From 0adceeab1597a3de87f5e0cc8ef364b0e1df8a4f Mon Sep 17 00:00:00 2001
From: Harsha Sharma
Date: Fri, 10 Aug 2018 20:23:39 +0530
Subject: src: add ct timeout support

Add support for ct timeout objects, used to assign connection tracking timeout policies.

Signed-off-by: Harsha Sharma
Signed-off-by: Pablo Neira Ayuso
---
 include/libnftnl/object.h           | 27 +++++++++++++++++++++++++++
 include/linux/netfilter/nf_tables.h | 14 +++++++++++++-
 include/obj.h                       |  6 ++++++
 3 files changed, 46 insertions(+), 1 deletion(-)

(limited to 'include')

diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index 6f9edfd..e846698 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -41,6 +41,33 @@ enum {
 	NFTNL_OBJ_CT_HELPER_L4PROTO,
 };
 
+enum nftnl_cttimeout_array_tcp {
+	NFTNL_CTTIMEOUT_TCP_SYN_SENT = 0,
+	NFTNL_CTTIMEOUT_TCP_SYN_RECV,
+	NFTNL_CTTIMEOUT_TCP_ESTABLISHED,
+	NFTNL_CTTIMEOUT_TCP_FIN_WAIT,
+	NFTNL_CTTIMEOUT_TCP_CLOSE_WAIT,
+	NFTNL_CTTIMEOUT_TCP_LAST_ACK,
+	NFTNL_CTTIMEOUT_TCP_TIME_WAIT,
+	NFTNL_CTTIMEOUT_TCP_CLOSE,
+	NFTNL_CTTIMEOUT_TCP_SYN_SENT2,
+	NFTNL_CTTIMEOUT_TCP_RETRANS,
+	NFTNL_CTTIMEOUT_TCP_UNACK,
+	NFTNL_CTTIMEOUT_TCP_MAX
+};
+
+enum nftnl_cttimeout_array_udp {
+	NFTNL_CTTIMEOUT_UDP_UNREPLIED = 0,
+	NFTNL_CTTIMEOUT_UDP_REPLIED,
+	NFTNL_CTTIMEOUT_UDP_MAX
+};
+
+enum {
+	NFTNL_OBJ_CT_TIMEOUT_L3PROTO = NFTNL_OBJ_BASE,
+	NFTNL_OBJ_CT_TIMEOUT_L4PROTO,
+	NFTNL_OBJ_CT_TIMEOUT_ARRAY,
+};
+
 enum {
 	NFTNL_OBJ_LIMIT_RATE = NFTNL_OBJ_BASE,
 	NFTNL_OBJ_LIMIT_UNIT,
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 6dc00c6..382ca54 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
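Review bot: The two new `nftnl_cttimeout_array_*` enums are public API but carry no comment saying what they index, so a reader of the header cannot tell that they are positions in the array handed over via `NFTNL_OBJ_CT_TIMEOUT_ARRAY`, nor that `NFTNL_CTTIMEOUT_TCP_MAX` / `NFTNL_CTTIMEOUT_UDP_MAX` are the required array lengths. I would put above the first enum `/* Index into the per-protocol timeout array set with NFTNL_OBJ_CT_TIMEOUT_ARRAY; the *_MAX entry is the array length. Order is ABI: append only. */`. The ordering presumably mirrors the kernel's per-protocol timeout state layout; if so, say so in the same comment so nobody inserts an entry in the middle later.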
@@ -969,6 +969,7 @@ enum nft_osf_attributes {
  * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
+ * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
  */
 enum nft_ct_keys {
 	NFT_CT_STATE,
@@ -994,6 +995,7 @@ enum nft_ct_keys {
 	NFT_CT_DST_IP,
 	NFT_CT_SRC_IP6,
 	NFT_CT_DST_IP6,
+	NFT_CT_TIMEOUT,
 	__NFT_CT_MAX
 };
 #define NFT_CT_MAX (__NFT_CT_MAX - 1)
@@ -1395,6 +1397,15 @@ enum nft_ct_helper_attributes {
 };
 #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
 
+enum nft_ct_timeout_attributes {
+	NFTA_CT_TIMEOUT_UNSPEC,
+	NFTA_CT_TIMEOUT_L3PROTO,
+	NFTA_CT_TIMEOUT_L4PROTO,
+	NFTA_CT_TIMEOUT_DATA,
+	__NFTA_CT_TIMEOUT_MAX,
+};
+#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1)
+
 #define NFT_OBJECT_UNSPEC 0
 #define NFT_OBJECT_COUNTER 1
 #define NFT_OBJECT_QUOTA 2
@@ -1402,7 +1413,8 @@ enum nft_ct_helper_attributes {
 #define NFT_OBJECT_LIMIT 4
 #define NFT_OBJECT_CONNLIMIT 5
 #define NFT_OBJECT_TUNNEL 6
-#define __NFT_OBJECT_MAX 7
+#define NFT_OBJECT_CT_TIMEOUT 7
+#define __NFT_OBJECT_MAX 8
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 
 /**
diff --git a/include/obj.h b/include/obj.h
index 9363a69..837a54a 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -36,6 +36,11 @@ struct nftnl_obj {
 			uint8_t l4proto;
 			char name[16];
 		} ct_helper;
+		struct nftnl_obj_ct_timeout {
+			uint16_t l3proto;
+			uint8_t l4proto;
+			uint32_t *timeout;
+		} ct_timeout;
 		struct nftnl_obj_limit {
 			uint64_t rate;
 			uint64_t unit;
@@ -91,6 +96,7 @@ struct obj_ops {
 extern struct obj_ops obj_ops_counter;
 extern struct obj_ops obj_ops_quota;
 extern struct obj_ops obj_ops_ct_helper;
+extern struct obj_ops obj_ops_ct_timeout;
 extern struct obj_ops obj_ops_limit;
 extern struct obj_ops obj_ops_tunnel;
 
-- 
cgit v1.2.3
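Review bot: `uint32_t *timeout` in the new `nftnl_obj_ct_timeout` member of include/obj.h records neither its length nor who owns the allocation, so every reader must derive the bound from `l4proto` and the allocate/free side is invisible here; getting either wrong is an out-of-bounds read or a leak. I would document it on the field: `uint32_t *timeout; /* NFTNL_CTTIMEOUT_{TCP,UDP}_MAX entries, selected by l4proto; owned by the object */`, after confirming the ownership against obj_ops_ct_timeout, which this commit does not show. A `uint32_t num_timeouts` field next to the pointer would make the bound explicit for any l4proto added later. The enclosing `struct nftnl_obj` begins and ends outside the hunk.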