meta: add secpath support
authorFlorian Westphal <fw@strlen.de>
Fri, 1 Dec 2017 12:40:21 +0000 (13:40 +0100)
committerFlorian Westphal <fw@strlen.de>
Tue, 16 Jan 2018 14:57:22 +0000 (15:57 +0100)
This can be used to check if a packet has a secpath attached to it, i.e.
was subject to ipsec processing.  Example:

add rule inet raw prerouting meta secpath exists accept

Signed-off-by: Florian Westphal <fw@strlen.de>
doc/nft.xml
include/linux/netfilter/nf_tables.h
src/meta.c
tests/py/inet/meta.t
tests/py/inet/meta.t.payload

index cbb3b8026d27b30dfc449c2904d39c6d1e56a982..e515b1103bb9c7ada723b5efefec3b4333ad57cd 100644 (file)
@@ -2504,6 +2504,7 @@ filter output icmpv6 type { echo-request, echo-reply }
                                                <arg>oifgroup</arg>
                                                <arg>cgroup</arg>
                                                <arg>random</arg>
+                                               <arg>secpath</arg>
                                        </group>
                                </cmdsynopsis>
                        </para>
@@ -2641,6 +2642,12 @@ filter output icmpv6 type { echo-request, echo-reply }
                                                                <entry>pseudo-random number</entry>
                                                                <entry>integer (32 bits)</entry>
                                                        </row>
+                                                       <row>
+                                                               <entry>secpath</entry>
+                                                               <entry>boolean</entry>
+                                                               <entry>boolean (1 bit)</entry>
+                                                       </row>
+
                                                </tbody>
                                        </tgroup>
                                </table>
@@ -2725,6 +2732,9 @@ filter output meta oif eth0
 
 # unqualified meta expression
 filter output oif eth0
+
+# packed was subject to ipsec processing
+raw prerouting meta secpath exists accept
                                        </programlisting>
                                </example>
                        </para>
index a3ee277b17a17885f27c73e8d0f66dc8117817aa..2efbf9744c2aabdc8b77f8d79eac4f2e58026d26 100644 (file)
@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_OIFGROUP: packet output interface group
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -804,6 +805,7 @@ enum nft_meta_keys {
        NFT_META_OIFGROUP,
        NFT_META_CGROUP,
        NFT_META_PRANDOM,
+       NFT_META_SECPATH,
 };
 
 /**
index 687de8cda8c353a60d1173e3068af73c09cdda78..8c2eca270e0dcce073630c471fa902ef72997d1a 100644 (file)
@@ -428,6 +428,8 @@ static const struct meta_template meta_templates[] = {
        [NFT_META_PRANDOM]      = META_TEMPLATE("random",    &integer_type,
                                                4 * BITS_PER_BYTE,
                                                BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
+       [NFT_META_SECPATH]      = META_TEMPLATE("secpath", &boolean_type,
+                                               BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_qualified(enum nft_meta_keys key)
@@ -439,6 +441,7 @@ static bool meta_key_is_qualified(enum nft_meta_keys key)
        case NFT_META_PROTOCOL:
        case NFT_META_PRIORITY:
        case NFT_META_PRANDOM:
+       case NFT_META_SECPATH:
                return true;
        default:
                return false;
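Review bot: The new `[NFT_META_SECPATH]` template in the first hunk registers the key as `BITS_PER_BYTE` wide, while the row this commit adds to doc/nft.xml describes the same key as `boolean (1 bit)`; the other entries keep the documented width and the template width in step (e.g. `random` is `4 * BITS_PER_BYTE` and documented as 32 bits), so one of the two is off. The uapi comment `!!skb->sp` suggests the kernel stores a byte, which would make the documentation the side to fix, but that should be confirmed against the kernel's meta evaluation before either is changed. Style-wise, the neighbouring entries put each META_TEMPLATE argument on its own line with the type column aligned, so the new entry would read more consistently as `[NFT_META_SECPATH]      = META_TEMPLATE("secpath",   &boolean_type,` followed by `BITS_PER_BYTE,` and `BYTEORDER_HOST_ENDIAN),` on separate lines.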
index bd225e3d8bc4fbdf3bd1065218317400b6d9ae08..d68896dc0b9ecf271d28828e454f9dc607c03fcf 100644 (file)
@@ -12,3 +12,5 @@ meta nfproto ipv4 tcp dport 22;ok
 meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4
 meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6
 meta nfproto ipv4 counter ip saddr 1.2.3.4;ok
+meta secpath exists;ok
+meta secpath missing;ok
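Review bot: Both new cases are positive; since this commit also adds `NFT_META_SECPATH` to `meta_key_is_qualified` in src/meta.c, the unqualified form `secpath exists` is expected to be rejected, and nothing here pins that behaviour. If the harness supports an expected-failure result, a line such as `secpath exists;fail` would cover it and guard against the key later being made unqualified by accident.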
index 0323b30f487b1479c8a179df975113aae44f0ebe..2d0a66fa5cf5ef8f5f5faf2093cb484639d0b6fc 100644 (file)
@@ -64,3 +64,12 @@ inet test-inet input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x04030201 ]
 
+# meta secpath exists
+inet test-inet input
+  [ meta load secpath => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta secpath missing
+inet test-inet input
+  [ meta load secpath => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]