author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-01-02 15:15:48 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-01-02 15:15:48 +0100 |
commit | 3f3909afd76d2b4d1af0f133c7fe5dc258fcb694 (patch) | |
tree | 59b880ed2dfe28d0cae7d106c7201e2bd32a0b7c /include | |
parent | ccd9434022f230163ec88313637b90444046763b (diff) |
expr: add inner support
This patch adds support for the inner expression, which allows you to
match on the inner tunnel headers, e.g. VXLAN.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/libnftnl/expr.h | 7 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 32 |
2 files changed, 37 insertions, 2 deletions
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 00c63ab..9873228 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -316,6 +316,13 @@ enum {
 NFTNL_EXPR_LAST_SET,
 };
 
+enum {
+ NFTNL_EXPR_INNER_TYPE = NFTNL_EXPR_BASE,
+ NFTNL_EXPR_INNER_FLAGS,
+ NFTNL_EXPR_INNER_HDRSIZE,
+ NFTNL_EXPR_INNER_EXPR,
+};
+
 #ifdef __cplusplus
 } /* extern "C" */
 #endif
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 0ae9120..4608646 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -753,13 +753,14 @@ enum nft_dynset_attributes {
 * @NFT_PAYLOAD_LL_HEADER: link layer header
 * @NFT_PAYLOAD_NETWORK_HEADER: network header
 * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
- * @NFT_PAYLOAD_INNER_HEADER: inner header
+ * @NFT_PAYLOAD_INNER_HEADER: inner header / payload
 */
 enum nft_payload_bases {
 NFT_PAYLOAD_LL_HEADER,
 NFT_PAYLOAD_NETWORK_HEADER,
 NFT_PAYLOAD_TRANSPORT_HEADER,
 NFT_PAYLOAD_INNER_HEADER,
+ NFT_PAYLOAD_TUN_HEADER,
 };
 
 /**
@@ -779,6 +780,31 @@ enum nft_payload_csum_flags {
 NFT_PAYLOAD_L4CSUM_PSEUDOHDR = (1 << 0),
 };
 
+enum nft_inner_type {
+ NFT_INNER_UNSPEC = 0,
+ NFT_INNER_VXLAN,
+};
+
+enum nft_inner_flags {
+ NFT_INNER_HDRSIZE = (1 << 0),
+ NFT_INNER_LL = (1 << 1),
+ NFT_INNER_NH = (1 << 2),
+ NFT_INNER_TH = (1 << 3),
+};
+#define NFT_INNER_MASK (NFT_INNER_HDRSIZE | NFT_INNER_LL | \
+ NFT_INNER_NH | NFT_INNER_TH)
+
+enum nft_inner_attributes {
+ NFTA_INNER_UNSPEC,
+ NFTA_INNER_NUM,
+ NFTA_INNER_TYPE,
+ NFTA_INNER_FLAGS,
+ NFTA_INNER_HDRSIZE,
+ NFTA_INNER_EXPR,
+ __NFTA_INNER_MAX
+};
+#define NFTA_INNER_MAX (__NFTA_INNER_MAX - 1)
+
 /**
 * enum nft_payload_attributes - nf_tables payload expression netlink attributes
 *
@@ -898,7 +924,8 @@ enum nft_meta_keys {
 NFT_META_OIF,
 NFT_META_IIFNAME,
 NFT_META_OIFNAME,
- NFT_META_IIFTYPE,
+ NFT_META_IFTYPE,
+#define NFT_META_IIFTYPE NFT_META_IFTYPE
 NFT_META_OIFTYPE,
 NFT_META_SKUID,
 NFT_META_SKGID,
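Review bot: The anonymous enum added to `include/libnftnl/expr.h` (`NFTNL_EXPR_INNER_TYPE` through `NFTNL_EXPR_INNER_EXPR`) does not say what value type each attribute carries. `NFTNL_EXPR_INNER_EXPR` presumably holds a nested expression rather than an integer, so a caller needs to know whether setting it copies the object or hands ownership to the inner expression; a wrong guess there is a leak or a double free. The implementation is not part of this include-only view, so confirm it there and record the result in a comment above the enum, for example `/* TYPE, FLAGS, HDRSIZE: uint32_t; EXPR: struct nftnl_expr *, ownership as implemented in the inner expression */`.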
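Review bot: `NFT_PAYLOAD_TUN_HEADER` is appended to `enum nft_payload_bases` in the -753 hunk, but the kernel-doc block above the enum gets no entry for it, although the same hunk edits that block for `NFT_PAYLOAD_INNER_HEADER`. A line such as ` * @NFT_PAYLOAD_TUN_HEADER: tunnel header` after the inner-header entry would let a reader tell the two bases apart. Appending the new base at the end keeps the numeric values of the existing ones unchanged, which is what an enum shared between kernel and userspace needs.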
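Review bot: `enum nft_inner_type`, `enum nft_inner_flags` and `enum nft_inner_attributes` in the -779 hunk arrive without the kernel-doc block that the following `enum nft_payload_attributes` has. As a result the header does not state which netlink type each `NFTA_INNER_*` attribute carries, or how the `NFT_INNER_HDRSIZE` flag relates to the `NFTA_INNER_HDRSIZE` attribute. `NFT_INNER_MASK` reads as the set of accepted flag bits; a one-line comment such as `/* flag bits outside NFT_INNER_MASK are invalid */` would help anyone writing validation on either side, if that is the intent. If this file is a verbatim copy of the kernel UAPI header, the comments belong in the kernel tree first and reach this copy with the next sync.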
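Review bot: Nothing in the -898 hunk explains why `NFT_META_IIFTYPE` becomes a `#define` alias of the new `NFT_META_IFTYPE`, and the later -925 hunk adds `__NFT_META_IIFTYPE` at the end of `enum nft_meta_keys` with no explanation either. The alias keeps existing sources compiling with the same numeric value, but `__NFT_META_IIFTYPE` is a new key value after `NFT_META_SDIFNAME`, so any userspace table indexed by meta key or bounded by the previous last key should be checked against it. A comment beside the define, e.g. `/* NFT_META_IIFTYPE kept as an alias for source compatibility */`, plus a short description of what `__NFT_META_IIFTYPE` selects would make the intent clear. The enum body starts outside both hunks, and its kernel-doc block is not visible here.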
@@ -925,6 +952,7 @@ enum nft_meta_keys {
 NFT_META_TIME_HOUR,
 NFT_META_SDIF,
 NFT_META_SDIFNAME,
+ __NFT_META_IIFTYPE,
 };
 
 /** |