From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from shards.monkeyblade.net ([184.105.139.130]:33306 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751691AbeBUSQh (ORCPT ); Wed, 21 Feb 2018 13:16:37 -0500
Date: Wed, 21 Feb 2018 13:16:35 -0500 (EST)
Message-Id: <20180221.131635.682087826054662910.davem@davemloft.net>
To: eyal.birger@gmail.com
Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, pablo@netfilter.org, netdev@vger.kernel.org, shmulik@metanetworks.com
Subject: Re: [PATCH net-next,v3] net: sched: add em_ipt ematch for calling xtables matches
From: David Miller
In-Reply-To: <1518716563-13430-1-git-send-email-eyal.birger@gmail.com>
References: <1518716563-13430-1-git-send-email-eyal.birger@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Eyal Birger
Date: Thu, 15 Feb 2018 19:42:43 +0200

> The commit adds a new tc ematch for using netfilter xtable matches.
>
> This allows early classification as well as mirroring/redirecting traffic
> based on logic implemented in netfilter extensions.
>
> Current supported use case is classification based on the incoming IPSec
> state used during decapsulation using the 'policy' iptables extension
> (xt_policy).
>
> The module dynamically fetches the netfilter match module and calls
> it using a fake xt_action_param structure based on validated userspace
> provided parameters.
>
> As the xt_policy match does not access skb->data, no skb modifications
> are needed on match.
>
> Signed-off-by: Eyal Birger

Applied, thank you.