netfilter: add connlabel conntrack extension
similar to connmarks, except labels are bit-based; i.e. all labels may be attached to a flow at the same time. Up to 128 labels are supported. Supporting more labels is possible, but requires increasing the ct offset delta from u8 to u16 type due to increased extension sizes. Mapping of bit-identifier to label name is done in userspace. The extension is enabled at run-time once "-m connlabel" netfilter rules are added. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal
committed by
Pablo Neira Ayuso
Pablo Neira Ayuso
parent
7266507d89
commit
c539f01717
12
include/uapi/linux/netfilter/xt_connlabel.h
Normal file
12
include/uapi/linux/netfilter/xt_connlabel.h
Normal file
@@ -0,0 +1,12 @@
|
||||
#include <linux/types.h>
|
||||
|
||||
#define XT_CONNLABEL_MAXBIT 127
|
||||
enum xt_connlabel_mtopts {
|
||||
XT_CONNLABEL_OP_INVERT = 1 << 0,
|
||||
XT_CONNLABEL_OP_SET = 1 << 1,
|
||||
};
|
||||
|
||||
struct xt_connlabel_mtinfo {
|
||||
__u16 bit;
|
||||
__u16 options;
|
||||
};
|
||||
Reference in New Issue
Block a user