meta: add secpath support

This can be used to check if a packet has a secpath attached to it, i.e. was subject to ipsec processing. Example: add rule inet raw prerouting meta secpath exists accept Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2017-12-01 13:40:21 +0100
committer: Florian Westphal <fw@strlen.de> 2018-01-16 15:57:22 +0100
commit: 49f6e9a846c6c8325b95debe04d5ebc3c01246fb (patch)
tree: 4de70952424cf45846cc67287967fca823edc0c9 /include
parent: 1dbd13c97e300dcaf6581bc7b0b0f23cc74c6645 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a3ee277b..2efbf974 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_OIFGROUP: packet output interface group
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -804,6 +805,7 @@ enum nft_meta_keys {
 	NFT_META_OIFGROUP,
 	NFT_META_CGROUP,
 	NFT_META_PRANDOM,
+	NFT_META_SECPATH,
 };
 
 /**
author	Florian Westphal <fw@strlen.de>	2017-12-01 13:40:21 +0100
committer	Florian Westphal <fw@strlen.de>	2018-01-16 15:57:22 +0100
commit	49f6e9a846c6c8325b95debe04d5ebc3c01246fb (patch)
tree	4de70952424cf45846cc67287967fca823edc0c9 /include
parent	1dbd13c97e300dcaf6581bc7b0b0f23cc74c6645 (diff)