diff options
author | Eyal Birger <eyal.birger@gmail.com> | 2018-02-15 19:42:43 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-02-21 13:15:33 -0500 |
commit | ccc007e4a746bb592d3e72106f00241f81d51410 (patch) | |
tree | 986ff019562403f85554be3c7eb2f8ed9a635e83 /net/sched/Kconfig | |
parent | 022ddbca86ce692518bc1809e2dfe27add669608 (diff) |
net: sched: add em_ipt ematch for calling xtables matches
The commit a new tc ematch for using netfilter xtable matches.
This allows early classification as well as mirroning/redirecting traffic
based on logic implemented in netfilter extensions.
Current supported use case is classification based on the incoming IPSec
state used during decpsulation using the 'policy' iptables extension
(xt_policy).
The module dynamically fetches the netfilter match module and calls
it using a fake xt_action_param structure based on validated userspace
provided parameters.
As the xt_policy match does not access skb->data, no skb modifications
are needed on match.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/Kconfig')
-rw-r--r-- | net/sched/Kconfig | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/net/sched/Kconfig b/net/sched/Kconfig index f24a6ae6819a..a01169fb5325 100644 --- a/net/sched/Kconfig +++ b/net/sched/Kconfig @@ -658,6 +658,18 @@ config NET_EMATCH_IPSET To compile this code as a module, choose M here: the module will be called em_ipset. +config NET_EMATCH_IPT + tristate "IPtables Matches" + depends on NET_EMATCH && NETFILTER && NETFILTER_XTABLES + ---help--- + Say Y here to be able to classify packets based on iptables + matches. + Current supported match is "policy" which allows packet classification + based on IPsec policy that was used during decapsulation + + To compile this code as a module, choose M here: the + module will be called em_ipt. + config NET_CLS_ACT bool "Actions" select NET_CLS |