authorPablo Neira Ayuso <pablo@netfilter.org>2019-06-21 10:28:37 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-06-21 18:49:07 +0200
commit7f742d0a9071f932836b4f8525a6d3f7261ae083 (patch)
treecd972674de9ea2efbd6e39747acd435b100bf154 /src/ct.c
parentfb5a36ad5c1032244cf76171648fdefbbe571519 (diff)
ct: support for NFT_CT_{SRC,DST}_{IP,IP6}
These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}; however, you then need to specify 'meta protocol' first to provide the layer 3 context. Note that NFT_CT_{SRC,DST} are broken with sets, maps and concatenations. This patch implicitly fixes these cases. If your kernel is < 4.17, you can still use address matching via an explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/ct.c')
-rw-r--r--src/ct.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/src/ct.c b/src/ct.c
index 72346cd5..4f7807de 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -291,6 +291,14 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
BYTEORDER_HOST_ENDIAN, 16),
[NFT_CT_EVENTMASK] = CT_TEMPLATE("event", &ct_event_type,
BYTEORDER_HOST_ENDIAN, 32),
+ [NFT_CT_SRC_IP] = CT_TEMPLATE("ip saddr", &ipaddr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
+ [NFT_CT_DST_IP] = CT_TEMPLATE("ip daddr", &ipaddr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
+ [NFT_CT_SRC_IP6] = CT_TEMPLATE("ip6 saddr", &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
+ [NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
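Review bot: The four new templates declare a length of 0 even though, unlike the context-dependent NFT_CT_{SRC,DST} keys, their datatype is fixed (ipaddr_type / ip6addr_type), so an expression built from ct_templates[] for one of these keys carries len 0 until ct_expr_update_type() patches it in; the neighbouring templates in this table carry their real bit length (16, 32). Giving them `BYTEORDER_BIG_ENDIAN, 32` for the two IPv4 keys and `BYTEORDER_BIG_ENDIAN, 128` for the two IPv6 keys would make the templates self-describing and remove the dependency on ct_expr_update_type() being run on every path that allocates one of these keys (presumably the netlink delinearize path as well as rule evaluation — worth confirming before relying on it). The ct_templates[] initializer starts before this hunk, and the ct_print() signature at its end continues past it.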
@@ -368,7 +376,7 @@ const struct expr_ops ct_expr_ops = {
};
struct expr *ct_expr_alloc(const struct location *loc, enum nft_ct_keys key,
- int8_t direction, uint8_t nfproto)
+ int8_t direction)
{
const struct ct_template *tmpl = &ct_templates[key];
struct expr *expr;
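Review bot: ct_expr_alloc() now takes only key and direction but still carries no comment stating what the caller gets back or where the expression's properties come from; byte order and length are visibly taken from ct_templates[key] (the lookup is the first statement of the body, the template fields are passed to the allocation call in the next hunk), and presumably the datatype as well. A short header comment would pin that contract, e.g. `/* Allocate a ct expression for @key in @direction; byteorder and length (and type) come from ct_templates[key]. */`. The rest of the body, including the allocation call and the per-key switch, lies beyond this hunk.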
@@ -377,7 +385,6 @@ struct expr *ct_expr_alloc(const struct location *loc, enum nft_ct_keys key,
tmpl->byteorder, tmpl->len);
expr->ct.key = key;
expr->ct.direction = direction;
- expr->ct.nfproto = nfproto;
switch (key) {
case NFT_CT_SRC:
@@ -428,6 +435,16 @@ void ct_expr_update_type(struct proto_ctx *ctx, struct expr *expr)
break;
datatype_set(expr, &inet_service_type);
break;
+ case NFT_CT_SRC_IP:
+ case NFT_CT_DST_IP:
+ expr->dtype = &ipaddr_type;
+ expr->len = expr->dtype->size;
+ break;
+ case NFT_CT_SRC_IP6:
+ case NFT_CT_DST_IP6:
+ expr->dtype = &ip6addr_type;
+ expr->len = expr->dtype->size;
+ break;
default:
break;
}
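Review bot: The new NFT_CT_{SRC,DST}_IP{,6} cases store the datatype with a direct `expr->dtype = &ipaddr_type;` assignment while the NFT_CT_PROTO_* case three lines above uses `datatype_set(expr, &inet_service_type);`; if datatype_set() does anything beyond the plain store (reference handling, say — not visible here) the new cases bypass it, and even if it does not, the function now mixes two idioms for the same operation. I would write `datatype_set(expr, &ipaddr_type);` and `datatype_set(expr, &ip6addr_type);` and keep the `expr->len = expr->dtype->size;` line after each. These cases also deliberately ignore the layer 3 context (ctx) that the earlier NFT_CT_SRC/DST handling presumably consults, which matches the commit message; a one-line comment such as `/* L3 family is encoded in the key itself; no proto ctx needed */` above the first new case would spare the next reader that inference. The function's head and the NFT_CT_SRC/DST handling are above this hunk.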