From f686a17eafa0bb5e9b0665c646fac09c9f95c0a5 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sat, 11 Mar 2017 14:31:39 +0100
Subject: fib: Support existence check

This allows to check whether a FIB entry exists for a given packet by comparing the expression with a boolean keyword like so:
| fib daddr oif exists
The implementation requires introduction of a generic expression flag EXPR_F_BOOLEAN which allows relational expression to signal it's LHS that a boolean comparison is being done (indicated by boolean type on RHS). In contrast to exthdr existence checks, fib expression can't know this in beforehand because the LHS syntax is absolutely identical to a non-boolean comparison.

Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 include/expression.h | 2 ++
 include/linux/netfilter/nf_tables.h | 1 +
 2 files changed, 3 insertions(+)
(limited to 'include')

diff --git a/include/expression.h b/include/expression.h
index 423eae71..94573de0 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -171,12 +171,14 @@ struct expr_ops {
  * @EXPR_F_SINGLETON: singleton (implies primary and constant)
  * @EXPR_F_PROTOCOL: expressions describes upper layer protocol
  * @EXPR_F_INTERVAL_END: set member ends an open interval
+ * @EXPR_F_BOOLEAN: expression is boolean (set by relational expr on LHS)
  */
 enum expr_flags {
 	EXPR_F_CONSTANT = 0x1,
 	EXPR_F_SINGLETON = 0x2,
 	EXPR_F_PROTOCOL = 0x4,
 	EXPR_F_INTERVAL_END = 0x8,
+	EXPR_F_BOOLEAN = 0x10,
 };
 
 #include
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 4f7d7568..a9280a65 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1257,6 +1257,7 @@ enum nft_fib_flags {
 	NFTA_FIB_F_MARK = 1 << 2, /* use skb->mark */
 	NFTA_FIB_F_IIF = 1 << 3, /* restrict to iif */
 	NFTA_FIB_F_OIF = 1 << 4, /* restrict to oif */
+	NFTA_FIB_F_PRESENT = 1 << 5, /* check existence only */
 };
 
 #define NFT_OBJECT_UNSPEC 0
-- 
cgit v1.2.3
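Review bot: The kerneldoc line added for `EXPR_F_BOOLEAN` in `enum expr_flags` is ambiguous: "set by relational expr on LHS" can be read as the flag being set by a relational expression that sits on the LHS, whereas the commit message says the relational expression sets it on its own LHS when the RHS has boolean type. Since the flag's only meaning is defined by this comment for readers of the header, I would spell that out: ` * @EXPR_F_BOOLEAN: expression is used in a boolean comparison (relational expr sets it on its LHS when RHS is of boolean type)`. The code that actually sets and consumes the flag is not in this diff (limited to 'include'), so its exact trigger condition is inferred from the description and should be confirmed against the evaluation-side change.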