From 09fcaafc5a2de4379574a0882f976a14d8c49dfe Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 18 Dec 2019 12:10:41 +0100
Subject: meta: add slave device matching

Adds "meta sdif" and "meta sdifname". Both only work in input/forward hook of ipv4/ipv6/inet family.

Cc: Martin Willi
Signed-off-by: Florian Westphal
---
 doc/primary-expression.txt | 6 ++++++
 include/linux/netfilter/nf_tables.h | 4 ++++
 src/meta.c | 6 ++++++
 tests/py/ip/meta.t | 3 +++
 tests/py/ip/meta.t.payload | 11 +++++++++++
 tests/py/ip6/meta.t | 3 +++
 tests/py/ip6/meta.t.payload | 12 ++++++++++++
 7 files changed, 45 insertions(+)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6f636e13..94eccc20 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -76,6 +76,12 @@ ifname
 |oiftype|
 Output interface hardware type|
 iface_type
+|sdif|
+Slave device input interface index |
+iface_index
+|sdifname|
+Slave device interface name|
+ifname
 |skuid|
 UID associated with originating socket|
 uid
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index ed8881ad..c556ccd3 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -803,6 +803,8 @@ enum nft_exthdr_attributes {
 * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
 * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
 * @NFT_META_TIME_HOUR: hour of day (in seconds)
+ * @NFT_META_SDIF: slave device interface index
+ * @NFT_META_SDIFNAME: slave device interface name
 */
 enum nft_meta_keys {
 NFT_META_LEN,
@@ -838,6 +840,8 @@ enum nft_meta_keys {
 NFT_META_TIME_NS,
 NFT_META_TIME_DAY,
 NFT_META_TIME_HOUR,
+ NFT_META_SDIF,
+ NFT_META_SDIFNAME,
 };
 
 /**
diff --git a/src/meta.c b/src/meta.c
index 135f84b5..acc348eb 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -700,6 +700,12 @@ const struct meta_template meta_templates[] = {
 BYTEORDER_HOST_ENDIAN),
 [NFT_META_SECMARK] = META_TEMPLATE("secmark", &integer_type, 32,
 BYTEORDER_HOST_ENDIAN),
+ [NFT_META_SDIF] = META_TEMPLATE("sdif", &ifindex_type,
+ sizeof(int) * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
+ [NFT_META_SDIFNAME] = META_TEMPLATE("sdifname", &ifname_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t
index 4db88354..f733d22d 100644
--- a/tests/py/ip/meta.t
+++ b/tests/py/ip/meta.t
@@ -10,3 +10,6 @@ icmpv6 type nd-router-advert;ok
 meta ibrname "br0";fail
 meta obrname "br0";fail
+
+meta sdif "lo" accept;ok
+meta sdifname != "vrf1" accept;ok
diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload
index 322c0878..7bc69a29 100644
--- a/tests/py/ip/meta.t.payload
+++ b/tests/py/ip/meta.t.payload
@@ -33,3 +33,14 @@ ip test-ip4 input
 [ payload load 1b @ transport header + 0 => reg 1 ]
 [ cmp eq reg 1 0x00000086 ]
+# meta sdif "lo" accept
+ip6 test-ip4 input
+ [ meta load sdif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ immediate reg 0 accept ]
+
+# meta sdifname != "vrf1" accept
+ip6 test-ip4 input
+ [ meta load sdifname => reg 1 ]
+ [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/ip6/meta.t b/tests/py/ip6/meta.t
index 24445084..dce97f5b 100644
--- a/tests/py/ip6/meta.t
+++ b/tests/py/ip6/meta.t
@@ -8,3 +8,6 @@ meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-adv
 meta l4proto icmp icmp type echo-request;ok;icmp type echo-request
 meta l4proto 1 icmp type echo-request;ok;icmp type echo-request
 icmp type echo-request;ok
+
+meta sdif "lo" accept;ok
+meta sdifname != "vrf1" accept;ok
diff --git a/tests/py/ip6/meta.t.payload b/tests/py/ip6/meta.t.payload
index f203baab..be04816e 100644
--- a/tests/py/ip6/meta.t.payload
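Review bot: The restriction the commit message states for the two new template entries (usable only in the input/forward hooks of the ip/ip6/inet families) is not recorded anywhere in src/meta.c, and nothing in this diff rejects `meta sdif`/`meta sdifname` in other hooks or families, so a ruleset using them elsewhere presumably fails only when the kernel rejects it at load time. I would add a comment directly above the `[NFT_META_SDIF]` entry, `/* sdif/sdifname are only valid in the input and forward hooks of the ip, ip6 and inet families */`, so the next maintainer does not have to recover that from the commit log. The new tests in tests/py/ip/meta.t and tests/py/ip6/meta.t exercise only `;ok` cases; a `;fail` case for an unsupported hook or family would pin the restriction, if the test harness can express it. The meta_templates[] array starts outside the hunk.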
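Review bot: Both new expected-payload blocks in tests/py/ip/meta.t.payload are headed `ip6 test-ip4 input`, whereas the existing block in the same file (the hunk's header context) is headed `ip test-ip4 input`; this looks copied from the ip6 payload file, which correctly uses `ip6 test-ip6 input`. The two header lines should read `ip test-ip4 input`. If the test harness compares this family token, the ip-family sdif and sdifname cases will not match their expected payloads.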
+++ b/tests/py/ip6/meta.t.payload
@@ -32,3 +32,15 @@ ip6 test-ip6 input
 [ cmp eq reg 1 0x00000001 ]
 [ payload load 1b @ transport header + 0 => reg 1 ]
 [ cmp eq reg 1 0x00000008 ]
+
+# meta sdif "lo" accept
+ip6 test-ip6 input
+ [ meta load sdif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ immediate reg 0 accept ]
+
+# meta sdifname != "vrf1" accept
+ip6 test-ip6 input
+ [ meta load sdifname => reg 1 ]
+ [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ]
+ [ immediate reg 0 accept ]
--
cgit v1.2.3