diff mbox series

[conntrack-tools] conntrack: support for IPS_OFFLOAD

Message ID 20190809105539.4115-1-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira
Headers show
Series [conntrack-tools] conntrack: support for IPS_OFFLOAD | expand

Commit Message

Pablo Neira Ayuso Aug. 9, 2019, 10:55 a.m. UTC 
# conntrack -L -u OFFLOAD
 tcp      6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2
 tcp      6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 conntrack.8                                   |  4 ++--
 include/conntrack.h                           |  7 ++++---
 include/linux/netfilter/nf_conntrack_common.h | 24 ++++++++++++++++++++++--
 src/conntrack.c                               |  7 ++++---
 4 files changed, 32 insertions(+), 10 deletions(-)
diff mbox series

Patch

diff --git a/conntrack.8 b/conntrack.8
index 3c1e960e910e..1174c6cec73c 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -1,4 +1,4 @@ 
-.TH CONNTRACK 8 "Sep 26, 2017" "" ""
+.TH CONNTRACK 8 "Aug 9, 2019" "" ""
 
 .\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
 .\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007)
@@ -193,7 +193,7 @@  This option is only available in conjunction with "\-U, \-\-update".
 .BI "-c, --secmark " "SECMARK"
 Specify the conntrack selinux security mark.
 .TP
-.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]"
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]"
 Specify the conntrack status.
 .TP
 .BI "-n, --src-nat "
diff --git a/include/conntrack.h b/include/conntrack.h
index 6659a6454bc0..37ccf6e9a87e 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -3,7 +3,6 @@ 
 
 #include "linux_list.h"
 #include <stdint.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 
 #define PROGNAME "conntrack"
 
@@ -12,6 +11,8 @@ 
 #define NUMBER_OF_CMD   19
 #define NUMBER_OF_OPT   29
 
+struct nf_conntrack;
+
 struct ctproto_handler {
 	struct list_head 	head;
 
@@ -19,8 +20,8 @@  struct ctproto_handler {
 	uint16_t 		protonum;
 	const char		*version;
 
-	enum ctattr_protoinfo	protoinfo_attr;
-	
+	uint32_t		protoinfo_attr;
+
 	int (*parse_opts)(char c,
 			  struct nf_conntrack *ct,
 			  struct nf_conntrack *exptuple,
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 4cf003f43076..8023e5b6572f 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -1,3 +1,4 @@ 
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
 #ifndef _NF_CONNTRACK_COMMON_H
 #define _NF_CONNTRACK_COMMON_H
 /* Connection state tracking for netfilter.  This is separated from,
@@ -28,12 +29,14 @@  enum ip_conntrack_info {
 	/* only for userspace compatibility */
 #ifndef __KERNEL__
 	IP_CT_NEW_REPLY = IP_CT_NUMBER,
+#else
+	IP_CT_UNTRACKED = 7,
 #endif
 };
 
 #define NF_CT_STATE_INVALID_BIT			(1 << 0)
 #define NF_CT_STATE_BIT(ctinfo)			(1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
-#define NF_CT_STATE_UNTRACKED_BIT		(1 << (IP_CT_NUMBER + 1))
+#define NF_CT_STATE_UNTRACKED_BIT		(1 << 6)
 
 /* Bitset representing status of connection. */
 enum ip_conntrack_status {
@@ -90,13 +93,26 @@  enum ip_conntrack_status {
 	IPS_TEMPLATE_BIT = 11,
 	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
 
-	/* Conntrack is a fake untracked entry */
+	/* Conntrack is a fake untracked entry.  Obsolete and not used anymore */
 	IPS_UNTRACKED_BIT = 12,
 	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
 
 	/* Conntrack got a helper explicitly attached via CT target. */
 	IPS_HELPER_BIT = 13,
 	IPS_HELPER = (1 << IPS_HELPER_BIT),
+
+	/* Conntrack has been offloaded to flow table. */
+	IPS_OFFLOAD_BIT = 14,
+	IPS_OFFLOAD = (1 << IPS_OFFLOAD_BIT),
+
+	/* Be careful here, modifying these bits can make things messy,
+	 * so don't let users modify them directly.
+	 */
+	IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
+				 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
+				 IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_OFFLOAD),
+
+	__IPS_MAX_BIT = 15,
 };
 
 /* Connection tracking event types */
@@ -113,6 +129,10 @@  enum ip_conntrack_events {
 	IPCT_NATSEQADJ = IPCT_SEQADJ,
 	IPCT_SECMARK,		/* new security mark has been set */
 	IPCT_LABEL,		/* new connlabel has been set */
+	IPCT_SYNPROXY,		/* synproxy has been set */
+#ifdef __KERNEL__
+	__IPCT_MAX
+#endif
 };
 
 enum ip_conntrack_expect_events {
diff --git a/src/conntrack.c b/src/conntrack.c
index 97132a977221..c980a13f33d2 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -62,6 +62,7 @@ 
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <libmnl/libmnl.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 
 static struct nfct_mnl_socket {
@@ -867,10 +868,10 @@  enum {
 static struct parse_parameter {
 	const char	*parameter[7];
 	size_t  size;
-	unsigned int value[7];
+	unsigned int value[8];
 } parse_array[PARSE_MAX] = {
-	{ {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED"}, 5,
-	  { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} },
+	{ {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED", "OFFLOAD"}, 6,
+	  { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED, IPS_OFFLOAD} },
 	{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
 	  { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
 	{ {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", "userspace" }, 7,