net/netfilter/nft_ct_fast.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 #if IS_ENABLED(CONFIG_NFT_CT)
   3 #include <linux/netfilter/nf_tables.h>
   4 #include <net/netfilter/nf_tables_core.h>
   5 #include <net/netfilter/nf_conntrack.h>
   6
   7 void nft_ct_get_fast_eval(const struct nft_expr *expr,
   8                           struct nft_regs *regs,
   9                           const struct nft_pktinfo *pkt)
  10 {
  11         const struct nft_ct *priv = nft_expr_priv(expr);
  12         u32 *dest = &regs->data[priv->dreg];
  13         enum ip_conntrack_info ctinfo;
  14         const struct nf_conn *ct;
  15         unsigned int state;
  16
  17         ct = nf_ct_get(pkt->skb, &ctinfo);
  18         if (!ct) {
  19                 regs->verdict.code = NFT_BREAK;
  20                 return;
  21         }
  22
  23         switch (priv->key) {
  24         case NFT_CT_STATE:
  25                 if (ct)
  26                         state = NF_CT_STATE_BIT(ctinfo);
  27                 else if (ctinfo == IP_CT_UNTRACKED)
  28                         state = NF_CT_STATE_UNTRACKED_BIT;
  29                 else
  30                         state = NF_CT_STATE_INVALID_BIT;
  31                 *dest = state;
  32                 return;
  33         case NFT_CT_DIRECTION:
  34                 nft_reg_store8(dest, CTINFO2DIR(ctinfo));
  35                 return;
  36         case NFT_CT_STATUS:
  37                 *dest = ct->status;
  38                 return;
  39 #ifdef CONFIG_NF_CONNTRACK_MARK
  40         case NFT_CT_MARK:
  41                 *dest = ct->mark;
  42                 return;
  43 #endif
  44 #ifdef CONFIG_NF_CONNTRACK_SECMARK
  45         case NFT_CT_SECMARK:
  46                 *dest = ct->secmark;
  47                 return;
  48 #endif
  49         default:
  50                 WARN_ON_ONCE(1);
  51                 regs->verdict.code = NFT_BREAK;
  52                 break;
  53         }
  54 }
  55 EXPORT_SYMBOL_GPL(nft_ct_get_fast_eval);
  56 #endif