netfilter: conntrack: tag conntracks picked up in local out hook

This allows to identify flows that originate from local machine in a followup patch. It would be possible to make this a ->status bit instead. For now I did not do that yet because I don't have a use-case for exposing this info to userspace. If one comes up the toggle can be replaced with a status bit. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: conntrack: tag conntracks picked up in local out hook
This allows to identify flows that originate from local machine in a followup patch. It would be possible to make this a ->status bit instead. For now I did not do that yet because I don't have a use-case for exposing this info to userspace. If one comes up the toggle can be replaced with a status bit. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4a6fbdd8 · Florian Westphal · Pablo Neira Ayuso · 023223df · 4a6fbdd8 · 4a6fbdd8
Commit 4a6fbdd8 authored Dec 17, 2021 by Florian Westphal Committed by Pablo Neira Ayuso Dec 23, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

include/net/netfilter/nf_conntrack.h include/net/netfilter/nf_conntrack.h +1 -0

net/netfilter/nf_conntrack_core.c net/netfilter/nf_conntrack_core.c +3 -0

No files found.
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -95,6 +95,7 @@ struct nf_conn {
 	unsigned long status;

 	u16		cpu;
+	u16		local_origin:1;
 	possible_net_t ct_net;

 #if IS_ENABLED(CONFIG_NF_NAT)

--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1747,6 +1747,9 @@ resolve_normal_ct(struct nf_conn *tmpl,
 			return 0;
 		if (IS_ERR(h))
 			return PTR_ERR(h);
+
+		ct = nf_ct_tuplehash_to_ctrack(h);
+		ct->local_origin = state->hook == NF_INET_LOCAL_OUT;
 	}
 	ct = nf_ct_tuplehash_to_ctrack(h);