authorFlorian Westphal <fw@strlen.de>2018-09-05 11:16:42 +0200
committerFlorian Westphal <fw@strlen.de>2018-09-21 12:03:47 +0200
commit04ca9a6ba3ca369053e9b5951f2f85bf8fe98e72 (patch)
treee8d68a8efef66f446d90de1183785ad4b0d0522a
parentb0d3f3d95c51f506787719021f3dcba5da687dcb (diff)
src: rt: add support to check if route will perform ipsec transformation
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/primary-expression.txt4
-rw-r--r--include/linux/netfilter/nf_tables.h1
-rw-r--r--src/parser_bison.y2
-rw-r--r--src/parser_json.c1
-rw-r--r--src/rt.c5
-rw-r--r--src/scanner.l1
-rw-r--r--tests/py/any/rt.t2
-rw-r--r--tests/py/any/rt.t.json30
-rw-r--r--tests/py/any/rt.t.payload10
9 files changed, 56 insertions, 0 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 83edac3e..f217f839 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -260,6 +260,9 @@ ipv4_addr/ipv6_addr
|mtu|
TCP maximum segment size of route |
integer (16 bit)
+|ipsec|
+route via ipsec tunnel or transport |
+boolean
|=================================
.Routing expression specific types
@@ -274,6 +277,7 @@ Routing Realm (32 bit number). Can be specified numerically or as symbolic name
--------------------------
# IP family independent rt expression
filter output rt classid 10
+filter output rt ipsec missing
# IP family dependent rt expressions
ip filter output rt nexthop 192.168.0.1
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 143ebe28..1a63bd1e 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -832,6 +832,7 @@ enum nft_rt_keys {
NFT_RT_NEXTHOP4,
NFT_RT_NEXTHOP6,
NFT_RT_TCPMSS,
+ NFT_RT_XFRM,
__NFT_RT_MAX
};
#define NFT_RT_MAX (__NFT_RT_MAX - 1)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 85830d88..32d61b3b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -510,6 +510,7 @@ int nft_lex(void *, void *, void *);
%token EXTHDR "exthdr"
+%token IPSEC "ipsec"
%type <string> identifier type_identifier string comment_spec
%destructor { xfree($$); } identifier type_identifier string comment_spec
@@ -3830,6 +3831,7 @@ rt_expr : RT rt_key
rt_key : CLASSID { $$ = NFT_RT_CLASSID; }
| NEXTHOP { $$ = NFT_RT_NEXTHOP4; }
| MTU { $$ = NFT_RT_TCPMSS; }
+ | IPSEC { $$ = NFT_RT_XFRM; }
;
ct_expr : CT ct_key
diff --git a/src/parser_json.c b/src/parser_json.c
index 514bc46b..3f0ab0ac 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -621,6 +621,7 @@ static struct expr *json_parse_rt_expr(struct json_ctx *ctx,
{ "classid", NFT_RT_CLASSID },
{ "nexthop", NFT_RT_NEXTHOP4 },
{ "mtu", NFT_RT_TCPMSS },
+ { "ipsec", NFT_RT_XFRM },
};
unsigned int i, familyval = NFPROTO_UNSPEC;
const char *key, *family = NULL;
diff --git a/src/rt.c b/src/rt.c
index caa4947d..b63284fb 100644
--- a/src/rt.c
+++ b/src/rt.c
@@ -79,6 +79,11 @@ const struct rt_template rt_templates[] = {
2 * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN,
false),
+ [NFT_RT_XFRM] = RT_TEMPLATE("ipsec",
+ &boolean_type,
+ BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN,
+ false),
};
static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)
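Review bot: The new `[NFT_RT_XFRM]` template entry is the only place in the C code that defines what the `ipsec` key yields, yet it carries no comment; the meaning currently lives only in the doc hunk ("route via ipsec tunnel or transport"). A one-line comment above the entry would keep the contract next to the code, e.g. `/* boolean: true when the packet's route has an ipsec (xfrm) transformation attached; see doc/primary-expression.txt */`. The template declares a single host-endian byte (`BITS_PER_BYTE`) typed `boolean_type`, which is consistent with the `cmp eq reg 1 0x00000001` / `0x00000000` lines in the payload test, but whether the kernel side actually stores one byte for this key cannot be confirmed from this page and is worth a cross-check since a width mismatch would silently compare the wrong register bytes. The `rt_templates[]` initializer begins before this hunk.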
diff --git a/src/scanner.l b/src/scanner.l
index 2f45e05b..26e63b9b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -554,6 +554,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"exthdr" { return EXTHDR; }
+"ipsec" { return IPSEC; }
{addrstring} {
yylval->string = xstrdup(yytext);
return STRING;
diff --git a/tests/py/any/rt.t b/tests/py/any/rt.t
index 4f65eaad..3ce57e05 100644
--- a/tests/py/any/rt.t
+++ b/tests/py/any/rt.t
@@ -5,3 +5,5 @@
*inet;test-inet;output
rt classid "cosmos";ok
+rt ipsec exists;ok
+rt ipsec missing;ok
diff --git a/tests/py/any/rt.t.json b/tests/py/any/rt.t.json
index 955d12a3..2ca6fe01 100644
--- a/tests/py/any/rt.t.json
+++ b/tests/py/any/rt.t.json
@@ -13,3 +13,33 @@
}
]
+# rt ipsec exists
+[
+ {
+ "match": {
+ "left": {
+ "rt": {
+ "key": "ipsec"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# rt ipsec missing
+[
+ {
+ "match": {
+ "left": {
+ "rt": {
+ "key": "ipsec"
+ }
+ },
+ "op": "==",
+ "right": false
+ }
+ }
+]
+
diff --git a/tests/py/any/rt.t.payload b/tests/py/any/rt.t.payload
index 0e354fa0..e1ecb286 100644
--- a/tests/py/any/rt.t.payload
+++ b/tests/py/any/rt.t.payload
@@ -3,3 +3,13 @@ ip test-ip4 input
[ rt load classid => reg 1 ]
[ cmp eq reg 1 0x00000000 ]
+# rt ipsec exists
+ip test-ip4 input
+ [ rt load ipsec => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# rt ipsec missing
+ip test-ip4 input
+ [ rt load ipsec => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+