src: add notrack support

This patch adds the notrack statement, to skip connection tracking for
certain packets.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/ct.h b/include/ct.h
index 0aeeed60bfaa7dfc054388038b6a028fc6044b92..03e76e619e236f578aedb80404e135c9d65b4121 100644 (file)
--- a/include/ct.h
+++ b/include/ct.h
@@ -31,4 +31,7 @@ extern struct error_record *ct_dir_parse(const struct location *loc,
                                         const char *str, int8_t *dir);
 extern struct error_record *ct_key_parse(const struct location *loc, const char *str,
                                         unsigned int *key);
+
+extern struct stmt *notrack_stmt_alloc(const struct location *loc);
+
 #endif /* NFTABLES_CT_H */

diff --git a/include/statement.h b/include/statement.h
index e278b70637c46489da02b952467c51f7ecc0fb3d..fe83717f0697cb6ac98449a3bdf72a60e2d6cf6c 100644 (file)
--- a/include/statement.h
+++ b/include/statement.h
@@ -208,6 +208,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
  * @STMT_FWD:          forward statement
  * @STMT_XT:           XT statement
  * @STMT_QUOTA:                quota statement
+ * @STMT_NOTRACK:      notrack statement
  */
 enum stmt_types {
        STMT_INVALID,
@@ -230,6 +231,7 @@ enum stmt_types {
        STMT_FWD,
        STMT_XT,
        STMT_QUOTA,
+       STMT_NOTRACK,
 };
 
 /**

diff --git a/src/ct.c b/src/ct.c
index 819187642e6a884314b9ef1e26b0238fd2bbb356..e5327539e935a56c47e6aa7296fb21a902f2f980 100644 (file)
--- a/src/ct.c
+++ b/src/ct.c
@@ -414,6 +414,22 @@ struct stmt *ct_stmt_alloc(const struct location *loc, enum nft_ct_keys key,
        return stmt;
 }
 
+static void notrack_stmt_print(const struct stmt *stmt)
+{
+       printf("notrack");
+}
+
+static const struct stmt_ops notrack_stmt_ops = {
+       .type           = STMT_NOTRACK,
+       .name           = "notrack",
+       .print          = notrack_stmt_print,
+};
+
+struct stmt *notrack_stmt_alloc(const struct location *loc)
+{
+       return stmt_alloc(loc, &notrack_stmt_ops);
+}
+
 static void __init ct_init(void)
 {
        datatype_register(&ct_state_type);

diff --git a/src/evaluate.c b/src/evaluate.c
index 878efacd94bcaa09d11f7bcbcf612e84493f9331..c60e0f112b4f51f8a7aeb28af84367b372f8aec6 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2478,6 +2478,7 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
        case STMT_COUNTER:
        case STMT_LIMIT:
        case STMT_QUOTA:
+       case STMT_NOTRACK:
                return 0;
        case STMT_EXPRESSION:
                return stmt_evaluate_expr(ctx, stmt);

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 434089b714dc2721e55b7e8e43fe9ff749cff969..66d38caa04bed2ec68297fd787c3b7a9da9c3bfe 100644 (file)
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -635,6 +635,13 @@ static void netlink_parse_numgen(struct netlink_parse_ctx *ctx,
        netlink_set_register(ctx, dreg, expr);
 }
 
+static void netlink_parse_notrack(struct netlink_parse_ctx *ctx,
+                                 const struct location *loc,
+                                 const struct nftnl_expr *nle)
+{
+       ctx->stmt = notrack_stmt_alloc(loc);
+}
+
 static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx,
                                  const struct location *loc,
                                  const struct nftnl_expr *nle)
@@ -1127,6 +1134,7 @@ static const struct {
        { .name = "range",      .parse = netlink_parse_range },
        { .name = "reject",     .parse = netlink_parse_reject },
        { .name = "nat",        .parse = netlink_parse_nat },
+       { .name = "notrack",    .parse = netlink_parse_notrack },
        { .name = "masq",       .parse = netlink_parse_masq },
        { .name = "redir",      .parse = netlink_parse_redir },
        { .name = "dup",        .parse = netlink_parse_dup },

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 6c0f39bf40cff1df212e4147bdfc48f1da7ce845..2bee68448d32951e51b50b16ae68e79712afdd18 100644 (file)
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1095,6 +1095,15 @@ static void netlink_gen_ct_stmt(struct netlink_linearize_ctx *ctx,
        nftnl_rule_add_expr(ctx->nlr, nle);
 }
 
+static void netlink_gen_notrack_stmt(struct netlink_linearize_ctx *ctx,
+                                    const struct stmt *stmt)
+{
+       struct nftnl_expr *nle;
+
+       nle = alloc_nft_expr("notrack");
+       nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
 static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
                                 const struct stmt *stmt)
 {
@@ -1190,6 +1199,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
                nle = netlink_gen_stmt_stateful(ctx, stmt);
                nftnl_rule_add_expr(ctx->nlr, nle);
                break;
+       case STMT_NOTRACK:
+               return netlink_gen_notrack_stmt(ctx, stmt);
        default:
                BUG("unknown statement type %s\n", stmt->ops->name);
        }

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 74f24a52549a14442c6e7ebc245bbb60236dfa9c..91955c187f3f0e1a1fc538bd7ee3ef204a4928dd 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -425,6 +425,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token XML                     "xml"
 %token JSON                    "json"
 
+%token NOTRACK                 "notrack"
+
 %type <string>                 identifier type_identifier string comment_spec
 %destructor { xfree($$); }     identifier type_identifier string comment_spec
 
@@ -2564,6 +2566,10 @@ meta_stmt                :       META    meta_key        SET     expr
 
                                $$ = meta_stmt_alloc(&@$, key, $4);
                        }
+                       |       NOTRACK
+                       {
+                               $$ = notrack_stmt_alloc(&@$);
+                       }
                        ;
 
 offset_opt             :       /* empty */     { $$ = 0; }

diff --git a/src/scanner.l b/src/scanner.l
index 9cb8d77851d368396247fe3138f3c88605637cf6..cd7398b4e534d2f49c4e4fc5233f7310162d5dc9 100644 (file)
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -467,6 +467,8 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 
 "fib"                  { return FIB; }
 
+"notrack"              { return NOTRACK; }
+
 "xml"                  { return XML; }
 "json"                 { return JSON; }
 

diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index cc4f8e19c6196e2c09896472e076508a6db693e3..7cb49c26b6b4040eae41051832cd392bc8f41d8b 100644 (file)
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -101,3 +101,5 @@ ct invalid;fail
 ct invalid original;fail
 ct set invalid original 42;fail
 ct set invalid 42;fail
+
+notrack;ok

diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 746b75e3f4d0d48909264cd78e6f9e8f3d9fe724..26aeec314c7de2def4ad9aa9de8e4e649b1cca1c 100644 (file)
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -341,3 +341,7 @@ ip test-ip4 output
   [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x80000000 ]
   [ ct set label with reg 1 ]
 
+# notrack
+ip test-ip4 output
+  [ notrack ]
+