netfilter: nf_tables: match on tunnel metadata

This patch allows us to match on the tunnel metadata that is available of the packet. We can use this to validate if the packet comes from/goes to tunnel and the corresponding tunnel ID. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2018-08-02 20:51:46 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-08-03 21:12:19 +0200
commit: aaecfdb5c5dd8bac2dfd112166844a9f2d5711f0 (patch)
tree: 9ade4d7fd7477641b0f142588bcbed29c266016d /include/uapi/linux/netfilter
parent: netfilter: nf_tables: add tunnel support (diff)
download: linux-dev-aaecfdb5c5dd8bac2dfd112166844a9f2d5711f0.tar.xz
linux-dev-aaecfdb5c5dd8bac2dfd112166844a9f2d5711f0.zip
1 files changed, 15 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 3ee1198eeac1..357862d948de 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1647,4 +1647,19 @@ enum nft_tunnel_key_attributes {
 };
 #define NFTA_TUNNEL_KEY_MAX	(__NFTA_TUNNEL_KEY_MAX - 1)
 
+enum nft_tunnel_keys {
+	NFT_TUNNEL_PATH,
+	NFT_TUNNEL_ID,
+	__NFT_TUNNEL_MAX
+};
+#define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
+
+enum nft_tunnel_attributes {
+	NFTA_TUNNEL_UNSPEC,
+	NFTA_TUNNEL_KEY,
+	NFTA_TUNNEL_DREG,
+	__NFTA_TUNNEL_MAX
+};
+#define NFTA_TUNNEL_MAX	(__NFTA_TUNNEL_MAX - 1)
+
 #endif /* _LINUX_NF_TABLES_H */
author	Pablo Neira Ayuso <pablo@netfilter.org>	2018-08-02 20:51:46 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-08-03 21:12:19 +0200
commit	aaecfdb5c5dd8bac2dfd112166844a9f2d5711f0 (patch)
tree	9ade4d7fd7477641b0f142588bcbed29c266016d /include/uapi/linux/netfilter
parent	netfilter: nf_tables: add tunnel support (diff)
download	linux-dev-aaecfdb5c5dd8bac2dfd112166844a9f2d5711f0.tar.xz linux-dev-aaecfdb5c5dd8bac2dfd112166844a9f2d5711f0.zip