
Commit 02b408fa authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: nf_tables: rt: allow checking if dst has xfrm attached



Useful e.g. to avoid NATting inner headers of to-be-encrypted packets.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent a82738ad
+2 −0
@@ -826,12 +826,14 @@ enum nft_meta_keys {
 * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
 * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
 * @NFT_RT_TCPMSS: fetch current path tcp mss
 * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
 */
enum nft_rt_keys {
	NFT_RT_CLASSID,
	NFT_RT_NEXTHOP4,
	NFT_RT_NEXTHOP6,
	NFT_RT_TCPMSS,
	NFT_RT_XFRM,
	__NFT_RT_MAX
};
#define NFT_RT_MAX		(__NFT_RT_MAX - 1)
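Review bot: The new `@NFT_RT_XFRM` kernel-doc line in the UAPI header describes the implementation literally but not its scope, and this is a header rule authors will read. `dst->xfrm` is, as far as I recall the xfrm code, the output-side transform bundle attached by routing to a packet that is about to be encrypted; a packet that was just decapsulated on input carries its IPsec state in the secpath, not in its dst, so this key will read as false for that direction and cannot be used to verify that inbound traffic arrived protected. It is also worth telling userspace what happens on kernels built without `CONFIG_XFRM`, since the nft_rt.c hunk in this commit makes init return `-EOPNOTSUPP` for the key there. I would extend the comment to something like `* @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL (set for the outbound IPsec bundle only, not for decapsulated input; rejected with EOPNOTSUPP without CONFIG_XFRM)`.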
+11 −0
@@ -90,6 +90,11 @@ static void nft_rt_get_eval(const struct nft_expr *expr,
	case NFT_RT_TCPMSS:
		nft_reg_store16(dest, get_tcpmss(pkt, dst));
		break;
#ifdef CONFIG_XFRM
	case NFT_RT_XFRM:
		nft_reg_store8(dest, !!dst->xfrm);
		break;
#endif
	default:
		WARN_ON(1);
		goto err;
@@ -130,6 +135,11 @@ static int nft_rt_get_init(const struct nft_ctx *ctx,
	case NFT_RT_TCPMSS:
		len = sizeof(u16);
		break;
#ifdef CONFIG_XFRM
	case NFT_RT_XFRM:
		len = sizeof(u8);
		break;
#endif
	default:
		return -EOPNOTSUPP;
	}
@@ -164,6 +174,7 @@ static int nft_rt_validate(const struct nft_ctx *ctx, const struct nft_expr *exp
	case NFT_RT_NEXTHOP4:
	case NFT_RT_NEXTHOP6:
	case NFT_RT_CLASSID:
	case NFT_RT_XFRM:
		return 0;
	case NFT_RT_TCPMSS:
		hooks = (1 << NF_INET_FORWARD) |