netfilter/ct: support optional CTA_ZONE attribute

Newer kernels support conntrack zones, which help to partition the
conntrack table into virtual conntrack tables.

This patch is for adding support for the optional attribute, adds
setters and getters, and adds support for the zone ID in the conntrack
dumper.

An example entry in NL_DUMP_LINE format looks like:

  tcp SYN_SENT 10.128.128.99:43354 <-> 10.128.129.20:22 zone 1

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Thomas Graf <tgraf@suug.ch>

diff --git a/include/netlink-private/types.h b/include/netlink-private/types.h
index ab5eea45a0a39442bf1762f27d3bf28370ecef6f..0fda9ac68e268038afd9b48ef794e40c08391bba 100644 (file)
--- a/include/netlink-private/types.h
+++ b/include/netlink-private/types.h
@@ -792,6 +792,7 @@ struct nfnl_ct {
        uint32_t                ct_mark;
        uint32_t                ct_use;
        uint32_t                ct_id;
+       uint16_t                ct_zone;
 
        struct nfnl_ct_dir      ct_orig;
        struct nfnl_ct_dir      ct_repl;

diff --git a/include/netlink/netfilter/ct.h b/include/netlink/netfilter/ct.h
index 776e3b3dcfe1049aebd5da93241d1a4581e4757c..31deeb46fd64cc675189329583207dcbfbd17672 100644 (file)
--- a/include/netlink/netfilter/ct.h
+++ b/include/netlink/netfilter/ct.h
@@ -90,6 +90,10 @@ extern void  nfnl_ct_set_id(struct nfnl_ct *, uint32_t);
 extern int     nfnl_ct_test_id(const struct nfnl_ct *);
 extern uint32_t        nfnl_ct_get_id(const struct nfnl_ct *);
 
+extern void    nfnl_ct_set_zone(struct nfnl_ct *, uint16_t);
+extern int     nfnl_ct_test_zone(const struct nfnl_ct *);
+extern uint16_t        nfnl_ct_get_zone(const struct nfnl_ct *);
+
 extern int     nfnl_ct_set_src(struct nfnl_ct *, int, struct nl_addr *);
 extern struct nl_addr *        nfnl_ct_get_src(const struct nfnl_ct *, int);
 

diff --git a/lib/netfilter/ct.c b/lib/netfilter/ct.c
index 362cd2886a4ffee06d88608d295e973d0f5cdb31..130f4b1137017aac08f2b81992bf2b3a117f3f54 100644 (file)
--- a/lib/netfilter/ct.c
+++ b/lib/netfilter/ct.c
@@ -55,6 +55,7 @@ static struct nla_policy ct_policy[CTA_MAX+1] = {
        [CTA_COUNTERS_REPLY]    = { .type = NLA_NESTED },
        [CTA_USE]               = { .type = NLA_U32 },
        [CTA_ID]                = { .type = NLA_U32 },
+       [CTA_ZONE]              = { .type = NLA_U16 },
        //[CTA_NAT_DST]
 };
 
@@ -369,6 +370,8 @@ int nfnlmsg_ct_parse(struct nlmsghdr *nlh, struct nfnl_ct **result)
                nfnl_ct_set_use(ct, ntohl(nla_get_u32(tb[CTA_USE])));
        if (tb[CTA_ID])
                nfnl_ct_set_id(ct, ntohl(nla_get_u32(tb[CTA_ID])));
+       if (tb[CTA_ZONE])
+               nfnl_ct_set_zone(ct, ntohs(nla_get_u16(tb[CTA_ZONE])));
 
        if (tb[CTA_COUNTERS_ORIG]) {
                err = ct_parse_counters(ct, 0, tb[CTA_COUNTERS_ORIG]);

diff --git a/lib/netfilter/ct_obj.c b/lib/netfilter/ct_obj.c
index 685879b264f1b242623d84e8371c0e840119f879..48e07822ecd27334c942a17ed5e0866ac344a30d 100644 (file)
--- a/lib/netfilter/ct_obj.c
+++ b/lib/netfilter/ct_obj.c
@@ -52,6 +52,7 @@
 #define CT_ATTR_REPL_PACKETS   (1UL << 24)
 #define CT_ATTR_REPL_BYTES     (1UL << 25)
 #define CT_ATTR_TIMESTAMP      (1UL << 26)
+#define CT_ATTR_ZONE   (1UL << 27)
 /** @endcond */
 
 static void ct_free_data(struct nl_object *c)
@@ -193,6 +194,9 @@ static void ct_dump_line(struct nl_object *a, struct nl_dump_params *p)
        if (nfnl_ct_test_mark(ct) && nfnl_ct_get_mark(ct))
                nl_dump(p, "mark %u ", nfnl_ct_get_mark(ct));
 
+       if (nfnl_ct_test_zone(ct))
+               nl_dump(p, "zone %hu ", nfnl_ct_get_zone(ct));
+
        if (nfnl_ct_test_timestamp(ct)) {
                const struct nfnl_ct_timestamp *tstamp = nfnl_ct_get_timestamp(ct);
                int64_t delta_time = tstamp->stop - tstamp->start;
@@ -584,6 +588,22 @@ uint32_t nfnl_ct_get_id(const struct nfnl_ct *ct)
        return ct->ct_id;
 }
 
+void nfnl_ct_set_zone(struct nfnl_ct *ct, uint16_t zone)
+{
+       ct->ct_zone = zone;
+       ct->ce_mask |= CT_ATTR_ZONE;
+}
+
+int nfnl_ct_test_zone(const struct nfnl_ct *ct)
+{
+       return !!(ct->ce_mask & CT_ATTR_ZONE);
+}
+
+uint16_t nfnl_ct_get_zone(const struct nfnl_ct *ct)
+{
+       return ct->ct_zone;
+}
+
 static int ct_set_addr(struct nfnl_ct *ct, struct nl_addr *addr,
                int attr, struct nl_addr ** ct_addr)
 {