# conntrack -L -u OFFLOAD tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2 tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2
Signed-off-by: Pablo Neira Ayuso <[email protected]> --- conntrack.8 | 4 ++-- include/conntrack.h | 7 ++++--- include/linux/netfilter/nf_conntrack_common.h | 24 ++++++++++++++++++++++-- src/conntrack.c | 7 ++++--- 4 files changed, 32 insertions(+), 10 deletions(-) diff --git a/conntrack.8 b/conntrack.8 index 3c1e960e910e..1174c6cec73c 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -1,4 +1,4 @@ -.TH CONNTRACK 8 "Sep 26, 2017" "" "" +.TH CONNTRACK 8 "Aug 9, 2019" "" "" .\" Man page written by Harald Welte <[email protected] (Jun 2005) .\" Maintained by Pablo Neira Ayuso <[email protected] (May 2007) @@ -193,7 +193,7 @@ This option is only available in conjunction with "\-U, \-\-update". .BI "-c, --secmark " "SECMARK" Specify the conntrack selinux security mark. .TP -.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]" +.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]" Specify the conntrack status. .TP .BI "-n, --src-nat " diff --git a/include/conntrack.h b/include/conntrack.h index 6659a6454bc0..37ccf6e9a87e 100644 --- a/include/conntrack.h +++ b/include/conntrack.h @@ -3,7 +3,6 @@ #include "linux_list.h" #include <stdint.h> -#include <libnetfilter_conntrack/libnetfilter_conntrack.h> #define PROGNAME "conntrack" @@ -12,6 +11,8 @@ #define NUMBER_OF_CMD 19 #define NUMBER_OF_OPT 29 +struct nf_conntrack; + struct ctproto_handler { struct list_head head; @@ -19,8 +20,8 @@ struct ctproto_handler { uint16_t protonum; const char *version; - enum ctattr_protoinfo protoinfo_attr; - + uint32_t protoinfo_attr; + int (*parse_opts)(char c, struct nf_conntrack *ct, struct nf_conntrack *exptuple, diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index 4cf003f43076..8023e5b6572f 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h @@ -1,3 +1,4 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef _NF_CONNTRACK_COMMON_H #define _NF_CONNTRACK_COMMON_H /* Connection state tracking for netfilter. This is separated from, @@ -28,12 +29,14 @@ enum ip_conntrack_info { /* only for userspace compatibility */ #ifndef __KERNEL__ IP_CT_NEW_REPLY = IP_CT_NUMBER, +#else + IP_CT_UNTRACKED = 7, #endif }; #define NF_CT_STATE_INVALID_BIT (1 << 0) #define NF_CT_STATE_BIT(ctinfo) (1 << ((ctinfo) % IP_CT_IS_REPLY + 1)) -#define NF_CT_STATE_UNTRACKED_BIT (1 << (IP_CT_NUMBER + 1)) +#define NF_CT_STATE_UNTRACKED_BIT (1 << 6) /* Bitset representing status of connection. */ enum ip_conntrack_status { @@ -90,13 +93,26 @@ enum ip_conntrack_status { IPS_TEMPLATE_BIT = 11, IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), - /* Conntrack is a fake untracked entry */ + /* Conntrack is a fake untracked entry. Obsolete and not used anymore */ IPS_UNTRACKED_BIT = 12, IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), /* Conntrack got a helper explicitly attached via CT target. */ IPS_HELPER_BIT = 13, IPS_HELPER = (1 << IPS_HELPER_BIT), + + /* Conntrack has been offloaded to flow table. */ + IPS_OFFLOAD_BIT = 14, + IPS_OFFLOAD = (1 << IPS_OFFLOAD_BIT), + + /* Be careful here, modifying these bits can make things messy, + * so don't let users modify them directly. + */ + IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK | + IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING | + IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_OFFLOAD), + + __IPS_MAX_BIT = 15, }; /* Connection tracking event types */ @@ -113,6 +129,10 @@ enum ip_conntrack_events { IPCT_NATSEQADJ = IPCT_SEQADJ, IPCT_SECMARK, /* new security mark has been set */ IPCT_LABEL, /* new connlabel has been set */ + IPCT_SYNPROXY, /* synproxy has been set */ +#ifdef __KERNEL__ + __IPCT_MAX +#endif }; enum ip_conntrack_expect_events { diff --git a/src/conntrack.c b/src/conntrack.c index 97132a977221..c980a13f33d2 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -62,6 +62,7 @@ #include <sys/stat.h> #include <fcntl.h> #include <libmnl/libmnl.h> +#include <linux/netfilter/nf_conntrack_common.h> #include <libnetfilter_conntrack/libnetfilter_conntrack.h> static struct nfct_mnl_socket { @@ -867,10 +868,10 @@ enum { static struct parse_parameter { const char *parameter[7]; size_t size; - unsigned int value[7]; + unsigned int value[8]; } parse_array[PARSE_MAX] = { - { {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED"}, 5, - { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} }, + { {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED", "OFFLOAD"}, 6, + { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED, IPS_OFFLOAD} }, { {"ALL", "NEW", "UPDATES", "DESTROY"}, 4, { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } }, { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", "userspace" }, 7, -- 2.11.0
