[PATCH iproute2/net-next] tc: flower: Add support for ct_state reply flag

[PATCH iproute2/net-next] tc: flower: Add support for ct_state reply flag

[Paul Blakey]

Matches on conntrack rpl ct_state.

Example:
$ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \
  ct_state +trk+est+rpl \
  action mirred egress redirect dev ens1f0_1
$ tc filter add dev ens1f0_1 ingress prio 1 chain 1 proto ip flower \
  ct_state +trk+est-rpl \
  action mirred egress redirect dev ens1f0_0

Signed-off-by: Paul Blakey <paulb@nvidia.com>
---
 man/man8/tc-flower.8 | 2 ++
 tc/f_flower.c        | 1 +
 2 files changed, 3 insertions(+)

diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index 226d1cc..f7336b6 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -387,6 +387,8 @@ new - New connection.
 .TP
 est - Established connection.
 .TP
+rpl - The packet is in the reply direction, meaning that it is in the opposite direction from the packet that initiated the connection.
+.TP
 inv - The state is invalid. The packet couldn't be associated to a connection.
 .TP
 Example: +trk+est
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 85c1043..53822a9 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -346,6 +346,7 @@ static struct flower_ct_states {
 	{ "new", TCA_FLOWER_KEY_CT_FLAGS_NEW },
 	{ "est", TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED },
 	{ "inv", TCA_FLOWER_KEY_CT_FLAGS_INVALID },
+	{ "rpl", TCA_FLOWER_KEY_CT_FLAGS_REPLY },
 };
 
 static int flower_parse_ct_state(char *str, struct nlmsghdr *n)
-- 
1.8.3.1

Re: [PATCH iproute2/net-next] tc: flower: Add support for ct_state reply flag

[Marcelo Ricardo Leitner]

On Tue, Feb 02, 2021 at 02:24:42PM +0200, Paul Blakey wrote:
> Matches on conntrack rpl ct_state.
> 
> Example:
> $ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \
>   ct_state +trk+est+rpl \
>   action mirred egress redirect dev ens1f0_1
> $ tc filter add dev ens1f0_1 ingress prio 1 chain 1 proto ip flower \
>   ct_state +trk+est-rpl \
>   action mirred egress redirect dev ens1f0_0
> 
> Signed-off-by: Paul Blakey <paulb@nvidia.com>
> ---
>  man/man8/tc-flower.8 | 2 ++
>  tc/f_flower.c        | 1 +
>  2 files changed, 3 insertions(+)

iproute has a header copy, include/uapi/linux/pkt_cls.h.
I think it needs updating as well.

  Marcelo

Re: [PATCH iproute2/net-next] tc: flower: Add support for ct_state reply flag

[Paul Blakey]

On Tue, 2 Feb 2021, Marcelo Ricardo Leitner wrote:

> On Tue, Feb 02, 2021 at 02:24:42PM +0200, Paul Blakey wrote:
> > Matches on conntrack rpl ct_state.
> > 
> > Example:
> > $ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \
> >   ct_state +trk+est+rpl \
> >   action mirred egress redirect dev ens1f0_1
> > $ tc filter add dev ens1f0_1 ingress prio 1 chain 1 proto ip flower \
> >   ct_state +trk+est-rpl \
> >   action mirred egress redirect dev ens1f0_0
> > 
> > Signed-off-by: Paul Blakey <paulb@nvidia.com>
> > ---
> >  man/man8/tc-flower.8 | 2 ++
> >  tc/f_flower.c        | 1 +
> >  2 files changed, 3 insertions(+)
> 
> iproute has a header copy, include/uapi/linux/pkt_cls.h.
> I think it needs updating as well.
> 
>   Marcelo
> 

Hi,

Commit 1e6190218050 ("Update kernel headers") from 02/02/2021 updated the
headers to include the relevant flag.

Thanks,
Paul.

Re: [PATCH iproute2/net-next] tc: flower: Add support for ct_state reply flag

[David Ahern]

On 2/2/21 5:24 AM, Paul Blakey wrote:
> Matches on conntrack rpl ct_state.
> 
> Example:
> $ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \
>   ct_state +trk+est+rpl \
>   action mirred egress redirect dev ens1f0_1
> $ tc filter add dev ens1f0_1 ingress prio 1 chain 1 proto ip flower \
>   ct_state +trk+est-rpl \
>   action mirred egress redirect dev ens1f0_0
> 
> Signed-off-by: Paul Blakey <paulb@nvidia.com>
> ---
>  man/man8/tc-flower.8 | 2 ++
>  tc/f_flower.c        | 1 +
>  2 files changed, 3 insertions(+)
> 

applied to iproute2-next. Thanks