On Sat, Apr 15, 2017 at 10:45:03AM +0200, Florian Westphal wrote:
> By default the kernel emits all ctnetlink events for a connection.
> This allows selecting the types of events to generate for a connection.
>
> This allows, e.g., sending only DESTROY events but no NEW/UPDATE ones.
>
> This was already possible via iptables' CT target.
> The nft version has the advantage that it can also be used with
> already-established conntracks.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 2 ++
> net/netfilter/nft_ct.c | 19 ++++++++++++++++++-
> 2 files changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h > index 8f3842690d17..683f6f88fcac 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -901,6 +901,7 @@ enum nft_rt_attributes { > * @NFT_CT_BYTES: conntrack bytes > * @NFT_CT_AVGPKT: conntrack average bytes per packet > * @NFT_CT_ZONE: conntrack zone > + * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack > */ > enum nft_ct_keys { > NFT_CT_STATE, > @@ -921,6 +922,7 @@ enum nft_ct_keys { > NFT_CT_BYTES, > NFT_CT_AVGPKT, > NFT_CT_ZONE, > + NFT_CT_EVENTMASK, > }; > > /** > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c > index 6e23dbbedd7f..4f642977f8a5 100644 > --- a/net/netfilter/nft_ct.c > +++ b/net/netfilter/nft_ct.c > @@ -264,7 +264,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr, > struct nf_conn *ct; > > ct = nf_ct_get(skb, &ctinfo); > - if (ct == NULL) > + if (ct == NULL || nf_ct_is_template(ct))

I wonder if this should go in a one-liner, given this is fixing the fact that we may end up using the template. So someone has a chance to pass it to -stable. I'll be fine either way, no problem. Another comment below.

> return; > > switch (priv->key) {
> @@ -284,6 +284,16 @@ static void nft_ct_set_eval(const struct nft_expr *expr, > NF_CT_LABELS_MAX_SIZE / sizeof(u32)); > break; > #endif > +#ifdef CONFIG_NF_CONNTRACK_EVENTS > + case NFT_CT_EVENTMASK: { > + struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct); > + u16 ctmask = (u16)regs->data[priv->sreg];

Liping added helpers to fetch data from registers, I think it applies to this case too.

Thanks!
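Review bot: The `|| nf_ct_is_template(ct)` guard added to the early return in nft_ct_set_eval() changes behaviour for every existing set key (mark, labels, zone), not only for the new NFT_CT_EVENTMASK case, which is a further reason to carry it as its own patch with a Fixes: tag, as suggested above, so -stable can pick up the template fix independently of the event-mask feature.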
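Review bot: In the NFT_CT_EVENTMASK case, nf_ct_ecache_find(ct) returns NULL when the conntrack carries no ecache extension (events disabled, or the extension not allocated when the entry was created); the rest of the case is not visible in this excerpt, so make sure `e` is tested for NULL before anything is written through it. The `(u16)regs->data[priv->sreg]` cast also silently truncates the register value: the register helpers mentioned above give a correctly sized load, and the init path should reject values that do not fit the 16-bit event mask rather than truncating them at evaluation time.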