[nft] ct: Add support for the 'id' key

Message ID	20190423201841.8539-1-bmastbergen@untangle.com
State	Changes Requested
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Brett Mastbergen <bmastbergen@untangle.com> To: netfilter-devel@vger.kernel.org Subject: [PATCH nft] ct: Add support for the 'id' key Date: Tue, 23 Apr 2019 16:18:41 -0400 Message-Id: <20190423201841.8539-1-bmastbergen@untangle.com> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	[nft] ct: Add support for the 'id' key \| expand [nft] ct: Add support for the 'id' key

Message ID

20190423201841.8539-1-bmastbergen@untangle.com

State

Changes Requested

Delegated to:

Pablo Neira

Headers

From: Brett Mastbergen <bmastbergen@untangle.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nft] ct: Add support for the 'id' key
Date: Tue, 23 Apr 2019 16:18:41 -0400
Message-Id: <20190423201841.8539-1-bmastbergen@untangle.com>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

[nft] ct: Add support for the 'id' key | expand

Commit Message

Brett Mastbergen April 23, 2019, 8:18 p.m. UTC

The 'id' key allows for matching on the id of the conntrack entry.

This is most useful as a key for maps

nft add map nat conntoip { type ct_id: ipv4_addr \; }
nft add rule ip nat postrouting snat ct id map @conntoip

Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
---
 doc/payload-expression.txt          |  5 ++++-
 include/ct.h                        |  1 +
 include/datatype.h                  |  1 +
 include/linux/netfilter/nf_tables.h |  2 ++
 src/ct.c                            | 11 +++++++++++
 src/datatype.c                      |  1 +
 src/parser_bison.y                  |  1 +
 7 files changed, 21 insertions(+), 1 deletion(-)

Comments

Florian Westphal April 23, 2019, 8:55 p.m. UTC | #1

Brett Mastbergen <bmastbergen@untangle.com> wrote:
> +const struct datatype ct_id_type = {
> +	.type		= TYPE_CT_ID,
> +	.name		= "ct_id",
> +	.desc		= "conntrack id",
> +	.byteorder	= BYTEORDER_BIG_ENDIAN,
> +	.size		= 4 * BITS_PER_BYTE,
> +	.basetype	= &integer_type,
> +};

Pablo, I know we've discussed this in the past but I think
the ct id would be a good candidate to add a generic uint32_t
integer type.

AFAICS the ct_id_type is unneeded per this patch,
but IIRC to make use of this for set definitions we can't use generic
integer type as it has no fixed size.

This is the first data type that doesn't need any specific
parsing/printing, AFAICS its just needed to get a fixed 32bit size.

Brett Mastbergen April 26, 2019, 2:06 p.m. UTC | #2

On 23-04-19, Florian Westphal wrote:
> Brett Mastbergen <bmastbergen@untangle.com> wrote:
> > +const struct datatype ct_id_type = {
> > +	.type		= TYPE_CT_ID,
> > +	.name		= "ct_id",
> > +	.desc		= "conntrack id",
> > +	.byteorder	= BYTEORDER_BIG_ENDIAN,
> > +	.size		= 4 * BITS_PER_BYTE,
> > +	.basetype	= &integer_type,
> > +};
> 
> Pablo, I know we've discussed this in the past but I think
> the ct id would be a good candidate to add a generic uint32_t
> integer type.
> 
> AFAICS the ct_id_type is unneeded per this patch,
> but IIRC to make use of this for set definitions we can't use generic
> integer type as it has no fixed size.

Indeed, the only reason I added the ct_id type was so there would be
a fixed length integer type to use in sets and as a key to maps.  If
you'd like me to throw together a patch that creates a generic 32
bit integer type, and then use that for the ct id key, just say the
word.

> 
> This is the first data type that doesn't need any specific
> parsing/printing, AFAICS its just needed to get a fixed 32bit size.

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 28061f3..e93022b 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -588,7 +588,7 @@  is true for the *zone*, if a direction is given, the zone is only matched if the
 zone id is tied to the given direction. +
 
 [verse]
-*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone}
+*ct* {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets | avgpkt | zone | id}
 *ct* {original | reply} {l3proto | protocol | proto-src | proto-dst | bytes | packets | avgpkt | zone}
 *ct* {original | reply} {ip | ip6} {saddr | daddr}
 
@@ -650,6 +650,9 @@  integer (16 bit)
 |count|
 count number of connections
 integer (32 bit)
+|id|
+Connection id
+ct_id
 |==========================================
 A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
 
diff --git a/include/ct.h b/include/ct.h
index 4c5bd80..1e707e7 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -39,5 +39,6 @@  extern const char *ct_label2str(unsigned long value);
 extern const struct datatype ct_dir_type;
 extern const struct datatype ct_state_type;
 extern const struct datatype ct_status_type;
+extern const struct datatype ct_id_type;
 
 #endif /* NFTABLES_CT_H */
diff --git a/include/datatype.h b/include/datatype.h
index 14ece28..73a9cf2 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -90,6 +90,7 @@  enum datatypes {
 	TYPE_CT_EVENTBIT,
 	TYPE_IFNAME,
 	TYPE_IGMP_TYPE,
+	TYPE_CT_ID,
 	__TYPE_MAX
 };
 #define TYPE_MAX		(__TYPE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 09a7b9e..150f32a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -986,6 +986,7 @@  enum nft_osf_flags {
  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
  * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
+ * @NFT_CT_ID: conntrack id
  */
 enum nft_ct_keys {
 	NFT_CT_STATE,
@@ -1012,6 +1013,7 @@  enum nft_ct_keys {
 	NFT_CT_SRC_IP6,
 	NFT_CT_DST_IP6,
 	NFT_CT_TIMEOUT,
+	NFT_CT_ID,
 	__NFT_CT_MAX
 };
 #define NFT_CT_MAX		(__NFT_CT_MAX - 1)
diff --git a/src/ct.c b/src/ct.c
index 2256ce3..21bc182 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -239,6 +239,15 @@  void ct_label_table_exit(void)
 	rt_symbol_table_free(ct_label_tbl);
 }
 
+const struct datatype ct_id_type = {
+	.type		= TYPE_CT_ID,
+	.name		= "ct_id",
+	.desc		= "conntrack id",
+	.byteorder	= BYTEORDER_BIG_ENDIAN,
+	.size		= 4 * BITS_PER_BYTE,
+	.basetype	= &integer_type,
+};
+
 #ifndef NF_CT_HELPER_NAME_LEN
 #define NF_CT_HELPER_NAME_LEN	16
 #endif
@@ -291,6 +300,8 @@  const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					      BYTEORDER_HOST_ENDIAN, 16),
 	[NFT_CT_EVENTMASK]	= CT_TEMPLATE("event", &ct_event_type,
 					      BYTEORDER_HOST_ENDIAN, 32),
+	[NFT_CT_ID]		= CT_TEMPLATE("id", &ct_id_type,
+					      BYTEORDER_BIG_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/datatype.c b/src/datatype.c
index ac9f2af..6b76fc9 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -71,6 +71,7 @@  static const struct datatype *datatypes[TYPE_MAX + 1] = {
 	[TYPE_BOOLEAN]		= &boolean_type,
 	[TYPE_IFNAME]		= &ifname_type,
 	[TYPE_IGMP_TYPE]	= &igmp_type_type,
+	[TYPE_CT_ID]		= &ct_id_type,
 };
 
 const struct datatype *datatype_lookup(enum datatypes type)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4a2a81c..92660ce 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4100,6 +4100,7 @@  ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
 			|	TIMEOUT 	{ $$ = NFT_CT_TIMEOUT; }
+			|	ID	 	{ $$ = NFT_CT_ID; }
 			|	ct_key_dir_optional
 			;

[nft] ct: Add support for the 'id' key

Commit Message

Comments

Patch