* [PATCH nftables 5/5] meta: Add support for input and output bridge interface name
2014-03-27 12:47 [PATCH 0/5] Add suport for bridge if dev name meta exepression keys Tomasz Bursztyka
@ 2014-03-27 12:47 ` Tomasz Bursztyka
0 siblings, 0 replies; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-03-27 12:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Add support to get an input or output bridge interface name through the
relevant meta keys: bri_iifname and bri_oifname.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/linux/netfilter/nf_tables.h | 4 ++++
src/meta.c | 38 +++++++++++++++++++++----------------
src/parser.y | 4 ++++
src/scanner.l | 2 ++
4 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index ff9b0a7..a5f8ec0 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -533,6 +533,8 @@ enum nft_exthdr_attributes {
* @NFT_META_SECMARK: packet secmark (skb->secmark)
* @NFT_META_NFPROTO: netfilter protocol
* @NFT_META_L4PROTO: layer 4 protocol number
+ * @NFT_META_BRI_IIFNAME: packet input bridge interface name
+ * @NFT_META_BRI_OIFNAME: packet output bridge interface name
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -552,6 +554,8 @@ enum nft_meta_keys {
NFT_META_SECMARK,
NFT_META_NFPROTO,
NFT_META_L4PROTO,
+ NFT_META_BRI_IIFNAME,
+ NFT_META_BRI_OIFNAME,
};
/**
diff --git a/src/meta.c b/src/meta.c
index ebc0c54..d95c124 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -298,40 +298,46 @@ static const struct datatype gid_type = {
};
static const struct meta_template meta_templates[] = {
- [NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
+ [NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_PROTOCOL] = META_TEMPLATE("protocol", ðertype_type,
+ [NFT_META_PROTOCOL] = META_TEMPLATE("protocol", ðertype_type,
2 * 8, BYTEORDER_BIG_ENDIAN),
- [NFT_META_NFPROTO] = META_TEMPLATE("nfproto", &nfproto_type,
+ [NFT_META_NFPROTO] = META_TEMPLATE("nfproto", &nfproto_type,
1 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_L4PROTO] = META_TEMPLATE("l4proto", &inet_protocol_type,
+ [NFT_META_L4PROTO] = META_TEMPLATE("l4proto", &inet_protocol_type,
1 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_PRIORITY] = META_TEMPLATE("priority", &tchandle_type,
+ [NFT_META_PRIORITY] = META_TEMPLATE("priority", &tchandle_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_MARK] = META_TEMPLATE("mark", &mark_type,
+ [NFT_META_MARK] = META_TEMPLATE("mark", &mark_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_IIF] = META_TEMPLATE("iif", &ifindex_type,
+ [NFT_META_IIF] = META_TEMPLATE("iif", &ifindex_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &string_type,
+ [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &string_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
- [NFT_META_IIFTYPE] = META_TEMPLATE("iiftype", &arphrd_type,
+ [NFT_META_IIFTYPE] = META_TEMPLATE("iiftype", &arphrd_type,
2 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_OIF] = META_TEMPLATE("oif", &ifindex_type,
+ [NFT_META_OIF] = META_TEMPLATE("oif", &ifindex_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &string_type,
+ [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &string_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
- [NFT_META_OIFTYPE] = META_TEMPLATE("oiftype", &arphrd_type,
+ [NFT_META_OIFTYPE] = META_TEMPLATE("oiftype", &arphrd_type,
2 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_SKUID] = META_TEMPLATE("skuid", &uid_type,
+ [NFT_META_SKUID] = META_TEMPLATE("skuid", &uid_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_SKGID] = META_TEMPLATE("skgid", &gid_type,
+ [NFT_META_SKGID] = META_TEMPLATE("skgid", &gid_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_NFTRACE] = META_TEMPLATE("nftrace", &integer_type,
+ [NFT_META_NFTRACE] = META_TEMPLATE("nftrace", &integer_type,
1 , BYTEORDER_HOST_ENDIAN),
- [NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
+ [NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
+ [NFT_META_BRI_IIFNAME] = META_TEMPLATE("bri_iifname", &string_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
+ [NFT_META_BRI_OIFNAME] = META_TEMPLATE("bri_oifname", &string_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
};
static void meta_expr_print(const struct expr *expr)
diff --git a/src/parser.y b/src/parser.y
index db6f493..e8aef1d 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -304,6 +304,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token SKGID "skgid"
%token NFTRACE "nftrace"
%token RTCLASSID "rtclassid"
+%token BRI_IIFNAME "bri_iifname"
+%token BRI_OIFNAME "bri_oifname"
%token CT "ct"
%token DIRECTION "direction"
@@ -1563,6 +1565,8 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
| SKGID { $$ = NFT_META_SKGID; }
| NFTRACE { $$ = NFT_META_NFTRACE; }
| RTCLASSID { $$ = NFT_META_RTCLASSID; }
+ | BRI_IIFNAME { $$ = NFT_META_BRI_IIFNAME; }
+ | BRI_OIFNAME { $$ = NFT_META_BRI_OIFNAME; }
;
meta_stmt : META meta_key SET expr
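Review bot: Placing BRI_IIFNAME and BRI_OIFNAME under `meta_key_unqualified` means a rule may write `bri_iifname` without the `meta` prefix, and the matching scanner.l rules in this patch turn both words into keywords. Assuming those scanner rules are unconditional like their neighbours, a table, chain or set already named `bri_iifname` or `bri_oifname` would stop parsing, and neither the hunks nor the commit message mention that. If the bare form is not required, moving the two alternatives to the rule that needs the `meta` prefix would narrow the grammar change. The words stay reserved either way, so the commit message should say so. The grammar also accepts the keys in every family although the kernel patch describes them as bridge-only, so a non-bridge rule can only be refused, if at all, once it reaches the kernel. The v2 resend of this patch further down the thread carries the same hunks.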
diff --git a/src/scanner.l b/src/scanner.l
index 47c5933..61c98b5 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -402,6 +402,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"skgid" { return SKGID; }
"nftrace" { return NFTRACE; }
"rtclassid" { return RTCLASSID; }
+"bri_iifname" { return BRI_IIFNAME; }
+"bri_oifname" { return BRI_OIFNAME; }
"ct" { return CT; }
"direction" { return DIRECTION; }
--
1.8.3.2
* [PATCH v2 0/4] Add suport for bridge if dev name meta exepression keys
@ 2014-04-04 9:47 Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH 1/5] netfilter: nf_tables: Stack expression type depending on their family Tomasz Bursztyka
` (4 more replies)
0 siblings, 5 replies; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-04-04 9:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Here is the patch-set to add meta keys NFT_META_BRI_IIFNAME and NFT_META_BRI_OIFNAME.
Changes against v1:
- Rebased the kernel patch set against Patrick's nft_meta.c get/set init function split up.
Last 2 patches are about user-space support.
Tomasz Bursztyka (5):
kernel:
netfilter: nf_tables: Stack expression type depending on their family
netfilter: nf_tables: Make meta expression core functions public
netfilter: nf_tables: Add meta expression key for bridge interface
name
libnftnl:
meta: Add support for input and output bridge interface name
nftables:
meta: Add support for input and output bridge interface name
--
1.8.3.2
* [PATCH 1/5] netfilter: nf_tables: Stack expression type depending on their family
2014-04-04 9:47 [PATCH v2 0/4] Add suport for bridge if dev name meta exepression keys Tomasz Bursztyka
@ 2014-04-04 9:47 ` Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH 2/5] netfilter: nf_tables: Make meta expression core functions public Tomasz Bursztyka
` (3 subsequent siblings)
4 siblings, 0 replies; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-04-04 9:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Ensure that family-specific expression types get selected in priority over
family-agnostic ones.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
net/netfilter/nf_tables_api.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 33045a5..700a522 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1093,7 +1093,10 @@ static void nft_ctx_init(struct nft_ctx *ctx,
int nft_register_expr(struct nft_expr_type *type)
{
nfnl_lock(NFNL_SUBSYS_NFTABLES);
- list_add_tail(&type->list, &nf_tables_expressions);
+ if (type->family == NFPROTO_UNSPEC)
+ list_add_tail(&type->list, &nf_tables_expressions);
+ else
+ list_add(&type->list, &nf_tables_expressions);
nfnl_unlock(NFNL_SUBSYS_NFTABLES);
return 0;
}
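Review bot: The new branch in nft_register_expr() encodes an ordering rule that nothing here documents: family-specific types go to the head of `nf_tables_expressions` so that the lookup (outside this hunk, presumably a first-match walk from the head) prefers them over NFPROTO_UNSPEC ones. A comment above the `if` such as `/* family-specific types first, so lookup prefers them over NFPROTO_UNSPEC */` would record that. `list_add()` also makes the most recently registered family-specific type win over an earlier one with the same name and family, and the function still returns 0 without looking for such a duplicate. A later module can therefore silently shadow an earlier one's expression, which the comment should at least mention.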
--
1.8.3.2
* [PATCH 2/5] netfilter: nf_tables: Make meta expression core functions public
2014-04-04 9:47 [PATCH v2 0/4] Add suport for bridge if dev name meta exepression keys Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH 1/5] netfilter: nf_tables: Stack expression type depending on their family Tomasz Bursztyka
@ 2014-04-04 9:47 ` Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH 3/5] netfilter: nf_tables: Add meta expression key for bridge interface name Tomasz Bursztyka
` (2 subsequent siblings)
4 siblings, 0 replies; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-04-04 9:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
This will be useful for creating META expressions dedicated to a network
family, for instance NFPROTO_BRIDGE.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/net/netfilter/nft_meta.h | 36 +++++++++++++++++++++++++++++
net/netfilter/nft_meta.c | 50 ++++++++++++++++++++--------------------
2 files changed, 61 insertions(+), 25 deletions(-)
create mode 100644 include/net/netfilter/nft_meta.h
diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h
new file mode 100644
index 0000000..0ee47c3
--- /dev/null
+++ b/include/net/netfilter/nft_meta.h
@@ -0,0 +1,36 @@
+#ifndef _NFT_META_H_
+#define _NFT_META_H_
+
+struct nft_meta {
+ enum nft_meta_keys key:8;
+ union {
+ enum nft_registers dreg:8;
+ enum nft_registers sreg:8;
+ };
+};
+
+extern const struct nla_policy nft_meta_policy[];
+
+int nft_meta_get_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[]);
+
+int nft_meta_set_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[]);
+
+int nft_meta_get_dump(struct sk_buff *skb,
+ const struct nft_expr *expr);
+
+int nft_meta_set_dump(struct sk_buff *skb,
+ const struct nft_expr *expr);
+
+void nft_meta_get_eval(const struct nft_expr *expr,
+ struct nft_data data[NFT_REG_MAX + 1],
+ const struct nft_pktinfo *pkt);
+
+void nft_meta_set_eval(const struct nft_expr *expr,
+ struct nft_data data[NFT_REG_MAX + 1],
+ const struct nft_pktinfo *pkt);
+
+#endif
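Review bot: The new nft_meta.h is not self-contained: it uses `enum nft_meta_keys`, `enum nft_registers`, `struct nft_ctx`, `struct nft_expr`, `struct nft_data`, `struct nft_pktinfo` and `NFT_REG_MAX` without including anything, so it compiles only when the includer has already pulled in the nf_tables headers, as nft_meta.c does on the line before its new include. Adding `#include <net/netfilter/nf_tables.h>` right after the guard would remove that ordering dependency for the nf_tables types. The prototypes also carry no contract now that the functions are exported. A short comment above `nft_meta_get_init()` and `nft_meta_set_init()` should state which `tb[]` attributes the caller's select_ops must already have checked, since the bridge caller later in this series reads `tb[NFTA_META_KEY]` without a NULL check on that basis.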
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 6d0b8cc2..852b178 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -18,18 +18,11 @@
#include <net/sock.h>
#include <net/tcp_states.h> /* for TCP_TIME_WAIT */
#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_meta.h>
-struct nft_meta {
- enum nft_meta_keys key:8;
- union {
- enum nft_registers dreg:8;
- enum nft_registers sreg:8;
- };
-};
-
-static void nft_meta_get_eval(const struct nft_expr *expr,
- struct nft_data data[NFT_REG_MAX + 1],
- const struct nft_pktinfo *pkt)
+void nft_meta_get_eval(const struct nft_expr *expr,
+ struct nft_data data[NFT_REG_MAX + 1],
+ const struct nft_pktinfo *pkt)
{
const struct nft_meta *priv = nft_expr_priv(expr);
const struct sk_buff *skb = pkt->skb;
@@ -140,10 +133,11 @@ static void nft_meta_get_eval(const struct nft_expr *expr,
err:
data[NFT_REG_VERDICT].verdict = NFT_BREAK;
}
+EXPORT_SYMBOL_GPL(nft_meta_get_eval);
-static void nft_meta_set_eval(const struct nft_expr *expr,
- struct nft_data data[NFT_REG_MAX + 1],
- const struct nft_pktinfo *pkt)
+void nft_meta_set_eval(const struct nft_expr *expr,
+ struct nft_data data[NFT_REG_MAX + 1],
+ const struct nft_pktinfo *pkt)
{
const struct nft_meta *meta = nft_expr_priv(expr);
struct sk_buff *skb = pkt->skb;
@@ -163,16 +157,18 @@ static void nft_meta_set_eval(const struct nft_expr *expr,
WARN_ON(1);
}
}
+EXPORT_SYMBOL_GPL(nft_meta_set_eval);
-static const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
+const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
[NFTA_META_DREG] = { .type = NLA_U32 },
[NFTA_META_KEY] = { .type = NLA_U32 },
[NFTA_META_SREG] = { .type = NLA_U32 },
};
+EXPORT_SYMBOL_GPL(nft_meta_policy);
-static int nft_meta_get_init(const struct nft_ctx *ctx,
- const struct nft_expr *expr,
- const struct nlattr * const tb[])
+int nft_meta_get_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[])
{
struct nft_meta *priv = nft_expr_priv(expr);
int err;
@@ -215,10 +211,11 @@ static int nft_meta_get_init(const struct nft_ctx *ctx,
return 0;
}
+EXPORT_SYMBOL_GPL(nft_meta_get_init);
-static int nft_meta_set_init(const struct nft_ctx *ctx,
- const struct nft_expr *expr,
- const struct nlattr * const tb[])
+int nft_meta_set_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[])
{
struct nft_meta *priv = nft_expr_priv(expr);
int err;
@@ -240,9 +237,10 @@ static int nft_meta_set_init(const struct nft_ctx *ctx,
return 0;
}
+EXPORT_SYMBOL_GPL(nft_meta_set_init);
-static int nft_meta_get_dump(struct sk_buff *skb,
- const struct nft_expr *expr)
+int nft_meta_get_dump(struct sk_buff *skb,
+ const struct nft_expr *expr)
{
const struct nft_meta *priv = nft_expr_priv(expr);
@@ -255,9 +253,10 @@ static int nft_meta_get_dump(struct sk_buff *skb,
nla_put_failure:
return -1;
}
+EXPORT_SYMBOL_GPL(nft_meta_get_dump);
-static int nft_meta_set_dump(struct sk_buff *skb,
- const struct nft_expr *expr)
+int nft_meta_set_dump(struct sk_buff *skb,
+ const struct nft_expr *expr)
{
const struct nft_meta *priv = nft_expr_priv(expr);
@@ -271,6 +270,7 @@ static int nft_meta_set_dump(struct sk_buff *skb,
nla_put_failure:
return -1;
}
+EXPORT_SYMBOL_GPL(nft_meta_set_dump);
static struct nft_expr_type nft_meta_type;
static const struct nft_expr_ops nft_meta_get_ops = {
--
1.8.3.2
* [PATCH 3/5] netfilter: nf_tables: Add meta expression key for bridge interface name
2014-04-04 9:47 [PATCH v2 0/4] Add suport for bridge if dev name meta exepression keys Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH 1/5] netfilter: nf_tables: Stack expression type depending on their family Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH 2/5] netfilter: nf_tables: Make meta expression core functions public Tomasz Bursztyka
@ 2014-04-04 9:47 ` Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH libnftnl 4/5] meta: Add support for input and output " Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH nftables 5/5] " Tomasz Bursztyka
4 siblings, 0 replies; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-04-04 9:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
NFT_META_BRI_IIFNAME to get packet input bridge interface name
NFT_META_BRI_OIFNAME to get packet output bridge interface name
Such meta keys are accessible only through the NFPROTO_BRIDGE family, via a
dedicated nft meta module: nft_meta_bridge.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/uapi/linux/netfilter/nf_tables.h | 4 +
net/bridge/Makefile | 1 +
net/bridge/netfilter/Kconfig | 12 ++-
net/bridge/netfilter/Makefile | 1 +
net/bridge/netfilter/nft_meta_bridge.c | 142 +++++++++++++++++++++++++++++++
5 files changed, 159 insertions(+), 1 deletion(-)
create mode 100644 net/bridge/netfilter/nft_meta_bridge.c
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index c88ccbf..45fb37c 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -536,6 +536,8 @@ enum nft_exthdr_attributes {
* @NFT_META_SECMARK: packet secmark (skb->secmark)
* @NFT_META_NFPROTO: netfilter protocol
* @NFT_META_L4PROTO: layer 4 protocol number
+ * @NFT_META_BRI_IIFNAME: packet input bridge interface name
+ * @NFT_META_BRI_OIFNAME: packet output bridge interface name
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -555,6 +557,8 @@ enum nft_meta_keys {
NFT_META_SECMARK,
NFT_META_NFPROTO,
NFT_META_L4PROTO,
+ NFT_META_BRI_IIFNAME,
+ NFT_META_BRI_OIFNAME,
};
/**
diff --git a/net/bridge/Makefile b/net/bridge/Makefile
index e85498b2f..58acd82 100644
--- a/net/bridge/Makefile
+++ b/net/bridge/Makefile
@@ -16,4 +16,5 @@ bridge-$(CONFIG_BRIDGE_IGMP_SNOOPING) += br_multicast.o br_mdb.o
bridge-$(CONFIG_BRIDGE_VLAN_FILTERING) += br_vlan.o
+obj-$(CONFIG_NF_TABLES_BRIDGE) += netfilter/
obj-$(CONFIG_BRIDGE_NF_EBTABLES) += netfilter/
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 5ca74a0..906783d 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -2,10 +2,20 @@
# Bridge netfilter configuration
#
#
-config NF_TABLES_BRIDGE
+menuconfig NF_TABLES_BRIDGE
depends on NF_TABLES
tristate "Ethernet Bridge nf_tables support"
+if NF_TABLES_BRIDGE
+
+config NFT_BRIDGE_META
+ tristate "Netfilter nf_table bridge meta support"
+ depends on NFT_META
+ help
+ Add support for bridge dedicated meta key.
+
+endif # NF_TABLES_BRIDGE
+
menuconfig BRIDGE_NF_EBTABLES
tristate "Ethernet Bridge tables (ebtables) support"
depends on BRIDGE && NETFILTER
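Review bot: NFT_BRIDGE_META depends only on NFT_META (and, through the `if`, on NF_TABLES_BRIDGE, which itself lists just NF_TABLES), yet nft_meta_bridge.c in this patch includes `../br_private.h` and dereferences `struct net_bridge_port`. Unless BRIDGE is guaranteed some other way outside this hunk, `depends on BRIDGE && NFT_META` would state the real requirement. The help text could also name what it enables, for example `Add support for the NFT_META_BRI_IIFNAME and NFT_META_BRI_OIFNAME meta keys.`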
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index ea7629f..6f2f394 100644
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -3,6 +3,7 @@
#
obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
+obj-$(CONFIG_NFT_BRIDGE_META) += nft_meta_bridge.o
obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
new file mode 100644
index 0000000..d324441
--- /dev/null
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2014 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_meta.h>
+
+#include "../br_private.h"
+
+static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
+ struct nft_data data[NFT_REG_MAX + 1],
+ const struct nft_pktinfo *pkt)
+{
+ const struct nft_meta *priv = nft_expr_priv(expr);
+ const struct net_device *in = pkt->in, *out = pkt->out;
+ struct nft_data *dest = &data[priv->dreg];
+ const struct net_bridge_port *p;
+
+ if (pkt->ops->pf != NFPROTO_BRIDGE)
+ goto out;
+
+ switch (priv->key) {
+ case NFT_META_BRI_IIFNAME:
+ if (in == NULL || (p = br_port_get_rcu(in)) == NULL)
+ goto err;
+ break;
+ case NFT_META_BRI_OIFNAME:
+ if (out == NULL || (p = br_port_get_rcu(out)) == NULL)
+ goto err;
+ break;
+ default:
+ goto out;
+ }
+
+ strncpy((char *)dest->data, p->br->dev->name, sizeof(dest->data));
+ return;
+out:
+ return nft_meta_get_eval(expr, data, pkt);
+err:
+ data[NFT_REG_VERDICT].verdict = NFT_BREAK;
+}
+
+static int nft_meta_bridge_get_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[])
+{
+ struct nft_meta *priv = nft_expr_priv(expr);
+ int err;
+
+ priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
+ switch (priv->key) {
+ case NFT_META_BRI_IIFNAME:
+ case NFT_META_BRI_OIFNAME:
+ break;
+ default:
+ return nft_meta_get_init(ctx, expr, tb);
+ }
+
+ priv->dreg = ntohl(nla_get_be32(tb[NFTA_META_DREG]));
+ err = nft_validate_output_register(priv->dreg);
+ if (err < 0)
+ return err;
+
+ err = nft_validate_data_load(ctx, priv->dreg, NULL, NFT_DATA_VALUE);
+ if (err < 0)
+ return err;
+
+ return 0;
+}
+
+static struct nft_expr_type nft_meta_bridge_type;
+static const struct nft_expr_ops nft_meta_bridge_get_ops = {
+ .type = &nft_meta_bridge_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
+ .eval = nft_meta_bridge_get_eval,
+ .init = nft_meta_bridge_get_init,
+ .dump = nft_meta_get_dump,
+};
+
+static const struct nft_expr_ops nft_meta_bridge_set_ops = {
+ .type = &nft_meta_bridge_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
+ .eval = nft_meta_set_eval,
+ .init = nft_meta_set_init,
+ .dump = nft_meta_set_dump,
+};
+
+static const struct nft_expr_ops *
+nft_meta_bridge_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
+{
+ if (tb[NFTA_META_KEY] == NULL)
+ return ERR_PTR(-EINVAL);
+
+ if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
+ return ERR_PTR(-EINVAL);
+
+ if (tb[NFTA_META_DREG])
+ return &nft_meta_bridge_get_ops;
+
+ if (tb[NFTA_META_SREG])
+ return &nft_meta_bridge_set_ops;
+
+ return ERR_PTR(-EINVAL);
+}
+
+static struct nft_expr_type nft_meta_bridge_type __read_mostly = {
+ .family = NFPROTO_BRIDGE,
+ .name = "meta",
+ .select_ops = &nft_meta_bridge_select_ops,
+ .policy = nft_meta_policy,
+ .maxattr = NFTA_META_MAX,
+ .owner = THIS_MODULE,
+};
+
+static int __init nft_meta_bridge_module_init(void)
+{
+ return nft_register_expr(&nft_meta_bridge_type);
+}
+
+static void __exit nft_meta_bridge_module_exit(void)
+{
+ nft_unregister_expr(&nft_meta_bridge_type);
+}
+
+module_init(nft_meta_bridge_module_init);
+module_exit(nft_meta_bridge_module_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "meta");
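Review bot: In nft_meta_bridge_get_init() the 32-bit NFTA_META_KEY attribute is stored straight into `priv->key`, which struct nft_meta declares as an 8-bit bitfield, so the `switch` sees only the low byte and a value such as `0x100 | NFT_META_BRI_IIFNAME` is accepted as the bridge key. Reading it into a local first with `u32 key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));`, using `switch (key) {`, and assigning `priv->key = key;` only after the switch would leave out-of-range values on the default path, where nft_meta_get_init() (body not shown here) has to reject them. In nft_meta_bridge_get_eval(), `br_port_get_rcu()` comes from br_private.h outside this patch. It is worth confirming that it returns NULL for a device that is not a bridge port, because `p->br->dev->name` is dereferenced unconditionally afterwards. The `out:` label also shares its name with the `out` net_device local, which is legal but easy to misread; `fallback:` would be clearer.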
--
1.8.3.2
* [PATCH libnftnl 4/5] meta: Add support for input and output bridge interface name
2014-04-04 9:47 [PATCH v2 0/4] Add suport for bridge if dev name meta exepression keys Tomasz Bursztyka
` (2 preceding siblings ...)
2014-04-04 9:47 ` [PATCH 3/5] netfilter: nf_tables: Add meta expression key for bridge interface name Tomasz Bursztyka
@ 2014-04-04 9:47 ` Tomasz Bursztyka
2014-04-04 9:47 ` [PATCH nftables 5/5] " Tomasz Bursztyka
4 siblings, 0 replies; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-04-04 9:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Add support for the dedicated bridge meta keys related to device names:
- NFT_META_BRI_IIFNAME
- NFT_META_BRI_OIFNAME
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/linux/netfilter/nf_tables.h | 4 ++++
src/expr/meta.c | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index bb160d5..5b7bed5 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -536,6 +536,8 @@ enum nft_exthdr_attributes {
* @NFT_META_SECMARK: packet secmark (skb->secmark)
* @NFT_META_NFPROTO: netfilter protocol
* @NFT_META_L4PROTO: layer 4 protocol number
+ * @NFT_META_BRI_IIFNAME: packet input bridge interface name
+ * @NFT_META_BRI_OIFNAME: packet output bridge interface name
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -555,6 +557,8 @@ enum nft_meta_keys {
NFT_META_SECMARK,
NFT_META_NFPROTO,
NFT_META_L4PROTO,
+ NFT_META_BRI_IIFNAME,
+ NFT_META_BRI_OIFNAME,
};
/**
diff --git a/src/expr/meta.c b/src/expr/meta.c
index bee2f4c..fb945f0 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -23,7 +23,7 @@
#include "expr_ops.h"
#ifndef NFT_META_MAX
-#define NFT_META_MAX (NFT_META_L4PROTO + 1)
+#define NFT_META_MAX (NFT_META_BRI_OIFNAME + 1)
#endif
struct nft_expr_meta {
@@ -153,6 +153,8 @@ static const char *meta_key2str_array[NFT_META_MAX] = {
[NFT_META_NFTRACE] = "nftrace",
[NFT_META_RTCLASSID] = "rtclassid",
[NFT_META_SECMARK] = "secmark",
+ [NFT_META_BRI_IIFNAME] = "bri_iifname",
+ [NFT_META_BRI_OIFNAME] = "bri_oifname",
};
static const char *meta_key2str(uint8_t key)
--
1.8.3.2
* [PATCH nftables 5/5] meta: Add support for input and output bridge interface name
2014-04-04 9:47 [PATCH v2 0/4] Add suport for bridge if dev name meta exepression keys Tomasz Bursztyka
` (3 preceding siblings ...)
2014-04-04 9:47 ` [PATCH libnftnl 4/5] meta: Add support for input and output " Tomasz Bursztyka
@ 2014-04-04 9:47 ` Tomasz Bursztyka
2014-04-04 11:11 ` Pablo Neira Ayuso
4 siblings, 1 reply; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-04-04 9:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Add support to get an input or output bridge interface name through the
relevant meta keys: bri_iifname and bri_oifname.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/linux/netfilter/nf_tables.h | 4 ++++
src/meta.c | 38 +++++++++++++++++++++----------------
src/parser.y | 4 ++++
src/scanner.l | 2 ++
4 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index ff9b0a7..a5f8ec0 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -533,6 +533,8 @@ enum nft_exthdr_attributes {
* @NFT_META_SECMARK: packet secmark (skb->secmark)
* @NFT_META_NFPROTO: netfilter protocol
* @NFT_META_L4PROTO: layer 4 protocol number
+ * @NFT_META_BRI_IIFNAME: packet input bridge interface name
+ * @NFT_META_BRI_OIFNAME: packet output bridge interface name
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -552,6 +554,8 @@ enum nft_meta_keys {
NFT_META_SECMARK,
NFT_META_NFPROTO,
NFT_META_L4PROTO,
+ NFT_META_BRI_IIFNAME,
+ NFT_META_BRI_OIFNAME,
};
/**
diff --git a/src/meta.c b/src/meta.c
index ebc0c54..d95c124 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -298,40 +298,46 @@ static const struct datatype gid_type = {
};
static const struct meta_template meta_templates[] = {
- [NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
+ [NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_PROTOCOL] = META_TEMPLATE("protocol", ðertype_type,
+ [NFT_META_PROTOCOL] = META_TEMPLATE("protocol", ðertype_type,
2 * 8, BYTEORDER_BIG_ENDIAN),
- [NFT_META_NFPROTO] = META_TEMPLATE("nfproto", &nfproto_type,
+ [NFT_META_NFPROTO] = META_TEMPLATE("nfproto", &nfproto_type,
1 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_L4PROTO] = META_TEMPLATE("l4proto", &inet_protocol_type,
+ [NFT_META_L4PROTO] = META_TEMPLATE("l4proto", &inet_protocol_type,
1 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_PRIORITY] = META_TEMPLATE("priority", &tchandle_type,
+ [NFT_META_PRIORITY] = META_TEMPLATE("priority", &tchandle_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_MARK] = META_TEMPLATE("mark", &mark_type,
+ [NFT_META_MARK] = META_TEMPLATE("mark", &mark_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_IIF] = META_TEMPLATE("iif", &ifindex_type,
+ [NFT_META_IIF] = META_TEMPLATE("iif", &ifindex_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &string_type,
+ [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &string_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
- [NFT_META_IIFTYPE] = META_TEMPLATE("iiftype", &arphrd_type,
+ [NFT_META_IIFTYPE] = META_TEMPLATE("iiftype", &arphrd_type,
2 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_OIF] = META_TEMPLATE("oif", &ifindex_type,
+ [NFT_META_OIF] = META_TEMPLATE("oif", &ifindex_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &string_type,
+ [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &string_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
- [NFT_META_OIFTYPE] = META_TEMPLATE("oiftype", &arphrd_type,
+ [NFT_META_OIFTYPE] = META_TEMPLATE("oiftype", &arphrd_type,
2 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_SKUID] = META_TEMPLATE("skuid", &uid_type,
+ [NFT_META_SKUID] = META_TEMPLATE("skuid", &uid_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_SKGID] = META_TEMPLATE("skgid", &gid_type,
+ [NFT_META_SKGID] = META_TEMPLATE("skgid", &gid_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_NFTRACE] = META_TEMPLATE("nftrace", &integer_type,
+ [NFT_META_NFTRACE] = META_TEMPLATE("nftrace", &integer_type,
1 , BYTEORDER_HOST_ENDIAN),
- [NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
+ [NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
+ [NFT_META_BRI_IIFNAME] = META_TEMPLATE("bri_iifname", &string_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
+ [NFT_META_BRI_OIFNAME] = META_TEMPLATE("bri_oifname", &string_type,
+ IFNAMSIZ * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
};
static void meta_expr_print(const struct expr *expr)
diff --git a/src/parser.y b/src/parser.y
index db6f493..e8aef1d 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -304,6 +304,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token SKGID "skgid"
%token NFTRACE "nftrace"
%token RTCLASSID "rtclassid"
+%token BRI_IIFNAME "bri_iifname"
+%token BRI_OIFNAME "bri_oifname"
%token CT "ct"
%token DIRECTION "direction"
@@ -1563,6 +1565,8 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
| SKGID { $$ = NFT_META_SKGID; }
| NFTRACE { $$ = NFT_META_NFTRACE; }
| RTCLASSID { $$ = NFT_META_RTCLASSID; }
+ | BRI_IIFNAME { $$ = NFT_META_BRI_IIFNAME; }
+ | BRI_OIFNAME { $$ = NFT_META_BRI_OIFNAME; }
;
meta_stmt : META meta_key SET expr
diff --git a/src/scanner.l b/src/scanner.l
index 47c5933..61c98b5 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -402,6 +402,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"skgid" { return SKGID; }
"nftrace" { return NFTRACE; }
"rtclassid" { return RTCLASSID; }
+"bri_iifname" { return BRI_IIFNAME; }
+"bri_oifname" { return BRI_OIFNAME; }
"ct" { return CT; }
"direction" { return DIRECTION; }
--
1.8.3.2
* Re: [PATCH nftables 5/5] meta: Add support for input and output bridge interface name
2014-04-04 9:47 ` [PATCH nftables 5/5] " Tomasz Bursztyka
@ 2014-04-04 11:11 ` Pablo Neira Ayuso
2014-04-04 12:13 ` Patrick McHardy
0 siblings, 1 reply; 11+ messages in thread
From: Pablo Neira Ayuso @ 2014-04-04 11:11 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel, kaber
On Fri, Apr 04, 2014 at 12:47:31PM +0300, Tomasz Bursztyka wrote:
> diff --git a/src/meta.c b/src/meta.c
> index ebc0c54..d95c124 100644
> --- a/src/meta.c
> +++ b/src/meta.c
> @@ -298,40 +298,46 @@ static const struct datatype gid_type = {
> };
>
> static const struct meta_template meta_templates[] = {
> - [NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
> + [NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_PROTOCOL] = META_TEMPLATE("protocol", ðertype_type,
> + [NFT_META_PROTOCOL] = META_TEMPLATE("protocol", ðertype_type,
> 2 * 8, BYTEORDER_BIG_ENDIAN),
> - [NFT_META_NFPROTO] = META_TEMPLATE("nfproto", &nfproto_type,
> + [NFT_META_NFPROTO] = META_TEMPLATE("nfproto", &nfproto_type,
> 1 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_L4PROTO] = META_TEMPLATE("l4proto", &inet_protocol_type,
> + [NFT_META_L4PROTO] = META_TEMPLATE("l4proto", &inet_protocol_type,
> 1 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_PRIORITY] = META_TEMPLATE("priority", &tchandle_type,
> + [NFT_META_PRIORITY] = META_TEMPLATE("priority", &tchandle_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_MARK] = META_TEMPLATE("mark", &mark_type,
> + [NFT_META_MARK] = META_TEMPLATE("mark", &mark_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_IIF] = META_TEMPLATE("iif", &ifindex_type,
> + [NFT_META_IIF] = META_TEMPLATE("iif", &ifindex_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &string_type,
> + [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &string_type,
> IFNAMSIZ * BITS_PER_BYTE,
> BYTEORDER_HOST_ENDIAN),
> - [NFT_META_IIFTYPE] = META_TEMPLATE("iiftype", &arphrd_type,
> + [NFT_META_IIFTYPE] = META_TEMPLATE("iiftype", &arphrd_type,
> 2 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_OIF] = META_TEMPLATE("oif", &ifindex_type,
> + [NFT_META_OIF] = META_TEMPLATE("oif", &ifindex_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &string_type,
> + [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &string_type,
> IFNAMSIZ * BITS_PER_BYTE,
> BYTEORDER_HOST_ENDIAN),
> - [NFT_META_OIFTYPE] = META_TEMPLATE("oiftype", &arphrd_type,
> + [NFT_META_OIFTYPE] = META_TEMPLATE("oiftype", &arphrd_type,
> 2 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_SKUID] = META_TEMPLATE("skuid", &uid_type,
> + [NFT_META_SKUID] = META_TEMPLATE("skuid", &uid_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_SKGID] = META_TEMPLATE("skgid", &gid_type,
> + [NFT_META_SKGID] = META_TEMPLATE("skgid", &gid_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> - [NFT_META_NFTRACE] = META_TEMPLATE("nftrace", &integer_type,
> + [NFT_META_NFTRACE] = META_TEMPLATE("nftrace", &integer_type,
> 1 , BYTEORDER_HOST_ENDIAN),
> - [NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
> + [NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
> 4 * 8, BYTEORDER_HOST_ENDIAN),
> + [NFT_META_BRI_IIFNAME] = META_TEMPLATE("bri_iifname", &string_type,
> + IFNAMSIZ * BITS_PER_BYTE,
> + BYTEORDER_HOST_ENDIAN),
> + [NFT_META_BRI_OIFNAME] = META_TEMPLATE("bri_oifname", &string_type,
> + IFNAMSIZ * BITS_PER_BYTE,
> + BYTEORDER_HOST_ENDIAN),
> };
>
> static void meta_expr_print(const struct expr *expr)
> diff --git a/src/parser.y b/src/parser.y
> index db6f493..e8aef1d 100644
> --- a/src/parser.y
> +++ b/src/parser.y
> @@ -304,6 +304,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
> %token SKGID "skgid"
> %token NFTRACE "nftrace"
> %token RTCLASSID "rtclassid"
> +%token BRI_IIFNAME "bri_iifname"
> +%token BRI_OIFNAME "bri_oifname"
>
> %token CT "ct"
> %token DIRECTION "direction"
> @@ -1563,6 +1565,8 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
> | SKGID { $$ = NFT_META_SKGID; }
> | NFTRACE { $$ = NFT_META_NFTRACE; }
> | RTCLASSID { $$ = NFT_META_RTCLASSID; }
> + | BRI_IIFNAME { $$ = NFT_META_BRI_IIFNAME; }
> + | BRI_OIFNAME { $$ = NFT_META_BRI_OIFNAME; }
> ;
>
> meta_stmt : META meta_key SET expr
> diff --git a/src/scanner.l b/src/scanner.l
> index 47c5933..61c98b5 100644
> --- a/src/scanner.l
> +++ b/src/scanner.l
> @@ -402,6 +402,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
> "skgid" { return SKGID; }
> "nftrace" { return NFTRACE; }
> "rtclassid" { return RTCLASSID; }
> +"bri_iifname" { return BRI_IIFNAME; }
> +"bri_oifname" { return BRI_OIFNAME; }
I prefer if we skip the underscore there, I remember that Patrick
mentioned that he would also like to get rid of it in other cases like
the ipv4_address type.
Perhaps iifnamebr
oifnamebr?
briifname and broifname could be an alternative, but I had trouble
typing that myself several times while writing this email. So I prefer
the iifnamebr / oifnamebr alternative.
We can also save the reformatting of meta_templates with a shorter
name, so this patch will be smaller.
> "ct" { return CT; }
> "direction" { return DIRECTION; }
> --
> 1.8.3.2
>
* Re: [PATCH nftables 5/5] meta: Add support for input and output bridge interface name
2014-04-04 11:11 ` Pablo Neira Ayuso
@ 2014-04-04 12:13 ` Patrick McHardy
2014-04-08 8:12 ` Pablo Neira Ayuso
0 siblings, 1 reply; 11+ messages in thread
From: Patrick McHardy @ 2014-04-04 12:13 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Tomasz Bursztyka, netfilter-devel
On Fri, Apr 04, 2014 at 01:11:34PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Apr 04, 2014 at 12:47:31PM +0300, Tomasz Bursztyka wrote:
> > --- a/src/parser.y
> > +++ b/src/parser.y
> > @@ -304,6 +304,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
> > %token SKGID "skgid"
> > %token NFTRACE "nftrace"
> > %token RTCLASSID "rtclassid"
> > +%token BRI_IIFNAME "bri_iifname"
> > +%token BRI_OIFNAME "bri_oifname"
> >
> > %token CT "ct"
> > %token DIRECTION "direction"
> > @@ -1563,6 +1565,8 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
> > | SKGID { $$ = NFT_META_SKGID; }
> > | NFTRACE { $$ = NFT_META_NFTRACE; }
> > | RTCLASSID { $$ = NFT_META_RTCLASSID; }
> > + | BRI_IIFNAME { $$ = NFT_META_BRI_IIFNAME; }
> > + | BRI_OIFNAME { $$ = NFT_META_BRI_OIFNAME; }
> > ;
> >
> > meta_stmt : META meta_key SET expr
> > diff --git a/src/scanner.l b/src/scanner.l
> > index 47c5933..61c98b5 100644
> > --- a/src/scanner.l
> > +++ b/src/scanner.l
> > @@ -402,6 +402,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
> > "skgid" { return SKGID; }
> > "nftrace" { return NFTRACE; }
> > "rtclassid" { return RTCLASSID; }
> > +"bri_iifname" { return BRI_IIFNAME; }
> > +"bri_oifname" { return BRI_OIFNAME; }
>
> I prefer if we skip the underscore there, I remember that Patrick
> mentioned that he would also like to get rid of it in other cases like
> the ipv4_address type.
>
> Perhaps iifnamebr
> oifnamebr?
>
> briifname and broifname could be an alternative, but I had problems to
> type that myself several times while writing this email. So I prefer
> the iffnamebr / oifnamebr alternative.
Actually I think they all suck :)
They match on bridge ports, so something containing briport would be a lot
more descriptive. briiport and brioport, ibriport and obriport, something
like that?
* Re: [PATCH nftables 5/5] meta: Add support for input and output bridge interface name
2014-04-04 12:13 ` Patrick McHardy
@ 2014-04-08 8:12 ` Pablo Neira Ayuso
2014-04-08 8:21 ` Tomasz Bursztyka
0 siblings, 1 reply; 11+ messages in thread
From: Pablo Neira Ayuso @ 2014-04-08 8:12 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Tomasz Bursztyka, netfilter-devel
On Fri, Apr 04, 2014 at 02:13:06PM +0200, Patrick McHardy wrote:
> On Fri, Apr 04, 2014 at 01:11:34PM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Apr 04, 2014 at 12:47:31PM +0300, Tomasz Bursztyka wrote:
> > > --- a/src/parser.y
> > > +++ b/src/parser.y
> > > @@ -304,6 +304,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
> > > %token SKGID "skgid"
> > > %token NFTRACE "nftrace"
> > > %token RTCLASSID "rtclassid"
> > > +%token BRI_IIFNAME "bri_iifname"
> > > +%token BRI_OIFNAME "bri_oifname"
> > >
> > > %token CT "ct"
> > > %token DIRECTION "direction"
> > > @@ -1563,6 +1565,8 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
> > > | SKGID { $$ = NFT_META_SKGID; }
> > > | NFTRACE { $$ = NFT_META_NFTRACE; }
> > > | RTCLASSID { $$ = NFT_META_RTCLASSID; }
> > > + | BRI_IIFNAME { $$ = NFT_META_BRI_IIFNAME; }
> > > + | BRI_OIFNAME { $$ = NFT_META_BRI_OIFNAME; }
> > > ;
> > >
> > > meta_stmt : META meta_key SET expr
> > > diff --git a/src/scanner.l b/src/scanner.l
> > > index 47c5933..61c98b5 100644
> > > --- a/src/scanner.l
> > > +++ b/src/scanner.l
> > > @@ -402,6 +402,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
> > > "skgid" { return SKGID; }
> > > "nftrace" { return NFTRACE; }
> > > "rtclassid" { return RTCLASSID; }
> > > +"bri_iifname" { return BRI_IIFNAME; }
> > > +"bri_oifname" { return BRI_OIFNAME; }
> >
> > I prefer if we skip the underscore there, I remember that Patrick
> > mentioned that he would also like to get rid of it in other cases like
> > the ipv4_address type.
> >
> > Perhaps iifnamebr
> > oifnamebr?
> >
> > briifname and broifname could be an alternative, but I had problems to
> > type that myself several times while writing this email. So I prefer
> > the iffnamebr / oifnamebr alternative.
>
> Actually I think they all suck :)
Now I remember why I'm not a top sales book writer :)
> The match on bridge ports, so something containing briport would be a lot
> more descriptive. briiport and brioport, ibriport and obriport, something
> like that?
ibriport and obriport look fine to me. I have problems myself with
cacophony like briiport.
^^
@Tomasz: Can you address the feedback and resend? I'd like to have
this in the nftables tree so Giuseppe can continue with the ebtables
compat layer. Thanks.
* Re: [PATCH nftables 5/5] meta: Add support for input and output bridge interface name
2014-04-08 8:12 ` Pablo Neira Ayuso
@ 2014-04-08 8:21 ` Tomasz Bursztyka
0 siblings, 0 replies; 11+ messages in thread
From: Tomasz Bursztyka @ 2014-04-08 8:21 UTC (permalink / raw)
To: Pablo Neira Ayuso, Patrick McHardy; +Cc: netfilter-devel
Hi Pablo,
> ibriport and obriport look fine to me. I have problems myself with
> cacophony like briiport.
> ^^
>
> @Tomasz: Can you address the feedback and resend? I'd like to have
> this in the nftables tree so Giuseppe can continue with the ebtables
> compat layer. Thanks.
Will do soon.
Tomasz