meta: add iifkind and oifkind support

This can be used to match the kind type of iif or oif
interface of the packet.  Example:

add rule inet raw prerouting meta iifkind "vrf" accept

Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index a964ce926dc79fd71e6b4e9b73d11d8a410768d9..d819b24ca4346be850b9f5c78184e512e3cab18a 100644 (file)
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -4,7 +4,7 @@ META EXPRESSIONS
 *meta* {length | nfproto | l4proto | protocol | priority}
 [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype |
 skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
-| iifgroup | oifgroup | cgroup | random | ipsec}
+| iifgroup | oifgroup | cgroup | random | ipsec | iifkind | oifkind}
 
 A meta expression refers to meta data associated with a packet.
 
@@ -114,6 +114,10 @@ integer (32 bit)
 |ipsec|
 boolean|
 boolean (1 bit)
+|iifkind|
+Input interface kind |
+|oifkind|
+Output interface kind
 |====================
 
 .Meta expression specific types
@@ -137,6 +141,8 @@ Device group (32 bit number). Can be specified numerically or as symbolic name d
 |pkt_type|
 Packet type: *host* (addressed to local host), *broadcast* (to all),
 *multicast* (to group), *other* (addressed to another host).
+|ifkind|
+Interface kind (16 byte string). Does not have to exist.
 |=============================
 
 .Using meta expressions

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 1d13ad37ec8921d8e1fe1c539e4b53972f563a00..37036be07296d4293b541d677f987f848e28b428 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -789,6 +789,8 @@ enum nft_exthdr_attributes {
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -817,6 +819,8 @@ enum nft_meta_keys {
        NFT_META_CGROUP,
        NFT_META_PRANDOM,
        NFT_META_SECPATH,
+       NFT_META_IIFKIND,
+       NFT_META_OIFKIND,
 };
 
 /**

diff --git a/src/meta.c b/src/meta.c
index c8a7b13b1d2bce9b447e60f404e98f2dbe8de22d..4cb91773b71d0c7aef69672cc9aae2be89dd63bd 100644 (file)
--- a/src/meta.c
+++ b/src/meta.c
@@ -444,6 +444,12 @@ const struct meta_template meta_templates[] = {
                                                BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
        [NFT_META_SECPATH]      = META_TEMPLATE("ipsec", &boolean_type,
                                                BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
+       [NFT_META_IIFKIND]      = META_TEMPLATE("iifkind",   &ifname_type,
+                                               IFNAMSIZ * BITS_PER_BYTE,
+                                               BYTEORDER_HOST_ENDIAN),
+       [NFT_META_OIFKIND]      = META_TEMPLATE("oifkind",   &ifname_type,
+                                               IFNAMSIZ * BITS_PER_BYTE,
+                                               BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)