
Commit ab23821f authored by Florian Westphal, committed by Pablo Neira Ayuso

netfilter: nft_ct: add zone id get support



Just like with counters the direction attribute is optional.
We set priv->dir to MAX unconditionally to avoid duplicating the assignment
for all keys with optional direction.

For keys where direction is mandatory, existing code already returns
an error.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 665153ff
+2 −0
@@ -870,6 +870,7 @@ enum nft_rt_attributes {
 * @NFT_CT_PKTS: conntrack packets
 * @NFT_CT_PKTS: conntrack packets
 * @NFT_CT_BYTES: conntrack bytes
 * @NFT_CT_BYTES: conntrack bytes
 * @NFT_CT_AVGPKT: conntrack average bytes per packet
 * @NFT_CT_AVGPKT: conntrack average bytes per packet
 * @NFT_CT_ZONE: conntrack zone
 */
 */
enum nft_ct_keys {
enum nft_ct_keys {
	NFT_CT_STATE,
	NFT_CT_STATE,
@@ -889,6 +890,7 @@ enum nft_ct_keys {
	NFT_CT_PKTS,
	NFT_CT_PKTS,
	NFT_CT_BYTES,
	NFT_CT_BYTES,
	NFT_CT_AVGPKT,
	NFT_CT_AVGPKT,
	NFT_CT_ZONE,
};
};


/**
/**
+19 −3
@@ -151,6 +151,18 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
	case NFT_CT_PROTOCOL:
	case NFT_CT_PROTOCOL:
		*dest = nf_ct_protonum(ct);
		*dest = nf_ct_protonum(ct);
		return;
		return;
#ifdef CONFIG_NF_CONNTRACK_ZONES
	case NFT_CT_ZONE: {
		const struct nf_conntrack_zone *zone = nf_ct_zone(ct);

		if (priv->dir < IP_CT_DIR_MAX)
			*dest = nf_ct_zone_id(zone, priv->dir);
		else
			*dest = zone->id;

		return;
	}
#endif
	default:
	default:
		break;
		break;
	}
	}
@@ -266,6 +278,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
	int err;
	int err;


	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
	priv->dir = IP_CT_DIR_MAX;
	switch (priv->key) {
	switch (priv->key) {
	case NFT_CT_DIRECTION:
	case NFT_CT_DIRECTION:
		if (tb[NFTA_CT_DIRECTION] != NULL)
		if (tb[NFTA_CT_DIRECTION] != NULL)
@@ -333,11 +346,13 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
	case NFT_CT_BYTES:
	case NFT_CT_BYTES:
	case NFT_CT_PKTS:
	case NFT_CT_PKTS:
	case NFT_CT_AVGPKT:
	case NFT_CT_AVGPKT:
		/* no direction? return sum of original + reply */
		if (tb[NFTA_CT_DIRECTION] == NULL)
			priv->dir = IP_CT_DIR_MAX;
		len = sizeof(u64);
		len = sizeof(u64);
		break;
		break;
#ifdef CONFIG_NF_CONNTRACK_ZONES
	case NFT_CT_ZONE:
		len = sizeof(u16);
		break;
#endif
	default:
	default:
		return -EOPNOTSUPP;
		return -EOPNOTSUPP;
	}
	}
@@ -465,6 +480,7 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
	case NFT_CT_BYTES:
	case NFT_CT_BYTES:
	case NFT_CT_PKTS:
	case NFT_CT_PKTS:
	case NFT_CT_AVGPKT:
	case NFT_CT_AVGPKT:
	case NFT_CT_ZONE:
		if (priv->dir < IP_CT_DIR_MAX &&
		if (priv->dir < IP_CT_DIR_MAX &&
		    nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
		    nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
			goto nla_put_failure;
			goto nla_put_failure;
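Review bot: In the `NFT_CT_ZONE` case of nft_ct_get_eval the zone id is written with a plain `*dest = ...` store, while nft_ct_get_init declares the same key as `len = sizeof(u16)`. The declaration of `dest` is outside the hunk, but if it points at a 32-bit register word, the store width and the declared length disagree. On a big-endian host the id would then land in the two bytes that a 16-bit comparison does not read, so a zone match in a ruleset could silently never match. Storing through a 16-bit view keeps both sides consistent, e.g. `*(u16 *)dest = priv->dir < IP_CT_DIR_MAX ? nf_ct_zone_id(zone, priv->dir) : zone->id;`. Both function bodies start and end outside the visible hunks, so this should be checked against the full register-handling code.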