Allow filtering by name for conntrack status flags

include/netlink-types.h

@@ -717,6 +717,7 @@ struct nfnl_ct {
 	union nfnl_ct_protoinfo	ct_protoinfo;
 
 	uint32_t		ct_status;
+	uint32_t		ct_status_mask;
 	uint32_t		ct_timeout;
 	uint32_t		ct_mark;
 	uint32_t		ct_use;

include/netlink/netfilter/ct.h

@@ -53,7 +53,7 @@ extern char *		nfnl_ct_tcp_state2str(uint8_t, char *, size_t);
 extern int		nfnl_ct_str2tcp_state(const char *name);
 
 extern void		nfnl_ct_set_status(struct nfnl_ct *, uint32_t);
-extern int		nfnl_ct_test_status(const struct nfnl_ct *);
+extern void		nfnl_ct_unset_status(struct nfnl_ct *, uint32_t);
 extern uint32_t		nfnl_ct_get_status(const struct nfnl_ct *);
 
 extern void		nfnl_ct_set_timeout(struct nfnl_ct *, uint32_t);

lib/netfilter/ct_obj.c

@@ -204,7 +204,6 @@ static int ct_compare(struct nl_object *_a, struct nl_object *_b,
 	diff |= CT_DIFF_VAL(FAMILY,		ct_family);
 	diff |= CT_DIFF_VAL(PROTO,		ct_proto);
 	diff |= CT_DIFF_VAL(TCP_STATE,		ct_protoinfo.tcp.state);
-	diff |= CT_DIFF_VAL(STATUS,		ct_status);
 	diff |= CT_DIFF_VAL(TIMEOUT,		ct_timeout);
 	diff |= CT_DIFF_VAL(MARK,		ct_mark);
 	diff |= CT_DIFF_VAL(USE,		ct_use);
@@ -228,6 +227,12 @@ static int ct_compare(struct nl_object *_a, struct nl_object *_b,
 	diff |= CT_DIFF_VAL(REPL_PACKETS,	ct_repl.packets);
 	diff |= CT_DIFF_VAL(REPL_BYTES,		ct_repl.bytes);
 
+	if (flags & LOOSE_FLAG_COMPARISON)
+		diff |= CT_DIFF(STATUS, (a->ct_status ^ b->ct_status) &
+					b->ct_status_mask);
+	else
+		diff |= CT_DIFF(STATUS, a->ct_status != b->ct_status);
+
 #undef CT_DIFF
 #undef CT_DIFF_VAL
 #undef CT_DIFF_ADDR
@@ -367,13 +372,16 @@ int nfnl_ct_str2tcp_state(const char *name)
 
 void nfnl_ct_set_status(struct nfnl_ct *ct, uint32_t status)
 {
-	ct->ct_status = status;
+	ct->ct_status_mask |= status;
+	ct->ct_status |= status;
 	ct->ce_mask |= CT_ATTR_STATUS;
 }
 
-int nfnl_ct_test_status(const struct nfnl_ct *ct)
+void nfnl_ct_unset_status(struct nfnl_ct *ct, uint32_t status)
 {
-	return !!(ct->ce_mask & CT_ATTR_STATUS);
+	ct->ct_status_mask |= status;
+	ct->ct_status &= ~status;
+	ct->ce_mask |= CT_ATTR_STATUS;
 }
 
 uint32_t nfnl_ct_get_status(const struct nfnl_ct *ct)

src/f_ct.c

@@ -38,8 +38,11 @@ static void get_filter(struct nfnl_ct *ct, int argc, char **argv, int idx)
 				nfnl_ct_set_tcp_state(ct, state);
 			}
 		} else if (arg_match("status")) {
-			if (argc > ++idx)
-				nfnl_ct_set_status(ct, strtoul(argv[idx++], NULL, 0));
+			if (argc > ++idx) {
+				int status = strtoul(argv[idx++], NULL, 0);
+				nfnl_ct_set_status(ct, status);
+				nfnl_ct_unset_status(ct, ~status);
+			}
 		} else if (arg_match("timeout")) {
 			if (argc > ++idx)
 				nfnl_ct_set_timeout(ct, strtoul(argv[idx++], NULL, 0));
@@ -130,7 +133,21 @@ static void get_filter(struct nfnl_ct *ct, int argc, char **argv, int idx)
 		} else if (arg_match("replybytes")) {
 			if (argc > ++idx)
 				nfnl_ct_set_bytes(ct, 1, strtoul(argv[idx++], NULL, 0));
-		} else {
+		}
+#define MSTATUS(STR, STATUS) \
+	else if (!strcasecmp(argv[idx], STR)) { \
+		nfnl_ct_set_status(ct, STATUS); idx++; }
+#define MNOSTATUS(STR, STATUS) \
+	else if (!strcasecmp(argv[idx], STR)) { \
+		nfnl_ct_unset_status(ct, STATUS); idx++; }
+
+		MSTATUS("replied", IPS_SEEN_REPLY)
+		MNOSTATUS("unreplied", IPS_SEEN_REPLY)
+		MSTATUS("assured", IPS_ASSURED)
+		MNOSTATUS("unassured", IPS_ASSURED)
+#undef MSTATUS
+#undef MNOSTATUS
+		else {
 			fprintf(stderr, "What is '%s'?\n", argv[idx]);
 			exit(1);
 		}

src/nf-ct-dump.c

@@ -13,6 +13,7 @@
 
 #include "utils.h"
 #include <netlink/netfilter/ct.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 
 #include "f_ct.c"
 
@@ -28,7 +29,9 @@ static void print_usage(void)
 	"            [origpackets PACKETS] [origbytes BYTES]\n"
 	"            [replysrc ADDR] [replydst ADDR] [replysrcport PORT] [replydstport PORT]\n"
 	"            [replyicmpid ID] [replyicmptype TYPE] [replyicmpcode CODE]\n"
-	"            [replypackets PACKETS] [replybytes BYTES]\n");
+	"            [replypackets PACKETS] [replybytes BYTES]\n"
+	"            [{ replied | unreplied }] [{ assured | unassured }]\n"
+	);
 	exit(1);
 }