@@ -2503,6 +2503,7 @@ filter output icmpv6 type { echo-request, echo-reply }
<arg>oifgroup</arg>
<arg>cgroup</arg>
<arg>random</arg>
+ <arg>secpath</arg>
</group>
</cmdsynopsis>
</para>
@@ -2640,6 +2641,12 @@ filter output icmpv6 type { echo-request, echo-reply }
<entry>pseudo-random number</entry>
<entry>integer (32 bits)</entry>
</row>
+ <row>
+ <entry>secpath</entry>
+ <entry>boolean</entry>
+ <entry>boolean (1 bit)</entry>
+ </row>
+
</tbody>
</tgroup>
</table>
@@ -2724,6 +2731,9 @@ filter output meta oif eth0
# unqualified meta expression
filter output oif eth0
+
+# packed was subject to ipsec processing
+raw prerouting meta secpath exists accept
</programlisting>
</example>
</para>
@@ -773,6 +773,7 @@ enum nft_exthdr_attributes {
* @NFT_META_OIFGROUP: packet output interface group
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
* @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -800,6 +801,7 @@ enum nft_meta_keys {
NFT_META_OIFGROUP,
NFT_META_CGROUP,
NFT_META_PRANDOM,
+ NFT_META_SECPATH,
};
/**
@@ -428,6 +428,8 @@ static const struct meta_template meta_templates[] = {
[NFT_META_PRANDOM] = META_TEMPLATE("random", &integer_type,
4 * BITS_PER_BYTE,
BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
+ [NFT_META_SECPATH] = META_TEMPLATE("secpath", &boolean_type,
+ BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
};
static bool meta_key_is_qualified(enum nft_meta_keys key)
@@ -439,6 +441,7 @@ static bool meta_key_is_qualified(enum nft_meta_keys key)
case NFT_META_PROTOCOL:
case NFT_META_PRIORITY:
case NFT_META_PRANDOM:
+ case NFT_META_SECPATH:
return true;
default:
return false;
@@ -12,3 +12,5 @@ meta nfproto ipv4 tcp dport 22;ok
meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4
meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6
meta nfproto ipv4 counter ip saddr 1.2.3.4;ok
+meta secpath exists;ok
+meta secpath missing;ok
@@ -64,3 +64,12 @@ inet test-inet input
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x04030201 ]
+# meta secpath exists
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# meta secpath missing
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
This can be used to check if a packet has a secpath attached to it, i.e. was subject to ipsec processing. Example: add rule inet raw prerouting meta secpath exists accept Signed-off-by: Florian Westphal <fw@strlen.de> --- doc/nft.xml | 10 ++++++++++ include/linux/netfilter/nf_tables.h | 2 ++ src/meta.c | 3 +++ tests/py/inet/meta.t | 2 ++ tests/py/inet/meta.t.payload | 9 +++++++++ 5 files changed, 26 insertions(+)