From 7f742d0a9071f932836b4f8525a6d3f7261ae083 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Jun 2019 10:28:37 +0200 Subject: ct: support for NFT_CT_{SRC,DST}_{IP,IP6} These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso
---
 include/ct.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'include/ct.h')
diff --git a/include/ct.h b/include/ct.h
index 4c5bd804..063f8cdf 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -26,8 +26,7 @@ extern const struct ct_template ct_templates[__NFT_CT_MAX];
 }
 extern struct expr *ct_expr_alloc(const struct location *loc,
- enum nft_ct_keys key, int8_t direction,
- uint8_t nfproto);
+ enum nft_ct_keys key, int8_t direction);
 extern void ct_expr_update_type(struct proto_ctx *ctx, struct expr *expr);
 extern struct stmt *notrack_stmt_alloc(const struct location *loc);
-- cgit v1.2.3
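Review bot: The `ct_expr_alloc()` prototype has no comment saying where the layer 3 family comes from, and with the new three-argument form a caller can no longer pass it in. I would add above the declaration something like `/* L3 family is implied by the key (NFT_CT_{SRC,DST}_{IP,IP6}) or by earlier 'meta protocol' context; it is not an argument. */`, so that address matches are not built without family context by mistake. The signed `int8_t direction` looks as if it admits a negative "no direction" value; if that is the case, the same comment should say so. The definition and the call sites are outside this view (the page is limited to include/ct.h), so it cannot be checked here that every caller dropped its fourth argument; a stale call would fail to compile rather than misbehave.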