authorFlorian Westphal <fw@strlen.de>2017-12-01 13:40:21 +0100
committerFlorian Westphal <fw@strlen.de>2018-01-16 15:57:22 +0100
commit49f6e9a846c6c8325b95debe04d5ebc3c01246fb (patch)
tree4de70952424cf45846cc67287967fca823edc0c9
parent1dbd13c97e300dcaf6581bc7b0b0f23cc74c6645 (diff)
meta: add secpath support
This can be used to check if a packet has a secpath attached to it,
i.e. was subject to ipsec processing.

Example:
add rule inet raw prerouting meta secpath exists accept

Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--doc/nft.xml10
-rw-r--r--include/linux/netfilter/nf_tables.h2
-rw-r--r--src/meta.c3
-rw-r--r--tests/py/inet/meta.t2
-rw-r--r--tests/py/inet/meta.t.payload9
5 files changed, 26 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index cbb3b802..e515b110 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2504,6 +2504,7 @@ filter output icmpv6 type { echo-request, echo-reply }
<arg>oifgroup</arg>
<arg>cgroup</arg>
<arg>random</arg>
+ <arg>secpath</arg>
</group>
</cmdsynopsis>
</para>
@@ -2641,6 +2642,12 @@ filter output icmpv6 type { echo-request, echo-reply }
<entry>pseudo-random number</entry>
<entry>integer (32 bits)</entry>
</row>
+ <row>
+ <entry>secpath</entry>
+ <entry>boolean</entry>
+ <entry>boolean (1 bit)</entry>
+ </row>
+
</tbody>
</tgroup>
</table>
@@ -2725,6 +2732,9 @@ filter output meta oif eth0
# unqualified meta expression
filter output oif eth0
+
+# packed was subject to ipsec processing
+raw prerouting meta secpath exists accept
</programlisting>
</example>
</para>
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a3ee277b..2efbf974 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
* @NFT_META_OIFGROUP: packet output interface group
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
* @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -804,6 +805,7 @@ enum nft_meta_keys {
NFT_META_OIFGROUP,
NFT_META_CGROUP,
NFT_META_PRANDOM,
+ NFT_META_SECPATH,
};
/**
diff --git a/src/meta.c b/src/meta.c
index 687de8cd..8c2eca27 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -428,6 +428,8 @@ static const struct meta_template meta_templates[] = {
[NFT_META_PRANDOM] = META_TEMPLATE("random", &integer_type,
4 * BITS_PER_BYTE,
BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
+ [NFT_META_SECPATH] = META_TEMPLATE("secpath", &boolean_type,
+ BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
};
static bool meta_key_is_qualified(enum nft_meta_keys key)
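Review bot: The new `[NFT_META_SECPATH]` template registers the key as a one-byte (`BITS_PER_BYTE`) host-endian boolean without a comment, whereas the neighbouring `NFT_META_PRANDOM` entry explains its byte-order choice inline; a short note such as `/* single byte flag; byteorder is irrelevant (kernel-side width assumed 8 bits, confirm) */` would keep the table self-explanatory. The uapi comment added in the same commit describes the value as `secpath_exists (!!skb->sp)`, so `meta secpath exists` only reports that an xfrm secpath is attached, not which SA or policy the packet matched; rules that accept traffic on it alone, as in the `raw prerouting meta secpath exists accept` example, should be paired with interface or address matches, and the manual row would benefit from stating that. The `meta_templates[]` array begins before this hunk, and `meta_key_is_qualified` continues past it.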
@@ -439,6 +441,7 @@ static bool meta_key_is_qualified(enum nft_meta_keys key)
case NFT_META_PROTOCOL:
case NFT_META_PRIORITY:
case NFT_META_PRANDOM:
+ case NFT_META_SECPATH:
return true;
default:
return false;
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
index bd225e3d..d68896dc 100644
--- a/tests/py/inet/meta.t
+++ b/tests/py/inet/meta.t
@@ -12,3 +12,5 @@ meta nfproto ipv4 tcp dport 22;ok
meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4
meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6
meta nfproto ipv4 counter ip saddr 1.2.3.4;ok
+meta secpath exists;ok
+meta secpath missing;ok
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
index 0323b30f..2d0a66fa 100644
--- a/tests/py/inet/meta.t.payload
+++ b/tests/py/inet/meta.t.payload
@@ -64,3 +64,12 @@ inet test-inet input
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x04030201 ]
+# meta secpath exists
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# meta secpath missing
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]