author | Florian Westphal <fw@strlen.de> | 2017-02-21 18:11:31 +0100 |
committer | Florian Westphal <fw@strlen.de> | 2017-03-16 10:09:42 +0100 |
commit | 5ca4eb30d62e0ab2768d64de5c70931292213338 (patch) | |
tree | a54d95ecbb4de9deeeee83f1353421ef690f135e /include | |
parent | f2af2b2ad1c4dd68bd5bbf3c763f0f1513281c0c (diff) |
src: add initial ct helper support
This adds initial support for defining conntrack helper objects
which can then be assigned to connections using the objref infrastructure:
table ip filter {
ct helper ftp-standard {
type "ftp" protocol tcp
}
chain y {
tcp dport 21 ct helper set "ftp-standard"
}
}
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/ct.h | 1 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 12 | ||||
-rw-r--r-- | include/rule.h | 7 |
3 files changed, 19 insertions, 1 deletions
diff --git a/include/ct.h b/include/ct.h
index 03e76e61..ae900ee4 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -31,6 +31,7 @@ extern struct error_record *ct_dir_parse(const struct location *loc,
 const char *str, int8_t *dir);
 extern struct error_record *ct_key_parse(const struct location *loc, const char *str, unsigned int *key);
+extern struct error_record *ct_objtype_parse(const struct location *loc, const char *str, int *type);
 extern struct stmt *notrack_stmt_alloc(const struct location *loc);
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a9280a65..8f384269 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1260,10 +1260,20 @@ enum nft_fib_flags {
 NFTA_FIB_F_PRESENT = 1 << 5, /* check existence only */
 };
+enum nft_ct_helper_attributes {
+ NFTA_CT_HELPER_UNSPEC,
+ NFTA_CT_HELPER_NAME,
+ NFTA_CT_HELPER_L3PROTO,
+ NFTA_CT_HELPER_L4PROTO,
+ __NFTA_CT_HELPER_MAX,
+};
+#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
+
 #define NFT_OBJECT_UNSPEC 0
 #define NFT_OBJECT_COUNTER 1
 #define NFT_OBJECT_QUOTA 2
-#define __NFT_OBJECT_MAX 3
+#define NFT_OBJECT_CT_HELPER 3
+#define __NFT_OBJECT_MAX 4
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 /**
diff --git a/include/rule.h b/include/rule.h
index ed12774d..d89a963d 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -260,6 +260,12 @@ struct quota {
 uint32_t flags;
 };
+struct ct {
+ char helper_name[16];
+ uint16_t l3proto;
+ uint8_t l4proto;
+};
+
 /**
 * struct obj - nftables stateful object statement
 *
@@ -277,6 +283,7 @@ struct obj {
 union {
 struct counter counter;
 struct quota quota;
+ struct ct ct;
 };
 };
|
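Review bot: The new ct_objtype_parse prototype in include/ct.h documents neither its return contract nor what happens to `*type` on failure, so a caller that ignores the returned error record and reads `*type` anyway would use an unset object type; the neighbouring ct_dir_parse/ct_key_parse declarations have the same gap, but this is the one being added. A one-line comment above it stating that a non-NULL return is an error record and whether `*type` is left untouched in that case (not visible from this header; confirm against the implementation) would settle it for callers. The siblings in this hunk wrap their parameter lists after `loc,`, so `extern struct error_record *ct_objtype_parse(const struct location *loc,` followed by `const char *str, int *type);` on a continuation line would match the file's style. The declaration list continues outside the hunk.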
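Review bot: `char helper_name[16]` in the new struct ct in include/rule.h is a bare magic size with nothing in the hunk tying it to the code that fills it or to the kernel-side limit it presumably mirrors, so a later change at either end can silently truncate the name or leave the array without a NUL terminator. A field comment such as `/* fixed-size name buffer; fill only with a bounded, NUL-terminating copy and keep the size in step with the kernel's helper name limit */`, or a named constant shared with the copy site, would make the bound explicit; the parser and netlink code that populate it are outside this diffstat (limited to 'include'), so the bound cannot be checked here. The tag `struct ct` is also very generic for a name in a project-wide header, though it follows the neighbouring `struct counter` and `struct quota`.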