Date:   Fri, 21 May 2021 20:07:06 +0300
From:   Ariel Levkovich <lariel@...dia.com>
To:     <netdev@...r.kernel.org>
CC:     Ariel Levkovich <lariel@...dia.com>, Jiri Pirko <jiri@...dia.com>
Subject: [PATCH iproute2-next 1/2] tc: f_flower: Add option to match on related ct state

Add support for matching on ct_state flag related.
The related state indicates a packet is associated with an existing
connection.

Example:
$ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \
  ct_state -est-rel+trk \
  action mirred egress redirect dev ens1f0_1

$ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \
  ct_state +rel+trk \
  action mirred egress redirect dev ens1f0_1

Signed-off-by: Ariel Levkovich <lariel@...dia.com>
Reviewed-by: Jiri Pirko <jiri@...dia.com>
---
 man/man8/tc-flower.8 | 2 ++
 tc/f_flower.c        | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index f7336b62..4541d937 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -391,6 +391,8 @@ rpl - The packet is in the reply direction, meaning that it is in the opposite d
 .TP
 inv - The state is invalid. The packet couldn't be associated to a connection.
 .TP
+rel - The packet is related to an existing connection.
+.TP
 Example: +trk+est
 .RE
 .TP
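Review bot: the new "rel" entry does not say how it relates to "est", even though the commit message's first example matches on -est-rel+trk, which implies the two flags are tested independently. Suggest one more sentence in the entry saying so, and extending the "Example: +trk+est" line with a combination that uses the new flag, such as +rel+trk from the commit message.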
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 53822a95..29db2e23 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -94,7 +94,7 @@ static void explain(void)
 		"	LSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }\n"
 		"	FILTERID := X:Y:Z\n"
 		"	MASKED_LLADDR := { LLADDR | LLADDR/MASK | LLADDR/BITS }\n"
-		"	MASKED_CT_STATE := combination of {+|-} and flags trk,est,new\n"
+		"	MASKED_CT_STATE := combination of {+|-} and flags trk,est,new,rel\n"
 		"	ACTION-SPEC := ... look at individual actions\n"
 		"\n"
 		"NOTE:	CLASSID, IP-PROTO are parsed as hexadecimal input.\n"
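Review bot: the MASKED_CT_STATE usage line now reads "trk,est,new,rel" but still leaves out inv and rpl, both of which are in the flower_ct_states table touched by the next hunk and in the man page context of the first hunk. Since the line is being edited anyway, list every accepted flag here, ideally in the same order as the table (trk,new,est,rel,inv,rpl), so the help text and the parser do not drift further apart.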
@@ -345,6 +345,7 @@ static struct flower_ct_states {
 	{ "trk", TCA_FLOWER_KEY_CT_FLAGS_TRACKED },
 	{ "new", TCA_FLOWER_KEY_CT_FLAGS_NEW },
 	{ "est", TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED },
+	{ "rel", TCA_FLOWER_KEY_CT_FLAGS_RELATED },
 	{ "inv", TCA_FLOWER_KEY_CT_FLAGS_INVALID },
 	{ "rpl", TCA_FLOWER_KEY_CT_FLAGS_REPLY },
 };
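Review bot: the new table entry uses TCA_FLOWER_KEY_CT_FLAGS_RELATED, but the diffstat lists only man/man8/tc-flower.8 and tc/f_flower.c, so the constant has to come from a uapi header that is already in the tree. The commit message should name the header sync or kernel change this depends on, so that anyone applying the patch to a tree without it gets an explanation rather than a build failure.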
-- 
2.25.2
