meta: introduce meta broute support

Can be used in bridge prerouting hook to divert a packet
to the ip stack for routing.

This is a replacement for "ebtables -t broute" functionality.

Link: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/doc/statements.txt b/doc/statements.txt
index b2794bcd682114f04c2dcda088edceefcbf73979..3fc70f863f4a889d7f9e7908b736c1113c760bb1 100644 (file)
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -296,7 +296,7 @@ A meta statement sets the value of a meta expression. The existing meta fields
 are: priority, mark, pkttype, nftrace. +
 
 [verse]
-*meta* {*mark* | *priority* | *pkttype* | *nftrace*} *set* 'value'
+*meta* {*mark* | *priority* | *pkttype* | *nftrace* | *broute*} *set* 'value'
 
 A meta statement sets meta data associated with a packet. +
 
@@ -316,6 +316,9 @@ pkt_type
 |nftrace |
 ruleset packet tracing on/off. Use *monitor trace* command to watch traces|
 0, 1
+|broute |
+broute on/off. packets are routed instead of being bridged|
+0, 1
 |==========================
 
 LIMIT STATEMENT

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index ff677f3a6cadbe831ddff2d2996dc61c51e350d8..9c6f02c26054ade2efd43a67f1b10b4b6a276f5b 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -931,6 +931,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_TIME_HOUR: hour of day (in seconds)
  * @NFT_META_SDIF: slave device interface index
  * @NFT_META_SDIFNAME: slave device interface name
+ * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -969,6 +970,7 @@ enum nft_meta_keys {
        NFT_META_TIME_HOUR,
        NFT_META_SDIF,
        NFT_META_SDIFNAME,
+       NFT_META_BRI_BROUTE,
        __NFT_META_IIFTYPE,
 };
 

diff --git a/src/meta.c b/src/meta.c
index 3be270a4253cf7dbac5df1efb4d16b9c185714be..822c2fd12b6f60fd9455d8ac71ff54b8e9ee3320 100644 (file)
--- a/src/meta.c
+++ b/src/meta.c
@@ -698,6 +698,8 @@ const struct meta_template meta_templates[] = {
        [NFT_META_SDIFNAME]     = META_TEMPLATE("sdifname", &ifname_type,
                                                IFNAMSIZ * BITS_PER_BYTE,
                                                BYTEORDER_HOST_ENDIAN),
+       [NFT_META_BRI_BROUTE]   = META_TEMPLATE("broute",   &integer_type,
+                                               1    , BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)

diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
index d77ebd899f1859ecd2f0e097c9257500c6303671..171aa610204e4fcf8af33132c333ca41cc35bfdc 100644 (file)
--- a/tests/py/bridge/meta.t
+++ b/tests/py/bridge/meta.t
@@ -9,3 +9,5 @@ meta ibrpvid 100;ok
 
 meta protocol ip udp dport 67;ok
 meta protocol ip6 udp dport 67;ok
+
+meta broute set 1;fail

diff --git a/tests/py/bridge/redirect.t b/tests/py/bridge/redirect.t
new file mode 100644 (file)
index 0000000..5181e79
--- /dev/null
+++ b/tests/py/bridge/redirect.t
@@ -0,0 +1,5 @@
+:prerouting;type filter hook prerouting priority 0
+
+*bridge;test-bridge;prerouting
+
+meta broute set 1;ok

diff --git a/tests/py/bridge/redirect.t.json b/tests/py/bridge/redirect.t.json
new file mode 100644 (file)
index 0000000..7e32b32
--- /dev/null
+++ b/tests/py/bridge/redirect.t.json
@@ -0,0 +1,12 @@
+# meta broute set 1
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "broute" }
+            },
+            "value": 1
+        }
+    }
+]
+

diff --git a/tests/py/bridge/redirect.t.payload b/tests/py/bridge/redirect.t.payload
new file mode 100644 (file)
index 0000000..1fcfa5f
--- /dev/null
+++ b/tests/py/bridge/redirect.t.payload
@@ -0,0 +1,4 @@
+# meta broute set 1
+bridge test-bridge prerouting
+  [ immediate reg 1 0x00000001 ]
+  [ meta set broute with reg 1 ]