| 1 | // SPDX-License-Identifier: GPL-2.0-only |
|---|---|
| 2 | #if IS_ENABLED(CONFIG_NFT_CT) |
| 3 | #include <linux/netfilter/nf_tables.h> |
| 4 | #include <net/netfilter/nf_tables_core.h> |
| 5 | #include <net/netfilter/nf_conntrack.h> |
| 6 | |
| 7 | void nft_ct_get_fast_eval(const struct nft_expr *expr, |
| 8 | struct nft_regs *regs, |
| 9 | const struct nft_pktinfo *pkt) |
| 10 | { |
| 11 | const struct nft_ct *priv = nft_expr_priv(expr); |
| 12 | u32 *dest = ®s->data[priv->dreg]; |
| 13 | enum ip_conntrack_info ctinfo; |
| 14 | const struct nf_conn *ct; |
| 15 | unsigned int state; |
| 16 | |
| 17 | ct = nf_ct_get(skb: pkt->skb, ctinfo: &ctinfo); |
| 18 | |
| 19 | switch (priv->key) { |
| 20 | case NFT_CT_STATE: |
| 21 | if (ct) |
| 22 | state = NF_CT_STATE_BIT(ctinfo); |
| 23 | else if (ctinfo == IP_CT_UNTRACKED) |
| 24 | state = NF_CT_STATE_UNTRACKED_BIT; |
| 25 | else |
| 26 | state = NF_CT_STATE_INVALID_BIT; |
| 27 | *dest = state; |
| 28 | return; |
| 29 | default: |
| 30 | break; |
| 31 | } |
| 32 | |
| 33 | if (!ct) { |
| 34 | regs->verdict.code = NFT_BREAK; |
| 35 | return; |
| 36 | } |
| 37 | |
| 38 | switch (priv->key) { |
| 39 | case NFT_CT_DIRECTION: |
| 40 | nft_reg_store8(dreg: dest, CTINFO2DIR(ctinfo)); |
| 41 | return; |
| 42 | case NFT_CT_STATUS: |
| 43 | *dest = ct->status; |
| 44 | return; |
| 45 | #ifdef CONFIG_NF_CONNTRACK_MARK |
| 46 | case NFT_CT_MARK: |
| 47 | *dest = ct->mark; |
| 48 | return; |
| 49 | #endif |
| 50 | #ifdef CONFIG_NF_CONNTRACK_SECMARK |
| 51 | case NFT_CT_SECMARK: |
| 52 | *dest = ct->secmark; |
| 53 | return; |
| 54 | #endif |
| 55 | default: |
| 56 | WARN_ON_ONCE(1); |
| 57 | regs->verdict.code = NFT_BREAK; |
| 58 | break; |
| 59 | } |
| 60 | } |
| 61 | EXPORT_SYMBOL_GPL(nft_ct_get_fast_eval); |
| 62 | #endif |
| 63 |