
[nft,1/2] meta: add brpvid support

Message ID 1561017689-27603-1-git-send-email-wenxu@ucloud.cn
State Changes Requested
Delegated to: Pablo Neira

Commit Message

wenxu June 20, 2019, 8:01 a.m. UTC
From: wenxu <wenxu@ucloud.cn>

The brpvid meta key can be used to match the PVID (port VLAN ID) of the bridge port a packet was received on.

nft add rule bridge firewall zones meta brpvid 10 accept

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 doc/primary-expression.txt          | 11 ++++++++---
 include/linux/netfilter/nf_tables.h |  2 ++
 src/meta.c                          |  3 +++
 3 files changed, 13 insertions(+), 3 deletions(-)


diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6eb9583..e33ea26 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -2,7 +2,7 @@  META EXPRESSIONS
 ~~~~~~~~~~~~~~~~
 [verse]
 *meta* {*length* | *nfproto* | *l4proto* | *protocol* | *priority*}
-[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind*}
+[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid*}
 
 A meta expression refers to meta data associated with a packet.
 
@@ -113,9 +113,12 @@  integer (32 bit)
 boolean|
 boolean (1 bit)
 |iifkind|
-Input interface kind |
+Input interface kind|
 |oifkind|
-Output interface kind
+Output interface kind|
+|brpvid|
+bridge port pvid|
+integer (16 bit)
 |====================
 
 .Meta expression specific types
@@ -141,6 +144,8 @@  Packet type: *host* (addressed to local host), *broadcast* (to all),
 *multicast* (to group), *other* (addressed to another host).
 |ifkind|
 Interface kind (16 byte string). Does not have to exist.
+|brpvid|
+Bridge port pvid (16 bit number).
 |=============================
 
 .Using meta expressions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 7bdb234..0715b6a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -793,6 +793,7 @@  enum nft_exthdr_attributes {
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
  * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_BRI_PVID: packet input bridge port pvid
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -823,6 +824,7 @@  enum nft_meta_keys {
 	NFT_META_SECPATH,
 	NFT_META_IIFKIND,
 	NFT_META_OIFKIND,
+	NFT_META_BRI_PVID,
 };
 
 /**
diff --git a/src/meta.c b/src/meta.c
index 1e8964e..cef7b02 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -450,6 +450,9 @@  const struct meta_template meta_templates[] = {
 	[NFT_META_OIFKIND]	= META_TEMPLATE("oifkind",   &ifname_type,
 						IFNAMSIZ * BITS_PER_BYTE,
 						BYTEORDER_HOST_ENDIAN),
+	[NFT_META_BRI_PVID]	= META_TEMPLATE("brpvid",   &integer_type,
+						2 * BITS_PER_BYTE,
+						BYTEORDER_HOST_ENDIAN),
 };
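Review bot: The template entry alone does not make `meta brpvid 10` from the commit message parseable: nft's meta keys are also tokens in scanner.l and parser_bison.y, and the diffstat touches neither, so the keyword is presumably still unknown to the parser. The doc hunk lists `brpvid` among the keys usable without the `meta` prefix, which would also require adding `NFT_META_BRI_PVID` to `meta_key_is_unqualified` (starts on the last context line and continues outside the hunk). Separately, a PVID is a 12-bit VLAN ID, so `integer_type` at `2 * BITS_PER_BYTE` accepts 4096–65535 as well, values that can never match; either a dedicated type that rejects them or a comment such as `/* VLAN id: only 0..4095 are meaningful, kernel side decides */` would make that explicit. The byte order must agree with how the kernel stores the value into the register; that side is not visible here.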
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)