[PATCH nft] meta: introduce meta ibrhwdr support

[PATCH nft] meta: introduce meta ibrhwdr support

[Fernando Fernandez Mancera]

Can be used in bridge prerouting hook to redirect the packet to the
receiving physical device for processing.

table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority 0; policy accept;
                ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr accept
        }
}

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
 include/linux/netfilter/nf_tables.h |  2 ++
 src/meta.c                          |  4 ++++
 tests/py/bridge/meta.t              |  1 +
 tests/py/bridge/pass_up.t           |  6 ++++++
 tests/py/bridge/pass_up.t.json      | 19 +++++++++++++++++++
 tests/py/bridge/pass_up.t.payload   |  4 ++++
 6 files changed, 36 insertions(+)
 create mode 100644 tests/py/bridge/pass_up.t
 create mode 100644 tests/py/bridge/pass_up.t.json
 create mode 100644 tests/py/bridge/pass_up.t.payload

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index f57963e8..34a9b117 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -949,6 +949,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_SDIF: slave device interface index
  * @NFT_META_SDIFNAME: slave device interface name
  * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit
+ * @NFT_META_BRI_IIFHWADDR: packet input bridge interface ethernet address
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -989,6 +990,7 @@ enum nft_meta_keys {
 	NFT_META_SDIFNAME,
 	NFT_META_BRI_BROUTE,
 	__NFT_META_IIFTYPE,
+	NFT_META_BRI_IIFHWADDR,
 };
 
 /**
diff --git a/src/meta.c b/src/meta.c
index 1010209d..9e0d02c6 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -23,6 +23,7 @@
 #include <arpa/inet.h>
 #include <linux/netfilter.h>
 #include <linux/pkt_sched.h>
+#include <linux/if_ether.h>
 #include <linux/if_packet.h>
 #include <time.h>
 
@@ -704,6 +705,9 @@ const struct meta_template meta_templates[] = {
 						BYTEORDER_HOST_ENDIAN),
 	[NFT_META_BRI_BROUTE]	= META_TEMPLATE("broute",   &integer_type,
 						1    , BYTEORDER_HOST_ENDIAN),
+	[NFT_META_BRI_IIFHWADDR] = META_TEMPLATE("ibrhwdr", &etheraddr_type,
+						 ETH_ALEN * BITS_PER_BYTE,
+						 BYTEORDER_BIG_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
index 171aa610..b7744023 100644
--- a/tests/py/bridge/meta.t
+++ b/tests/py/bridge/meta.t
@@ -11,3 +11,4 @@ meta protocol ip udp dport 67;ok
 meta protocol ip6 udp dport 67;ok
 
 meta broute set 1;fail
+meta ibrhwdr;fail
diff --git a/tests/py/bridge/pass_up.t b/tests/py/bridge/pass_up.t
new file mode 100644
index 00000000..97de13f4
--- /dev/null
+++ b/tests/py/bridge/pass_up.t
@@ -0,0 +1,6 @@
+:prerouting;type filter hook prerouting priority 0
+
+*bridge;test-bridge;prerouting
+
+ether daddr set meta ibrhwdr;ok
+meta ibrhwdr set 00:1a:2b:3c:4d:5e;fail
diff --git a/tests/py/bridge/pass_up.t.json b/tests/py/bridge/pass_up.t.json
new file mode 100644
index 00000000..937c0c11
--- /dev/null
+++ b/tests/py/bridge/pass_up.t.json
@@ -0,0 +1,19 @@
+# ether daddr set meta ibrhwdr
+[
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ether"
+                }
+            },
+            "value": {
+                "meta": {
+                    "key": "ibrhwdr"
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/bridge/pass_up.t.payload b/tests/py/bridge/pass_up.t.payload
new file mode 100644
index 00000000..f9826d9c
--- /dev/null
+++ b/tests/py/bridge/pass_up.t.payload
@@ -0,0 +1,4 @@
+# ether daddr set meta ibrhwdr
+bridge test-bridge prerouting
+  [ meta load ibrhwdr => reg 1 ]
+  [ payload write reg 1 => 6b @ link header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ]
-- 
2.51.0

Re: [PATCH nft] meta: introduce meta ibrhwdr support

[Florian Westphal]

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> Can be used in bridge prerouting hook to redirect the packet to the
> receiving physical device for processing.
> 
> table bridge nat {
>         chain PREROUTING {
>                 type filter hook prerouting priority 0; policy accept;
>                 ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr accept
>         }
> }

Pablo, does the above ok to you?
I am not sure about 'ibrhwdr'.

Will there be an 'obrhwdr'?  Or is it for consistency because
its envisioned to be used in incoming direction?

Patch LGTM, I would apply this and the libnftnl dependency.

Re: [PATCH nft] meta: introduce meta ibrhwdr support

[Pablo Neira Ayuso]

Hi Florian,

On Mon, Oct 13, 2025 at 09:47:05PM +0200, Florian Westphal wrote:
> Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> > Can be used in bridge prerouting hook to redirect the packet to the
> > receiving physical device for processing.
> > 
> > table bridge nat {
> >         chain PREROUTING {
> >                 type filter hook prerouting priority 0; policy accept;
> >                 ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr accept
> >         }
> > }
> 
> Pablo, does the above ok to you?
> I am not sure about 'ibrhwdr'.

I'd suggest: ibrhwaddr, for consistency with other existing ibr
selectors and anything that relates to address uses the suffix 'addr'.

> Will there be an 'obrhwdr'?

No usecase for this so far.

> Or is it for consistency because its envisioned to be used in
> incoming direction?

Using the input device where this frame came from, which is a bridge
port, fetch the address of the upper bridge device on top of it.

It is a bit unix-like looking acronym, arguably not so intuitive, but
I don't have a better idea.

> Patch LGTM, I would apply this and the libnftnl dependency.

Re: [PATCH nft] meta: introduce meta ibrhwdr support

[Fernando Fernandez Mancera]

On 10/13/25 10:39 PM, Pablo Neira Ayuso wrote:
> Hi Florian,
> 
> On Mon, Oct 13, 2025 at 09:47:05PM +0200, Florian Westphal wrote:
>> Fernando Fernandez Mancera <fmancera@suse.de> wrote:
>>> Can be used in bridge prerouting hook to redirect the packet to the
>>> receiving physical device for processing.
>>>
>>> table bridge nat {
>>>          chain PREROUTING {
>>>                  type filter hook prerouting priority 0; policy accept;
>>>                  ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr accept
>>>          }
>>> }
>>
>> Pablo, does the above ok to you?
>> I am not sure about 'ibrhwdr'.
> 
> I'd suggest: ibrhwaddr, for consistency with other existing ibr
> selectors and anything that relates to address uses the suffix 'addr'.
> 

Fine for me! If it looks good to you Florian I can send a v2 quickly and 
also adjust the test.

>> Will there be an 'obrhwdr'?
> 
> No usecase for this so far.
> 
>> Or is it for consistency because its envisioned to be used in
>> incoming direction?
> 
> Using the input device where this frame came from, which is a bridge
> port, fetch the address of the upper bridge device on top of it.
> 
> It is a bit unix-like looking acronym, arguably not so intuitive, but
> I don't have a better idea.
> 
>> Patch LGTM, I would apply this and the libnftnl dependency.
> 

Re: [PATCH nft] meta: introduce meta ibrhwdr support

[Florian Westphal]

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> Fine for me! If it looks good to you Florian I can send a v2 quickly and 
> also adjust the test.

Sure, sounds good, thanks Fernando!