src: Add devgroup support in meta expresion

This adds device group support in meta expresion.

The new attributes of meta are "iffgroup" and "oifgroup"
- iffgroup: Match device group of incoming device.
- oifgroup: Match device group of outcoming device.

Example of use:
nft add rule ip test input meta iifgroup 2 counter
nft add rule ip test output meta oifgroup 2 counter

The kernel and libnftnl support were added in these commits:
netfilter: nf_tables: add devgroup support in meta expresion
src: meta: Add devgroup support to meta expresion

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index dbdc4f5b42aa4196afa3497d7b4c4deadf7c4436..e8b9d19583ca1765b36c4c512218dce1bf9733b8 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -537,6 +537,8 @@ enum nft_exthdr_attributes {
  * @NFT_META_BRI_OIFNAME: packet output bridge interface name
  * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
  * @NFT_META_CPU: cpu id through smp_processor_id()
+ * @NFT_META_IIFGROUP: packet input interface group
+ * @NFT_META_OIFGROUP: packet output interface group
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -560,6 +562,8 @@ enum nft_meta_keys {
        NFT_META_BRI_OIFNAME,
        NFT_META_PKTTYPE,
        NFT_META_CPU,
+       NFT_META_IIFGROUP,
+       NFT_META_OIFGROUP,
 };
 
 /**

diff --git a/src/meta.c b/src/meta.c
index bf41ac46722ee678eddb63d8043c8a33c42c09d3..cea3ccbb5694a58209e29c6c05e10a2e69aa51f0 100644 (file)
--- a/src/meta.c
+++ b/src/meta.c
@@ -396,6 +396,12 @@ static const struct meta_template meta_templates[] = {
        [NFT_META_CPU]          = META_TEMPLATE("cpu",  &integer_type,
                                                4 * BITS_PER_BYTE,
                                                BYTEORDER_HOST_ENDIAN),
+       [NFT_META_IIFGROUP]     = META_TEMPLATE("iifgroup", &integer_type,
+                                               4 * BITS_PER_BYTE,
+                                               BYTEORDER_HOST_ENDIAN),
+       [NFT_META_OIFGROUP]     = META_TEMPLATE("oifgroup", &integer_type,
+                                               4 * BITS_PER_BYTE,
+                                               BYTEORDER_HOST_ENDIAN),
 };
 
 static void meta_expr_print(const struct expr *expr)

diff --git a/src/parser.y b/src/parser.y
index d7bc287f495af5115f309d6c668fbf107d1e005e..baa087887cacaea266e5b42493a9f3da3b29bcea 100644 (file)
--- a/src/parser.y
+++ b/src/parser.y
@@ -327,6 +327,8 @@ static int monitor_lookup_event(const char *event)
 %token OBRIPORT                        "obriport"
 %token PKTTYPE                 "pkttype"
 %token CPU                     "cpu"
+%token IIFGROUP                        "iifgroup"
+%token OIFGROUP                        "oifgroup"
 
 %token CT                      "ct"
 %token DIRECTION               "direction"
@@ -1842,6 +1844,8 @@ meta_key_unqualified      :       MARK            { $$ = NFT_META_MARK; }
                        |       OBRIPORT        { $$ = NFT_META_BRI_OIFNAME; }
                        |       PKTTYPE         { $$ = NFT_META_PKTTYPE; }
                        |       CPU             { $$ = NFT_META_CPU; }
+                       |       IIFGROUP        { $$ = NFT_META_IIFGROUP; }
+                       |       OIFGROUP        { $$ = NFT_META_OIFGROUP; }
                        ;
 
 meta_stmt              :       META    meta_key        SET     expr

diff --git a/src/scanner.l b/src/scanner.l
index b7a00b4fef1098b53bed7b88bcc24c61bdc77d8f..929dbf6e45c593a76f28b74f3c89e11e660a0bb3 100644 (file)
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -417,6 +417,8 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "obriport"             { return OBRIPORT; }
 "pkttype"              { return PKTTYPE; }
 "cpu"                  { return CPU; }
+"iifgroup"             { return IIFGROUP; }
+"oifgroup"             { return OIFGROUP; }
 
 "ct"                   { return CT; }
 "direction"            { return DIRECTION; }