From: wenxu <wenxu@xxxxxxxxx>

This brpvid meta can be used to match the pvid of the brport.

nft add rule bridge firewall zones meta brpvid 10 accept

Signed-off-by: wenxu <wenxu@xxxxxxxxx>
---
 doc/primary-expression.txt          | 11 ++++++++---
 include/linux/netfilter/nf_tables.h |  2 ++
 src/meta.c                          |  3 +++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6eb9583..e33ea26 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -2,7 +2,7 @@ META EXPRESSIONS
 ~~~~~~~~~~~~~~~~
 [verse]
 *meta* {*length* | *nfproto* | *l4proto* | *protocol* | *priority*}
-[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind*}
+[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid*}
 
 A meta expression refers to meta data associated with a packet.
 
@@ -113,9 +113,12 @@ integer (32 bit)
 boolean|
 boolean (1 bit)
 |iifkind|
-Input interface kind |
+Input interface kind|
 |oifkind|
-Output interface kind
+Output interface kind|
+|brpvid|
+bridge port pvid|
+integer (16 bit)
 |====================
 
 .Meta expression specific types
@@ -141,6 +144,8 @@ Packet type: *host* (addressed to local host), *broadcast* (to all), *multicast*
 (to group), *other* (addressed to another host).
 |ifkind|
 Interface kind (16 byte string). Does not have to exist.
+|brpvid|
+Bridge port pvid (16 bit number).
 |=============================
 
 .Using meta expressions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 7bdb234..0715b6a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -793,6 +793,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
  * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_BRI_PVID: packet input bridge port pvid
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -823,6 +824,7 @@ enum nft_meta_keys {
 	NFT_META_SECPATH,
 	NFT_META_IIFKIND,
 	NFT_META_OIFKIND,
+	NFT_META_BRI_PVID,
 };
 
 /**
diff --git a/src/meta.c b/src/meta.c
index 1e8964e..cef7b02 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -450,6 +450,9 @@ const struct meta_template meta_templates[] = {
 	[NFT_META_OIFKIND]	= META_TEMPLATE("oifkind", &ifname_type,
 					IFNAMSIZ * BITS_PER_BYTE,
 					BYTEORDER_HOST_ENDIAN),
+	[NFT_META_BRI_PVID]	= META_TEMPLATE("brpvid", &integer_type,
+					2 * BITS_PER_BYTE,
+					BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
-- 
1.8.3.1
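Review bot: The new `[NFT_META_BRI_PVID]` entry in `meta_templates[]` introduces the keyword `brpvid`, but the diffstat lists only doc/primary-expression.txt, the uapi header and src/meta.c; unless `brpvid` is already a scanner token and parser meta key (not visible from here), the `meta brpvid 10` rule quoted in the commit message will not parse, since as far as I know every other meta key also carries scanner.l/parser_bison.y entries. The template types the value as a bare 16-bit host-endian `integer_type`, and the uapi comment calls it the *input* bridge port pvid while the user doc only says `bridge port pvid`; I would align the doc row with the header, e.g. `Input bridge port pvid (16 bit number).`, and note that it is presumably only meaningful in the bridge family. `meta_templates[]` begins outside the hunk.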