conntrack: Add zone filtering for conntrack events

This patch adds support for filtering CT entries by their zones using bsf. Max number of zones for filtering is 127. (Although it can be supported till 255 but keeping it consistent with IPv4 and mark filtering). Entries which does not have ct-zone set will be treated as ct-zone=0. Signed-off-by: Priyankar Jain <priyankar.jain@nutanix.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Priyankar Jain <priyankar.jain@nutanix.com> 2024-08-30 14:35:30 +0530
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2024-09-03 10:49:34 +0200
commit: 282aba753f7bd3b8c02a96e3752798c4e7651f3b (patch)
tree: 082994122c9c1e5fbaf328e7210f930fc9cabb63 /include/internal/object.h
parent: 7b02fb5704585e07f8788389de1c33ed72de1555 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/include/internal/object.h b/include/internal/object.h
index 8854ef2..658e4d2 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -280,6 +280,10 @@ struct nfct_filter {
 		uint32_t 	mask;
 	} mark[__FILTER_MARK_MAX];
 
+	uint32_t	  zone_elems;
+#define __FILTER_ZONE_MAX	127
+	uint16_t zone[__FILTER_ZONE_MAX];
+
 	uint32_t 		set[1];
 };
author	Priyankar Jain <priyankar.jain@nutanix.com>	2024-08-30 14:35:30 +0530
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2024-09-03 10:49:34 +0200
commit	282aba753f7bd3b8c02a96e3752798c4e7651f3b (patch)
tree	082994122c9c1e5fbaf328e7210f930fc9cabb63 /include/internal/object.h
parent	7b02fb5704585e07f8788389de1c33ed72de1555 (diff)