* [PATCH nft 1/2] meta: add brpvid support
@ 2019-06-20 8:01 wenxu
2019-06-20 8:01 ` [PATCH nft 2/2] meta: add brvlan support wenxu
From: wenxu @ 2019-06-20 8:01 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This brpvid meta can be used to match the pvid of the brport.
nft add rule bridge firewall zones meta brpvid 10 accept
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
doc/primary-expression.txt | 11 ++++++++---
include/linux/netfilter/nf_tables.h | 2 ++
src/meta.c | 3 +++
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6eb9583..e33ea26 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -2,7 +2,7 @@ META EXPRESSIONS
~~~~~~~~~~~~~~~~
[verse]
*meta* {*length* | *nfproto* | *l4proto* | *protocol* | *priority*}
-[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind*}
+[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid*}
A meta expression refers to meta data associated with a packet.
@@ -113,9 +113,12 @@ integer (32 bit)
boolean|
boolean (1 bit)
|iifkind|
-Input interface kind |
+Input interface kind|
|oifkind|
-Output interface kind
+Output interface kind|
+|brpvid|
+bridge port pvid|
+integer (16 bit)
|====================
.Meta expression specific types
@@ -141,6 +144,8 @@ Packet type: *host* (addressed to local host), *broadcast* (to all),
*multicast* (to group), *other* (addressed to another host).
|ifkind|
Interface kind (16 byte string). Does not have to exist.
+|brpvid|
+Bridge port pvid (16 bit number).
|=============================
.Using meta expressions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 7bdb234..0715b6a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -793,6 +793,7 @@ enum nft_exthdr_attributes {
* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
* @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
* @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_BRI_PVID: packet input bridge port pvid
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -823,6 +824,7 @@ enum nft_meta_keys {
NFT_META_SECPATH,
NFT_META_IIFKIND,
NFT_META_OIFKIND,
+ NFT_META_BRI_PVID,
};
/**
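Review bot: `NFT_META_BRI_PVID` is appended to `enum nft_meta_keys` in what looks like nft's copy of the kernel UAPI header, so its numeric value is netlink ABI and has to equal the value the kernel assigns, yet nothing in this series ties it to a kernel commit. If the kernel side lands with a different name or position, userspace would emit a key number that the kernel either rejects or evaluates as a different meta key, and a bridge filtering rule would then not mean what it says. I would sync this header verbatim from the kernel tree once the enum is final and state the dependency in the commit message, e.g. `Requires kernel patch: <kernel patch subject>`. The same applies to `NFT_META_BRI_VLAN` in 2/2; the enum body starts outside this hunk.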
diff --git a/src/meta.c b/src/meta.c
index 1e8964e..cef7b02 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -450,6 +450,9 @@ const struct meta_template meta_templates[] = {
[NFT_META_OIFKIND] = META_TEMPLATE("oifkind", &ifname_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
+ [NFT_META_BRI_PVID] = META_TEMPLATE("brpvid", &integer_type,
+ 2 * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
};
static bool meta_key_is_unqualified(enum nft_meta_keys key)
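Review bot: The `brpvid` template takes any value that fits in `2 * BITS_PER_BYTE`, but a port PVID is a 12-bit VLAN ID, so a rule such as `meta brpvid 5000 accept` would presumably load without error and then never match. For a key meant to separate firewall zones, a rule that is silently dead is worth rejecting at evaluation time, or at least documenting with a comment on the entry such as `/* VLAN ID: only 0..4095 are meaningful */`. Separately, the doc hunk lists `brpvid` in the `[*meta*]` group where the keyword is optional, while the diffstat shows no parser change and only the signature of `meta_key_is_unqualified()` is visible here, so please confirm whether the unqualified form is intended to work. The `meta_templates[]` initializer starts outside the hunk.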
--
1.8.3.1
* [PATCH nft 2/2] meta: add brvlan support
2019-06-20 8:01 [PATCH nft 1/2] meta: add brpvid support wenxu
@ 2019-06-20 8:01 ` wenxu
From: wenxu @ 2019-06-20 8:01 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
meta brvlan can be used to set the packet vlan tag
nft add rule bridge firewall zones counter meta brvlan set meta brpvid
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
doc/primary-expression.txt | 7 ++++++-
include/linux/netfilter/nf_tables.h | 2 ++
src/meta.c | 3 +++
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index e33ea26..6bcfa5e 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -2,7 +2,7 @@ META EXPRESSIONS
~~~~~~~~~~~~~~~~
[verse]
*meta* {*length* | *nfproto* | *l4proto* | *protocol* | *priority*}
-[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid*}
+[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid* | *brvlan*}
A meta expression refers to meta data associated with a packet.
@@ -119,6 +119,9 @@ Output interface kind|
|brpvid|
bridge port pvid|
integer (16 bit)
+|brvlan|
+set packet vlan tag|
+integer (16 bit)
|====================
.Meta expression specific types
@@ -146,6 +149,8 @@ Packet type: *host* (addressed to local host), *broadcast* (to all),
Interface kind (16 byte string). Does not have to exist.
|brpvid|
Bridge port pvid (16 bit number).
+|brpvlan|
+Set packet vlan tag (16 bit number).
|=============================
.Using meta expressions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 0715b6a..7afac26 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -794,6 +794,7 @@ enum nft_exthdr_attributes {
* @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
* @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
* @NFT_META_BRI_PVID: packet input bridge port pvid
+ * @NFT_META_BRI_VLAN: set vlan tag on packet
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -825,6 +826,7 @@ enum nft_meta_keys {
NFT_META_IIFKIND,
NFT_META_OIFKIND,
NFT_META_BRI_PVID,
+ NFT_META_BRI_VLAN,
};
/**
diff --git a/src/meta.c b/src/meta.c
index cef7b02..63b66dc 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -453,6 +453,9 @@ const struct meta_template meta_templates[] = {
[NFT_META_BRI_PVID] = META_TEMPLATE("brpvid", &integer_type,
2 * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
+ [NFT_META_BRI_VLAN] = META_TEMPLATE("brvlan", &integer_type,
+ 2 * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
};
static bool meta_key_is_unqualified(enum nft_meta_keys key)
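Review bot: The `brvlan` entry does not say whether the 16-bit value is a bare VLAN ID or a full TCI including the priority and DEI bits, and since this key rewrites the tag, that ambiguity decides which VLAN a packet ends up in. A comment on the entry such as `/* 16-bit register; document whether bits 12-15 (PCP/DEI) are honoured or must be zero */` and a matching sentence in the documentation would settle it. The keyword registered here is `"brvlan"`, but the second table in this patch's doc hunk documents it as `|brpvlan|`, which looks like a typo. The documentation and the enum comment both describe the key as set-only, so it would also help to state whether reading `meta brvlan` in a match is supported. The `meta_templates[]` initializer starts outside the hunk.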
--
1.8.3.1