ct: add packet/byte counter support

packets and bytes need special treatment -- we want to be able to get
packet/byte counter in either direction, but also express
'fetch in *BOTH* directions', i.e.

ct packets original + ct packets reply > 1000

This either requires a '+' expression, a new 'both' direction, or
keys where direction is optional, i.e.

ct packets > 12345	; original + reply
ct original packets > 12345 ; original

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 70a9619e5f06d9920dfbf324e99644c650e3c4d8..49de2b8a65abcd407a3cd9685006c8208fd4e553 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -744,6 +744,8 @@ enum nft_ct_keys {
        NFT_CT_PROTO_SRC,
        NFT_CT_PROTO_DST,
        NFT_CT_LABELS,
+       NFT_CT_PKTS,
+       NFT_CT_BYTES,
 };
 
 /**

diff --git a/src/ct.c b/src/ct.c
index ff6cd61bde75417f1f48194f04ff449692126910..b971ba16aedccb0d389bdc57d3a9dcb0f6e8ffca 100644 (file)
--- a/src/ct.c
+++ b/src/ct.c
@@ -203,6 +203,10 @@ static const struct ct_template ct_templates[] = {
        [NFT_CT_LABELS]         = CT_TEMPLATE("label", &ct_label_type,
                                              BYTEORDER_HOST_ENDIAN,
                                              CT_LABEL_BIT_SIZE),
+       [NFT_CT_BYTES]          = CT_TEMPLATE("bytes", &integer_type,
+                                             BYTEORDER_HOST_ENDIAN, 64),
+       [NFT_CT_PKTS]           = CT_TEMPLATE("packets", &integer_type,
+                                             BYTEORDER_HOST_ENDIAN, 64),
 };
 
 static void ct_expr_print(const struct expr *expr)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index ca9b757a84777381c5cd6ecbd24356c504f2bbfd..833e7f5d60dafea3dbb1d7d07811577e5b8f31ef 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -565,7 +565,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 
 %type <expr>                   ct_expr
 %destructor { expr_free($$); } ct_expr
-%type <val>                    ct_key          ct_key_dir
+%type <val>                    ct_key          ct_key_dir      ct_key_counters
 
 %type <val>                    export_format
 %type <string>                 monitor_event
@@ -2274,6 +2274,7 @@ ct_key                    :       STATE           { $$ = NFT_CT_STATE; }
                        |       EXPIRATION      { $$ = NFT_CT_EXPIRATION; }
                        |       HELPER          { $$ = NFT_CT_HELPER; }
                        |       LABEL           { $$ = NFT_CT_LABELS; }
+                       |       ct_key_counters
                        ;
 ct_key_dir             :       SADDR           { $$ = NFT_CT_SRC; }
                        |       DADDR           { $$ = NFT_CT_DST; }
@@ -2281,6 +2282,11 @@ ct_key_dir               :       SADDR           { $$ = NFT_CT_SRC; }
                        |       PROTOCOL        { $$ = NFT_CT_PROTOCOL; }
                        |       PROTO_SRC       { $$ = NFT_CT_PROTO_SRC; }
                        |       PROTO_DST       { $$ = NFT_CT_PROTO_DST; }
+                       |       ct_key_counters
+                       ;
+
+ct_key_counters                :       BYTES           { $$ = NFT_CT_BYTES; }
+                       |       PACKETS         { $$ = NFT_CT_PKTS; }
                        ;
 
 ct_stmt                        :       CT      ct_key          SET     expr