[PATCH nft] meta: add iifkind and oifkind support


 



From: wenxu <wenxu@xxxxxxxxx>

This can be used to match the kind of the packet's input or output
interface.  Example:

add rule inet raw prerouting meta iifkind "vrf" accept

Signed-off-by: wenxu <wenxu@xxxxxxxxx>
---
 doc/primary-expression.txt          | 8 +++++++-
 include/linux/netfilter/nf_tables.h | 4 ++++
 src/meta.c                          | 6 ++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index a964ce9..e96fba0 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -4,7 +4,7 @@ META EXPRESSIONS
 *meta* {length | nfproto | l4proto | protocol | priority}
 [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype |
 skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
-| iifgroup | oifgroup | cgroup | random | ipsec}
+| iifgroup | oifgroup | cgroup | random | ipsec | iifkind | oifkind}
 
 A meta expression refers to meta data associated with a packet.
 
@@ -114,6 +114,10 @@ integer (32 bit)
 |ipsec|
 boolean|
 boolean (1 bit)
+|iifkind|
+Input interface kind |
+|oifkind|
+Output interface kind
 |====================
 
 .Meta expression specific types
@@ -137,6 +141,8 @@ Device group (32 bit number). Can be specified numerically or as symbolic name d
 |pkt_type|
 Packet type: *host* (addressed to local host), *broadcast* (to all),
 *multicast* (to group), *other* (addressed to another host).
+|ifkind|
+Interface kind (16 byte string). Does not have to exist.
 |=============================
 
 .Using meta expressions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 1d13ad3..37036be 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -789,6 +789,8 @@ enum nft_exthdr_attributes {
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -817,6 +819,8 @@ enum nft_meta_keys {
 	NFT_META_CGROUP,
 	NFT_META_PRANDOM,
 	NFT_META_SECPATH,
+	NFT_META_IIFKIND,
+	NFT_META_OIFKIND,
 };
 
 /**
diff --git a/src/meta.c b/src/meta.c
index c8a7b13..4cb9177 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -444,6 +444,12 @@ const struct meta_template meta_templates[] = {
 						BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
 	[NFT_META_SECPATH]	= META_TEMPLATE("ipsec", &boolean_type,
 						BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
+	[NFT_META_IIFKIND]	= META_TEMPLATE("iifkind",   &ifname_type,
+						IFNAMSIZ * BITS_PER_BYTE,
+						BYTEORDER_HOST_ENDIAN),
+	[NFT_META_OIFKIND]	= META_TEMPLATE("oifkind",   &ifname_type,
+						IFNAMSIZ * BITS_PER_BYTE,
+						BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
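Review bot: The two new templates type iifkind/oifkind as `&ifname_type`, while the doc/primary-expression.txt hunk in this same patch documents a separate `ifkind` type ("Interface kind (16 byte string). Does not have to exist."), so the datatype name nft reports for these keys and the manual will disagree. Either document the keys under the existing ifname type, or add a dedicated ifkind datatype (derived from the string/ifname type) so the name, the IFNAMSIZ byte limit and the "need not exist" semantics are stated in one place. Reusing ifname_type also presumably subjects kind strings to whatever interface-name-specific parse checks that type carries; worth confirming that is intended for kind names. The meta_templates array starts before this hunk.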
-- 
1.8.3.1




