v2: Address feedback from Pablo: don't reuse nft_ct_keys, but add extra
ct_trace attributes. No other changes.

Add the minimal relevant info needed for userspace ("nftables monitor trace")
to provide the conntrack view of the packet:

- state (new, related, established)
- direction (original, reply)
- status (e.g., if connection is subject to dnat)
- id (allows querying ctnetlink for remaining conntrack state info)

Example:

trace id a62 inet filter PRE_RAW packet: iif "enp0s3" ether [..]
[..]
trace id a62 inet filter PRE_MANGLE conntrack: ct direction original ct state new ct id 32
trace id a62 inet filter PRE_MANGLE packet: [..]
[..]
trace id a62 inet filter IN conntrack: ct direction original ct state new ct status dnat-done ct id 32
[..]

First patch is a needed prerequisite to avoid a module dependency.
Second patch adds the needed info.

Updated patch for libnftnl will follow shortly, the nftables patch doesn't
need adjustment: it uses libnftnl for all trace accesses.

Florian Westphal (2):
  netfilter: conntrack: make nf_conntrack_id callable without a module dependency
  netfilter: nf_tables: add packets conntrack state to debug trace info

 include/linux/netfilter.h                |  1 +
 include/uapi/linux/netfilter/nf_tables.h |  8 ++++
 net/netfilter/nf_conntrack_core.c        |  6 +++
 net/netfilter/nf_tables_trace.c          | 54 +++++++++++++++++++++++-
 4 files changed, 68 insertions(+), 1 deletion(-)

-- 
2.49.0
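The cover letter shows the new "conntrack:" trace lines only as an illustration. As an added example (not part of the patch series, libnftnl or nftables), the Python below parses lines of that shape, groups them by trace id, merges the ct attributes seen across hooks, and picks out the traces whose connection carries a dnat status. It assumes the userspace output keeps the `ct <key> <value>` layout shown in the mail; the sample lines are constructed from that example, with the "[..]" truncations left as they appear in the mail, plus one invented reply-direction trace (id b13) to show grouping.

```python
"""Parse 'nft monitor trace' output and extract the conntrack view per trace id.

Added example; the trace lines below are constructed after the shape shown in
the cover letter and are not real captured output.
"""
import re
from collections import defaultdict

SAMPLE_TRACE = """\
trace id a62 inet filter PRE_RAW packet: iif "enp0s3" ether [..]
trace id a62 inet filter PRE_MANGLE conntrack: ct direction original ct state new ct id 32
trace id a62 inet filter PRE_MANGLE packet: [..]
trace id a62 inet filter IN conntrack: ct direction original ct state new ct status dnat-done ct id 32
trace id b13 inet filter IN conntrack: ct direction reply ct state established ct id 32
"""

# trace id <hex> <family> <table> <chain> <kind>: <body>
HEADER_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) "
    r"(?P<chain>\S+) (?P<kind>\w+): (?P<body>.*)$"
)
# "ct <key> <value>" pairs; a value runs until the next " ct " or end of line,
# so multi-token values (assumed possible for status) survive intact.
CT_PAIR_RE = re.compile(r"ct (\w+) (.+?)(?= ct |$)")


def parse_ct_body(body):
    """'ct direction original ct state new ct id 32' -> dict of ct attributes."""
    return {key: value for key, value in CT_PAIR_RE.findall(body)}


def parse_trace(text):
    """Group trace records by trace id; only 'conntrack:' lines get a ct dict."""
    traces = defaultdict(list)
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if not match:
            continue  # not a trace line (or truncated residue such as "[..]")
        rec = match.groupdict()
        body = rec.pop("body")
        rec["ct"] = parse_ct_body(body) if rec["kind"] == "conntrack" else None
        traces[rec["id"]].append(rec)
    return dict(traces)


def conntrack_view(traces, trace_id):
    """Merge ct attributes over the hooks a packet traversed.

    Later hooks win, which matters for 'status': in the mail's example the
    dnat-done flag only shows up once the packet reaches the IN hook.
    """
    view = {}
    for rec in traces.get(trace_id, []):
        if rec["ct"]:
            view.update(rec["ct"])
    return view


def dnat_trace_ids(traces):
    """Trace ids whose connection reports a dnat status."""
    return sorted(
        tid for tid in traces
        if "dnat" in conntrack_view(traces, tid).get("status", "")
    )


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for tid in sorted(parsed):
        print(tid, conntrack_view(parsed, tid))
    print("dnat traces:", dnat_trace_ids(parsed))
```

The ct id field is kept as the string the trace printed; in a real workflow that is the value you would hand to a ctnetlink query for the rest of the conntrack entry, as the cover letter describes.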