Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 14 | ||||
-rw-r--r-- | include/rule.h | 28 |
2 files changed, 41 insertions, 1 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index fe656525..143ebe28 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -972,6 +972,7 @@ enum nft_osf_attributes {
  * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
+ * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
  */
 enum nft_ct_keys {
 	NFT_CT_STATE,
@@ -997,6 +998,7 @@ enum nft_ct_keys {
 	NFT_CT_DST_IP,
 	NFT_CT_SRC_IP6,
 	NFT_CT_DST_IP6,
+	NFT_CT_TIMEOUT,
 	__NFT_CT_MAX
 };
 #define NFT_CT_MAX (__NFT_CT_MAX - 1)
@@ -1403,13 +1405,23 @@ enum nft_ct_helper_attributes {
 };
 #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
 
+enum nft_ct_timeout_attributes {
+	NFTA_CT_TIMEOUT_L3PROTO,
+	NFTA_CT_TIMEOUT_L4PROTO,
+	NFTA_CT_TIMEOUT_DATA,
+	__NFTA_CT_TIMEOUT_MAX,
+};
+#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1)
+
 #define NFT_OBJECT_UNSPEC 0
 #define NFT_OBJECT_COUNTER 1
 #define NFT_OBJECT_QUOTA 2
 #define NFT_OBJECT_CT_HELPER 3
 #define NFT_OBJECT_LIMIT 4
 #define NFT_OBJECT_CONNLIMIT 5
-#define __NFT_OBJECT_MAX 6
+#define NFT_OBJECT_TUNNEL 6
+#define NFT_OBJECT_CT_TIMEOUT 7
+#define __NFT_OBJECT_MAX 8
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 
 /**
diff --git a/include/rule.h b/include/rule.h
index cfbbcf1f..88478aa6 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -4,6 +4,8 @@
 #include <stdint.h>
 #include <nftables.h>
 #include <list.h>
+#include <netinet/in.h>
+#include <libnftnl/object.h> /* For NFTNL_CTTIMEOUT_ARRAY_MAX. */
 
 /**
  * struct handle_spec - handle ID
@@ -324,6 +326,21 @@ struct ct_helper {
 	uint8_t l4proto;
 };
 
+struct timeout_state {
+	struct list_head head;
+	struct location location;
+	uint8_t timeout_index;
+	const char *timeout_str;
+	unsigned int timeout_value;
+};
+
+struct ct_timeout {
+	uint16_t l3proto;
+	uint8_t l4proto;
+	uint32_t timeout[NFTNL_CTTIMEOUT_ARRAY_MAX];
+	struct list_head timeout_list;
+};
+
 struct limit {
 	uint64_t rate;
 	uint64_t unit;
@@ -352,6 +369,7 @@ struct obj {
 		struct quota quota;
 		struct ct_helper ct_helper;
 		struct limit limit;
+		struct ct_timeout ct_timeout;
 	};
 };
 
@@ -478,6 +496,7 @@ enum cmd_obj {
 	CMD_OBJ_LIMITS,
 	CMD_OBJ_FLOWTABLE,
 	CMD_OBJ_FLOWTABLES,
+	CMD_OBJ_CT_TIMEOUT,
 };
 
 struct markup {
@@ -633,4 +652,13 @@ enum udata_set_elem_flags {
 	SET_ELEM_F_INTERVAL_OPEN = 0x1,
 };
 
+struct timeout_protocol {
+	uint32_t array_size;
+	const char *const *state_to_name;
+	uint32_t *dflt_timeout;
+};
+
+extern struct timeout_protocol timeout_protocol[IPPROTO_MAX];
+extern int timeout_str2num(uint16_t l4proto, struct timeout_state *ts);
+
 #endif /* NFTABLES_RULE_H */
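Review bot: The new `struct timeout_state` and `struct ct_timeout` in the `@@ -324` hunk carry no kernel-doc block, while this header documents its other types that way (`struct handle_spec - handle ID` is visible in the preceding hunk). I would add a `/** struct ct_timeout - conntrack timeout policy object ... */` comment listing `@l3proto`, `@l4proto`, `@timeout` as the per-state timeout array sized by `NFTNL_CTTIMEOUT_ARRAY_MAX`, and `@timeout_list` as the parsed `timeout_state` entries, plus a matching block on `timeout_state` explaining that `timeout_index` is the slot into `ct_timeout.timeout[]` that `timeout_str`/`timeout_value` describe. Since `timeout_index` is a bare `uint8_t` while the array it presumably indexes is `NFTNL_CTTIMEOUT_ARRAY_MAX` long, the comment should also state that whoever resolves the index (apparently `timeout_str2num`, declared in the last hunk) is responsible for checking it against the protocol's `array_size`; the code that does the indexing is not in this hunk, so I cannot confirm that check exists.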
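Review bot: In the `@@ -633` hunk, `timeout_protocol` is declared as an array of `IPPROTO_MAX` entries, but the lookup key `l4proto` is passed to `timeout_str2num` as `uint16_t`, whereas `struct ct_timeout.l4proto` two hunks earlier is `uint8_t`. A `uint16_t` admits values up to 65535, so any `timeout_protocol[l4proto]` lookup fed from a parsed protocol number needs an explicit `l4proto < IPPROTO_MAX` guard before indexing, or the prototype should narrow to the type the object actually stores, `extern int timeout_str2num(uint8_t l4proto, struct timeout_state *ts);`. The definition of `timeout_str2num` is outside this diff, so whether it already bounds the index cannot be verified here; either way a one-line comment on the `extern` stating the accepted `l4proto` range and the meaning of the return value would make the contract explicit. As a minor point, `dflt_timeout` is a non-const `uint32_t *` into what reads like a static table, so `const uint32_t *dflt_timeout;` may be the intended type if callers never write through it.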