From 512795a673f999fb04b84dbbbe41174e9c581430 Mon Sep 17 00:00:00 2001 From: wenxu Date: Thu, 24 Jan 2019 22:23:49 +0800 Subject: meta: add iifkind and oifkind support This can be used to match the kind type of iif or oif interface of the packet. Example: add rule inet raw prerouting meta iifkind "vrf" accept Signed-off-by: wenxu Signed-off-by: Florian Westphal
---
 doc/primary-expression.txt | 8 +++++++-
 include/linux/netfilter/nf_tables.h | 4 ++++
 src/meta.c | 6 ++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index a964ce92..d819b24c 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -4,7 +4,7 @@ META EXPRESSIONS
 *meta* {length | nfproto | l4proto | protocol | priority} [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
-| iifgroup | oifgroup | cgroup | random | ipsec}
+| iifgroup | oifgroup | cgroup | random | ipsec | iifkind | oifkind}
 A meta expression refers to meta data associated with a packet.
@@ -114,6 +114,10 @@ integer (32 bit)
 |ipsec| boolean| boolean (1 bit)
+|iifkind|
+Input interface kind |
+|oifkind|
+Output interface kind
 |====================
 .Meta expression specific types
@@ -137,6 +141,8 @@ Device group (32 bit number). Can be specified numerically or as symbolic name d
 |pkt_type| Packet type: *host* (addressed to local host), *broadcast* (to all), *multicast* (to group), *other* (addressed to another host).
+|ifkind|
+Interface kind (16 byte string). Does not have to exist.
 |=============================
 .Using meta expressions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 1d13ad37..37036be0 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -789,6 +789,8 @@ enum nft_exthdr_attributes {
 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
 * @NFT_META_PRANDOM: a 32bit pseudo-random number
 * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
 */
 enum nft_meta_keys {
 NFT_META_LEN,
@@ -817,6 +819,8 @@ enum nft_meta_keys {
 NFT_META_CGROUP,
 NFT_META_PRANDOM,
 NFT_META_SECPATH,
+ NFT_META_IIFKIND,
+ NFT_META_OIFKIND,
 };
 /**
diff --git a/src/meta.c b/src/meta.c
index c8a7b13b..4cb91773 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -444,6 +444,12 @@ const struct meta_template meta_templates[] = {
 BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
 [NFT_META_SECPATH] = META_TEMPLATE("ipsec", &boolean_type,
 BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
+ [NFT_META_IIFKIND] = META_TEMPLATE("iifkind", &ifname_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
+ [NFT_META_OIFKIND] = META_TEMPLATE("oifkind", &ifname_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
 };
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
-- 
cgit v1.2.3
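Review bot: The two new meta_templates[] entries in the src/meta.c hunk register iifkind and oifkind with `&ifname_type`, while the doc hunk in the same commit adds a separate `ifkind` datatype row ("Interface kind (16 byte string). Does not have to exist."), so the documented type name and the type the tool will presumably report for these keys do not agree; either the doc row should say the keys use the ifname type or a dedicated ifkind datatype should be registered. A short comment on the entries would make the reuse deliberate, e.g. `/* link kind (rtnl_link_ops->kind): IFNAMSIZ-bounded string that need not name an existing interface, so ifname_type fits */`. The uapi comment ties the value to dev->rtnl_link_ops->kind, which not every device carries; what `meta iifkind "vrf"` does for a packet arriving on a device without link ops is not stated anywhere in this commit and is presumably decided by the kernel's nft_meta evaluation, so a sentence on that in the ifkind doc row would help rule authors reason about their policy. meta_templates[] starts before the hunk and meta_key_is_unqualified() continues past it.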