ct: Add support for the 'id' key
authorBrett Mastbergen <brett.mastbergen@gmail.com>
Fri, 1 May 2020 17:55:35 +0000 (13:55 -0400)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 1 May 2020 19:12:06 +0000 (21:12 +0200)
The 'id' key allows for matching on the id of the conntrack entry.

v2: Remove ct_id_type

Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc/payload-expression.txt
src/ct.c
src/parser_bison.y
tests/py/any/ct.t
tests/py/any/ct.t.payload

index 4bbf8d0538fc15841887ad29acb8778e0dc13a3b..e6f108b1db523f66b16967a22f6351f8b93a44d3 100644 (file)
@@ -638,7 +638,7 @@ zone id is tied to the given direction. +
 
 [verse]
 *ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label*}
-*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone*}
+*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone* | *id*}
 *ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
 *ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
 
@@ -700,6 +700,9 @@ integer (16 bit)
 |count|
 count number of connections
 integer (32 bit)
+|id|
+Connection id
+ct_id
 |==========================================
 A description of conntrack-specific types listed above can be found sub-section CONNTRACK TYPES above.
 
index db1dabd319e99050ff6d9e2184f72dcbba362eaf..0842c838b913392379ec6fd6ed8667adfe319f39 100644 (file)
--- a/src/ct.c
+++ b/src/ct.c
@@ -301,6 +301,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
                                              BYTEORDER_BIG_ENDIAN, 128),
        [NFT_CT_SECMARK]        = CT_TEMPLATE("secmark", &integer_type,
                                              BYTEORDER_HOST_ENDIAN, 32),
+       [NFT_CT_ID]             = CT_TEMPLATE("id", &integer_type,
+                                             BYTEORDER_BIG_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
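Review bot: The new template registers the id key with `&integer_type`, but the documentation hunk in doc/payload-expression.txt lists its type as `ct_id` (the row reads `|id|`, `Connection id`, `ct_id`), and the commit message itself says the ct_id type was dropped in v2; the doc row should say `integer (32 bit)` like the neighbouring count row so it matches what the code actually exposes. The byte order also deserves a word: secmark two lines above uses `BYTEORDER_HOST_ENDIAN` while id uses `BYTEORDER_BIG_ENDIAN`, and the expected bytecode in tests/py/any/ct.t.payload compares 12345 (0x3039) as `0x39300000`, so the value is being byte-swapped before the cmp. If the kernel hands the conntrack id back in host order as it presumably does for secmark, that comparison would never match on little-endian hosts; if big-endian is deliberate, a comment such as `/* id is exposed by the kernel as a 32-bit network-order value */` on the template would stop the next reader from "fixing" it. ct_print begins on the last line of the hunk and its body is outside it.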
index b1e869d568a1bcbc22fffbf7637272e520c33bd2..3cd0559b2912e86e23efdf351a8412811fb576e8 100644 (file)
@@ -4550,6 +4550,7 @@ ct_key                    :       L3PROTOCOL      { $$ = NFT_CT_L3PROTOCOL; }
                        |       LABEL           { $$ = NFT_CT_LABELS; }
                        |       EVENT           { $$ = NFT_CT_EVENTMASK; }
                        |       SECMARK         { $$ = NFT_CT_SECMARK; }
+                       |       ID              { $$ = NFT_CT_ID; }
                        |       ct_key_dir_optional
                        ;
 
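Review bot: `ID` is added to the plain `ct_key` rule, which carries no direction, yet the documentation hunk places `*id*` on the `*ct* [*original* | *reply*] { ... }` line, advertising `ct original id` as valid syntax that this grammar will reject. Either the token belongs in `ct_key_dir_optional` (that rule is outside the hunk) or the doc line should list `*id*` alongside state/mark/expiration on the direction-less line; the two cannot both stand. Whichever is chosen, tests/py/any/ct.t currently only has `ct id 12345;ok`, and a matching `ct original id 1;fail` (or `;ok`) would pin the decision.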
index f65d275987cd3cc1e24a2dc181ef0e5d5754bc4d..cc09aebcbc4483e967660d248bc07be8005f5fb4 100644 (file)
@@ -128,6 +128,8 @@ ct both zone 1;fail
 ct original zone 1;ok
 ct reply zone 1;ok
 
+ct id 12345;ok
+
 ct zone set 1;ok
 ct original zone set 1;ok
 ct reply zone set 1;ok
index 6615912578044d1d21f5ac3f39c2a57eaec2b1df..ccbddc89959d72d145c77daa2662a503884ecb8e 100644 (file)
@@ -520,3 +520,8 @@ ip test-ip4 output
   [ bitwise reg 1 = (reg=1 & 0xfffffffe ) ^ 0x00000001 ]
   [ ct set mark with reg 1 ]
 
+# ct id 12345
+ip test-ip4 output
+  [ ct load unknown => reg 1 ]
+  [ cmp eq reg 1 0x39300000 ]
+
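Review bot: The expected bytecode pins `[ ct load unknown => reg 1 ]`, i.e. the decoder rendering the test output does not know a name for the new key, which presumably means the key-name table on the library side has not been extended yet. Committing `unknown` as the expected string hides whether the correct key number is emitted and will make this test fail the moment the name is added. If the library change cannot land first, a comment next to the case such as `# "unknown" until the ct key name table learns NFT_CT_ID` would explain the placeholder to whoever later updates the expectation.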