-rw-r--r--conntrack.84
-rw-r--r--include/conntrack.h7
-rw-r--r--include/linux/netfilter/nf_conntrack_common.h24
-rw-r--r--src/conntrack.c7
4 files changed, 32 insertions, 10 deletions
diff --git a/conntrack.8 b/conntrack.8
index 3c1e960..1174c6c 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -1,4 +1,4 @@
-.TH CONNTRACK 8 "Sep 26, 2017" "" ""
+.TH CONNTRACK 8 "Aug 9, 2019" "" ""
.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007)
@@ -193,7 +193,7 @@ This option is only available in conjunction with "\-U, \-\-update".
.BI "-c, --secmark " "SECMARK"
Specify the conntrack selinux security mark.
.TP
-.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]"
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]"
Specify the conntrack status.
.TP
.BI "-n, --src-nat "
diff --git a/include/conntrack.h b/include/conntrack.h
index 6659a64..37ccf6e 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -3,7 +3,6 @@
#include "linux_list.h"
#include <stdint.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
#define PROGNAME "conntrack"
@@ -12,6 +11,8 @@
#define NUMBER_OF_CMD 19
#define NUMBER_OF_OPT 29
+struct nf_conntrack;
+
struct ctproto_handler {
struct list_head head;
@@ -19,8 +20,8 @@ struct ctproto_handler {
uint16_t protonum;
const char *version;
- enum ctattr_protoinfo protoinfo_attr;
-
+ uint32_t protoinfo_attr;
+
int (*parse_opts)(char c,
struct nf_conntrack *ct,
struct nf_conntrack *exptuple,
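Review bot: Changing `protoinfo_attr` from `enum ctattr_protoinfo` to `uint32_t` drops the only thing in this header that said which values the field holds, and no comment replaces it. I would keep the contract visible on the line, e.g. `uint32_t protoinfo_attr; /* an enum ctattr_protoinfo value; kept as a plain integer so this header needs only the forward-declared struct nf_conntrack */`. The widening is presumably there only to allow removing the libnetfilter_conntrack include above; with it gone, a handler that assigns or compares an unrelated enum to this field will no longer get a compiler diagnostic, which is worth knowing when the handlers are reviewed. struct ctproto_handler continues past the end of the hunk.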
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 4cf003f..8023e5b 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _NF_CONNTRACK_COMMON_H
#define _NF_CONNTRACK_COMMON_H
/* Connection state tracking for netfilter. This is separated from,
@@ -28,12 +29,14 @@ enum ip_conntrack_info {
/* only for userspace compatibility */
#ifndef __KERNEL__
IP_CT_NEW_REPLY = IP_CT_NUMBER,
+#else
+ IP_CT_UNTRACKED = 7,
#endif
};
#define NF_CT_STATE_INVALID_BIT (1 << 0)
#define NF_CT_STATE_BIT(ctinfo) (1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
-#define NF_CT_STATE_UNTRACKED_BIT (1 << (IP_CT_NUMBER + 1))
+#define NF_CT_STATE_UNTRACKED_BIT (1 << 6)
/* Bitset representing status of connection. */
enum ip_conntrack_status {
@@ -90,13 +93,26 @@ enum ip_conntrack_status {
IPS_TEMPLATE_BIT = 11,
IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
- /* Conntrack is a fake untracked entry */
+ /* Conntrack is a fake untracked entry. Obsolete and not used anymore */
IPS_UNTRACKED_BIT = 12,
IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
/* Conntrack got a helper explicitly attached via CT target. */
IPS_HELPER_BIT = 13,
IPS_HELPER = (1 << IPS_HELPER_BIT),
+
+ /* Conntrack has been offloaded to flow table. */
+ IPS_OFFLOAD_BIT = 14,
+ IPS_OFFLOAD = (1 << IPS_OFFLOAD_BIT),
+
+ /* Be careful here, modifying these bits can make things messy,
+ * so don't let users modify them directly.
+ */
+ IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
+ IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
+ IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_OFFLOAD),
+
+ __IPS_MAX_BIT = 15,
};
/* Connection tracking event types */
@@ -113,6 +129,10 @@ enum ip_conntrack_events {
IPCT_NATSEQADJ = IPCT_SEQADJ,
IPCT_SECMARK, /* new security mark has been set */
IPCT_LABEL, /* new connlabel has been set */
+ IPCT_SYNPROXY, /* synproxy has been set */
+#ifdef __KERNEL__
+ __IPCT_MAX
+#endif
};
enum ip_conntrack_expect_events {
diff --git a/src/conntrack.c b/src/conntrack.c
index 97132a9..c980a13 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -62,6 +62,7 @@
#include <sys/stat.h>
#include <fcntl.h>
#include <libmnl/libmnl.h>
+#include <linux/netfilter/nf_conntrack_common.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
static struct nfct_mnl_socket {
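Review bot: The added `#include <linux/netfilter/nf_conntrack_common.h>` is placed ahead of `libnetfilter_conntrack.h` with no comment, and the order appears to be load-bearing: the copy bundled under include/ in this same commit defines the guard `_NF_CONNTRACK_COMMON_H`, so whichever copy is reached first wins, and only the bundled one is guaranteed to define `IPS_OFFLOAD` on a system with older kernel headers. I would say so above the line, e.g. `/* bundled copy first: its include guard shadows the system header so IPS_OFFLOAD is always defined */`. Whether the build's include path actually selects the bundled copy rather than the system one is not visible here and should be confirmed.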
@@ -867,10 +868,10 @@ enum {
static struct parse_parameter {
const char *parameter[7];
size_t size;
- unsigned int value[7];
+ unsigned int value[8];
} parse_array[PARSE_MAX] = {
- { {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED"}, 5,
- { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} },
+ { {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED", "OFFLOAD"}, 6,
+ { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED, IPS_OFFLOAD} },
{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
{ CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
{ {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", "userspace" }, 7,
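Review bot: `value[8]` is now one element wider than `parameter[7]` in `struct parse_parameter`, although the two arrays are indexed in parallel through `size`; the status entry that grew in this hunk needs only six slots, so the new bound looks arbitrary, and a lookup loop bounded by `size` could read past `parameter` if an entry ever declares eight values. I would give both arrays one shared bound, e.g. `const char *parameter[8];` alongside `value[8]`, or better a single named constant used by both. Separately, "OFFLOAD" is now accepted as a `--status` value, but the header updated in this same commit lists `IPS_OFFLOAD` in `IPS_UNCHANGEABLE_MASK` with the comment that users must not modify those bits directly, so an update carrying that bit will presumably be ignored or rejected by the kernel; the `-u` entry in the man page could state that OFFLOAD is meaningful for matching only. The function that consumes parse_array is outside the hunk.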