From 7f742d0a9071f932836b4f8525a6d3f7261ae083 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 21 Jun 2019 10:28:37 +0200
Subject: ct: support for NFT_CT_{SRC,DST}_{IP,IP6}

These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context.

Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases.

If your kernel is < 4.17, you can still use address matching via explicit meta nfproto:

meta nfproto ipv4 ct original saddr 1.2.3.4

Signed-off-by: Pablo Neira Ayuso
---
 src/parser_json.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'src/parser_json.c')

diff --git a/src/parser_json.c b/src/parser_json.c
index af7701fc..30b17173 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -714,6 +714,10 @@ static bool ct_key_is_dir(enum nft_ct_keys key)
 		NFT_CT_BYTES,
 		NFT_CT_AVGPKT,
 		NFT_CT_ZONE,
+		NFT_CT_SRC_IP,
+		NFT_CT_DST_IP,
+		NFT_CT_SRC_IP6,
+		NFT_CT_DST_IP6,
 	};
 	unsigned int i;
 
@@ -727,9 +731,9 @@ static bool ct_key_is_dir(enum nft_ct_keys key)
 static struct expr *json_parse_ct_expr(struct json_ctx *ctx,
 				       const char *type, json_t *root)
 {
+	int dirval = -1, keyval = -1;
 	const char *key, *dir;
 	unsigned int i;
-	int dirval = -1, familyval, keyval = -1;
 
 	if (json_unpack_err(ctx, root, "{s:s}", "key", &key))
 		return NULL;
@@ -746,10 +750,6 @@ static struct expr *json_parse_ct_expr(struct json_ctx *ctx,
 		return NULL;
 	}
 
-	familyval = json_parse_family(ctx, root);
-	if (familyval < 0)
-		return NULL;
-
 	if (!json_unpack(root, "{s:s}", "dir", &dir)) {
 		if (!strcmp(dir, "original")) {
 			dirval = IP_CT_DIR_ORIGINAL;
@@ -766,7 +766,7 @@ static struct expr *json_parse_ct_expr(struct json_ctx *ctx,
 		}
 	}
 
-	return ct_expr_alloc(int_loc, keyval, dirval, familyval);
+	return ct_expr_alloc(int_loc, keyval, dirval);
 }
 
 static struct expr *json_parse_numgen_expr(struct json_ctx *ctx,
-- 
cgit v1.2.3
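Review bot: The key table inside ct_key_is_dir carries no comment saying what membership means, and this hunk grows it with four entries whose direction dependence a reader has to infer from the function name alone. I would head the table with `/* ct keys whose value depends on the conntrack direction ("original"/"reply"); the SRC_IP/DST_IP/SRC_IP6/DST_IP6 entries are only understood by kernels >= 4.17 (see commit message) */` so the next person adding a key knows the criterion. Both the array and the enclosing function start before this hunk and end after it.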
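Review bot: A JSON ct expression that still carries a "family" attribute is now silently accepted with the attribute ignored, because the new side of this hunk drops the json_parse_family() call without adding any check for the key; a ruleset written against the old JSON schema would load but lose the layer-3 context it asked for instead of failing loudly. I would reject the leftover attribute explicitly, e.g. `if (!json_unpack(root, "{s:s}", "family", &family)) { json_error(ctx, "ct family is no longer supported, use meta nfproto or the ip/ip6 ct keys"); return NULL; }`, reporting through whatever helper json_unpack_err uses in this file if json_error() is not it (its existence is inferred, not visible in the hunk). json_parse_ct_expr starts before this hunk and ends after it.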