The following series adds two distinct features to nftables, though since the second one depends on presence of the first one, this is submitted as a series.

Patch 1 adds support for a boolean variant of relational expression. Its OP is strictly implicit and determined by RHS being a boolean expression. It depends on a related kernel patch adding support for NFT_CMP_BOOL to nft_cmp.c.

Patch 2 extends exthdr expression by a private flags field which will be used in patch 3. It depends on a related patch for libnftnl to handle the new field.

Patch 3 then adds support for checking extension header presence to exthdr expression by making use of the previously introduced exthdr flag NFT_EXTHDR_F_PRESENT. It's ideally used together with a boolean relational expression for a syntax of e.g.:

| exthdr hbh exists

to match on hop-by-hop options presence or:

| exthdr frag missing

to match on packets without fragmentation header present.

Phil Sutter (3):
  Implement boolean comparison in relational expression
  exthdr: Add support for exthdr specific flags
  exthdr: Implement exthdr existence check

 include/expression.h                | 10 +++++++++
 include/exthdr.h                    |  4 ++++
 include/linux/netfilter/nf_tables.h |  1 +
 include/netlink.h                   |  2 ++
 src/evaluate.c                      | 13 ++++++++++++
 src/expression.c                    | 39 ++++++++++++++++++++++++++++++++++
 src/exthdr.c                        | 10 +++++++--
 src/netlink.c                       | 20 ++++++++++++++++++
 src/netlink_delinearize.c           | 12 +++++++++--
 src/netlink_linearize.c             |  4 ++++
 src/parser_bison.y                  | 42 +++++++++++++++++++++++++++++++++++++
 src/scanner.l                       |  7 +++++++
 12 files changed, 160 insertions(+), 4 deletions(-)

--
2.11.0
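What "exists" and "missing" mean for an extension header can be modelled in user space by walking the IPv6 next-header chain. The following is an added example, not code from this patch series or from the kernel; the function name `exthdr_present`, the `NH_*` constants and the sample packets are constructed for illustration, and the payload length field is ignored for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA protocol numbers of the extension headers this sketch walks. */
enum { NH_HBH = 0, NH_ROUTING = 43, NH_FRAG = 44, NH_AH = 51, NH_DSTOPTS = 60 };

/* Returns 1 if extension header `want` is in the chain ("exists"),
 * 0 if the chain ends without it ("missing"),
 * -1 if the buffer is not IPv6 or a header is truncated. */
int exthdr_present(const uint8_t *pkt, size_t len, uint8_t want)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];            /* Next Header of the fixed header */
    size_t off = 40;                /* invariant: off <= len */
    for (;;) {
        size_t hlen;
        if (nh != NH_HBH && nh != NH_ROUTING && nh != NH_FRAG &&
            nh != NH_AH && nh != NH_DSTOPTS)
            return 0;               /* upper-layer protocol reached */
        if (len - off < 8)
            return -1;              /* announced header is cut off */
        if (nh == want)
            return 1;
        if (nh == NH_FRAG)
            hlen = 8;               /* fixed size */
        else if (nh == NH_AH)
            hlen = ((size_t)pkt[off + 1] + 2) * 4;
        else
            hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > len - off)
            return -1;
        /* A non-first fragment carries no further parseable headers. */
        if (nh == NH_FRAG && (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8))
            return 0;
        nh = pkt[off];
        off += hlen;
    }
}

/* Constructed packets: fixed header, then 8-byte extension headers. */
const uint8_t PKT_HBH[48] = { [0] = 0x60, [6] = NH_HBH, [40] = 6, [42] = 1, [43] = 4 };
const uint8_t PKT_HBH_FRAG[56] = { [0] = 0x60, [6] = NH_HBH, [40] = NH_FRAG,
                                   [42] = 1, [43] = 4, [48] = 6, [51] = 1 };

int main(void)
{
    printf("hbh exists: %d\n", exthdr_present(PKT_HBH, sizeof PKT_HBH, NH_HBH));
    printf("frag missing: %d\n", !exthdr_present(PKT_HBH, sizeof PKT_HBH, NH_FRAG));
    return 0;
}
```

The truncation result is kept separate from "missing" so that a malformed chain is not silently treated as a packet without the header.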