netfilter: nft_meta: add support for slave device ifindex matching

Allow to match on vrf slave ifindex or name. In case there was no slave interface involved, store 0 in the destination register just like existing iif/oif matching. sdif(name) is restricted to the ipv4/ipv6 input and forward hooks, as it depends on ip(6) stack parsing/storing info in skb->cb[]. Cc: Martin Willi <martin@strongswan.org> Cc: David Ahern <dsahern@kernel.org> Cc: Shrijeet Mukherjee <shrijeet@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2019-12-18 12:05:21 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-12-26 17:41:34 +0100
commit: c14ceb0ec727187f71a487a592ffa91767fed66e (patch)
tree: ca06929e9f9f81a84050672307eb5552a594899d /include
parent: 01a0fc82252d82eda50d4e1252b826a3ef7afb3d (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index bb9b049310df..e237ecbdcd8a 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -805,6 +805,8 @@ enum nft_exthdr_attributes {
  * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
  * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
  * @NFT_META_TIME_HOUR: hour of day (in seconds)
+ * @NFT_META_SDIF: slave device interface index
+ * @NFT_META_SDIFNAME: slave device interface name
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -840,6 +842,8 @@ enum nft_meta_keys {
 	NFT_META_TIME_NS,
 	NFT_META_TIME_DAY,
 	NFT_META_TIME_HOUR,
+	NFT_META_SDIF,
+	NFT_META_SDIFNAME,
 };
 
 /**
author	Florian Westphal <fw@strlen.de>	2019-12-18 12:05:21 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-12-26 17:41:34 +0100
commit	c14ceb0ec727187f71a487a592ffa91767fed66e (patch)
tree	ca06929e9f9f81a84050672307eb5552a594899d /include
parent	01a0fc82252d82eda50d4e1252b826a3ef7afb3d (diff)