Hi,
This is version 5 for this patchset.
The inner expression provides a packet parser for the tunneled packet
which uses a userspace description of the expected inner headers. Then,
the inner expression (only payload and meta supported at this stage) is
used to match on the inner header protocol fields, using the new link,
network and transport offsets as well as inner metadata.
This patchset adds support for VxLAN, Geneve, GRE and IPIP.
Changes in this v5:
Patch #1 skip if GRE_ROUTING flag is set
Patch #2 no changes
Patch #3 use absolute inner offsets
restrict tunnel header offset to GRE and UDP.
set ctx->llproto to outer ethertype to fix NFT_META_PROTOCOL semantics.
Patch #4 no changes
Patch #5 no changes
Patch #6 no changes
Patch #7 new in the series: set tunnel header offset to GRE header.
Pablo Neira Ayuso (7):
netfilter: nft_payload: access GRE payload via inner offset
netfilter: nft_payload: access ipip payload for inner offset
netfilter: nft_inner: support for inner tunnel header matching
netfilter: nft_inner: add percpu inner context
netfilter: nft_meta: add inner match support
netfilter: nft_inner: add geneve support
netfilter: nft_inner: set tunnel offset to GRE header offset
include/net/netfilter/nf_tables.h | 6 +
include/net/netfilter/nf_tables_core.h | 25 ++
include/net/netfilter/nft_meta.h | 6 +
include/uapi/linux/netfilter/nf_tables.h | 27 ++
net/netfilter/Makefile | 3 +-
net/netfilter/nf_tables_api.c | 37 +++
net/netfilter/nf_tables_core.c | 1 +
net/netfilter/nft_inner.c | 384 +++++++++++++++++++++++
net/netfilter/nft_meta.c | 62 ++++
net/netfilter/nft_payload.c | 124 +++++++-
10 files changed, 673 insertions(+), 2 deletions(-)
create mode 100644 net/netfilter/nft_inner.c
--
2.30.2
