path: root/net/sched/Kconfig
author Eyal Birger <eyal.birger@gmail.com> 2018-02-15 19:42:43 +0200
committer David S. Miller <davem@davemloft.net> 2018-02-21 13:15:33 -0500
commit ccc007e4a746bb592d3e72106f00241f81d51410 (patch)
tree 986ff019562403f85554be3c7eb2f8ed9a635e83 /net/sched/Kconfig
parent 022ddbca86ce692518bc1809e2dfe27add669608 (diff)
net: sched: add em_ipt ematch for calling xtables matches
The commit adds a new tc ematch for using netfilter xtable matches.

This allows early classification as well as mirroring/redirecting traffic based on logic implemented in netfilter extensions.

Current supported use case is classification based on the incoming IPSec state used during decapsulation using the 'policy' iptables extension (xt_policy).

The module dynamically fetches the netfilter match module and calls it using a fake xt_action_param structure based on validated userspace provided parameters.

As the xt_policy match does not access skb->data, no skb modifications are needed on match.

Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/Kconfig')
-rw-r--r-- net/sched/Kconfig 12
1 files changed, 12 insertions, 0 deletions
diff --git a/net/sched/Kconfig b/net/sched/Kconfig
index f24a6ae6819a..a01169fb5325 100644
--- a/net/sched/Kconfig
+++ b/net/sched/Kconfig
@@ -658,6 +658,18 @@ config NET_EMATCH_IPSET
To compile this code as a module, choose M here: the
module will be called em_ipset.
+config NET_EMATCH_IPT
+ tristate "IPtables Matches"
+ depends on NET_EMATCH && NETFILTER && NETFILTER_XTABLES
+ ---help---
+ Say Y here to be able to classify packets based on iptables
+ matches.
+ Current supported match is "policy" which allows packet classification
+ based on IPsec policy that was used during decapsulation
+
+ To compile this code as a module, choose M here: the
+ module will be called em_ipt.
+
config NET_CLS_ACT
bool "Actions"
select NET_CLS
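Review bot: the `depends on NET_EMATCH && NETFILTER && NETFILTER_XTABLES` line of the new NET_EMATCH_IPT entry does not cover the one match the help text names as supported ("policy"), so the option can be selected on a configuration where that match is not built and em_ipt then has nothing it can call. The commit message says the match module is fetched dynamically, so either name in the help text the xtables match option that must also be enabled, or express it as a dependency. It would also help to say in the help text that only the listed match is accepted from userspace, since the commit message describes the parameters as validated and that restriction is what a person enabling this option needs to know. Minor wording: "Current supported match" reads better as "Currently supported match", and the sentence ending "that was used during decapsulation" is missing its full stop.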