Hi,

This is an RFC patchset, untested, to introduce new infrastructure to specify protocol decapsulation and encapsulation actions. This patchset comes with initial support for VLAN, e.g.

1) VLAN decapsulation:

   ...
   meta iif . vlan id { eth0 . 10, eth1 . 11 } decap vlan

The decapsulation is a single statement with no extra options.

2) VLAN encapsulation:

   add vlan "network0" { type push; id 100; proto 0x8100; }
   add vlan "network1" { type update; id 101; }
   ...
   encap vlan set ip daddr map { 192.168.0.0/24 : "network0", 192.168.1.0/24 : "network1" }

The idea is that the user specifies the vlan policy through object definition, e.g. "network0" and "network1", then it applies this policy via the "encap vlan set" statement.

This infrastructure should allow for more encapsulation protocols with little work, e.g. MPLS.

I have placed the encap object and the decap expression in the same nft_encap module.

I'm still considering to extend the object infrastructure to specify the operation type through the rule, i.e.

   add vlan "network0" { id 100; proto 0x8100; }
   add vlan "network1" { id 101; }
   ...
   encap vlan push ip daddr map { 192.168.0.0/24 : "network0", 192.168.1.0/24 : "network1" }

So the VLAN object does not come with the operation type, instead this is specified through the encap statement, that would require a bit more work on the object infrastructure which is probably a good idea.

This is work-in-progress, syntax is tentative, comments welcome.

Thanks.

Pablo Neira Ayuso (2):
  netfilter: nf_tables: add decapsulation support
  netfilter: nf_tables: add encapsulation support

 include/uapi/linux/netfilter/nf_tables.h |  56 ++++-
 net/netfilter/Kconfig                    |   6 +
 net/netfilter/Makefile                   |   1 +
 net/netfilter/nft_encap.c                | 341 +++++++++++++++++++++++++++++++
 4 files changed, 403 insertions(+), 1 deletion(-)
 create mode 100644 net/netfilter/nft_encap.c

-- 
2.11.0
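As an added illustration, not code from the patchset or from nftables, the Python below models what the three operations in the cover letter (an object of type push, an object of type update, and the decap vlan statement) do to the bytes of an Ethernet frame, and drives them from a constructed table standing in for the two objects and the "encap vlan set ip daddr map" rule. The frame builder, the policy tables and the error handling for update/decap on an untagged frame are assumptions of the example, not behaviour the patchset states.

```python
import ipaddress
import struct

ETH_P_8021Q = 0x8100  # TPID of a standard 802.1Q tag, the "proto 0x8100" of the object

def is_tagged(frame: bytes) -> bool:
    return struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q

def vlan_id(frame: bytes):
    """VID of the outermost tag (the 'vlan id' selector), or None if untagged."""
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF if is_tagged(frame) else None

def vlan_push(frame: bytes, vid: int, proto: int = ETH_P_8021Q) -> bytes:
    """'type push': insert a 4-byte tag between the MAC addresses and the EtherType."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", proto, vid) + frame[12:]

def vlan_update(frame: bytes, vid: int) -> bytes:
    """'type update': rewrite the VID of an existing tag, keeping TPID and PCP/DEI bits."""
    if not is_tagged(frame):
        raise ValueError("update on an untagged frame")  # assumed: error rather than push
    tci = (struct.unpack("!H", frame[14:16])[0] & 0xF000) | vid
    return frame[:14] + struct.pack("!H", tci) + frame[16:]

def vlan_decap(frame: bytes) -> bytes:
    """'decap vlan': strip the outermost tag; the inner EtherType moves back into place."""
    if not is_tagged(frame):
        raise ValueError("decap on an untagged frame")  # assumed: error rather than no-op
    return frame[:12] + frame[16:]

# Constructed model of the two objects and the "encap vlan set ip daddr map" rule.
VLAN_OBJECTS = {"network0": ("push", 100), "network1": ("update", 101)}
DADDR_MAP = {ipaddress.ip_network("192.168.0.0/24"): "network0",
             ipaddress.ip_network("192.168.1.0/24"): "network1"}

def encap_vlan_set(frame: bytes) -> bytes:
    """Look up ip daddr in the map and apply the selected object; no match leaves the frame alone."""
    l3 = 18 if is_tagged(frame) else 14  # IPv4 header follows the (possibly tagged) Ethernet header
    daddr = ipaddress.ip_address(frame[l3 + 16:l3 + 20])
    name = next((n for net, n in DADDR_MAP.items() if daddr in net), None)
    if name is None:
        return frame
    op, vid = VLAN_OBJECTS[name]
    return vlan_push(frame, vid) if op == "push" else vlan_update(frame, vid)

def make_frame(dst_ip: str, vid: int = None) -> bytes:  # constructed test frame
    eth = bytes.fromhex("020000000001" "020000000002" "0800")  # dst MAC, src MAC, EtherType IPv4
    ip = bytes([0x45]) + bytes(15) + ipaddress.ip_address(dst_ip).packed  # 20-byte IPv4 header, only daddr filled
    return vlan_push(eth + ip, vid) if vid is not None else eth + ip
```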