On 12/19/19 10:08 AM, Florian Westphal wrote:
> David Ahern <dsahern@xxxxxxxxx> wrote:
>> On 12/18/19 4:05 AM, Florian Westphal wrote:
>>> Allow matching on vrf slave ifindex or name.
>>>
>>> In case there was no slave interface involved, store 0 in the
>>> destination register just like existing iif/oif matching.
>>>
>>> sdif(name) is restricted to the ipv4/ipv6 input and forward hooks,
>>> as it depends on ip(6) stack parsing/storing info in skb->cb[].
>>>
>>> Cc: Martin Willi <martin@xxxxxxxxxxxxxx>
>>> Cc: David Ahern <dsahern@xxxxxxxxxx>
>>> Cc: Shrijeet Mukherjee <shrijeet@xxxxxxxxx>
>>> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
>>> ---
>>> include/uapi/linux/netfilter/nf_tables.h | 4 ++
>>> net/netfilter/nft_meta.c | 76 +++++++++++++++++++++---
>>> 2 files changed, 73 insertions(+), 7 deletions(-)
>>>
>>
>> Do you have an example that you can share?
>
> nft add rule inet filter input meta sdifname "eth0" accept
>
> So it's similar to the existing iif(name) that tests for the input device.
>
> This is the nft equivalent for the "slavedev" match that Martin proposed
> here:
>
> http://patchwork.ozlabs.org/patch/1211435/
>

Thanks for the example. I still have not found the time to get up to speed with nft. I am glad to see netfilter matches on the enslaved interface with VRF; it's a much needed feature.