1 From: Florian Westphal <fw@strlen.de>
2 Date: Wed, 6 Dec 2017 16:18:16 +0100
3 Subject: [PATCH] netfilter: meta: secpath support
5 replacement for iptables "-m policy --dir in --policy {ipsec,none}".
7 Signed-off-by: Florian Westphal <fw@strlen.de>
8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
11 --- a/include/uapi/linux/netfilter/nf_tables.h
12 +++ b/include/uapi/linux/netfilter/nf_tables.h
13 @@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
14 * @NFT_META_OIFGROUP: packet output interface group
15 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
16 * @NFT_META_PRANDOM: a 32bit pseudo-random number
17 + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
21 @@ -804,6 +805,7 @@ enum nft_meta_keys {
29 --- a/net/netfilter/nft_meta.c
30 +++ b/net/netfilter/nft_meta.c
31 @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_
32 *dest = prandom_u32_state(state);
36 + case NFT_META_SECPATH:
37 + nft_reg_store8(dest, !!skb->sp);
43 @@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_c
44 prandom_init_once(&nft_prandom_state);
48 + case NFT_META_SECPATH:
55 @@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_c
57 EXPORT_SYMBOL_GPL(nft_meta_get_init);
59 +static int nft_meta_get_validate(const struct nft_ctx *ctx,
60 + const struct nft_expr *expr,
61 + const struct nft_data **data)
64 + const struct nft_meta *priv = nft_expr_priv(expr);
67 + if (priv->key != NFT_META_SECPATH)
70 + switch (ctx->afi->family) {
71 + case NFPROTO_NETDEV:
72 + hooks = 1 << NF_NETDEV_INGRESS;
77 + hooks = (1 << NF_INET_PRE_ROUTING) |
78 + (1 << NF_INET_LOCAL_IN) |
79 + (1 << NF_INET_FORWARD);
85 + return nft_chain_validate_hooks(ctx->chain, hooks);
91 int nft_meta_set_validate(const struct nft_ctx *ctx,
92 const struct nft_expr *expr,
93 const struct nft_data **data)
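Review bot: nft_meta_get_validate (lines 59-85) encodes a non-obvious invariant — NFT_META_SECPATH is only allowed on NF_NETDEV_INGRESS and the PRE_ROUTING/LOCAL_IN/FORWARD hooks — without a comment saying why, so someone later relaxing the mask has nothing to warn them. I would put a header comment on the function along the lines of `/* skb->sp is filled in by xfrm input, so it only describes the receive leg of a packet; on the output hooks it is absent for local traffic and, for forwarded traffic, still reflects the inbound SA rather than any outbound policy, hence input-side hooks only */` (hedged: that is my reading of the xfrm input/output paths, confirm before wording it as fact). It is also worth stating, here or in the uapi comment, that `!!skb->sp` only says that some xfrm state processed the packet and does not identify the SA, protocol, reqid or tunnel endpoints, so this replaces `--policy ipsec|none` but not the `--proto`/`--reqid`/`--tunnel-src` qualifiers of `-m policy`; rules that must ensure traffic arrived over a specific tunnel need an additional match. The lines between the case arms (73-76 and 80-84) are not visible in this hunk; if the switch has no `default:` arm that returns an error, `hooks` reaches nft_chain_validate_hooks uninitialized for any other family, so please make sure one is there.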
94 @@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_met
95 .eval = nft_meta_get_eval,
96 .init = nft_meta_get_init,
97 .dump = nft_meta_get_dump,
98 + .validate = nft_meta_get_validate,
101 static const struct nft_expr_ops nft_meta_set_ops = {