review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Stéphane Veyret <sveyret@gmail.com>
	Sat, 25 May 2019 13:30:58 +0000 (15:30 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 17 Jun 2019 14:35:20 +0000 (16:35 +0200)
commit	857b46027d6f91150797295752581b7155b9d0e1
tree	c3408c8afa62515ec21cfc5f007af55ea8291dc5	tree \| snapshot
parent	16e6427c88c5b7e7b6612f6c286d5f71d659e5be	commit \| diff

netfilter: nft_ct: add ct expectations support

This patch allows to add, list and delete expectations via nft objref
infrastructure and assigning these expectations via nft rule.

This allows manual port triggering when no helper is defined to manage a
specific protocol. For example, if I have an online game which protocol
is based on initial connection to TCP port 9753 of the server, and where
the server opens a connection to port 9876, I can set rules as follow:

table ip filter {
    ct expectation mygame {
        protocol udp;
        dport 9876;
        timeout 2m;
        size 1;
    }

    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport 9753 ct expectation set "mygame";
    }

    chain output {
        type filter hook output priority 0; policy drop;
        udp dport 9876 ct status expected accept;
    }
}

Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter/nf_tables.h		diff \| blob \| history
net/netfilter/nft_ct.c		diff \| blob \| history