@@ -29,4 +29,7 @@ extern void ct_expr_update_type(struct proto_ctx *ctx, struct expr *expr);
extern struct error_record *ct_dir_parse(const struct location *loc,
const char *str, int8_t *dir);
+
+extern struct stmt *notrack_stmt_alloc(const struct location *loc);
+
#endif /* NFTABLES_CT_H */
@@ -208,6 +208,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
* @STMT_FWD: forward statement
* @STMT_XT: XT statement
* @STMT_QUOTA: quota statement
+ * @STMT_NOTRACK: notrack statement
*/
enum stmt_types {
STMT_INVALID,
@@ -230,6 +231,7 @@ enum stmt_types {
STMT_FWD,
STMT_XT,
STMT_QUOTA,
+ STMT_NOTRACK,
};
/**
@@ -379,6 +379,22 @@ struct stmt *ct_stmt_alloc(const struct location *loc, enum nft_ct_keys key,
return stmt;
}
+static void notrack_stmt_print(const struct stmt *stmt)
+{
+ printf("notrack");
+}
+
+static const struct stmt_ops notrack_stmt_ops = {
+ .type = STMT_NOTRACK,
+ .name = "notrack",
+ .print = notrack_stmt_print,
+};
+
+struct stmt *notrack_stmt_alloc(const struct location *loc)
+{
+ return stmt_alloc(loc, ¬rack_stmt_ops);
+}
+
static void __init ct_init(void)
{
datatype_register(&ct_state_type);
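Review bot: The address-of in `notrack_stmt_alloc` is shown as `return stmt_alloc(loc, ¬rack_stmt_ops);`, which is not valid C as rendered; the `¬` looks like `&not` having been decoded as an HTML entity somewhere in transit, so the intended line is `return stmt_alloc(loc, &notrack_stmt_ops);` — worth confirming the applied patch is unaffected. Separately, `notrack_stmt_print` ignores its `stmt` argument because the statement has no operands to print, but nothing says so; a one-line comment such as `/* notrack has no operands; the keyword is the whole statement */` above the print callback would make that explicit rather than leaving the reader to wonder whether an operand was forgotten.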
@@ -2443,6 +2443,7 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
case STMT_COUNTER:
case STMT_LIMIT:
case STMT_QUOTA:
+ case STMT_NOTRACK:
return 0;
case STMT_EXPRESSION:
return stmt_evaluate_expr(ctx, stmt);
@@ -601,6 +601,13 @@ static void netlink_parse_numgen(struct netlink_parse_ctx *ctx,
netlink_set_register(ctx, dreg, expr);
}
+static void netlink_parse_notrack(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ ctx->stmt = notrack_stmt_alloc(loc);
+}
+
static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
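Review bot: `netlink_parse_notrack` never reads `nle` and only allocates the statement from `loc`, which is correct if the kernel-side notrack expression carries no attributes, but the function does not state that; a comment such as `/* notrack carries no attributes, so nothing is read from nle */` above the assignment would document the intent. The unused parameter itself is expected, since the callback has to match the parse-table signature used by the entry added in the later hunk.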
@@ -1092,6 +1099,7 @@ static const struct {
{ .name = "range", .parse = netlink_parse_range },
{ .name = "reject", .parse = netlink_parse_reject },
{ .name = "nat", .parse = netlink_parse_nat },
+ { .name = "notrack", .parse = netlink_parse_notrack },
{ .name = "masq", .parse = netlink_parse_masq },
{ .name = "redir", .parse = netlink_parse_redir },
{ .name = "dup", .parse = netlink_parse_dup },
@@ -1063,6 +1063,15 @@ static void netlink_gen_ct_stmt(struct netlink_linearize_ctx *ctx,
nftnl_rule_add_expr(ctx->nlr, nle);
}
+static void netlink_gen_notrack_stmt(struct netlink_linearize_ctx *ctx,
+ const struct stmt *stmt)
+{
+ struct nftnl_expr *nle;
+
+ nle = alloc_nft_expr("notrack");
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
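Review bot: `netlink_gen_notrack_stmt` allocates a bare `notrack` expression and adds it to the rule without setting any attribute, which is the right shape for an operand-less statement, but a reader scanning the neighbouring gen helpers will look for a missing `nftnl_expr_set_*` call; a comment like `/* the notrack expression has no attributes: adding it is the whole statement */` before the `alloc_nft_expr` line would settle that. The `stmt` parameter is unused here, presumably kept for parity with the other gen helpers' signatures.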
@@ -1158,6 +1167,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
nle = netlink_gen_stmt_stateful(ctx, stmt);
nftnl_rule_add_expr(ctx->nlr, nle);
break;
+ case STMT_NOTRACK:
+ return netlink_gen_notrack_stmt(ctx, stmt);
default:
BUG("unknown statement type %s\n", stmt->ops->name);
}
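Review bot: `return netlink_gen_notrack_stmt(ctx, stmt);` returns a void expression from `netlink_gen_stmt`, which the hunk header shows is declared `void`; ISO C does not allow a `return` with an expression in a void function, and GCC only diagnoses it under -pedantic. The case visible just above ends with `break;`, so the consistent form is `case STMT_NOTRACK:` / `netlink_gen_notrack_stmt(ctx, stmt);` / `break;`. The rest of the switch lies outside the hunk and may already use the `return` form elsewhere, in which case this is a style nit to be applied uniformly rather than a correctness issue.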
@@ -420,6 +420,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token XML "xml"
%token JSON "json"
+%token NOTRACK "notrack"
+
%type <string> identifier type_identifier string comment_spec
%destructor { xfree($$); } identifier type_identifier string comment_spec
@@ -2534,6 +2536,10 @@ ct_stmt : CT ct_key SET expr
{
$$ = ct_stmt_alloc(&@$, $2, $4);
}
+ | NOTRACK
+ {
+ $$ = notrack_stmt_alloc(&@$);
+ }
;
payload_stmt : payload_expr SET expr
@@ -477,6 +477,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"dup" { return DUP; }
"fwd" { return FWD; }
+"notrack" { return NOTRACK; }
+
"xml" { return XML; }
"json" { return JSON; }
This patch adds the notrack statement, to skip connection tracking for certain packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/ct.h | 3 +++ include/statement.h | 2 ++ src/ct.c | 16 ++++++++++++++++ src/evaluate.c | 1 + src/netlink_delinearize.c | 8 ++++++++ src/netlink_linearize.c | 11 +++++++++++ src/parser_bison.y | 6 ++++++ src/scanner.l | 2 ++ 8 files changed, 49 insertions(+)