git.ipfire.org Git - thirdparty/linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 22 May 2025 13:49:34 +0000 (15:49 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 23 May 2025 11:57:12 +0000 (13:57 +0200)
commit	7e5c6aa67e6f6133c5a2c53852e1dd9af2c0c3fc
tree	413e201ebe3b7983d3bc650ad641624a1f4563f5	tree
parent	90869f43d06dfc836def2f53850a878f829e443e	commit \| diff

netfilter: nf_tables: add packets conntrack state to debug trace info

Add the minimal relevant info needed for userspace ("nftables monitor
trace") to provide the conntrack view of the packet:

- state (new, related, established)
- direction (original, reply)
- status (e.g., if connection is subject to dnat)
- id (allows to query ctnetlink for remaining conntrack state info)

Example:
trace id a62 inet filter PRE_RAW packet: iif "enp0s3" ether [..]
[..]
trace id a62 inet filter PRE_MANGLE conntrack: ct direction original ct state new ct id 32
trace id a62 inet filter PRE_MANGLE packet: [..]
[..]
trace id a62 inet filter IN conntrack: ct direction original ct state new ct status dnat-done ct id 32
[..]

In this case one can see that while NAT is active, the new connection
isn't subject to a translation.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter/nf_tables.h		diff \| blob \| blame \| history
net/netfilter/nf_tables_trace.c		diff \| blob \| blame \| history