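// SPDX-License-Identifier: GPL-2.0-only
#if IS_ENABLED(CONFIG_NFT_CT)
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_conntrack.h>

/**
 * nft_ct_get_fast_eval - load one conntrack key into an nftables register
 * @expr: expression whose private data (struct nft_ct) names the key and
 *        the destination register
 * @regs: register file; receives the value, or an NFT_BREAK verdict
 * @pkt:  packet info; the conntrack entry is looked up from pkt->skb
 *
 * Handles NFT_CT_STATE, NFT_CT_DIRECTION, NFT_CT_STATUS and, when the
 * matching config options are set, NFT_CT_MARK and NFT_CT_SECMARK.
 *
 * NFT_CT_STATE is answered before the "no conntrack entry" check. The
 * untracked and invalid state bits are exactly the values produced when
 * nf_ct_get() returns NULL, so breaking out first would make those two
 * branches unreachable and a rule that matches on an untracked or invalid
 * state would never see the value it is meant to act on.
 *
 * Every other key dereferences @ct, so a missing entry sets the verdict to
 * NFT_BREAK. An unexpected key warns once and also sets NFT_BREAK.
 */
void nft_ct_get_fast_eval(const struct nft_expr *expr,
			  struct nft_regs *regs,
			  const struct nft_pktinfo *pkt)
{
	const struct nft_ct *priv = nft_expr_priv(expr);
	u32 *dest = &regs->data[priv->dreg];
	enum ip_conntrack_info ctinfo;
	const struct nf_conn *ct;
	unsigned int state;

	ct = nf_ct_get(pkt->skb, &ctinfo);

	/* State has a defined answer even when there is no conntrack entry. */
	if (priv->key == NFT_CT_STATE) {
		if (ct)
			state = NF_CT_STATE_BIT(ctinfo);
		else if (ctinfo == IP_CT_UNTRACKED)
			state = NF_CT_STATE_UNTRACKED_BIT;
		else
			state = NF_CT_STATE_INVALID_BIT;
		*dest = state;
		return;
	}

	/* All remaining keys read fields of the entry itself. */
	if (!ct) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	switch (priv->key) {
	case NFT_CT_DIRECTION:
		nft_reg_store8(dest, CTINFO2DIR(ctinfo));
		return;
	case NFT_CT_STATUS:
		*dest = ct->status;
		return;
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
		*dest = ct->mark;
		return;
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
	case NFT_CT_SECMARK:
		*dest = ct->secmark;
		return;
#endif
	default:
		/* Key not supported by this evaluation path. */
		WARN_ON_ONCE(1);
		regs->verdict.code = NFT_BREAK;
		break;
	}
}
EXPORT_SYMBOL_GPL(nft_ct_get_fast_eval);
#endif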