git.ipfire.org Git - thirdparty/nftables.git/commit
ct: support for NFT_CT_{SRC,DST}_{IP,IP6}
author Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 21 Jun 2019 08:28:37 +0000 (10:28 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 21 Jun 2019 16:49:07 +0000 (18:49 +0200)
commit 7f742d0a9071f932836b4f8525a6d3f7261ae083
tree cd972674de9ea2efbd6e39747acd435b100bf154
parent fb5a36ad5c1032244cf76171648fdefbbe571519

These keys are available since kernel >= 4.17.

You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta
protocol' in the first place to provide layer 3 context.

Note that NFT_CT_{SRC,DST} are broken with sets, maps and concatenations.
This patch is implicitly fixing these cases.

If your kernel is < 4.17, you can still use address matching via
explicit meta nfproto:

    meta nfproto ipv4 ct original saddr 1.2.3.4

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 files changed:
include/ct.h
src/ct.c
src/evaluate.c
src/json.c
src/netlink_delinearize.c
src/parser_bison.y
src/parser_json.c
tests/py/any/ct.t
tests/py/inet/ct.t.json
tests/py/inet/ct.t.json.output
tests/py/inet/ct.t.payload
tests/py/ip/ct.t.json
tests/py/ip/ct.t.payload