assign to the connection</entry>
<entry>quoted string</entry>
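Review bot: the new `eventmask` row describes the type only as "conntrack event bits" and does not list the keywords the parser accepts (new, related, destroy, reply, assured, protoinfo, helper, mark, seqadj, secmark, label, per the ct_events_tbl added in src/ct.c in this same patch); listing them in the table entry, or in the example below, would save users a trip to the source.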
@@ -3940,6 +3947,14 @@ table inet raw {
}
</programlisting>
</example>
+ <example>
+ <title>restrict events reported by ctnetlink</title>
+ <programlisting>
+ct eventmask set new or related or destroy
+ </programlisting>
+ </example>
+
+
</para>
</refsect2>
<refsect2>
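Review bot: the example should be accompanied by a sentence saying that the mask is applied to the conntrack entry the packet belongs to, so the rule must match after conntrack has picked the packet up and has no effect on templates (the cover letter states this, the man page text does not); it would also help to say that an empty mask (`0x0`, which the tests accept) suppresses all events for that connection. The two empty `+` lines before `</para>` are stray whitespace and can be dropped.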
diff --git a/include/datatype.h b/include/datatype.h
index e614b96e880b..04b7d8808cea 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -83,6 +83,7 @@ enum datatypes {
TYPE_ECN,
TYPE_FIB_ADDR,
TYPE_BOOLEAN,
+ TYPE_CT_EVENTBIT,
__TYPE_MAX
};
#define TYPE_MAX (__TYPE_MAX - 1)
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 27a1895218db..768ff251308b 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -79,73 +79,25 @@ enum ip_conntrack_status {
IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
};
-/* Connection tracking event bits */
-enum ip_conntrack_events
-{
- /* New conntrack */
- IPCT_NEW_BIT = 0,
- IPCT_NEW = (1 << IPCT_NEW_BIT),
-
- /* Expected connection */
- IPCT_RELATED_BIT = 1,
- IPCT_RELATED = (1 << IPCT_RELATED_BIT),
-
- /* Destroyed conntrack */
- IPCT_DESTROY_BIT = 2,
- IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
-
- /* Timer has been refreshed */
- IPCT_REFRESH_BIT = 3,
- IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
-
- /* Status has changed */
- IPCT_STATUS_BIT = 4,
- IPCT_STATUS = (1 << IPCT_STATUS_BIT),
-
- /* Update of protocol info */
- IPCT_PROTOINFO_BIT = 5,
- IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
-
- /* Volatile protocol info */
- IPCT_PROTOINFO_VOLATILE_BIT = 6,
- IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
-
- /* New helper for conntrack */
- IPCT_HELPER_BIT = 7,
- IPCT_HELPER = (1 << IPCT_HELPER_BIT),
-
- /* Update of helper info */
- IPCT_HELPINFO_BIT = 8,
- IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
-
- /* Volatile helper info */
- IPCT_HELPINFO_VOLATILE_BIT = 9,
- IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
-
- /* NAT info */
- IPCT_NATINFO_BIT = 10,
- IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
-
- /* Counter highest bit has been set, unused */
- IPCT_COUNTER_FILLING_BIT = 11,
- IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
-
- /* Mark is set */
- IPCT_MARK_BIT = 12,
- IPCT_MARK = (1 << IPCT_MARK_BIT),
-
- /* NAT sequence adjustment */
- IPCT_NATSEQADJ_BIT = 13,
- IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
-
- /* Secmark is set */
- IPCT_SECMARK_BIT = 14,
- IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
+/* Connection tracking event types */
+enum ip_conntrack_events {
+ IPCT_NEW, /* new conntrack */
+ IPCT_RELATED, /* related conntrack */
+ IPCT_DESTROY, /* destroyed conntrack */
+ IPCT_REPLY, /* connection has seen two-way traffic */
+ IPCT_ASSURED, /* connection status has changed to assured */
+ IPCT_PROTOINFO, /* protocol information has changed */
+ IPCT_HELPER, /* new helper has been set */
+ IPCT_MARK, /* new mark has been set */
+ IPCT_SEQADJ, /* sequence adjustment has changed */
+ IPCT_NATSEQADJ = IPCT_SEQADJ,
+ IPCT_SECMARK, /* new security mark has been set */
+ IPCT_LABEL, /* new connlabel has been set */
};
enum ip_conntrack_expect_events {
- IPEXP_NEW_BIT = 0,
- IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+ IPEXP_NEW, /* new expectation */
+ IPEXP_DESTROY, /* destroyed expectation */
};
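Review bot: this hunk is a wholesale refresh of the copied kernel header that replaces the old `IPCT_*_BIT`/`IPCT_*` pairs with plain enumerators, which the new symbol table then shifts with `1 << IPCT_*`; since it is an independent header sync rather than part of the feature, it would be cleaner as its own preparatory patch, and the commit message should say which kernel tree the header was taken from. Note the `IPCT_NATSEQADJ = IPCT_SEQADJ` alias: it keeps the old name valid but is not exposed in the symbol table, which is fine as long as that is intentional.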
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8f3842690d17..683f6f88fcac 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -901,6 +901,7 @@ enum nft_rt_attributes {
* @NFT_CT_BYTES: conntrack bytes
* @NFT_CT_AVGPKT: conntrack average bytes per packet
* @NFT_CT_ZONE: conntrack zone
+ * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
*/
enum nft_ct_keys {
NFT_CT_STATE,
@@ -921,6 +922,7 @@ enum nft_ct_keys {
NFT_CT_BYTES,
NFT_CT_AVGPKT,
NFT_CT_ZONE,
+ NFT_CT_EVENTMASK,
};
/**
diff --git a/src/ct.c b/src/ct.c
index fd8ca87a21fb..5014265a3427 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -100,6 +100,34 @@ static const struct datatype ct_status_type = {
.sym_tbl = &ct_status_tbl,
};
+static const struct symbol_table ct_events_tbl = {
+ .base = BASE_HEXADECIMAL,
+ .symbols = {
+ SYMBOL("new", 1 << IPCT_NEW),
+ SYMBOL("related", 1 << IPCT_RELATED),
+ SYMBOL("destroy", 1 << IPCT_DESTROY),
+ SYMBOL("reply", 1 << IPCT_REPLY),
+ SYMBOL("assured", 1 << IPCT_ASSURED),
+ SYMBOL("protoinfo", 1 << IPCT_PROTOINFO),
+ SYMBOL("helper", 1 << IPCT_HELPER),
+ SYMBOL("mark", 1 << IPCT_MARK),
+ SYMBOL("seqadj", 1 << IPCT_SEQADJ),
+ SYMBOL("secmark", 1 << IPCT_SECMARK),
+ SYMBOL("label", 1 << IPCT_LABEL),
+ SYMBOL_LIST_END
+ },
+};
+
+static const struct datatype ct_event_type = {
+ .type = TYPE_CT_EVENTBIT,
+ .name = "ct_event",
+ .desc = "conntrack event bits",
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ .size = 4 * BITS_PER_BYTE,
+ .basetype = &bitmask_type,
+ .sym_tbl = &ct_events_tbl,
+};
+
static struct symbol_table *ct_label_tbl;
#define CT_LABEL_BIT_SIZE 128
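Review bot: `.size = 4 * BITS_PER_BYTE` declares a 32-bit value while the symbol table only covers bits 0..10 (IPCT_LABEL is the highest enumerator in the synced header), and the kernel patch 1/3 truncates the register to u16 before storing it; bits 11..31 can therefore be set from the nft syntax but never select an event, and bits 16..31 are dropped by the kernel outright. Either narrow the type to 16 bits to match the kernel, or keep 32 bits and make the kernel store the full width; whichever is chosen, the two patches should agree. `.base = BASE_HEXADECIMAL` also means any value that does not decompose into the listed symbols prints back as hex, which matches the `0x0` test case.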
@@ -236,6 +264,8 @@ static const struct ct_template ct_templates[] = {
BYTEORDER_HOST_ENDIAN, 64),
[NFT_CT_ZONE] = CT_TEMPLATE("zone", &integer_type,
BYTEORDER_HOST_ENDIAN, 16),
+ [NFT_CT_EVENTMASK] = CT_TEMPLATE("eventmask", &ct_event_type,
+ BYTEORDER_HOST_ENDIAN, 32),
};
static void ct_print(enum nft_ct_keys key, int8_t dir)
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 6f32d29c0c40..96a80f84a218 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -96,6 +96,12 @@ ct original mark 42;fail
# swapped key and direction
ct mark original;fail
+ct eventmask set new;ok
+ct eventmask set new or related or destroy or foobar;fail
+ct eventmask set 'new | related | destroy | label';ok;ct eventmask set new | related | destroy | label
+ct eventmask set 1;ok;ct eventmask set new
+ct eventmask set 0x0;ok
+
ct label 127;ok
ct label set 127;ok
ct label 128;fail
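Review bot: the `or` spelling used in the doc example (`ct eventmask set new or related or destroy`) only appears here in the failing `foobar` variant; add the passing form with its expected canonical output (presumably `new | related | destroy`, as the quoted `|` case shows) so the documented syntax is covered by a positive test, and consider a case with an undefined bit such as `0x800` to pin down how unknown bits are printed.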
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index e4c7f62b69f5..6077e5da63b8 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -391,6 +391,26 @@ ip test-ip4 output
[ bitwise reg 1 = (reg=1 & 0x00000020 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
+# ct eventmask set new
+ip test-ip4 output
+ [ immediate reg 1 0x00000001 ]
+ [ ct set eventmask with reg 1 ]
+
+# ct eventmask set 'new | related | destroy | label'
+ip test-ip4 output
+ [ immediate reg 1 0x00000407 ]
+ [ ct set eventmask with reg 1 ]
+
+# ct eventmask set 1
+ip test-ip4 output
+ [ immediate reg 1 0x00000001 ]
+ [ ct set eventmask with reg 1 ]
+
+# ct eventmask set 0x0
+ip test-ip4 output
+ [ immediate reg 1 0x00000000 ]
+ [ ct set eventmask with reg 1 ]
+
# ct label 127
ip test-ip4 output
[ ct load label => reg 1 ]
--
2.10.2
* Re: [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection
From: Pablo Neira Ayuso @ 2017-04-15 9:09 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Sat, Apr 15, 2017 at 10:45:03AM +0200, Florian Westphal wrote:
> By default the kernel emits all ctnetlink events for a connection.
> This allows selecting the types of events to generate for a connection.
>
> This allows, e.g., sending only DESTROY events but no NEW/UPDATE ones.
>
> This was already possible via iptables' CT target.
> The nft version has the advantage that it can also be used with
> already-established conntracks.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 2 ++
> net/netfilter/nft_ct.c | 19 ++++++++++++++++++-
> 2 files changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 8f3842690d17..683f6f88fcac 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -901,6 +901,7 @@ enum nft_rt_attributes {
> * @NFT_CT_BYTES: conntrack bytes
> * @NFT_CT_AVGPKT: conntrack average bytes per packet
> * @NFT_CT_ZONE: conntrack zone
> + * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
> */
> enum nft_ct_keys {
> NFT_CT_STATE,
> @@ -921,6 +922,7 @@ enum nft_ct_keys {
> NFT_CT_BYTES,
> NFT_CT_AVGPKT,
> NFT_CT_ZONE,
> + NFT_CT_EVENTMASK,
> };
>
> /**
> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> index 6e23dbbedd7f..4f642977f8a5 100644
> --- a/net/netfilter/nft_ct.c
> +++ b/net/netfilter/nft_ct.c
> @@ -264,7 +264,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
> struct nf_conn *ct;
>
> ct = nf_ct_get(skb, &ctinfo);
> - if (ct == NULL)
> + if (ct == NULL || nf_ct_is_template(ct))
I wonder if this should go in a oneliner, given this is fixing the
fact that we may end up using the template. So someone has a chance to
pass it to -stable. I'll be fine either way, no problem.
Another comment below.
> return;
>
> switch (priv->key) {
> @@ -284,6 +284,16 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
> NF_CT_LABELS_MAX_SIZE / sizeof(u32));
> break;
> #endif
> +#ifdef CONFIG_NF_CONNTRACK_EVENTS
> + case NFT_CT_EVENTMASK: {
> + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct);
> + u16 ctmask = (u16)regs->data[priv->sreg];
Liping added helpers to fetch data from registers, I think it
applies to this case too.
Thanks!
* Re: [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection
From: Florian Westphal @ 2017-04-15 9:44 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> I wonder if this should go in a oneliner, given this is fixing the
> fact that we may end up using the template. So someone has a chance to
> pass it to -stable. I'll be fine either way, no problem.
Ok, will do.
> > +#ifdef CONFIG_NF_CONNTRACK_EVENTS
> > + case NFT_CT_EVENTMASK: {
> > + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct);
> > + u16 ctmask = (u16)regs->data[priv->sreg];
>
> Liping added helpers to fetch data from registers, I think it
> applies to this case too.
Right, I forgot about this, thanks for noticing.
Having such a huge backlog is crap, I won't do this again, ever :(
* Re: [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection
From: Pablo Neira Ayuso @ 2017-04-15 9:50 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Sat, Apr 15, 2017 at 11:44:39AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > I wonder if this should go in a oneliner, given this is fixing the
> > fact that we may end up using the template. So someone has a chance to
> > pass it to -stable. I'll be fine either way, no problem.
>
> Ok, will do.
Thanks Florian.
> > > +#ifdef CONFIG_NF_CONNTRACK_EVENTS
> > > + case NFT_CT_EVENTMASK: {
> > > + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct);
> > > + u16 ctmask = (u16)regs->data[priv->sreg];
> >
> > Liping added helpers to fetch data from registers, I think it
> > applies to this case too.
>
> Right, I forgot about this, thanks for noticing.
> Having such a huge backlog is crap, I won't do this again, ever :(
I tend to repeat this to myself... but sometimes it doesn't seem to
work ;)