git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 8 Mar 2017 15:48:44 +0000 (16:48 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 13 Mar 2017 12:42:09 +0000 (13:42 +0100)
commit	db18fd84e2c76bd96aff7905c2f91b1fd0d19050
tree	3256d122501a216f23ab53975cdd891e86628d9c	tree \| snapshot
parent	920a79747e0e3b6d9e3d79f4b65f1afb2aedde03	commit \| diff

netfilter: nft_ct: add helper set support

this allows to assign connection tracking helpers to
connections via nft objref infrastructure.

The idea is to first specifiy a helper object:

table ip filter {
    ct helper some-name {
      type "ftp"
      protocol tcp
      l3proto ip
    }
}

and then assign it via

nft add ... ct helper set "some-name"

helper assignment works for new conntracks only as we cannot expand the
conntrack extension area once it has been committed to the main conntrack
table.

ipv4 and ipv6 protocols are tracked stored separately so
we can also handle families that observe both ipv4 and ipv6 traffic.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter/nf_tables.h		diff \| blob \| history
net/netfilter/nft_ct.c		diff \| blob \| history