From 49f6e9a846c6c8325b95debe04d5ebc3c01246fb Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Fri, 1 Dec 2017 13:40:21 +0100
Subject: meta: add secpath support
This can be used to check if a packet has a secpath attached to it, i.e. was subject to ipsec processing. Example: add rule inet raw prerouting meta secpath exists accept
Signed-off-by: Florian Westphal
---
doc/nft.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'doc')
diff --git a/doc/nft.xml b/doc/nft.xml
index cbb3b802..e515b110 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2504,6 +2504,7 @@ filter output icmpv6 type { echo-request, echo-reply } oifgroup cgroup random
+ secpath
@@ -2641,6 +2642,12 @@ filter output icmpv6 type { echo-request, echo-reply } pseudo-random number integer (32 bits)
+
+ secpath
+ boolean
+ boolean (1 bit)
+
+
@@ -2725,6 +2732,9 @@ filter output meta oif eth0 # unqualified meta expression filter output oif eth0
+
+# packed was subject to ipsec processing
+raw prerouting meta secpath exists accept
-- cgit v1.2.3