git.ipfire.org Git - thirdparty/nftables.git/commit

author	Arturo Borrero <arturo.borrero.glez@gmail.com>
	Wed, 12 Mar 2014 18:03:19 +0000 (19:03 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 13 Mar 2014 13:16:45 +0000 (14:16 +0100)
commit	b573748a755f5f60449b53d85fb13093461530fb
tree	c8f4cba80408638478fd4e0760c139855fc78482	tree
parent	d8118b445fa6ef44e839d9717b10dbf8d095feaa	commit \| diff

ct: add support for setting ct mark

This patch adds the possibility to set ct keys using nft. Currently, the
connection mark is supported. This functionality enables creating rules
performing the same action as iptables -j CONNMARK --save-mark. For example:

table ip filter {
chain postrouting {
type filter hook postrouting priority 0;
ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark
}
}

My patch is based on the original http://patchwork.ozlabs.org/patch/307677/
by Kristian Evensen <kristian.evensen@gmail.com>.

I simply did a rebase and some testing. To test, I added rules like these:
counter meta mark set 1 counter
counter ct mark set mark counter
counter ct mark 1 counter

The last matching worked as expected, which means the second rule is also
working as expected.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Acked-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/statement.h		diff \| blob \| blame \| history
src/ct.c		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
src/netlink_linearize.c		diff \| blob \| blame \| history
src/parser.y		diff \| blob \| blame \| history