Hi,

This patchset introduces new infrastructure to specify protocol decapsulation and encapsulation actions. This patchset comes with initial support for VLAN.

1) VLAN decapsulation:

    ...
    meta iif . vlan id { eth0 . 10, eth1 . 11 } decap vlan

The decapsulation action is represented as a single statement with no extra options.

2) VLAN encapsulation:

    add vlan "network0" { id 100; proto 0x8100; }
    add vlan "network1" { id 101; }
    ...
    encap vlan push ip daddr map { 192.168.0.0/24 : "network0", 192.168.1.0/24 : "network1" }

The idea is that the user specifies the vlan encapsulation through object definition, eg. "network0" and "network1", then applies this policy via the "encap vlan push/update" statement.

This infrastructure should allow for more encapsulation protocols with little work, eg. MPLS.

I have placed the encap object and the decap expression in the same nft_encap module for simplicity.

The patchset is composed of initial updates to allow specifying the operation type on objects:

1) Rename NFTA_OBJREF_IMM_TYPE to NFTA_OBJREF_TYPE.
2) Check for object type from map reference.
3 and 4) Add nft_object_ref and update code to use it.
5) Add support for operations on object reference.

Then, the actual decapsulation / encapsulation support:

6) Add decapsulation support through expression.
7) Add encapsulation support through object definition; this uses the operation when referencing the object from the rule to specify whether this is an update or push vlan operation.

Userspace patchset update is still in progress, comments welcome.

Thanks.
Pablo Neira Ayuso (7):
  netfilter: nft_objref: rename NFTA_OBJREF_IMM_TYPE to NFTA_OBJREF_TYPE
  netfilter: nft_objref: validate map object type
  netfilter: nft_objref: add nft_obj_ref structure and use it
  netfilter: nf_tables: pass nft_object_ref to object evaluation function
  netfilter: nft_objref: add support for operation on objects
  netfilter: nf_tables: add decapsulation support
  netfilter: nf_tables: add encapsulation support

 include/net/netfilter/nf_tables.h        |  10 +-
 include/uapi/linux/netfilter/nf_tables.h |  64 +++++-
 net/netfilter/Kconfig                    |   6 +
 net/netfilter/Makefile                   |   1 +
 net/netfilter/nf_tables_api.c            |   3 +-
 net/netfilter/nft_connlimit.c            |   4 +-
 net/netfilter/nft_counter.c              |   4 +-
 net/netfilter/nft_ct.c                   |  12 +-
 net/netfilter/nft_encap.c                | 333 +++++++++++++++++++++++++++++++
 net/netfilter/nft_limit.c                |   8 +-
 net/netfilter/nft_meta.c                 |   5 +-
 net/netfilter/nft_objref.c               |  69 +++++--
 net/netfilter/nft_quota.c                |   3 +-
 net/netfilter/nft_synproxy.c             |   4 +-
 net/netfilter/nft_tunnel.c               |   4 +-
 15 files changed, 486 insertions(+), 44 deletions(-)
 create mode 100644 net/netfilter/nft_encap.c

-- 
2.11.0