From 04ca9a6ba3ca369053e9b5951f2f85bf8fe98e72 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 5 Sep 2018 11:16:42 +0200
Subject: src: rt: add support to check if route will perform ipsec transformation

Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
---
 doc/primary-expression.txt          |  4 ++++
 include/linux/netfilter/nf_tables.h |  1 +
 src/parser_bison.y                  |  2 ++
 src/parser_json.c                   |  1 +
 src/rt.c                            |  5 +++++
 src/scanner.l                       |  1 +
 tests/py/any/rt.t                   |  2 ++
 tests/py/any/rt.t.json              | 30 ++++++++++++++++++++++++++++++
 tests/py/any/rt.t.payload           | 10 ++++++++++
 9 files changed, 56 insertions(+)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 83edac3e..f217f839 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -260,6 +260,9 @@ ipv4_addr/ipv6_addr
 |mtu|
 TCP maximum segment size of route |
 integer (16 bit)
+|ipsec|
+route via ipsec tunnel or transport |
+boolean
 |=================================
 
 .Routing expression specific types
@@ -274,6 +277,7 @@ Routing Realm (32 bit number). Can be specified numerically or as symbolic name
 --------------------------
 # IP family independent rt expression
 filter output rt classid 10
+filter output rt ipsec missing
 
 # IP family dependent rt expressions
 ip filter output rt nexthop 192.168.0.1
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 143ebe28..1a63bd1e 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -832,6 +832,7 @@ enum nft_rt_keys {
 	NFT_RT_NEXTHOP4,
 	NFT_RT_NEXTHOP6,
 	NFT_RT_TCPMSS,
+	NFT_RT_XFRM,
 	__NFT_RT_MAX
 };
 #define NFT_RT_MAX (__NFT_RT_MAX - 1)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 85830d88..32d61b3b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -510,6 +510,7 @@ int nft_lex(void *, void *, void *);
 %token EXTHDR "exthdr"
+%token IPSEC "ipsec"
 %type identifier type_identifier string comment_spec
 %destructor { xfree($$); } identifier type_identifier string comment_spec
@@ -3830,6 +3831,7 @@ rt_expr : RT rt_key
 rt_key : CLASSID { $$ = NFT_RT_CLASSID; }
 	| NEXTHOP { $$ = NFT_RT_NEXTHOP4; }
 	| MTU { $$ = NFT_RT_TCPMSS; }
+	| IPSEC { $$ = NFT_RT_XFRM; }
 	;
 
 ct_expr : CT ct_key
diff --git a/src/parser_json.c b/src/parser_json.c
index 514bc46b..3f0ab0ac 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -621,6 +621,7 @@ static struct expr *json_parse_rt_expr(struct json_ctx *ctx,
 		{ "classid", NFT_RT_CLASSID },
 		{ "nexthop", NFT_RT_NEXTHOP4 },
 		{ "mtu", NFT_RT_TCPMSS },
+		{ "ipsec", NFT_RT_XFRM },
 	};
 	unsigned int i, familyval = NFPROTO_UNSPEC;
 	const char *key, *family = NULL;
diff --git a/src/rt.c b/src/rt.c
index caa4947d..b63284fb 100644
--- a/src/rt.c
+++ b/src/rt.c
@@ -79,6 +79,11 @@ const struct rt_template rt_templates[] = {
 					  2 * BITS_PER_BYTE,
 					  BYTEORDER_HOST_ENDIAN,
 					  false),
+	[NFT_RT_XFRM]		= RT_TEMPLATE("ipsec",
+					  &boolean_type,
+					  BITS_PER_BYTE,
+					  BYTEORDER_HOST_ENDIAN,
+					  false),
 };
 
 static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)
diff --git a/src/scanner.l b/src/scanner.l
index 2f45e05b..26e63b9b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -554,6 +554,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 "exthdr" { return EXTHDR; }
+"ipsec" { return IPSEC; }
 {addrstring} {
 	yylval->string = xstrdup(yytext);
 	return STRING;
diff --git a/tests/py/any/rt.t b/tests/py/any/rt.t
index 4f65eaad..3ce57e05 100644
--- a/tests/py/any/rt.t
+++ b/tests/py/any/rt.t
@@ -5,3 +5,5 @@
 *inet;test-inet;output
 
 rt classid "cosmos";ok
+rt ipsec exists;ok
+rt ipsec missing;ok
diff --git a/tests/py/any/rt.t.json b/tests/py/any/rt.t.json
index 955d12a3..2ca6fe01 100644
--- a/tests/py/any/rt.t.json
+++ b/tests/py/any/rt.t.json
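Review bot: The new `[NFT_RT_XFRM]` entry in rt_templates is the only place that ties the user-visible keyword `ipsec` to the kernel key NFT_RT_XFRM, and the mapping is undocumented, so someone reading the ruleset syntax and grepping the source for "xfrm" finds no explanation. A one-line comment above the entry would make it explicit: `/* "ipsec" keyword -> NFT_RT_XFRM: one-byte boolean, true when the route carries an IPsec (xfrm) transformation */`. The declared width and byte order (BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN) are consistent with the single-register compare the payload test expects (`cmp eq reg 1 0x00000001`); that the kernel actually stores one byte is presumably true but cannot be confirmed from this patch. The rt_templates array starts before the hunk; only its tail is visible here.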
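Review bot: Adding `"ipsec" { return IPSEC; }` to scanner.l turns `ipsec` into a reserved token in every grammar position, so an existing ruleset that uses that bare name for a table, chain, set or map (a constructed example: `add set inet filter ipsec { type ipv4_addr; }`) would stop loading after this change unless the name is quoted; the `%token IPSEC` in the parser_bison.y hunk is the other half of the same change. Whether the grammar's identifier rule admits keywords as plain names is outside these hunks; if it does not, IPSEC should be listed there, or the new reserved word called out in the release notes so operators can audit rulesets before upgrading. The JSON path is unaffected, since `"key": "ipsec"` in parser_json.c is matched as a string value rather than a lexer keyword.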
@@ -13,3 +13,33 @@
     }
 ]
 
+# rt ipsec exists
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# rt ipsec missing
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+
diff --git a/tests/py/any/rt.t.payload b/tests/py/any/rt.t.payload
index 0e354fa0..e1ecb286 100644
--- a/tests/py/any/rt.t.payload
+++ b/tests/py/any/rt.t.payload
@@ -3,3 +3,13 @@ ip test-ip4 input
   [ rt load classid => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
+# rt ipsec exists
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt ipsec missing
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
-- 
cgit v1.2.3