• F
    netfilter: nf_tables: add fib expression · f6d0cbcf
    Florian Westphal 提交于
    Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
    just dispatches to ipv4 or ipv6 one based on nfproto).
    
    Currently supports fetching output interface index/name and the
    rtm_type associated with an address.
    
    This can be used for adding path filtering. rtm_type is useful
    to e.g. enforce a strong-end host model where packets
    are only accepted if daddr is configured on the interface the
    packet arrived on.
    
    The fib expression is a native nftables alternative to the
    xtables addrtype and rp_filter matches.
    
    FIB result order for oif/oifname retrieval is as follows:
     - if packet is local (skb has rtable, RTF_LOCAL set, this
       will also catch looped-back multicast packets), set oif to
       the loopback interface.
     - if fib lookup returns an error, or result points to local,
       store zero result.  This means '--local' option of -m rpfilter
       is not supported. It is possible to use 'fib type local' or add
       explicit saddr/daddr matching rules to create exceptions if this
       is really needed.
     - store result in the destination register.
       In case of multiple routes, search set for desired oif in case
       strict matching is requested.
    
    ipv4 and ipv6 behave fib expressions are supposed to behave the same.
    
    [ I have collapsed Arnd Bergmann's ("netfilter: nf_tables: fib warnings")
    
    	http://patchwork.ozlabs.org/patch/688615/
    
      to address fallout from this patch after rebasing nf-next, that was
      posted to address compilation warnings. --pablo ]
    Signed-off-by: NFlorian Westphal <fw@strlen.de>
    Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
    f6d0cbcf
Kconfig 48.9 KB