* netfilter: nftables: ctnetlink event type set support
From: Florian Westphal @ 2017-04-15 8:45 UTC
To: netfilter-devel

nftables equivalent for -j CT --ctevents.

Unlike iptables this doesn't work with conntrack templates, it must be used with the real conntrack objects instead (i.e., after conntrack picked the packet up for processing).

patch #1 is for kernel, 2 and 3 for libnftnl/nftables userland.
* [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection 2017-04-15 8:45 netfilter: nftables: ctnetlink event type set support Florian Westphal @ 2017-04-15 8:45 ` Florian Westphal 2017-04-15 9:09 ` Pablo Neira Ayuso 2017-04-15 8:45 ` [PATCH libnftnl 2/3] src: ct eventmask support Florian Westphal 2017-04-15 8:45 ` [PATCH nft 3/3] ct: add conntrack event mask support Florian Westphal 2 siblings, 1 reply; 7+ messages in thread From: Florian Westphal @ 2017-04-15 8:45 UTC (permalink / raw) To: netfilter-devel; +Cc: Florian Westphal by default the kernel emits all ctnetlink events for a connection. This allows to select the types of events to generate for a connection. This allows to e.g. only send DESTROY events but no NEW/UPDATE ones. This was already possible via iptables' CT target. The nft version has the advantage that it can also be used with already-established conntracks. Signed-off-by: Florian Westphal <fw@strlen.de> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_ct.c | 19 ++++++++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 8f3842690d17..683f6f88fcac 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -901,6 +901,7 @@ enum nft_rt_attributes { * @NFT_CT_BYTES: conntrack bytes * @NFT_CT_AVGPKT: conntrack average bytes per packet * @NFT_CT_ZONE: conntrack zone + * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack */ enum nft_ct_keys { NFT_CT_STATE, @@ -921,6 +922,7 @@ enum nft_ct_keys { NFT_CT_BYTES, NFT_CT_AVGPKT, NFT_CT_ZONE, + NFT_CT_EVENTMASK, }; /** diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 6e23dbbedd7f..4f642977f8a5 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c 
@@ -264,7 +264,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr, struct nf_conn *ct; ct = nf_ct_get(skb, &ctinfo); - if (ct == NULL) + if (ct == NULL || nf_ct_is_template(ct)) return; switch (priv->key) { @@ -284,6 +284,16 @@ static void nft_ct_set_eval(const struct nft_expr *expr, NF_CT_LABELS_MAX_SIZE / sizeof(u32)); break; #endif +#ifdef CONFIG_NF_CONNTRACK_EVENTS + case NFT_CT_EVENTMASK: { + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct); + u16 ctmask = (u16)regs->data[priv->sreg]; + + if (e && e->ctmask != ctmask) + e->ctmask = ctmask; + break; + } +#endif default: break; } @@ -539,6 +549,13 @@ static int nft_ct_set_init(const struct nft_ctx *ctx, len = sizeof(u16); break; #endif +#ifdef CONFIG_NF_CONNTRACK_EVENTS + case NFT_CT_EVENTMASK: + if (tb[NFTA_CT_DIRECTION]) + return -EINVAL; + len = sizeof(u32); + break; +#endif default: return -EOPNOTSUPP; } -- 2.10.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
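Review bot: The `nf_ct_is_template(ct)` test added at the top of nft_ct_set_eval (hunk @@ -264) applies to every key this function handles, not only the new NFT_CT_EVENTMASK case, yet the commit message does not mention it. Describe it in the changelog or carry it as a separate one-line fix so it can be reviewed and backported on its own.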
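Review bot: In the NFT_CT_EVENTMASK case of nft_ct_set_eval (hunk @@ -284) the register is read as `(u16)regs->data[priv->sreg]`, while nft_ct_set_init (hunk @@ -539) declares `len = sizeof(u32)` for the same key, so any bit above 15 that userspace sets is dropped without an error. Make the two widths agree or reject out-of-range values at init time, and state which width is the ABI; the mask decides which ctnetlink events listeners receive for the connection, so a silently altered mask should be ruled out.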
* Re: [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection 2017-04-15 8:45 ` [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection Florian Westphal @ 2017-04-15 9:09 ` Pablo Neira Ayuso 2017-04-15 9:44 ` Florian Westphal 0 siblings, 1 reply; 7+ messages in thread From: Pablo Neira Ayuso @ 2017-04-15 9:09 UTC (permalink / raw) To: Florian Westphal; +Cc: netfilter-devel On Sat, Apr 15, 2017 at 10:45:03AM +0200, Florian Westphal wrote: > by default the kernel emits all ctnetlink events for a connection. > This allows to select the types of events to generate for a connection. > > This allows to e.g. only send DESTROY events but no NEW/UPDATE ones. > > This was already possible via iptables' CT target. > The nft version has the advantage that it can also be used with > already-established conntracks. > > Signed-off-by: Florian Westphal <fw@strlen.de> > --- > include/uapi/linux/netfilter/nf_tables.h | 2 ++ > net/netfilter/nft_ct.c | 19 ++++++++++++++++++- > 2 files changed, 20 insertions(+), 1 deletion(-) > > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h > index 8f3842690d17..683f6f88fcac 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -901,6 +901,7 @@ enum nft_rt_attributes { > * @NFT_CT_BYTES: conntrack bytes > * @NFT_CT_AVGPKT: conntrack average bytes per packet > * @NFT_CT_ZONE: conntrack zone > + * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack > */ > enum nft_ct_keys { > NFT_CT_STATE, > @@ -921,6 +922,7 @@ enum nft_ct_keys { > NFT_CT_BYTES, > NFT_CT_AVGPKT, > NFT_CT_ZONE, > + NFT_CT_EVENTMASK, > }; > > /** > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c > index 6e23dbbedd7f..4f642977f8a5 100644 > --- a/net/netfilter/nft_ct.c > +++ b/net/netfilter/nft_ct.c 
> @@ -264,7 +264,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr, > struct nf_conn *ct; > > ct = nf_ct_get(skb, &ctinfo); > - if (ct == NULL) > + if (ct == NULL || nf_ct_is_template(ct)) I wonder if this should go in a oneliner, given this is fixing the fact that we may end up using the template. So someone has a chance to pass it to -stable. I'll be fine either way, no problem. Another comment below. > return; > > switch (priv->key) { > @@ -284,6 +284,16 @@ static void nft_ct_set_eval(const struct nft_expr *expr, > NF_CT_LABELS_MAX_SIZE / sizeof(u32)); > break; > #endif > +#ifdef CONFIG_NF_CONNTRACK_EVENTS > + case NFT_CT_EVENTMASK: { > + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct); > + u16 ctmask = (u16)regs->data[priv->sreg]; Liping added helpers to fetch data from registers, I think it applies to this case too. Thanks! ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection 2017-04-15 9:09 ` Pablo Neira Ayuso @ 2017-04-15 9:44 ` Florian Westphal 2017-04-15 9:50 ` Pablo Neira Ayuso 0 siblings, 1 reply; 7+ messages in thread From: Florian Westphal @ 2017-04-15 9:44 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel Pablo Neira Ayuso <pablo@netfilter.org> wrote: > I wonder if this should go in a oneliner, given this is fixing the > fact that we may end up using the template. So someone has a chance to > pass it to -stable. I'll be fine either way, no problem. Ok. will do. > > +#ifdef CONFIG_NF_CONNTRACK_EVENTS > > + case NFT_CT_EVENTMASK: { > > + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct); > > + u16 ctmask = (u16)regs->data[priv->sreg]; > > Liping added helpers to fetch data from registers, I think it > applies to this case too. Right, I forgot about this, thanks for noticing. Having such huge backlog is crap, I won't do this again, ever :( ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection 2017-04-15 9:44 ` Florian Westphal @ 2017-04-15 9:50 ` Pablo Neira Ayuso 0 siblings, 0 replies; 7+ messages in thread From: Pablo Neira Ayuso @ 2017-04-15 9:50 UTC (permalink / raw) To: Florian Westphal; +Cc: netfilter-devel On Sat, Apr 15, 2017 at 11:44:39AM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > I wonder if this should go in a oneliner, given this is fixing the > > fact that we may end up using the template. So someone has a chance to > > pass it to -stable. I'll be fine either way, no problem. > > Ok. will do. Thanks Florian. > > > +#ifdef CONFIG_NF_CONNTRACK_EVENTS > > > + case NFT_CT_EVENTMASK: { > > > + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct); > > > + u16 ctmask = (u16)regs->data[priv->sreg]; > > > > Liping added helpers to fetch data from registers, I think it > > applies to this case too. > > Right, I forgot about this, thanks for noticing. > Having such huge backlog is crap, I won't do this again, ever :( I tend to repeat this to myself... but sometimes it doesn't seem to work ;) ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH libnftnl 2/3] src: ct eventmask support 2017-04-15 8:45 netfilter: nftables: ctnetlink event type set support Florian Westphal 2017-04-15 8:45 ` [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection Florian Westphal @ 2017-04-15 8:45 ` Florian Westphal 2017-04-15 8:45 ` [PATCH nft 3/3] ct: add conntrack event mask support Florian Westphal 2 siblings, 0 replies; 7+ messages in thread From: Florian Westphal @ 2017-04-15 8:45 UTC (permalink / raw) To: netfilter-devel; +Cc: Florian Westphal Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/linux/netfilter/nf_tables.h | 2 ++ src/expr/ct.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 8f3842690d17..683f6f88fcac 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -901,6 +901,7 @@ enum nft_rt_attributes { * @NFT_CT_BYTES: conntrack bytes * @NFT_CT_AVGPKT: conntrack average bytes per packet * @NFT_CT_ZONE: conntrack zone + * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack */ enum nft_ct_keys { NFT_CT_STATE, @@ -921,6 +922,7 @@ enum nft_ct_keys { NFT_CT_BYTES, NFT_CT_AVGPKT, NFT_CT_ZONE, + NFT_CT_EVENTMASK, }; /** diff --git a/src/expr/ct.c b/src/expr/ct.c index cdd08e95c86c..0fba0d668010 100644 --- a/src/expr/ct.c +++ b/src/expr/ct.c @@ -32,7 +32,7 @@ struct nftnl_expr_ct { #define IP_CT_DIR_REPLY 1 #ifndef NFT_CT_MAX -#define NFT_CT_MAX (NFT_CT_ZONE + 1) +#define NFT_CT_MAX (NFT_CT_EVENTMASK + 1) #endif static int @@ -171,6 +171,7 @@ static const char *ctkey2str_array[NFT_CT_MAX] = { [NFT_CT_BYTES] = "bytes", [NFT_CT_AVGPKT] = "avgpkt", [NFT_CT_ZONE] = "zone", + [NFT_CT_EVENTMASK] = "eventmask", }; static const char *ctkey2str(uint32_t ctkey) -- 2.10.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
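Review bot: In src/expr/ct.c the bump to `NFT_CT_MAX (NFT_CT_EVENTMASK + 1)` sits under `#ifndef NFT_CT_MAX`, so the new `[NFT_CT_EVENTMASK] = "eventmask"` initializer only fits ctkey2str_array when this fallback definition is the one in effect. A short comment on that dependency would help, and the commit message should have a body saying that the header hunk is a copy of the kernel uapi change from patch 1/3.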
* [PATCH nft 3/3] ct: add conntrack event mask support 2017-04-15 8:45 netfilter: nftables: ctnetlink event type set support Florian Westphal 2017-04-15 8:45 ` [PATCH nf-next 1/3] netfilter: nft_ct: allow to set ctnetlink event types of a connection Florian Westphal 2017-04-15 8:45 ` [PATCH libnftnl 2/3] src: ct eventmask support Florian Westphal @ 2017-04-15 8:45 ` Florian Westphal 2 siblings, 0 replies; 7+ messages in thread From: Florian Westphal @ 2017-04-15 8:45 UTC (permalink / raw) To: netfilter-devel; +Cc: Florian Westphal Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> --- doc/nft.xml | 15 +++++ include/datatype.h | 1 + include/linux/netfilter/nf_conntrack_common.h | 80 ++++++--------------------- include/linux/netfilter/nf_tables.h | 2 + src/ct.c | 30 ++++++++++ tests/py/any/ct.t | 6 ++ tests/py/any/ct.t.payload | 20 +++++++ 7 files changed, 90 insertions(+), 64 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index 57cf5cf11352..4d0e89cd2054 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -3864,6 +3864,7 @@ ip6 filter output log flags all <command>ct</command> <group choice="req"> <arg>mark</arg> + <arg>eventmask</arg> <arg>label</arg> <arg>zone</arg> </group> @@ -3894,6 +3895,12 @@ ip6 filter output log flags all </thead> <tbody> <row> + <entry>eventmask</entry> + <entry>conntrack event bits</entry> + <entry>bitmask, integer (32 bit)</entry> + </row> + + <row> <entry>helper</entry> <entry>name of ct helper object to assign to the connection</entry> <entry>quoted string</entry> @@ -3940,6 +3947,14 @@ table inet raw { } </programlisting> </example> + <example> + <title>restrict events reported by ctnetlink</title> + <programlisting> +ct eventmask set new or related or destroy + </programlisting> + </example> + + </para> </refsect2> <refsect2> diff --git a/include/datatype.h b/include/datatype.h index e614b96e880b..04b7d8808cea 100644 --- a/include/datatype.h +++ b/include/datatype.h 
@@ -83,6 +83,7 @@ enum datatypes { TYPE_ECN, TYPE_FIB_ADDR, TYPE_BOOLEAN, + TYPE_CT_EVENTBIT, __TYPE_MAX }; #define TYPE_MAX (__TYPE_MAX - 1) diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index 27a1895218db..768ff251308b 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h 
@@ -79,73 +79,25 @@ enum ip_conntrack_status { IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), }; -/* Connection tracking event bits */ -enum ip_conntrack_events -{ - /* New conntrack */ - IPCT_NEW_BIT = 0, - IPCT_NEW = (1 << IPCT_NEW_BIT), - - /* Expected connection */ - IPCT_RELATED_BIT = 1, - IPCT_RELATED = (1 << IPCT_RELATED_BIT), - - /* Destroyed conntrack */ - IPCT_DESTROY_BIT = 2, - IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), - - /* Timer has been refreshed */ - IPCT_REFRESH_BIT = 3, - IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), - - /* Status has changed */ - IPCT_STATUS_BIT = 4, - IPCT_STATUS = (1 << IPCT_STATUS_BIT), - - /* Update of protocol info */ - IPCT_PROTOINFO_BIT = 5, - IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), - - /* Volatile protocol info */ - IPCT_PROTOINFO_VOLATILE_BIT = 6, - IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), - - /* New helper for conntrack */ - IPCT_HELPER_BIT = 7, - IPCT_HELPER = (1 << IPCT_HELPER_BIT), - - /* Update of helper info */ - IPCT_HELPINFO_BIT = 8, - IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), - - /* Volatile helper info */ - IPCT_HELPINFO_VOLATILE_BIT = 9, - IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), - - /* NAT info */ - IPCT_NATINFO_BIT = 10, - IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), - - /* Counter highest bit has been set, unused */ - IPCT_COUNTER_FILLING_BIT = 11, - IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), - - /* Mark is set */ - IPCT_MARK_BIT = 12, - IPCT_MARK = (1 << IPCT_MARK_BIT), - - /* NAT sequence adjustment */ - IPCT_NATSEQADJ_BIT = 13, - IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), - - /* Secmark is set */ - IPCT_SECMARK_BIT = 14, - IPCT_SECMARK = (1 << IPCT_SECMARK_BIT), +/* Connection tracking event types */ +enum ip_conntrack_events { + IPCT_NEW, /* new conntrack */ + IPCT_RELATED, /* related conntrack */ + IPCT_DESTROY, /* destroyed conntrack */ + IPCT_REPLY, /* connection has seen two-way traffic */ + IPCT_ASSURED, /* connection status has changed to assured */ 
+ IPCT_PROTOINFO, /* protocol information has changed */ + IPCT_HELPER, /* new helper has been set */ + IPCT_MARK, /* new mark has been set */ + IPCT_SEQADJ, /* sequence adjustment has changed */ + IPCT_NATSEQADJ = IPCT_SEQADJ, + IPCT_SECMARK, /* new security mark has been set */ + IPCT_LABEL, /* new connlabel has been set */ }; enum ip_conntrack_expect_events { - IPEXP_NEW_BIT = 0, - IPEXP_NEW = (1 << IPEXP_NEW_BIT), + IPEXP_NEW, /* new expectation */ + IPEXP_DESTROY, /* destroyed expectation */ }; diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 8f3842690d17..683f6f88fcac 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -901,6 +901,7 @@ enum nft_rt_attributes { * @NFT_CT_BYTES: conntrack bytes * @NFT_CT_AVGPKT: conntrack average bytes per packet * @NFT_CT_ZONE: conntrack zone + * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack */ enum nft_ct_keys { NFT_CT_STATE, @@ -921,6 +922,7 @@ enum nft_ct_keys { NFT_CT_BYTES, NFT_CT_AVGPKT, NFT_CT_ZONE, + NFT_CT_EVENTMASK, }; /** diff --git a/src/ct.c b/src/ct.c index fd8ca87a21fb..5014265a3427 100644 --- a/src/ct.c +++ b/src/ct.c 
@@ -100,6 +100,34 @@ static const struct datatype ct_status_type = { .sym_tbl = &ct_status_tbl, }; +static const struct symbol_table ct_events_tbl = { + .base = BASE_HEXADECIMAL, + .symbols = { + SYMBOL("new", 1 << IPCT_NEW), + SYMBOL("related", 1 << IPCT_RELATED), + SYMBOL("destroy", 1 << IPCT_DESTROY), + SYMBOL("reply", 1 << IPCT_REPLY), + SYMBOL("assured", 1 << IPCT_ASSURED), + SYMBOL("protoinfo", 1 << IPCT_PROTOINFO), + SYMBOL("helper", 1 << IPCT_HELPER), + SYMBOL("mark", 1 << IPCT_MARK), + SYMBOL("seqadj", 1 << IPCT_SEQADJ), + SYMBOL("secmark", 1 << IPCT_SECMARK), + SYMBOL("label", 1 << IPCT_LABEL), + SYMBOL_LIST_END + }, +}; + +static const struct datatype ct_event_type = { + .type = TYPE_CT_EVENTBIT, + .name = "ct_event", + .desc = "conntrack event bits", + .byteorder = BYTEORDER_HOST_ENDIAN, + .size = 4 * BITS_PER_BYTE, + .basetype = &bitmask_type, + .sym_tbl = &ct_events_tbl, +}; + static struct symbol_table *ct_label_tbl; #define CT_LABEL_BIT_SIZE 128 @@ -236,6 +264,8 @@ static const struct ct_template ct_templates[] = { BYTEORDER_HOST_ENDIAN, 64), [NFT_CT_ZONE] = CT_TEMPLATE("zone", &integer_type, BYTEORDER_HOST_ENDIAN, 16), + [NFT_CT_EVENTMASK] = CT_TEMPLATE("eventmask", &ct_event_type, + BYTEORDER_HOST_ENDIAN, 32), }; static void ct_print(enum nft_ct_keys key, int8_t dir) diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index 6f32d29c0c40..96a80f84a218 100644 --- a/tests/py/any/ct.t +++ b/tests/py/any/ct.t @@ -96,6 +96,12 @@ ct original mark 42;fail # swapped key and direction ct mark original;fail +ct eventmask set new;ok +ct eventmask set new or related or destroy or foobar;fail +ct eventmask set 'new | related | destroy | label';ok;ct eventmask set new | related | destroy | label +ct eventmask set 1;ok;ct eventmask set new +ct eventmask set 0x0;ok + ct label 127;ok ct label set 127;ok ct label 128;fail diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload index e4c7f62b69f5..6077e5da63b8 100644 --- a/tests/py/any/ct.t.payload 
+++ b/tests/py/any/ct.t.payload @@ -391,6 +391,26 @@ ip test-ip4 output [ bitwise reg 1 = (reg=1 & 0x00000020 ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000000 ] +# ct eventmask set new +ip test-ip4 output + [ immediate reg 1 0x00000001 ] + [ ct set eventmask with reg 1 ] + +# ct eventmask set 'new | related | destroy | label' +ip test-ip4 output + [ immediate reg 1 0x00000407 ] + [ ct set eventmask with reg 1 ] + +# ct eventmask set 1 +ip test-ip4 output + [ immediate reg 1 0x00000001 ] + [ ct set eventmask with reg 1 ] + +# ct eventmask set 0x0 +ip test-ip4 output + [ immediate reg 1 0x00000000 ] + [ ct set eventmask with reg 1 ] + # ct label 127 ip test-ip4 output [ ct load label => reg 1 ] -- 2.10.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
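Review bot: The include/linux/netfilter/nf_conntrack_common.h hunk changes IPCT_NEW and the other event constants from bit masks (`IPCT_NEW = (1 << IPCT_NEW_BIT)`) to bit positions and drops the `_BIT` names, but the commit message has no body. Any existing user in the tree that ORs these constants directly would change meaning silently; say in the changelog that this is a header resync and that callers must shift explicitly, as the new ct_events_tbl does with `1 << IPCT_NEW`.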
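Review bot: doc/nft.xml describes eventmask as `bitmask, integer (32 bit)` and ct_event_type uses `.size = 4 * BITS_PER_BYTE`, but the documentation never lists the accepted symbols (new, related, destroy, ...) nor what `ct eventmask set 0x0`, which tests/py/any/ct.t accepts, means for a connection. Add the symbol list and a sentence on the empty mask to the table entry, and add a test for a numeric value with bits outside the symbol table so the accepted range is pinned down.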
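The mask arithmetic behind the test payloads in this series, as an added example that is not code from the patches: it maps the symbol names of ct_events_tbl to a 32-bit mask and shows what survives the `(u16)` cast made in the kernel patch. The functions `eventmask_parse`, `eventmask_stored` and `eventmask_lossless` are hypothetical helpers, and the expression grammar is a simplification of what nft accepts.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit positions in the order given by the nf_conntrack_common.h hunk. */
enum { IPCT_NEW, IPCT_RELATED, IPCT_DESTROY, IPCT_REPLY, IPCT_ASSURED,
       IPCT_PROTOINFO, IPCT_HELPER, IPCT_MARK, IPCT_SEQADJ, IPCT_SECMARK,
       IPCT_LABEL };

/* Symbol names as in ct_events_tbl from the src/ct.c hunk. */
static const struct { const char *name; uint32_t bit; } ev_syms[] = {
	{ "new", 1u << IPCT_NEW },         { "related", 1u << IPCT_RELATED },
	{ "destroy", 1u << IPCT_DESTROY }, { "reply", 1u << IPCT_REPLY },
	{ "assured", 1u << IPCT_ASSURED }, { "protoinfo", 1u << IPCT_PROTOINFO },
	{ "helper", 1u << IPCT_HELPER },   { "mark", 1u << IPCT_MARK },
	{ "seqadj", 1u << IPCT_SEQADJ },   { "secmark", 1u << IPCT_SECMARK },
	{ "label", 1u << IPCT_LABEL },
};

/* Hypothetical helper: parse "a | b", "a or b" or a number into a mask.
 * Returns 0 on success, -1 on an unknown symbol or empty/oversized input. */
int eventmask_parse(const char *expr, uint32_t *mask)
{
	char buf[128], *tok, *end;
	size_t i, n = sizeof(ev_syms) / sizeof(ev_syms[0]);
	int seen = 0;

	if (strlen(expr) >= sizeof(buf))
		return -1;
	strcpy(buf, expr);
	*mask = 0;
	for (tok = strtok(buf, " |"); tok; tok = strtok(NULL, " |")) {
		if (strcmp(tok, "or") == 0)
			continue;
		for (i = 0; i < n && strcmp(tok, ev_syms[i].name) != 0; i++)
			;
		if (i < n) {
			*mask |= ev_syms[i].bit;
		} else {	/* not a symbol: accept a plain number */
			unsigned long v = strtoul(tok, &end, 0);
			if (end == tok || *end != '\0' || v > UINT32_MAX)
				return -1;
			*mask |= (uint32_t)v;
		}
		seen = 1;
	}
	return seen ? 0 : -1;
}

/* What the nft_ct_set_eval hunk keeps: the register value cast to u16. */
uint16_t eventmask_stored(uint32_t reg) { return (uint16_t)reg; }

/* 1 if the 32-bit userland value survives that cast unchanged. */
int eventmask_lossless(uint32_t reg) { return eventmask_stored(reg) == reg; }

int main(void)
{
	uint32_t m;
	if (eventmask_parse("new | related | destroy | label", &m) == 0)
		printf("mask 0x%08x lossless=%d\n", (unsigned)m, eventmask_lossless(m));
	printf("0x00010001 stored as 0x%04x\n", (unsigned)eventmask_stored(0x10001));
	return 0;
}
```
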