From c7c94802679cd9ba09aa78f332f533ecae1b9e0c Mon Sep 17 00:00:00 2001
From: Harsha Sharma
Date: Tue, 14 Aug 2018 01:06:56 +0200
Subject: src: add ct timeout support

This patch adds support for adding, listing and deleting ct timeout objects which can be assigned via rule to assign connection tracking timeout policies via objref infrastructure.

% nft add table filter
% nft add chain filter output
% nft add ct timeout filter test-tcp { protocol tcp \; policy = { established: 132, close: 13, close_wait: 17 } \; }
% nft add rule filter output ct timeout set test-tcp
% nft list ruleset
table ip filter { ct timeout test-tcp { protocol tcp; l3proto ip policy = {established: 132, close_wait: 17, close: 13} } chain output { ct timeout set "test-tcp" } }
% nft delete rule filter output handle
% nft delete ct timeout filter test-tcp

Note: Original patch has been rework to use fixed size array for timeouts and to validate timeout policy from the evaluation phase, once we have access to the layer 4 protocol number.
--pablo

Signed-off-by: Harsha Sharma
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'src/netlink.c')

diff --git a/src/netlink.c b/src/netlink.c
index bd472799..f795d984 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -334,6 +334,14 @@ alloc_nftnl_obj(const struct handle *h, struct obj *obj)
 		nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO,
 				  obj->ct_helper.l3proto);
 		break;
+	case NFT_OBJECT_CT_TIMEOUT:
+		nftnl_obj_set_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO,
+				 obj->ct_timeout.l4proto);
+		if (obj->ct_timeout.l3proto)
+			nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO,
+					  obj->ct_timeout.l3proto);
+		nftnl_obj_set(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY, obj->ct_timeout.timeout);
+		break;
 	case NFT_OBJECT_LIMIT:
 		nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_RATE, obj->limit.rate);
 		nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_UNIT, obj->limit.unit);
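Review bot: The `nftnl_obj_set(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY, obj->ct_timeout.timeout)` call passes no length, so the number of bytes libnftnl reads from `obj->ct_timeout.timeout` is fixed by the library (presumably `NFTNL_CTTIMEOUT_ARRAY_MAX` entries, the same constant the memcpy in the second hunk hardcodes) and nothing in this hunk ties that to the array's declared size. A short array in `struct obj` would become an over-read on the linearize side and an overflow on the delinearize side without any compiler diagnostic; I would add `/* libnftnl copies NFTNL_CTTIMEOUT_ARRAY_MAX u32 entries; obj->ct_timeout.timeout must be declared with at least that many */` above the call, and in the second hunk replace the hand-computed size with `sizeof(obj->ct_timeout.timeout)` so the two sides cannot drift apart. The `if (obj->ct_timeout.l3proto)` guard treats 0 as "unset" while `l4proto` is always sent; a one-line comment stating what the kernel does when `NFTNL_OBJ_CT_TIMEOUT_L3PROTO` is absent (presumably falling back to the table family, to be confirmed) would make the asymmetry intentional rather than surprising. The enclosing `switch` and `alloc_nftnl_obj` begin and end outside the hunk.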
@@ -1437,6 +1445,13 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
 		obj->ct_helper.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO);
 		obj->ct_helper.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO);
 		break;
+	case NFT_OBJECT_CT_TIMEOUT:
+		obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO);
+		obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO);
+		memcpy(obj->ct_timeout.timeout,
+		       nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY),
+		       NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));
+		break;
 	case NFT_OBJECT_LIMIT:
 		obj->limit.rate = nftnl_obj_get_u64(nlo, NFTNL_OBJ_LIMIT_RATE);
-- 
cgit v1.2.3