nftables userspace tool support for broute meta statement introduced in [1]. [1]: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@xxxxxxxx/ Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@xxxxxxxx> --- doc/statements.txt | 5 ++++- include/linux/netfilter/nf_tables.h | 2 ++ src/meta.c | 2 ++ tests/py/bridge/meta.t | 2 ++ tests/py/bridge/meta.t.payload | 5 +++++ tests/py/bridge/redirect.t | 5 +++++ tests/py/bridge/redirect.t.json | 12 ++++++++++++ tests/py/bridge/redirect.t.payload | 4 ++++ 8 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 tests/py/bridge/redirect.t create mode 100644 tests/py/bridge/redirect.t.json create mode 100644 tests/py/bridge/redirect.t.payload diff --git a/doc/statements.txt b/doc/statements.txt index 0532b2b1..4e7e2654 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -296,7 +296,7 @@ A meta statement sets the value of a meta expression. The existing meta fields are: priority, mark, pkttype, nftrace. + [verse] -*meta* {*mark* | *priority* | *pkttype* | *nftrace*} *set* 'value' +*meta* {*mark* | *priority* | *pkttype* | *nftrace* | *broute*} *set* 'value' A meta statement sets meta data associated with a packet. + @@ -316,6 +316,9 @@ pkt_type |nftrace | ruleset packet tracing on/off. Use *monitor trace* command to watch traces| 0, 1 +|broute | +broute on/off. packets are routed instead of being bridged| +0, 1 |========================== LIMIT STATEMENT diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index ff677f3a..9c6f02c2 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -931,6 +931,7 @@ enum nft_exthdr_attributes { * @NFT_META_TIME_HOUR: hour of day (in seconds) * @NFT_META_SDIF: slave device interface index * @NFT_META_SDIFNAME: slave device interface name + * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit */ enum nft_meta_keys { NFT_META_LEN, 
@@ -969,6 +970,7 @@ enum nft_meta_keys { NFT_META_TIME_HOUR, NFT_META_SDIF, NFT_META_SDIFNAME, + NFT_META_BRI_BROUTE, __NFT_META_IIFTYPE, }; diff --git a/src/meta.c b/src/meta.c index 013e8cba..6f9ed06b 100644 --- a/src/meta.c +++ b/src/meta.c @@ -698,6 +698,8 @@ const struct meta_template meta_templates[] = { [NFT_META_SDIFNAME] = META_TEMPLATE("sdifname", &ifname_type, IFNAMSIZ * BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN), + [NFT_META_BRI_BROUTE] = META_TEMPLATE("broute", &integer_type, + 1 , BYTEORDER_HOST_ENDIAN), }; static bool meta_key_is_unqualified(enum nft_meta_keys key) diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t index d77ebd89..171aa610 100644 --- a/tests/py/bridge/meta.t +++ b/tests/py/bridge/meta.t @@ -9,3 +9,5 @@ meta ibrpvid 100;ok meta protocol ip udp dport 67;ok meta protocol ip6 udp dport 67;ok + +meta broute set 1;fail diff --git a/tests/py/bridge/meta.t.payload b/tests/py/bridge/meta.t.payload index 0a39842a..72588e3d 100644 --- a/tests/py/bridge/meta.t.payload +++ b/tests/py/bridge/meta.t.payload @@ -35,3 +35,8 @@ bridge test-bridge input [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00004300 ] + +# meta broute set 1 +bridge test-bridge input + [ immediate reg 1 0x00000001 ] + [ meta set broute with reg 1 ] diff --git a/tests/py/bridge/redirect.t b/tests/py/bridge/redirect.t new file mode 100644 index 00000000..5181e799 --- /dev/null +++ b/tests/py/bridge/redirect.t @@ -0,0 +1,5 @@ +:prerouting;type filter hook prerouting priority 0 + +*bridge;test-bridge;prerouting + +meta broute set 1;ok diff --git a/tests/py/bridge/redirect.t.json b/tests/py/bridge/redirect.t.json new file mode 100644 index 00000000..7e32b329 --- /dev/null +++ b/tests/py/bridge/redirect.t.json @@ -0,0 +1,12 @@ +# meta broute set 1 +[ + { + "mangle": { + "key": { + "meta": { "key": "broute" } + }, + "value": 1 + } + } +] + 
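Review bot: The new `[NFT_META_BRI_BROUTE]` entry gives no hint that the key is only usable in one hook, although the tests added in this same patch expect `meta broute set 1` to fail in a bridge input chain and to succeed in bridge prerouting. Nothing in this hunk restricts the key by family or hook, so the rejection presumably comes from the kernel side in [1]. Because the statement decides whether a packet is bridged or routed, a comment above the entry would help the next reader, e.g. `/* set via meta statement; accepted in bridge prerouting only, rejected elsewhere by the kernel (confirm) */`. The `1 ,` also carries a stray space before the comma, unlike the `sdifname` entry just above it. The `meta_templates` initializer begins outside this hunk.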
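Review bot: The payload block added to meta.t.payload for `# meta broute set 1` under `bridge test-bridge input` belongs to a rule that meta.t marks `fail` in this same patch, so it looks like it can never be compared against anything. If the test harness only reads payloads for rules marked `ok` (worth confirming), drop these lines and keep the expected bytecode in redirect.t.payload only. A stored payload for a rejected rule also reads as if the rule were loadable in an input chain, which is the opposite of what the test asserts.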
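Review bot: redirect.t exercises only `meta broute set 1;ok`, so neither clearing the flag nor the 1-bit width declared in src/meta.c is covered. Consider adding `meta broute set 0;ok`, with matching entries in redirect.t.json and redirect.t.payload, and a value outside the documented 0/1 range such as `meta broute set 2;fail`. Whether an out-of-range value is rejected in userspace or by the kernel is not visible in this patch, so check the actual result before committing to `fail`.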
diff --git a/tests/py/bridge/redirect.t.payload b/tests/py/bridge/redirect.t.payload
new file mode 100644
index 00000000..1fcfa5f1
--- /dev/null
+++ b/tests/py/bridge/redirect.t.payload
@@ -0,0 +1,4 @@
+# meta broute set 1
+bridge test-bridge prerouting
+ [ immediate reg 1 0x00000001 ]
+ [ meta set broute with reg 1 ]
-- 2.34.1