review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Harsha Sharma <harshasharmaiitr@gmail.com>
	Tue, 7 Aug 2018 15:14:23 +0000 (17:14 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 7 Aug 2018 15:14:23 +0000 (17:14 +0200)
commit	7e0b2b57f01d183e1c84114f1f2287737358d748
tree	fbcb423c2a0ee428ff74bd18cc040eab7b809b07	tree \| snapshot
parent	ad83f2a9ce37a264202f48f4fd8889ee9056b703	commit \| diff

netfilter: nft_ct: add ct timeout support

This patch allows to add, list and delete connection tracking timeout
policies via nft objref infrastructure and assigning these timeout
via nft rule.

%./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp

Ruleset:

table ip raw {
   ct timeout cttime {
       protocol tcp;
       policy = {established: 111, close: 13 }
   }

   chain output {
       type filter hook output priority -300; policy accept;
       ct timeout set "cttime"
   }
}

%./libnftnl/examples/nft-rule-ct-timeout-add ip raw output cttime

%conntrack -E
[NEW] tcp      6 111 ESTABLISHED src=172.16.19.128 dst=172.16.19.1
sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128
sport=41360 dport=22

%nft delete rule ip raw output handle <handle>
%./libnftnl/examples/nft-ct-timeout-del ip raw cttime

Joint work with Pablo Neira.

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter/nf_tables.h		diff \| blob \| history
net/netfilter/nft_ct.c		diff \| blob \| history