netfilter: nf_tables: add nft_dup expression

This new expression uses the nf_dup engine to clone packets to a given gateway. Unlike xt_TEE, we use an index to indicate output interface which should be fine at this stage. Moreover, change to the preemtion-safe this_cpu_read(nf_skb_duplicated) from nf_dup_ipv{4,6} to silence a lockdep splat. Based on the original tee expression from Arturo Borrero Gonzalez, although this patch has diverted quite a bit from this initial effort due to the change to support maps. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-05-31 18:04:11 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-08-07 11:49:49 +0200
commit: d877f07112f1e5a247c6b585c971a93895c9f738 (patch)
tree: 6ff7fa3d31b94ef6cbe88284d63f93bdab8a35fb /include/net/netfilter
parent: netfilter: factor out packet duplication for IPv4/IPv6 (diff)
download: linux-dev-d877f07112f1e5a247c6b585c971a93895c9f738.tar.xz
linux-dev-d877f07112f1e5a247c6b585c971a93895c9f738.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/include/net/netfilter/nft_dup.h b/include/net/netfilter/nft_dup.h
new file mode 100644
index 000000000000..6b84cf6491a2
--- /dev/null
+++ b/include/net/netfilter/nft_dup.h
@@ -0,0 +1,9 @@
+#ifndef _NFT_DUP_H_
+#define _NFT_DUP_H_
+
+struct nft_dup_inet {
+	enum nft_registers	sreg_addr:8;
+	enum nft_registers	sreg_dev:8;
+};
+
+#endif /* _NFT_DUP_H_ */
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-05-31 18:04:11 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-08-07 11:49:49 +0200
commit	d877f07112f1e5a247c6b585c971a93895c9f738 (patch)
tree	6ff7fa3d31b94ef6cbe88284d63f93bdab8a35fb /include/net/netfilter
parent	netfilter: factor out packet duplication for IPv4/IPv6 (diff)
download	linux-dev-d877f07112f1e5a247c6b585c971a93895c9f738.tar.xz linux-dev-d877f07112f1e5a247c6b585c971a93895c9f738.zip