netfilter-devel.vger.kernel.org archive mirror
* [PATCH nft] ct: Add support for the 'id' key
@ 2020-05-01 17:55 Brett Mastbergen
  2020-05-01 18:59 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Brett Mastbergen @ 2020-05-01 17:55 UTC (permalink / raw)
  To: netfilter-devel

The 'id' key allows for matching on the id of the conntrack entry.

v2: Remove ct_id_type

Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com>
---
 doc/payload-expression.txt | 5 ++++-
 src/ct.c                   | 2 ++
 src/parser_bison.y         | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 4bbf8d05..e6f108b1 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -638,7 +638,7 @@ zone id is tied to the given direction. +
 
 [verse]
 *ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label*}
-*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone*}
+*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone* | *id*}
 *ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
 *ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
 
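Review bot: the *id* key is added to the `*ct* [*original* | *reply*] {...}` verse line, which documents the keys that take an optional direction, but the grammar change in src/parser_bison.y in this same patch adds `ID` to `ct_key`, not to `ct_key_dir_optional`, so `ct original id` would be documented here yet rejected by the parser. Move *id* to the first verse line (`*ct* {*state* | ... | *label*}`) so the manual matches what the parser accepts.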
@@ -700,6 +700,9 @@ integer (16 bit)
 |count|
 count number of connections
 integer (32 bit)
+|id|
+Connection id
+ct_id
 |==========================================
 A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
 
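Review bot: the type column of the new row reads `ct_id`, but this revision drops `ct_id_type` (the "v2: Remove ct_id_type" note in the commit message) and registers the key with `&integer_type` in src/ct.c, so the row should read `integer (32 bit)` like the `count` row directly above it; as written it points readers at a type name nft no longer knows.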
diff --git a/src/ct.c b/src/ct.c
index db1dabd3..0842c838 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -301,6 +301,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					      BYTEORDER_BIG_ENDIAN, 128),
 	[NFT_CT_SECMARK]	= CT_TEMPLATE("secmark", &integer_type,
 					      BYTEORDER_HOST_ENDIAN, 32),
+	[NFT_CT_ID]		= CT_TEMPLATE("id", &integer_type,
+					      BYTEORDER_BIG_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
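Review bot: the new template selects BYTEORDER_BIG_ENDIAN while the neighbouring `secmark` entry uses BYTEORDER_HOST_ENDIAN; the commit message should state which byte order the kernel writes the NFT_CT_ID register in, because a mismatch would make `ct id 1234` compare against a byte-swapped value on little-endian hosts without any error. It would also help to say how a set or map keyed on the id is meant to be declared now that the fixed-size `ct_id` type is gone, since, as Florian's reply in this thread points out, the plain `integer` type carries no fixed width.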
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b1e869d5..3cd0559b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4550,6 +4550,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
 			|	SECMARK		{ $$ = NFT_CT_SECMARK; }
+			|	ID	 	{ $$ = NFT_CT_ID; }
 			|	ct_key_dir_optional
 			;
 
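Review bot: the diffstat touches only the doc, src/ct.c and src/parser_bison.y, so the `ID` token must already be defined in the scanner; a tests/py case exercising `ct id` would confirm the key parses and prints back and would have caught the doc/grammar mismatch on direction. The new alternative also mixes a tab and a space (`ID	 	`) where the surrounding lines use tabs only.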
-- 
2.11.0



* Re: [PATCH nft] ct: Add support for the 'id' key
  2020-05-01 17:55 [PATCH nft] ct: Add support for the 'id' key Brett Mastbergen
@ 2020-05-01 18:59 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-01 18:59 UTC (permalink / raw)
  To: Brett Mastbergen; +Cc: netfilter-devel

On Fri, May 01, 2020 at 01:55:35PM -0400, Brett Mastbergen wrote:
> The 'id' key allows for matching on the id of the conntrack entry.

Applied, thanks Brett.


* Re: [PATCH nft] ct: Add support for the 'id' key
  2019-04-23 20:55 ` Florian Westphal
@ 2019-04-26 14:06   ` Brett Mastbergen
  0 siblings, 0 replies; 5+ messages in thread
From: Brett Mastbergen @ 2019-04-26 14:06 UTC (permalink / raw)
  To: Florian Westphal; +Cc: pablo, netfilter-devel

On 23-04-19, Florian Westphal wrote:
> Brett Mastbergen <bmastbergen@untangle.com> wrote:
> > +const struct datatype ct_id_type = {
> > +	.type		= TYPE_CT_ID,
> > +	.name		= "ct_id",
> > +	.desc		= "conntrack id",
> > +	.byteorder	= BYTEORDER_BIG_ENDIAN,
> > +	.size		= 4 * BITS_PER_BYTE,
> > +	.basetype	= &integer_type,
> > +};
> 
> Pablo, I know we've discussed this in the past but I think
> the ct id would be a good candidate to add a generic uint32_t
> integer type.
> 
> AFAICS the ct_id_type is unneeded per this patch,
> but IIRC to make use of this for set definitions we can't use generic
> integer type as it has no fixed size.

Indeed, the only reason I added the ct_id type was so there would be
a fixed length integer type to use in sets and as a key to maps.  If
you'd like me to throw together a patch that creates a generic 32
bit integer type, and then use that for the ct id key, just say the
word.

> 
> This is the first data type that doesn't need any specific
> parsing/printing, AFAICS its just needed to get a fixed 32bit size.


* Re: [PATCH nft] ct: Add support for the 'id' key
  2019-04-23 20:18 Brett Mastbergen
@ 2019-04-23 20:55 ` Florian Westphal
  2019-04-26 14:06   ` Brett Mastbergen
  0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2019-04-23 20:55 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Brett Mastbergen

Brett Mastbergen <bmastbergen@untangle.com> wrote:
> +const struct datatype ct_id_type = {
> +	.type		= TYPE_CT_ID,
> +	.name		= "ct_id",
> +	.desc		= "conntrack id",
> +	.byteorder	= BYTEORDER_BIG_ENDIAN,
> +	.size		= 4 * BITS_PER_BYTE,
> +	.basetype	= &integer_type,
> +};

Pablo, I know we've discussed this in the past but I think
the ct id would be a good candidate to add a generic uint32_t
integer type.

AFAICS the ct_id_type is unneeded per this patch,
but IIRC to make use of this for set definitions we can't use generic
integer type as it has no fixed size.

This is the first data type that doesn't need any specific
parsing/printing, AFAICS its just needed to get a fixed 32bit size.


* [PATCH nft] ct: Add support for the 'id' key
@ 2019-04-23 20:18 Brett Mastbergen
  2019-04-23 20:55 ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Brett Mastbergen @ 2019-04-23 20:18 UTC (permalink / raw)
  To: netfilter-devel

The 'id' key allows for matching on the id of the conntrack entry.

This is most useful as a key for maps:

nft add map nat conntoip { type ct_id: ipv4_addr \; }
nft add rule ip nat postrouting snat ct id map @conntoip

Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
---
 doc/payload-expression.txt          |  5 ++++-
 include/ct.h                        |  1 +
 include/datatype.h                  |  1 +
 include/linux/netfilter/nf_tables.h |  2 ++
 src/ct.c                            | 11 +++++++++++
 src/datatype.c                      |  1 +
 src/parser_bison.y                  |  1 +
 7 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 28061f3..e93022b 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -588,7 +588,7 @@ is true for the *zone*, if a direction is given, the zone is only matched if the
 zone id is tied to the given direction. +
 
 [verse]
-*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone}
+*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone | id}
 *ct* {original | reply} {l3proto | protocol | proto-src | proto-dst | bytes | packets | avgpkt | zone}
 *ct* {original | reply} {ip | ip6} {saddr | daddr}
 
@@ -650,6 +650,9 @@ integer (16 bit)
 |count|
 count number of connections
 integer (32 bit)
+|id|
+Connection id
+ct_id
 |==========================================
 A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
 
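Review bot: the new row names the type `ct_id`, and the sentence right below it sends readers to the CONNTRACK TYPES sub-section for a description of every conntrack-specific type, but the diffstat shows no hunk adding a `ct_id` entry to that sub-section; add one describing it as a 32-bit integer key so the cross-reference stays accurate.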
diff --git a/include/ct.h b/include/ct.h
index 4c5bd80..1e707e7 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -39,5 +39,6 @@ extern const char *ct_label2str(unsigned long value);
 extern const struct datatype ct_dir_type;
 extern const struct datatype ct_state_type;
 extern const struct datatype ct_status_type;
+extern const struct datatype ct_id_type;
 
 #endif /* NFTABLES_CT_H */
diff --git a/include/datatype.h b/include/datatype.h
index 14ece28..73a9cf2 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -90,6 +90,7 @@ enum datatypes {
 	TYPE_CT_EVENTBIT,
 	TYPE_IFNAME,
 	TYPE_IGMP_TYPE,
+	TYPE_CT_ID,
 	__TYPE_MAX
 };
 #define TYPE_MAX		(__TYPE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 09a7b9e..150f32a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -986,6 +986,7 @@ enum nft_osf_flags {
  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
  * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
+ * @NFT_CT_ID: conntrack id
  */
 enum nft_ct_keys {
 	NFT_CT_STATE,
@@ -1012,6 +1013,7 @@ enum nft_ct_keys {
 	NFT_CT_SRC_IP6,
 	NFT_CT_DST_IP6,
 	NFT_CT_TIMEOUT,
+	NFT_CT_ID,
 	__NFT_CT_MAX
 };
 #define NFT_CT_MAX		(__NFT_CT_MAX - 1)
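Review bot: include/linux/netfilter/nf_tables.h is the copy of the kernel uapi header, and NFT_CT_ID is appended after NFT_CT_TIMEOUT here by hand; the commit message should name the kernel commit that defines NFT_CT_ID so the value is known to match the kernel's assignment, and the header is better synced from the kernel tree than edited locally.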
diff --git a/src/ct.c b/src/ct.c
index 2256ce3..21bc182 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -239,6 +239,15 @@ void ct_label_table_exit(void)
 	rt_symbol_table_free(ct_label_tbl);
 }
 
+const struct datatype ct_id_type = {
+	.type		= TYPE_CT_ID,
+	.name		= "ct_id",
+	.desc		= "conntrack id",
+	.byteorder	= BYTEORDER_BIG_ENDIAN,
+	.size		= 4 * BITS_PER_BYTE,
+	.basetype	= &integer_type,
+};
+
 #ifndef NF_CT_HELPER_NAME_LEN
 #define NF_CT_HELPER_NAME_LEN	16
 #endif
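Review bot: `ct_id_type` defines no `.parse` or `.print` and differs from its basetype only by a fixed `.size`, so, as Florian's reply in this thread points out, it is really a generic fixed-width 32-bit integer under a conntrack name; either make it that (a reusable 32-bit type that set and map declarations can use) or state in the commit message why a ct-specific name is preferred. Note also that `.size` here (`4 * BITS_PER_BYTE`) and the `32` passed to CT_TEMPLATE in the next hunk must stay in sync.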
@@ -291,6 +300,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					      BYTEORDER_HOST_ENDIAN, 16),
 	[NFT_CT_EVENTMASK]	= CT_TEMPLATE("event", &ct_event_type,
 					      BYTEORDER_HOST_ENDIAN, 32),
+	[NFT_CT_ID]		= CT_TEMPLATE("id", &ct_id_type,
+					      BYTEORDER_BIG_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/datatype.c b/src/datatype.c
index ac9f2af..6b76fc9 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -71,6 +71,7 @@ static const struct datatype *datatypes[TYPE_MAX + 1] = {
 	[TYPE_BOOLEAN]		= &boolean_type,
 	[TYPE_IFNAME]		= &ifname_type,
 	[TYPE_IGMP_TYPE]	= &igmp_type_type,
+	[TYPE_CT_ID]		= &ct_id_type,
 };
 
 const struct datatype *datatype_lookup(enum datatypes type)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4a2a81c..92660ce 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4100,6 +4100,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
 			|	TIMEOUT 	{ $$ = NFT_CT_TIMEOUT; }
+			|	ID	 	{ $$ = NFT_CT_ID; }
 			|	ct_key_dir_optional
 			;
 
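Review bot: the new alternative `ID	 	{ $$ = NFT_CT_ID; }` separates the token from its action with tab, space, tab, while the surrounding alternatives use tabs only; drop the stray space so the column aligns with the TIMEOUT line above. Placing ID under `ct_key` rather than `ct_key_dir_optional` is consistent with the verse line that documents it.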
-- 
2.11.0


