Hi pablo & Florian, How about this patch? On 1/24/2019 10:23 PM, wenxu@xxxxxxxxx wrote:
> From: wenxu <wenxu@xxxxxxxxx>
>
> This can be used to match the kind type of iif or oif
> interface of the packet. Example:
>
> add rule inet raw prerouting meta iifkind "vrf" accept
>
> Signed-off-by: wenxu <wenxu@xxxxxxxxx>
> ---
> doc/primary-expression.txt | 8 +++++++-
> include/linux/netfilter/nf_tables.h | 4 ++++
> src/meta.c | 6 ++++++
> 3 files changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
> index a964ce9..e96fba0 100644
> --- a/doc/primary-expression.txt
> +++ b/doc/primary-expression.txt
> @@ -4,7 +4,7 @@ META EXPRESSIONS
> *meta* {length | nfproto | l4proto | protocol | priority}
> [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype |
> skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu
> -| iifgroup | oifgroup | cgroup | random | ipsec}
> +| iifgroup | oifgroup | cgroup | random | ipsec | iifkind | oifkind}
>
> A meta expression refers to meta data associated with a packet.
>
> @@ -114,6 +114,10 @@ integer (32 bit)
> |ipsec|
> boolean|
> boolean (1 bit)
> +|iifkind|
> +Input interface kind |
> +|oifkind|
> +Output interface kind
> |====================
>
> .Meta expression specific types
> @@ -137,6 +141,8 @@ Device group (32 bit number). Can be specified numerically or as symbolic name d
> |pkt_type|
> Packet type: *host* (addressed to local host), *broadcast* (to all),
> *multicast* (to group), *other* (addressed to another host).
> +|ifkind|
> +Interface kind (16 byte string). Does not have to exist.
> |=============================
>
> .Using meta expressions
> diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
> index 1d13ad3..37036be 100644
> --- a/include/linux/netfilter/nf_tables.h
> +++ b/include/linux/netfilter/nf_tables.h
> @@ -789,6 +789,8 @@ enum nft_exthdr_attributes {
> * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
> * @NFT_META_PRANDOM: a 32bit pseudo-random number
> * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
> + * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
> + * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
> */
> enum nft_meta_keys {
> NFT_META_LEN,
> @@ -817,6 +819,8 @@ enum nft_meta_keys {
> NFT_META_CGROUP,
> NFT_META_PRANDOM,
> NFT_META_SECPATH,
> + NFT_META_IIFKIND,
> + NFT_META_OIFKIND,
> };
>
> /**
> diff --git a/src/meta.c b/src/meta.c
> index c8a7b13..4cb9177 100644
> --- a/src/meta.c
> +++ b/src/meta.c
> @@ -444,6 +444,12 @@ const struct meta_template meta_templates[] = {
> BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
> [NFT_META_SECPATH] = META_TEMPLATE("ipsec", &boolean_type,
> BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
> + [NFT_META_IIFKIND] = META_TEMPLATE("iifkind", &ifname_type,
> + IFNAMSIZ * BITS_PER_BYTE,
> + BYTEORDER_HOST_ENDIAN),
> + [NFT_META_OIFKIND] = META_TEMPLATE("oifkind", &ifname_type,
> + IFNAMSIZ * BITS_PER_BYTE,
> + BYTEORDER_HOST_ENDIAN),
> };
>
> static bool meta_key_is_unqualified(enum nft_meta_keys key)
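Review bot: NFT_META_IIFKIND and NFT_META_OIFKIND are appended to `enum nft_meta_keys` without explicit values, so their numbers come from position alone and have to equal what the kernel's copy of this header assigns after NFT_META_SECPATH. Nothing in the patch as shown references the kernel-side change. If another key lands ahead of these in the kernel, a rule written with `iifkind`/`oifkind` would be evaluated against a different meta key than the ruleset author intended. I would refresh this header from the kernel tree once the keys are merged there, rather than hand-editing it, and name the kernel commit in the description. The enum starts outside the hunk.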
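Review bot: Both new `meta_templates` entries use `&ifname_type`, yet the documentation hunk of this patch adds an `ifkind` row to the type table and nothing here defines such a datatype; either drop that row or describe these keys under the existing interface-name type. The doc text "Does not have to exist" is carried over from interface names and does not tell a ruleset author what a rule such as `meta iifkind "vrf" accept` does for a device that has no link kind (the header comment reads the value from `dev->rtnl_link_ops->kind`). That case is decided on the kernel side, which is not shown here, and it should be stated in the doc. A short comment above the two entries would help, for example `/* link kind from rtnl_link_ops; sized like an interface name (IFNAMSIZ) */`. The `meta_templates` initializer starts outside the hunk.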