author | Florian Westphal <fw@strlen.de> | 2016-09-15 17:28:00 +0200 |
committer | Florian Westphal <fw@strlen.de> | 2016-10-28 13:17:44 +0200 |
commit | 4a75ed32132d8e2292dd276f3ea7f4edec4f3d06 (patch) | |
tree | 1c095dc262a953ebb816d1770ccbdef1724e3e00 /include | |
parent | dfd92948a0a88a9f245e71c1cfb63ae670e6e7c1 (diff) |
src: add fib expression
This adds the 'fib' expression which can be used to
obtain the output interface from the route table based on either
source or destination address of a packet.
This can be used to e.g. add reverse path filtering:
# drop if not coming from the same interface packet
# arrived on
# nft add rule x prerouting fib saddr . iif oif eq 0 drop
# accept only if from eth0
# nft add rule x prerouting fib saddr . iif oif eq "eth0" accept
# accept if from any valid interface
# nft add rule x prerouting fib saddr oif accept
Querying of address type is also supported. This can be used
to e.g. only accept packets to addresses configured in the same
interface:
# fib daddr . iif type local
It's also possible to use mark and verdict map, e.g.:
# nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap {
blackhole : drop,
prohibit : drop,
unicast : accept
}
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include')
-rw-r--r-- | include/datatype.h | 1 | ||||
-rw-r--r-- | include/expression.h | 7 | ||||
-rw-r--r-- | include/fib.h | 7 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 36 |
4 files changed, 51 insertions, 0 deletions
diff --git a/include/datatype.h b/include/datatype.h
index 12ec46bc..9f3f711c 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -81,6 +81,7 @@ enum datatypes {
 TYPE_DEVGROUP,
 TYPE_DSCP,
 TYPE_ECN,
+ TYPE_FIB_ADDR,
 __TYPE_MAX
 };
 #define TYPE_MAX (__TYPE_MAX - 1)
diff --git a/include/expression.h b/include/expression.h
index 3ae4e804..3a52a45c 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -61,6 +61,7 @@ enum expr_types {
 EXPR_NUMGEN,
 EXPR_HASH,
 EXPR_RT,
+ EXPR_FIB,
 };
 
 enum ops {
@@ -180,6 +181,7 @@ enum expr_flags {
 #include <payload.h>
 #include <exthdr.h>
+#include <fib.h>
 #include <numgen.h>
 #include <meta.h>
 #include <rt.h>
@@ -306,6 +308,11 @@ struct expr {
 uint32_t mod;
 uint32_t seed;
 } hash;
+ struct {
+ /* EXPR_FIB */
+ uint32_t flags;
+ uint32_t result;
+ } fib;
 };
 };
 
diff --git a/include/fib.h b/include/fib.h
new file mode 100644
index 00000000..3a019e65
--- /dev/null
+++ b/include/fib.h
@@ -0,0 +1,7 @@
+#ifndef NFTABLES_FIB_H
+#define NFTABLES_FIB_H
+
+extern struct expr *fib_expr_alloc(const struct location *loc,
+ unsigned int flags,
+ unsigned int result);
+#endif /* NFTABLES_FIB_H */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 2d477847..c6567ace 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
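Review bot: The new include/fib.h declares `fib_expr_alloc` in terms of `struct expr` and `struct location` without declaring either tag, so the header is only usable when included after those types are in scope, as expression.h does here; adding `struct expr;` and `struct location;` right after the include guard would make it self-contained and avoid a prototype-scope tag warning when a .c file includes it first. This appears to mirror the sibling headers listed next to it (numgen.h, meta.h, rt.h), so it is a consistency rather than a correctness point. In the expression.h `struct expr` hunk, the two new fields say nothing about their domain; I would write `uint32_t flags; /* NFTA_FIB_F_* bitmask */` and `uint32_t result; /* enum nft_fib_result */` so a reader can tie them to the uapi values added in nf_tables.h. Also note the prototype takes `unsigned int flags, unsigned int result` while the fields are `uint32_t`; using `uint32_t` in the prototype too would match the struct and the NLA_U32 attributes. The allocator's definition is outside this diffstat (limited to include/), so whether it rejects `NFT_FIB_RESULT_UNSPEC` or flags with neither `NFTA_FIB_F_SADDR` nor `NFTA_FIB_F_DADDR` set cannot be checked here.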
@@ -1126,6 +1126,42 @@ enum nft_gen_attributes {
 };
 #define NFTA_GEN_MAX (__NFTA_GEN_MAX - 1)
 
+/*
+ * enum nft_fib_attributes - nf_tables fib expression netlink attributes
+ *
+ * @NFTA_FIB_DREG: destination register (NLA_U32)
+ * @NFTA_FIB_RESULT: desired result (NLA_U32)
+ * @NFTA_FIB_FLAGS: flowi fields to initialize when querying the FIB (NLA_U32)
+ *
+ * The FIB expression performs a route lookup according
+ * to the packet data.
+ */
+enum nft_fib_attributes {
+ NFTA_FIB_UNSPEC,
+ NFTA_FIB_DREG,
+ NFTA_FIB_RESULT,
+ NFTA_FIB_FLAGS,
+ __NFTA_FIB_MAX
+};
+#define NFTA_FIB_MAX (__NFTA_FIB_MAX - 1)
+
+enum nft_fib_result {
+ NFT_FIB_RESULT_UNSPEC,
+ NFT_FIB_RESULT_OIF,
+ NFT_FIB_RESULT_OIFNAME,
+ NFT_FIB_RESULT_ADDRTYPE,
+ __NFT_FIB_RESULT_MAX
+};
+#define NFT_FIB_RESULT_MAX (__NFT_FIB_RESULT_MAX - 1)
+
+enum nft_fib_flags {
+ NFTA_FIB_F_SADDR = 1 << 0, /* look up src */
+ NFTA_FIB_F_DADDR = 1 << 1, /* look up dst */
+ NFTA_FIB_F_MARK = 1 << 2, /* use skb->mark */
+ NFTA_FIB_F_IIF = 1 << 3, /* restrict to iif */
+ NFTA_FIB_F_OIF = 1 << 4, /* restrict to oif */
+};
+
 /**
  * enum nft_trace_attributes - nf_tables trace netlink attributes
  * |