From 5ca4eb30d62e0ab2768d64de5c70931292213338 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 21 Feb 2017 18:11:31 +0100
Subject: src: add initial ct helper support

This adds initial support for defining conntrack helper objects which can then be assigned to connections using the objref infrastructure:

table ip filter { ct helper ftp-standard { type "ftp" protocol tcp } chain y { tcp dport 21 ct helper set "ftp-standard" } }

Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
---
 include/ct.h | 1 +
 include/linux/netfilter/nf_tables.h | 12 +++++++++++-
 include/rule.h | 7 +++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
(limited to 'include')

diff --git a/include/ct.h b/include/ct.h
index 03e76e61..ae900ee4 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -31,6 +31,7 @@ extern struct error_record *ct_dir_parse(const struct location *loc, const char *str, int8_t *dir); extern struct error_record *ct_key_parse(const struct location *loc, const char *str, unsigned int *key);
+extern struct error_record *ct_objtype_parse(const struct location *loc, const char *str, int *type);
 extern struct stmt *notrack_stmt_alloc(const struct location *loc);
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a9280a65..8f384269 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1260,10 +1260,20 @@ enum nft_fib_flags {
 NFTA_FIB_F_PRESENT = 1 << 5, /* check existence only */
 };
 
+enum nft_ct_helper_attributes {
+ NFTA_CT_HELPER_UNSPEC,
+ NFTA_CT_HELPER_NAME,
+ NFTA_CT_HELPER_L3PROTO,
+ NFTA_CT_HELPER_L4PROTO,
+ __NFTA_CT_HELPER_MAX,
+};
+#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
+
 #define NFT_OBJECT_UNSPEC 0
 #define NFT_OBJECT_COUNTER 1
 #define NFT_OBJECT_QUOTA 2
-#define __NFT_OBJECT_MAX 3
+#define NFT_OBJECT_CT_HELPER 3
+#define __NFT_OBJECT_MAX 4
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 
 /**
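Review bot: The new `ct_objtype_parse` prototype in the ct.h hunk is laid out differently from its neighbours: judging by the hunk's line counts, `ct_dir_parse` and `ct_key_parse` wrap their parameter lists across two lines to stay within the file's line width, while the added declaration runs past it on a single line. Wrap it the same way, `extern struct error_record *ct_objtype_parse(const struct location *loc,` followed by an aligned `const char *str, int *type);`. It would also help to say in a short comment what `*type` receives, presumably one of the `NFT_OBJECT_*` values from the nf_tables.h hunk, and, by analogy with the sibling parsers, that a non-NULL error record is returned when `str` is not a known object type; neither the name nor the bare `int *` out-parameter pins that down, and the definition is outside this patch.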
diff --git a/include/rule.h b/include/rule.h
index ed12774d..d89a963d 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -260,6 +260,12 @@ struct quota {
 uint32_t flags;
 };
 
+struct ct {
+ char helper_name[16];
+ uint16_t l3proto;
+ uint8_t l4proto;
+};
+
 /**
 * struct obj - nftables stateful object statement
 *
@@ -277,6 +283,7 @@ struct obj {
 union {
 struct counter counter;
 struct quota quota;
+ struct ct ct;
 };
 };
 
-- cgit v1.2.3
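Review bot: `struct ct` in the first rule.h hunk sizes `helper_name` with a bare `16` and says nothing about termination, yet the field will carry a name taken from user configuration (`type "ftp"` in the commit message) and later be emitted as `NFTA_CT_HELPER_NAME`, so whoever fills it needs to know whether the 16 bytes include a NUL terminator or are a length-bounded, possibly unterminated string. Replace the literal with a named constant, `char helper_name[CT_HELPER_NAME_LEN];` with `CT_HELPER_NAME_LEN` defined once and commented as having to stay in sync with the kernel's `NF_CT_HELPER_NAME_LEN`, and state the termination rule on the field itself. The hunk also shows that rule.h documents its object structs kerneldoc-style (`struct obj - nftables stateful object statement`), so the new struct should get a matching `/** struct ct - conntrack helper object ... */` block with `@helper_name`, `@l3proto` and `@l4proto` entries; the code that actually populates the struct is not part of this patch.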