tc: f_flower: Add option to match on related ct state

Add support for matching on ct_state flag related. The related state indicates a packet is associated with an existing connection. Example: $ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \ ct_state -est-rel+trk \ action mirred egress redirect dev ens1f0_1 $ tc filter add dev ens1f0_0 ingress prio 1 chain 1 proto ip flower \ ct_state +rel+trk \ action mirred egress redirect dev ens1f0_1 Signed-off-by: Ariel Levkovich <lariel@nvidia.com> Reviewed-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: David Ahern <dsahern@kernel.org>
2021-05-21 20:07:06 +03:00 · 2021-05-21 20:07:06 +03:00 · 7fda6c588a
parent c5b72cc56b
commit 7fda6c588a
2 changed files with 4 additions and 1 deletions
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@ -391,6 +391,8 @@ rpl - The packet is in the reply direction, meaning that it is in the opposite d
 .TP
 inv - The state is invalid. The packet couldn't be associated to a connection.
 .TP
+rel - The packet is related to an existing connection.
+.TP
 Example: +trk+est
 .RE
 .TP
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@ -94,7 +94,7 @@ static void explain(void)
 		"	LSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }\n"
 		"	FILTERID := X:Y:Z\n"
 		"	MASKED_LLADDR := { LLADDR | LLADDR/MASK | LLADDR/BITS }\n"
-		"	MASKED_CT_STATE := combination of {+|-} and flags trk,est,new\n"
+		"	MASKED_CT_STATE := combination of {+|-} and flags trk,est,new,rel\n"
 		"	ACTION-SPEC := ... look at individual actions\n"
 		"\n"
 		"NOTE:	CLASSID, IP-PROTO are parsed as hexadecimal input.\n"
@ -345,6 +345,7 @@ static struct flower_ct_states {
 	{ "trk", TCA_FLOWER_KEY_CT_FLAGS_TRACKED },
 	{ "new", TCA_FLOWER_KEY_CT_FLAGS_NEW },
 	{ "est", TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED },
+	{ "rel", TCA_FLOWER_KEY_CT_FLAGS_RELATED },
 	{ "inv", TCA_FLOWER_KEY_CT_FLAGS_INVALID },
 	{ "rpl", TCA_FLOWER_KEY_CT_FLAGS_REPLY },
 };