leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f6d0cbcf09
linux/net
History
Florian Westphal f6d0cbcf09 netfilter: nf_tables: add fib expression 
Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
just dispatches to ipv4 or ipv6 one based on nfproto).

Currently supports fetching output interface index/name and the
rtm_type associated with an address.

This can be used for adding path filtering. rtm_type is useful
to e.g. enforce a strong-end host model where packets
are only accepted if daddr is configured on the interface the
packet arrived on.

The fib expression is a native nftables alternative to the
xtables addrtype and rp_filter matches.

FIB result order for oif/oifname retrieval is as follows:
 - if packet is local (skb has rtable, RTF_LOCAL set, this
   will also catch looped-back multicast packets), set oif to
   the loopback interface.
 - if fib lookup returns an error, or result points to local,
   store zero result.  This means '--local' option of -m rpfilter
   is not supported. It is possible to use 'fib type local' or add
   explicit saddr/daddr matching rules to create exceptions if this
   is really needed.
 - store result in the destination register.
   In case of multiple routes, search set for desired oif in case
   strict matching is requested.

ipv4 and ipv6 behave fib expressions are supposed to behave the same.

[ I have collapsed Arnd Bergmann's ("netfilter: nf_tables: fib warnings")

	http://patchwork.ozlabs.org/patch/688615/

  to address fallout from this patch after rebasing nf-next, that was
  posted to address compilation warnings. --pablo ]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-11-01 20:50:14 +01:00
..
6lowpan 6lowpan: ndisc: no overreact if no short address is available 2016-09-19 20:19:34 +02:00
9p IB/core: add support to create a unsafe global rkey to ib_create_pd 2016-09-23 13:47:44 -04:00
802 net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
8021q net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
appletalk
atm net: remove MTU limits on a few ether_setup callers 2016-10-21 13:57:50 -04:00
ax25
batman-adv net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
bluetooth net: remove MTU limits on a few ether_setup callers 2016-10-21 13:57:50 -04:00
bridge net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
caif
can
ceph crush: remove redundant local variable 2016-10-05 23:02:10 +02:00
core net: allow to kill a task which waits net_mutex in copy_new_ns 2016-10-23 17:33:39 -04:00
dcb
dccp
decnet
dns_resolver
dsa net: remove MTU limits on a few ether_setup callers 2016-10-21 13:57:50 -04:00
ethernet net: deprecate eth_change_mtu, remove usage 2016-10-13 09:36:57 -04:00
hsr net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
ieee802154
ipv4 netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
ipv6 netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
ipx
irda net: remove MTU limits on a few ether_setup callers 2016-10-21 13:57:50 -04:00
iucv Subject: [PATCH] af_iucv: drop skbs rejected by filter 2016-10-12 01:56:04 -04:00
kcm Merge branch 'work.splice_read' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-07 15:36:58 -07:00
key
l2tp net: remove MTU limits on a few ether_setup callers 2016-10-21 13:57:50 -04:00
l3mdev
lapb
llc llc: switch type to bool as the timeout is only tested versus 0 2016-09-17 10:05:05 -04:00
mac80211 net: use core MTU range checking in wireless drivers 2016-10-20 14:51:08 -04:00
mac802154 mac802154: use rate limited warnings for malformed frames 2016-09-19 20:19:34 +02:00
mpls lwt: Remove unused len field 2016-10-23 17:45:01 -04:00
ncsi net/ncsi: Introduce ncsi_stop_dev() 2016-10-04 02:11:51 -04:00
netfilter netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
netlabel
netlink netlink: do not enter direct reclaim from netlink_dump() 2016-10-06 20:53:13 -04:00
netrom
nfc
openvswitch net: use core MTU range checking in core net infra 2016-10-20 14:51:09 -04:00
packet packet: call fanout_release, while UNREGISTERING a netdev 2016-10-06 20:50:18 -04:00
phonet net: use core MTU range checking in misc drivers 2016-10-20 14:51:10 -04:00
qrtr
rds rds: Remove duplicate prefix from rds_conn_path_error use 2016-10-17 11:07:22 -04:00
rfkill
rose
rxrpc rxrpc: Don't request an ACK on the last DATA packet of a call's Tx phase 2016-10-06 08:11:51 +01:00
sched net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames 2016-10-23 17:31:25 -04:00
sctp sctp: remove the old ttl expires policy 2016-10-13 09:44:14 -04:00
strparser strparser: Propagate correct error code in strp_recv() 2016-10-12 01:51:49 -04:00
sunrpc udp: use it's own memory accounting schema 2016-10-22 17:05:05 -04:00
switchdev switchdev: remove FIB offload infrastructure 2016-09-28 04:48:00 -04:00
tipc tipc: info leak in __tipc_nl_add_udp_addr() 2016-10-13 12:10:01 -04:00
unix skb_splice_bits(): get rid of callback 2016-10-03 20:40:56 -04:00
vmw_vsock VSOCK: Don't dec ack backlog twice for rejected connections 2016-09-27 07:59:25 -04:00
wimax
wireless Merge remote-tracking branch 'net-next/master' into mac80211-next 2016-10-04 09:46:44 +02:00
x25
xfrm proc: Reduce cache miss in xfrm_statistics_seq_show 2016-09-30 01:50:45 -04:00
compat.c
Kconfig
Makefile
socket.c vfs: Remove {get,set,remove}xattr inode operations 2016-10-07 21:48:36 -04:00
sysctl_net.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2016-10-06 09:52:23 -07:00