From: wenxu <wenxu@xxxxxxxxx> meta brvlan can be used to the packet vlan tags nft add rule bridge firewall zones counter meta brvlan set meta brpvid Signed-off-by: wenxu <wenxu@xxxxxxxxx> --- doc/primary-expression.txt | 7 ++++++- include/linux/netfilter/nf_tables.h | 2 ++ src/meta.c | 3 +++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index e33ea26..6bcfa5e 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -2,7 +2,7 @@ META EXPRESSIONS ~~~~~~~~~~~~~~~~ [verse] *meta* {*length* | *nfproto* | *l4proto* | *protocol* | *priority*} -[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid*} +[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid* | *brvlan*} A meta expression refers to meta data associated with a packet. @@ -119,6 +119,9 @@ Output interface kind| |brpvid| bridge port pvid| integer (16 bit) +|brvlan| +set packet vlan tag| +integer (16 bit) |==================== .Meta expression specific types @@ -146,6 +149,8 @@ Packet type: *host* (addressed to local host), *broadcast* (to all), Interface kind (16 byte string). Does not have to exist. |brpvid| Bridge port pvid (16 bit number). +|brpvlan| +Set packet vlan tag (16 bit number). |============================= .Using meta expressions diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 0715b6a..7afac26 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h 
@@ -794,6 +794,7 @@ enum nft_exthdr_attributes { * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind) * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind) * @NFT_META_BRI_PVID: packet input bridge port pvid + * @NFT_META_BRI_VLAN: set vlan tag on packet */ enum nft_meta_keys { NFT_META_LEN, @@ -825,6 +826,7 @@ enum nft_meta_keys { NFT_META_IIFKIND, NFT_META_OIFKIND, NFT_META_BRI_PVID, + NFT_META_BRI_VLAN, }; /** diff --git a/src/meta.c b/src/meta.c index cef7b02..63b66dc 100644 --- a/src/meta.c +++ b/src/meta.c @@ -453,6 +453,9 @@ const struct meta_template meta_templates[] = { [NFT_META_BRI_PVID] = META_TEMPLATE("brpvid", &integer_type, 2 * BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN), + [NFT_META_BRI_VLAN] = META_TEMPLATE("brvlan", &integer_type, + 2 * BITS_PER_BYTE, + BYTEORDER_HOST_ENDIAN), }; static bool meta_key_is_unqualified(enum nft_meta_keys key) -- 1.8.3.1
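Review bot: `NFT_META_BRI_VLAN` takes its number purely from its position at the end of `enum nft_meta_keys`, and this header mirrors the kernel's netlink ABI, so it must land on the value the kernel assigns. If it does not, a ruleset using `brvlan` is encoded as a different or unknown meta key. The patch does not reference the kernel-side change, so I would resync the header from the kernel tree once that side is merged rather than hand-append the entry. The kernel-doc line added in the first hunk of this file also reads as an action, unlike its neighbours, which describe a value. Assuming the key can be read as well as set, something like `* @NFT_META_BRI_VLAN: packet vlan tag (bridge family)` would match them.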
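Review bot: The `[NFT_META_BRI_VLAN]` template accepts any 16-bit host-endian integer, but a VLAN ID is 12 bits with 0 and 4095 reserved, and neither the template nor the new doc rows say whether the value is the bare VID or the full tag including priority bits. This key rewrites the tag that decides which bridge VLAN a frame belongs to, so an out-of-range or misread value becomes a segmentation problem rather than a cosmetic one. Please state the accepted range in doc/primary-expression.txt and say where values above 4095 are rejected, here or in the kernel. The second doc table spells the key `|brpvlan|` while this entry registers `"brvlan"`, so that row should read `|brvlan|`. `meta_templates[]` and `meta_key_is_unqualified()` both extend outside the hunk, so whether the unqualified form the doc advertises is actually accepted cannot be confirmed from here.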