src: rt: add support to check if route will perform ipsec transformation

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 83edac3e3946a701af890a035c71b8db3e2b3f4d..f217f839c026683b2ffe97f8f86dc776e4acb90b 100644 (file)
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -260,6 +260,9 @@ ipv4_addr/ipv6_addr
 |mtu|
 TCP maximum segment size of route |
 integer (16 bit)
+|ipsec|
+route via ipsec tunnel or transport |
+boolean
 |=================================
 
 .Routing expression specific types
@@ -274,6 +277,7 @@ Routing Realm (32 bit number). Can be specified numerically or as symbolic name
 --------------------------
 # IP family independent rt expression
 filter output rt classid 10
+filter output rt ipsec missing
 
 # IP family dependent rt expressions
 ip filter output rt nexthop 192.168.0.1

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 143ebe287a1cc91795aff88010cacfdf1a3be063..1a63bd1e32f455b54233c5cbbf63758743716917 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -832,6 +832,7 @@ enum nft_rt_keys {
        NFT_RT_NEXTHOP4,
        NFT_RT_NEXTHOP6,
        NFT_RT_TCPMSS,
+       NFT_RT_XFRM,
        __NFT_RT_MAX
 };
 #define NFT_RT_MAX             (__NFT_RT_MAX - 1)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 85830d880b05554631625b874033632a5910a470..32d61b3b67230ff357aa22659ba5f5e2b8c121d7 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -510,6 +510,7 @@ int nft_lex(void *, void *, void *);
 
 %token EXTHDR                  "exthdr"
 
+%token IPSEC           "ipsec"
 %type <string>                 identifier type_identifier string comment_spec
 %destructor { xfree($$); }     identifier type_identifier string comment_spec
 
@@ -3830,6 +3831,7 @@ rt_expr                   :       RT      rt_key
 rt_key                 :       CLASSID         { $$ = NFT_RT_CLASSID; }
                        |       NEXTHOP         { $$ = NFT_RT_NEXTHOP4; }
                        |       MTU             { $$ = NFT_RT_TCPMSS; }
+                       |       IPSEC           { $$ = NFT_RT_XFRM; }
                        ;
 
 ct_expr                        :       CT      ct_key

diff --git a/src/parser_json.c b/src/parser_json.c
index 514bc46bba1b1f48632df118e79cbea0cb3daa3d..3f0ab0ac1993db21bd9d25046d1c0740bc64b6a6 100644 (file)
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -621,6 +621,7 @@ static struct expr *json_parse_rt_expr(struct json_ctx *ctx,
                { "classid", NFT_RT_CLASSID },
                { "nexthop", NFT_RT_NEXTHOP4 },
                { "mtu", NFT_RT_TCPMSS },
+               { "ipsec", NFT_RT_XFRM },
        };
        unsigned int i, familyval = NFPROTO_UNSPEC;
        const char *key, *family = NULL;

diff --git a/src/rt.c b/src/rt.c
index caa4947d048a50004a5efad119ebc5e928b758fe..b63284fbcd9a677796e27e658b9cf2df01335b09 100644 (file)
--- a/src/rt.c
+++ b/src/rt.c
@@ -79,6 +79,11 @@ const struct rt_template rt_templates[] = {
                                              2 * BITS_PER_BYTE,
                                              BYTEORDER_HOST_ENDIAN,
                                              false),
+       [NFT_RT_XFRM]           = RT_TEMPLATE("ipsec",
+                                             &boolean_type,
+                                             BITS_PER_BYTE,
+                                             BYTEORDER_HOST_ENDIAN,
+                                             false),
 };
 
 static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)

diff --git a/src/scanner.l b/src/scanner.l
index 2f45e05bfe8181da500624b9c8fd653d3c03ef09..26e63b9bcc0cc9811ec1a0b4cce7a475c91914b1 100644 (file)
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -554,6 +554,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 
 "exthdr"               { return EXTHDR; }
 
+"ipsec"                        { return IPSEC; }
 {addrstring}           {
                                yylval->string = xstrdup(yytext);
                                return STRING;

diff --git a/tests/py/any/rt.t b/tests/py/any/rt.t
index 4f65eaad39172065066e28950075c6bd3a1c5608..3ce57e05b5f077fcc5b8dc96f031deb97512c851 100644 (file)
--- a/tests/py/any/rt.t
+++ b/tests/py/any/rt.t
@@ -5,3 +5,5 @@
 *inet;test-inet;output
 
 rt classid "cosmos";ok
+rt ipsec exists;ok
+rt ipsec missing;ok

diff --git a/tests/py/any/rt.t.json b/tests/py/any/rt.t.json
index 955d12a3d89153f5eae03b432bd8a4a246916b7d..2ca6fe0139255f182542ab62ab179714ee0e6043 100644 (file)
--- a/tests/py/any/rt.t.json
+++ b/tests/py/any/rt.t.json
@@ -13,3 +13,33 @@
     }
 ]
 
+# rt ipsec exists
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# rt ipsec missing
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+

diff --git a/tests/py/any/rt.t.payload b/tests/py/any/rt.t.payload
index 0e354fa020b24ceb315e1474c405590cb6aff65d..e1ecb2860ed08cac2b38aa7d4e27bc7963408656 100644 (file)
--- a/tests/py/any/rt.t.payload
+++ b/tests/py/any/rt.t.payload
@@ -3,3 +3,13 @@ ip test-ip4 input
   [ rt load classid => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
+# rt ipsec exists
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt ipsec missing
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+