author | wenxu <wenxu@ucloud.cn> | 2019-01-24 22:23:49 +0800 |
committer | Florian Westphal <fw@strlen.de> | 2019-01-28 07:36:22 +0100 |
commit | 512795a673f999fb04b84dbbbe41174e9c581430 (patch) | |
tree | 22becd9b9be0890253977be3709a87be73d8ac47 | |
parent | 88ba0c92754d89c71dab11f701839522a5ddb5a9 (diff) |
meta: add iifkind and oifkind support
This can be used to match the kind of the packet's iif or oif
interface. Example:
add rule inet raw prerouting meta iifkind "vrf" accept
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | doc/primary-expression.txt | 8 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 4 | ||||
-rw-r--r-- | src/meta.c | 6 |
3 files changed, 17 insertions, 1 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index a964ce92..d819b24c 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -4,7 +4,7 @@ META EXPRESSIONS
 *meta* {length | nfproto | l4proto | protocol | priority} [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
-| iifgroup | oifgroup | cgroup | random | ipsec}
+| iifgroup | oifgroup | cgroup | random | ipsec | iifkind | oifkind}
 A meta expression refers to meta data associated with a packet.
@@ -114,6 +114,10 @@ integer (32 bit)
 |ipsec| boolean| boolean (1 bit)
+|iifkind|
+Input interface kind |
+|oifkind|
+Output interface kind |==================== .Meta expression specific types
@@ -137,6 +141,8 @@ Device group (32 bit number). Can be specified numerically or as symbolic name d
 |pkt_type| Packet type: *host* (addressed to local host), *broadcast* (to all), *multicast* (to group), *other* (addressed to another host).
+|ifkind|
+Interface kind (16 byte string). Does not have to exist. |============================= .Using meta expressions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 1d13ad37..37036be0 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -789,6 +789,8 @@ enum nft_exthdr_attributes {
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -817,6 +819,8 @@ enum nft_meta_keys {
 	NFT_META_CGROUP,
 	NFT_META_PRANDOM,
 	NFT_META_SECPATH,
+	NFT_META_IIFKIND,
+	NFT_META_OIFKIND,
 };
 
 /**
@@ -444,6 +444,12 @@ const struct meta_template meta_templates[] = { BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */ [NFT_META_SECPATH] = META_TEMPLATE("ipsec", &boolean_type, BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
+ [NFT_META_IIFKIND] = META_TEMPLATE("iifkind", &ifname_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
+ [NFT_META_OIFKIND] = META_TEMPLATE("oifkind", &ifname_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
 }; static bool meta_key_is_unqualified(enum nft_meta_keys key) |
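Review bot: The two new templates bind `iifkind`/`oifkind` to `&ifname_type`, while the doc hunk in this same commit documents a distinct `ifkind` type ("Interface kind (16 byte string). Does not have to exist."), so `nft describe meta iifkind` and rule listings will report the interface-name type rather than the one the manual names; either add a dedicated string datatype of `IFNAMSIZ` bytes for the kind and reference it from the doc, or drop the `ifkind` entry and document the keys as `ifname`-typed (the new doc table rows also appear to leave their type cell empty, as far as the collapsed rendering shows). The fixed `IFNAMSIZ * BITS_PER_BYTE` length presumably means a kernel kind string longer than `IFNAMSIZ - 1` can only be matched in truncated form, and what the key yields for a device without `rtnl_link_ops` is not visible here; both are worth confirming against the kernel side and recording in a template comment, e.g. `/* kind name as exposed by the kernel; IFNAMSIZ bytes, like ifname */`. `meta_templates[]` starts before this hunk.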