diff options
| author | Harsha Sharma <harshasharmaiitr@gmail.com> | 2018-08-10 20:23:39 +0530 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-08-13 12:29:43 +0200 |
| commit | 0adceeab1597a3de87f5e0cc8ef364b0e1df8a4f (patch) | |
| tree | 6e6f289b1f9c1c5ca98305788832a26181c665ef /include | |
| parent | b220a86d0975e38940942cbad39beb4f52d9ffc6 (diff) | |
src: add ct timeout support
Add support for ct timeout objects, used to assign connection tracking
timeout policies.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/libnftnl/object.h | 27 | ||||
| -rw-r--r-- | include/linux/netfilter/nf_tables.h | 14 | ||||
| -rw-r--r-- | include/obj.h | 6 |
3 files changed, 46 insertions, 1 deletions
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h index 6f9edfd..e846698 100644 --- a/include/libnftnl/object.h +++ b/include/libnftnl/object.h @@ -41,6 +41,33 @@ enum { NFTNL_OBJ_CT_HELPER_L4PROTO, }; +enum nftnl_cttimeout_array_tcp { + NFTNL_CTTIMEOUT_TCP_SYN_SENT = 0, + NFTNL_CTTIMEOUT_TCP_SYN_RECV, + NFTNL_CTTIMEOUT_TCP_ESTABLISHED, + NFTNL_CTTIMEOUT_TCP_FIN_WAIT, + NFTNL_CTTIMEOUT_TCP_CLOSE_WAIT, + NFTNL_CTTIMEOUT_TCP_LAST_ACK, + NFTNL_CTTIMEOUT_TCP_TIME_WAIT, + NFTNL_CTTIMEOUT_TCP_CLOSE, + NFTNL_CTTIMEOUT_TCP_SYN_SENT2, + NFTNL_CTTIMEOUT_TCP_RETRANS, + NFTNL_CTTIMEOUT_TCP_UNACK, + NFTNL_CTTIMEOUT_TCP_MAX +}; + +enum nftnl_cttimeout_array_udp { + NFTNL_CTTIMEOUT_UDP_UNREPLIED = 0, + NFTNL_CTTIMEOUT_UDP_REPLIED, + NFTNL_CTTIMEOUT_UDP_MAX +}; + +enum { + NFTNL_OBJ_CT_TIMEOUT_L3PROTO = NFTNL_OBJ_BASE, + NFTNL_OBJ_CT_TIMEOUT_L4PROTO, + NFTNL_OBJ_CT_TIMEOUT_ARRAY, +}; + enum { NFTNL_OBJ_LIMIT_RATE = NFTNL_OBJ_BASE, NFTNL_OBJ_LIMIT_UNIT, diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 6dc00c6..382ca54 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -969,6 +969,7 @@ enum nft_osf_attributes { * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) + * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack */ enum nft_ct_keys { NFT_CT_STATE, @@ -994,6 +995,7 @@ enum nft_ct_keys { NFT_CT_DST_IP, NFT_CT_SRC_IP6, NFT_CT_DST_IP6, + NFT_CT_TIMEOUT, __NFT_CT_MAX }; #define NFT_CT_MAX (__NFT_CT_MAX - 1) @@ -1395,6 +1397,15 @@ enum nft_ct_helper_attributes { }; #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) +enum nft_ct_timeout_attributes { + NFTA_CT_TIMEOUT_UNSPEC, + NFTA_CT_TIMEOUT_L3PROTO, + NFTA_CT_TIMEOUT_L4PROTO, + NFTA_CT_TIMEOUT_DATA, + __NFTA_CT_TIMEOUT_MAX, +}; +#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1) + #define NFT_OBJECT_UNSPEC 0 #define NFT_OBJECT_COUNTER 1 #define NFT_OBJECT_QUOTA 2 @@ -1402,7 +1413,8 @@ enum nft_ct_helper_attributes { #define NFT_OBJECT_LIMIT 4 #define NFT_OBJECT_CONNLIMIT 5 #define NFT_OBJECT_TUNNEL 6 -#define __NFT_OBJECT_MAX 7 +#define NFT_OBJECT_CT_TIMEOUT 7 +#define __NFT_OBJECT_MAX 8 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** diff --git a/include/obj.h b/include/obj.h index 9363a69..837a54a 100644 --- a/include/obj.h +++ b/include/obj.h @@ -36,6 +36,11 @@ struct nftnl_obj { uint8_t l4proto; char name[16]; } ct_helper; + struct nftnl_obj_ct_timeout { + uint16_t l3proto; + uint8_t l4proto; + uint32_t *timeout; + } ct_timeout; struct nftnl_obj_limit { uint64_t rate; uint64_t unit; @@ -91,6 +96,7 @@ struct obj_ops { extern struct obj_ops obj_ops_counter; extern struct obj_ops obj_ops_quota; extern struct obj_ops obj_ops_ct_helper; +extern struct obj_ops obj_ops_ct_timeout; extern struct obj_ops obj_ops_limit; extern struct obj_ops obj_ops_tunnel; |