netfilter: nf_tables: rt: allow checking if dst has xfrm attached

Useful e.g. to avoid NATting inner headers of to-be-encrypted packets. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2018-08-29 00:19:00 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-09-17 11:29:49 +0200
commit: 02b408fae3d5552d10d1189fc0bd7e5b1e76af71 (patch)
tree: 24d5c7411d344dd87bb9bcef6554b2c1575e080a /include/uapi/linux/netfilter
parent: ip6_gre: simplify gre header parsing in ip6gre_err (diff)
download: linux-dev-02b408fae3d5552d10d1189fc0bd7e5b1e76af71.tar.xz
linux-dev-02b408fae3d5552d10d1189fc0bd7e5b1e76af71.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index e23290ffdc77..6c44cbbb2cda 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -826,12 +826,14 @@ enum nft_meta_keys {
  * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
  * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
  * @NFT_RT_TCPMSS: fetch current path tcp mss
+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
  */
 enum nft_rt_keys {
 	NFT_RT_CLASSID,
 	NFT_RT_NEXTHOP4,
 	NFT_RT_NEXTHOP6,
 	NFT_RT_TCPMSS,
+	NFT_RT_XFRM,
 	__NFT_RT_MAX
 };
 #define NFT_RT_MAX		(__NFT_RT_MAX - 1)
author	Florian Westphal <fw@strlen.de>	2018-08-29 00:19:00 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-09-17 11:29:49 +0200
commit	02b408fae3d5552d10d1189fc0bd7e5b1e76af71 (patch)
tree	24d5c7411d344dd87bb9bcef6554b2c1575e080a /include/uapi/linux/netfilter
parent	ip6_gre: simplify gre header parsing in ip6gre_err (diff)
download	linux-dev-02b408fae3d5552d10d1189fc0bd7e5b1e76af71.tar.xz linux-dev-02b408fae3d5552d10d1189fc0bd7e5b1e76af71.zip