From 4a75ed32132d8e2292dd276f3ea7f4edec4f3d06 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Thu, 15 Sep 2016 17:28:00 +0200
Subject: src: add fib expression

This adds the 'fib' expression which can be used to
obtain the output interface from the route table based on either
source or destination address of a packet.

This can be used to e.g. add reverse path filtering:

 # drop if not coming from the same interface packet
 # arrived on
 # nft add rule x prerouting fib saddr . iif oif eq 0 drop

 # accept only if from eth0
 # nft add rule x prerouting fib saddr . iif oif eq "eth0" accept

 # accept if from any valid interface
 # nft add rule x prerouting fib saddr oif accept

Querying of address type is also supported.  This can be used
to e.g. only accept packets to addresses configured in the same
interface:
 # fib daddr . iif type local

Its also possible to use mark and verdict map, e.g.:
 # nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap {
   blackhole : drop,
   prohibit : drop,
   unicast : accept
 }

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/netlink_delinearize.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'src/netlink_delinearize.c')

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index dc9cc837..f0df8848 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -538,6 +538,23 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
 	netlink_set_register(ctx, dreg, expr);
 }
 
+static void netlink_parse_fib(struct netlink_parse_ctx *ctx,
+			      const struct location *loc,
+			      const struct nftnl_expr *nle)
+{
+	enum nft_registers dreg;
+	struct expr *expr;
+	uint32_t flags, result;
+
+	flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_FIB_FLAGS);
+	result = nftnl_expr_get_u32(nle, NFTNL_EXPR_FIB_RESULT);
+
+	expr = fib_expr_alloc(loc, flags, result);
+
+	dreg = netlink_parse_register(nle, NFTNL_EXPR_FIB_DREG);
+	netlink_set_register(ctx, dreg, expr);
+}
+
 static void netlink_parse_meta_expr(struct netlink_parse_ctx *ctx,
 				    const struct location *loc,
 				    const struct nftnl_expr *nle)
@@ -1120,6 +1137,7 @@ static const struct {
 	{ .name = "quota",	.parse = netlink_parse_quota },
 	{ .name = "numgen",	.parse = netlink_parse_numgen },
 	{ .name = "hash",	.parse = netlink_parse_hash },
+	{ .name = "fib",	.parse = netlink_parse_fib },
 };
 
 static int netlink_parse_expr(const struct nftnl_expr *nle,
@@ -1743,6 +1761,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
 	case EXPR_RT:
 	case EXPR_VERDICT:
 	case EXPR_NUMGEN:
+	case EXPR_FIB:
 		break;
 	case EXPR_HASH:
 		expr_postprocess(ctx, &expr->hash.expr);
-- 
cgit v1.2.3