Hi Ahmed,
On Thu, Jan 18, 2018 at 04:13:25PM +0100, Ahmed Abdelsalam wrote:
[...]
> diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_inner6.h b/include/uapi/linux/netfilter_ipv6/ip6t_inner6.h
> new file mode 100644
> index 0000000..7017fa4
> --- /dev/null
> +++ b/include/uapi/linux/netfilter_ipv6/ip6t_inner6.h
> @@ -0,0 +1,21 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +#ifndef _IP6T_INNER6_H
> +#define _IP6T_INNER6_H
> +
> +#include <linux/types.h>
> +#include <linux/netfilter.h>
> +
> +/* Values for "invflags" field in struct ip6t_inner6 */
> +#define IP6T_INNER6_INV_SRC 0x01
> +#define IP6T_INNER6_INV_DST 0x02
> +#define IP6T_INNER6_INV_MASK 0x03
> +
> +struct ip6t_inner6 {
> + /* Source and destination addr of inner IPv6 packet */
> + struct in6_addr inner_src, inner_dst;
> + /* Mask for src and dest addr of inner IPv6 packet */
> + struct in6_addr inner_smsk, inner_dmsk;
> + __u8 invflags;
> +};
Matching at inner headers is a very useful, no doubt. Problem is that
this approach is rather limited since it only allows for matching
source and destination address at the inner header. I suspect someone
else will follow up later on to add more fields to this, and we will
end up having a new version of ip6tables... inside ip6t_inner6 :-).
nf_tables is a much more flexible framework, we can store the offset
of this inner header in nft_pktinfo on demand, add new base to
nft_payload and have access to all matching capabilities from any
arbitrary offset. I really think this new feature belongs there.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
