* [PATCH nft] ct: Add support for the 'id' key
@ 2019-04-23 20:18 Brett Mastbergen
2019-04-23 20:55 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Brett Mastbergen @ 2019-04-23 20:18 UTC (permalink / raw)
To: netfilter-devel
The 'id' key allows for matching on the id of the conntrack entry.
This is most useful as a key for maps
nft add map nat conntoip { type ct_id: ipv4_addr \; }
nft add rule ip nat postrouting snat ct id map @conntoip
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
---
doc/payload-expression.txt | 5 ++++-
include/ct.h | 1 +
include/datatype.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/ct.c | 11 +++++++++++
src/datatype.c | 1 +
src/parser_bison.y | 1 +
7 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 28061f3..e93022b 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -588,7 +588,7 @@ is true for the *zone*, if a direction is given, the zone is only matched if the
zone id is tied to the given direction. +
[verse]
-*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone}
+*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone | id}
*ct* {original | reply} {l3proto | protocol | proto-src | proto-dst | bytes | packets | avgpkt | zone}
*ct* {original | reply} {ip | ip6} {saddr | daddr}
@@ -650,6 +650,9 @@ integer (16 bit)
|count|
count number of connections
integer (32 bit)
+|id|
+Connection id
+ct_id
|==========================================
A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
diff --git a/include/ct.h b/include/ct.h
index 4c5bd80..1e707e7 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -39,5 +39,6 @@ extern const char *ct_label2str(unsigned long value);
extern const struct datatype ct_dir_type;
extern const struct datatype ct_state_type;
extern const struct datatype ct_status_type;
+extern const struct datatype ct_id_type;
#endif /* NFTABLES_CT_H */
diff --git a/include/datatype.h b/include/datatype.h
index 14ece28..73a9cf2 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -90,6 +90,7 @@ enum datatypes {
TYPE_CT_EVENTBIT,
TYPE_IFNAME,
TYPE_IGMP_TYPE,
+ TYPE_CT_ID,
__TYPE_MAX
};
#define TYPE_MAX (__TYPE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 09a7b9e..150f32a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -986,6 +986,7 @@ enum nft_osf_flags {
* @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
* @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
* @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
+ * @NFT_CT_ID: conntrack id
*/
enum nft_ct_keys {
NFT_CT_STATE,
@@ -1012,6 +1013,7 @@ enum nft_ct_keys {
NFT_CT_SRC_IP6,
NFT_CT_DST_IP6,
NFT_CT_TIMEOUT,
+ NFT_CT_ID,
__NFT_CT_MAX
};
#define NFT_CT_MAX (__NFT_CT_MAX - 1)
diff --git a/src/ct.c b/src/ct.c
index 2256ce3..21bc182 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -239,6 +239,15 @@ void ct_label_table_exit(void)
rt_symbol_table_free(ct_label_tbl);
}
+const struct datatype ct_id_type = {
+ .type = TYPE_CT_ID,
+ .name = "ct_id",
+ .desc = "conntrack id",
+ .byteorder = BYTEORDER_BIG_ENDIAN,
+ .size = 4 * BITS_PER_BYTE,
+ .basetype = &integer_type,
+};
+
#ifndef NF_CT_HELPER_NAME_LEN
#define NF_CT_HELPER_NAME_LEN 16
#endif
@@ -291,6 +300,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
BYTEORDER_HOST_ENDIAN, 16),
[NFT_CT_EVENTMASK] = CT_TEMPLATE("event", &ct_event_type,
BYTEORDER_HOST_ENDIAN, 32),
+ [NFT_CT_ID] = CT_TEMPLATE("id", &ct_id_type,
+ BYTEORDER_BIG_ENDIAN, 32),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/datatype.c b/src/datatype.c
index ac9f2af..6b76fc9 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -71,6 +71,7 @@ static const struct datatype *datatypes[TYPE_MAX + 1] = {
[TYPE_BOOLEAN] = &boolean_type,
[TYPE_IFNAME] = &ifname_type,
[TYPE_IGMP_TYPE] = &igmp_type_type,
+ [TYPE_CT_ID] = &ct_id_type,
};
const struct datatype *datatype_lookup(enum datatypes type)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4a2a81c..92660ce 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4100,6 +4100,7 @@ ct_key : L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; }
| LABEL { $$ = NFT_CT_LABELS; }
| EVENT { $$ = NFT_CT_EVENTMASK; }
| TIMEOUT { $$ = NFT_CT_TIMEOUT; }
+ | ID { $$ = NFT_CT_ID; }
| ct_key_dir_optional
;
--
2.11.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH nft] ct: Add support for the 'id' key
2019-04-23 20:18 [PATCH nft] ct: Add support for the 'id' key Brett Mastbergen
@ 2019-04-23 20:55 ` Florian Westphal
2019-04-26 14:06 ` Brett Mastbergen
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2019-04-23 20:55 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, Brett Mastbergen
Brett Mastbergen <bmastbergen@untangle.com> wrote:
> +const struct datatype ct_id_type = {
> + .type = TYPE_CT_ID,
> + .name = "ct_id",
> + .desc = "conntrack id",
> + .byteorder = BYTEORDER_BIG_ENDIAN,
> + .size = 4 * BITS_PER_BYTE,
> + .basetype = &integer_type,
> +};
Pablo, I know we've discussed this in the past but I think
the ct id would be a good candidate to add a generic uint32_t
integer type.
AFAICS the ct_id_type is unneeded per this patch,
but IIRC to make use of this for set definitions we can't use generic
integer type as it has no fixed size.
This is the first data type that doesn't need any specific
parsing/printing, AFAICS its just needed to get a fixed 32bit size.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH nft] ct: Add support for the 'id' key
2019-04-23 20:55 ` Florian Westphal
@ 2019-04-26 14:06 ` Brett Mastbergen
0 siblings, 0 replies; 5+ messages in thread
From: Brett Mastbergen @ 2019-04-26 14:06 UTC (permalink / raw)
To: Florian Westphal; +Cc: pablo, netfilter-devel
On 23-04-19, Florian Westphal wrote:
> Brett Mastbergen <bmastbergen@untangle.com> wrote:
> > +const struct datatype ct_id_type = {
> > + .type = TYPE_CT_ID,
> > + .name = "ct_id",
> > + .desc = "conntrack id",
> > + .byteorder = BYTEORDER_BIG_ENDIAN,
> > + .size = 4 * BITS_PER_BYTE,
> > + .basetype = &integer_type,
> > +};
>
> Pablo, I know we've discussed this in the past but I think
> the ct id would be a good candidate to add a generic uint32_t
> integer type.
>
> AFAICS the ct_id_type is unneeded per this patch,
> but IIRC to make use of this for set definitions we can't use generic
> integer type as it has no fixed size.
Indeed, the only reason I added the ct_id type was so there would be
a fixed length integer type to use in sets and as a key to maps. If
you'd like me to throw together a patch that creates a generic 32
bit integer type, and then use that for the ct id key, just say the
word.
>
> This is the first data type that doesn't need any specific
> parsing/printing, AFAICS its just needed to get a fixed 32bit size.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH nft] ct: Add support for the 'id' key
@ 2020-05-01 17:55 Brett Mastbergen
2020-05-01 18:59 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Brett Mastbergen @ 2020-05-01 17:55 UTC (permalink / raw)
To: netfilter-devel
The 'id' key allows for matching on the id of the conntrack entry.
v2: Remove ct_id_type
Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com>
---
doc/payload-expression.txt | 5 ++++-
src/ct.c | 2 ++
src/parser_bison.y | 1 +
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 4bbf8d05..e6f108b1 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -638,7 +638,7 @@ zone id is tied to the given direction. +
[verse]
*ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label*}
-*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone*}
+*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone* | *id*}
*ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
*ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
@@ -700,6 +700,9 @@ integer (16 bit)
|count|
count number of connections
integer (32 bit)
+|id|
+Connection id
+ct_id
|==========================================
A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
diff --git a/src/ct.c b/src/ct.c
index db1dabd3..0842c838 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -301,6 +301,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
BYTEORDER_BIG_ENDIAN, 128),
[NFT_CT_SECMARK] = CT_TEMPLATE("secmark", &integer_type,
BYTEORDER_HOST_ENDIAN, 32),
+ [NFT_CT_ID] = CT_TEMPLATE("id", &integer_type,
+ BYTEORDER_BIG_ENDIAN, 32),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b1e869d5..3cd0559b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4550,6 +4550,7 @@ ct_key : L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; }
| LABEL { $$ = NFT_CT_LABELS; }
| EVENT { $$ = NFT_CT_EVENTMASK; }
| SECMARK { $$ = NFT_CT_SECMARK; }
+ | ID { $$ = NFT_CT_ID; }
| ct_key_dir_optional
;
--
2.11.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-05-01 18:59 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-23 20:18 [PATCH nft] ct: Add support for the 'id' key Brett Mastbergen
2019-04-23 20:55 ` Florian Westphal
2019-04-26 14:06 ` Brett Mastbergen
2020-05-01 17:55 Brett Mastbergen
2020-05-01 18:59 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).