On 1 December 2017 at 13:40, Florian Westphal <fw@xxxxxxxxx> wrote: > replacement for iptables "-m policy --dir in --policy {ipsec,none}". > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > --- > include/uapi/linux/netfilter/nf_tables.h | 2 ++ > net/netfilter/nft_meta.c | 39 ++++++++++++++++++++++++++++++++ > 2 files changed, 41 insertions(+) > > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h > index a3ee277b17a1..2efbf9744c2a 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -777,6 +777,7 @@ enum nft_exthdr_attributes { > * @NFT_META_OIFGROUP: packet output interface group > * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) > * @NFT_META_PRANDOM: a 32bit pseudo-random number > + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) > */ > enum nft_meta_keys { > NFT_META_LEN, > @@ -804,6 +805,7 @@ enum nft_meta_keys { > NFT_META_OIFGROUP, > NFT_META_CGROUP, > NFT_META_PRANDOM, > + NFT_META_SECPATH, > }; > > /** > diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c > index 5a60eb23a7ed..63a013ad4077 100644 > --- a/net/netfilter/nft_meta.c > +++ b/net/netfilter/nft_meta.c > @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr, > *dest = prandom_u32_state(state); > break; > } > +#ifdef CONFIG_XFRM > + case NFT_META_SECPATH: > + nft_reg_store8(dest, !!skb->sp); > + break; > +#endif > default: > WARN_ON(1); > goto err; > @@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx, > prandom_init_once(&nft_prandom_state); > len = sizeof(u32); > break; > +#ifdef CONFIG_XFRM > + case NFT_META_SECPATH: > + len = sizeof(u8); > + break; > +#endif > default: > return -EOPNOTSUPP; > } > @@ -318,6 +328,34 @@ int nft_meta_get_init(const struct nft_ctx *ctx, > } > EXPORT_SYMBOL_GPL(nft_meta_get_init); > > +int nft_meta_get_validate(const struct nft_ctx *ctx, > + const struct nft_expr *expr, > + const struct nft_data **data) > +{ > + const struct nft_meta *priv = nft_expr_priv(expr); > + unsigned int hooks; > + > + if (priv->key != NFT_META_SECPATH) > + return 0; > + Would it worth adding here something like this? #ifnfdef CONFIG_XFRM return -EOPNOTSUPP; #endif I mean, if CONFIG_XFRM is not defined, then _get_eval() is doing nothing, right? > + switch (ctx->afi->family) { > + case NFPROTO_NETDEV: > + hooks = 1 << NF_NETDEV_INGRESS; > + break; > + case NFPROTO_IPV4: > + case NFPROTO_IPV6: > + case NFPROTO_INET: > + hooks = (1 << NF_INET_PRE_ROUTING) | > + (1 << NF_INET_LOCAL_IN) | > + (1 << NF_INET_FORWARD); > + break; > + default: > + return -EOPNOTSUPP; > + } > + > + return nft_chain_validate_hooks(ctx->chain, hooks); > +} -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html