David Ahern <dsahern@xxxxxxxxx> wrote: > On 12/18/19 4:05 AM, Florian Westphal wrote: > > Allow to match on vrf slave ifindex or name. > > > > In case there was no slave interface involved, store 0 in the > > destination register just like existing iif/oif matching. > > > > sdif(name) is restricted to the ipv4/ipv6 input and forward hooks, > > as it depends on ip(6) stack parsing/storing info in skb->cb[]. > > > > Cc: Martin Willi <martin@xxxxxxxxxxxxxx> > > Cc: David Ahern <dsahern@xxxxxxxxxx> > > Cc: Shrijeet Mukherjee <shrijeet@xxxxxxxxx> > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > > --- > > include/uapi/linux/netfilter/nf_tables.h | 4 ++ > > net/netfilter/nft_meta.c | 76 +++++++++++++++++++++--- > > 2 files changed, 73 insertions(+), 7 deletions(-) > > > > do you have an example that you can share? nft add rule inet filter input meta sdifname "eth0" accept so its similar to existing iif(name) that test for the input device. This is the nft equivalent for the "slavedev" match that Martin proposed here: http://patchwork.ozlabs.org/patch/1211435/
