linux/net/netfilter
Florian Westphal f6d0cbcf09 netfilter: nf_tables: add fib expression
Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
just dispatches to ipv4 or ipv6 one based on nfproto).

Currently supports fetching output interface index/name and the
rtm_type associated with an address.

This can be used for adding path filtering. rtm_type is useful
to e.g. enforce a strong-end host model where packets
are only accepted if daddr is configured on the interface the
packet arrived on.

The fib expression is a native nftables alternative to the
xtables addrtype and rp_filter matches.

FIB result order for oif/oifname retrieval is as follows:
 - if packet is local (skb has rtable, RTF_LOCAL set, this
   will also catch looped-back multicast packets), set oif to
   the loopback interface.
 - if fib lookup returns an error, or result points to local,
   store zero result.  This means '--local' option of -m rpfilter
   is not supported. It is possible to use 'fib type local' or add
   explicit saddr/daddr matching rules to create exceptions if this
   is really needed.
 - store result in the destination register.
   In case of multiple routes, search set for desired oif in case
   strict matching is requested.

ipv4 and ipv6 behave fib expressions are supposed to behave the same.

[ I have collapsed Arnd Bergmann's ("netfilter: nf_tables: fib warnings")

	http://patchwork.ozlabs.org/patch/688615/

  to address fallout from this patch after rebasing nf-next, that was
  posted to address compilation warnings. --pablo ]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-11-01 20:50:14 +01:00
..
ipset netfilter: ipset: fix race condition in ipset save, swap and delete 2016-03-28 17:57:45 +02:00
ipvs ipvs: use nf_ct_kill helper 2016-08-12 00:43:52 +02:00
core.c netfilter: Fix slab corruption. 2016-10-11 04:44:37 -04:00
Kconfig netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
Makefile netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
nf_conntrack_acct.c netfilter: Remove uses of seq_<foo> return values 2015-03-18 10:51:35 +01:00
nf_conntrack_amanda.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
nf_conntrack_broadcast.c
nf_conntrack_core.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-09-25 23:34:19 +02:00
nf_conntrack_ecache.c netfilter: don't rely on DYING bit to detect when destroy event was sent 2016-08-30 11:43:08 +02:00
nf_conntrack_expect.c netfilter: nf_ct_expect: remove the redundant slash when policy name is empty 2016-08-09 10:38:46 +02:00
nf_conntrack_extend.c netfilter: move nat hlist_head to nf_conn 2016-07-11 11:47:50 +02:00
nf_conntrack_ftp.c netfilter: ftp: Remove the useless code 2016-09-07 10:38:00 +02:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931 2016-07-11 12:32:45 +02:00
nf_conntrack_h323_main.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
nf_conntrack_irc.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_l3proto_generic.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_labels.c netfilter: connlabels: move set helper to xt_connlabel 2016-07-22 17:05:10 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: conntrack: remove packet hotpath stats 2016-09-12 19:59:39 +02:00
nf_conntrack_pptp.c netfilter: conntrack: get rid of conntrack timer 2016-08-30 11:43:09 +02:00
nf_conntrack_proto_dccp.c netfilter: conntrack: Only need first 4 bytes to get l4proto ports 2016-08-12 00:41:08 +02:00
nf_conntrack_proto_generic.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_gre.c netfilter: gre: Use consistent GRE and PTTP header structure instead of the ones defined by netfilter 2016-09-07 10:36:52 +02:00
nf_conntrack_proto_sctp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_tcp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_udp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_udplite.c netfilter: conntrack: Only need first 4 bytes to get l4proto ports 2016-08-12 00:41:08 +02:00
nf_conntrack_proto.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_sane.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_seqadj.c netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack 2016-09-25 14:54:01 +02:00
nf_conntrack_sip.c netfilter: nf_ct_sip: allow tab character in SIP headers 2016-09-07 13:53:43 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: evict stale entries when user reads /proc/net/nf_conntrack 2016-09-25 14:54:08 +02:00
nf_conntrack_tftp.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_timeout.c netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
nf_conntrack_timestamp.c
nf_dup_netdev.c net: remove skb_sender_cpu_clear() 2016-03-01 17:36:47 -05:00
nf_internals.h netfilter: replace list_head with single linked list 2016-09-25 14:38:48 +02:00
nf_log_common.c netfilter: nf_log: get rid of XT_LOG_* macros 2016-09-25 23:16:45 +02:00
nf_log.c netfilter: fix namespace handling in nf_log_proc_dostring 2016-10-04 08:41:06 +02:00
nf_nat_amanda.c
nf_nat_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-09-23 06:46:57 -04:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_proto_common.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_dccp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_sctp.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_tcp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udplite.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_unknown.c
nf_nat_redirect.c netfilter: nf_nat_redirect: add missing NULL pointer check 2015-10-27 06:54:56 +01:00
nf_nat_sip.c netfilter: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
nf_nat_tftp.c
nf_queue.c netfilter: replace list_head with single linked list 2016-09-25 14:38:48 +02:00
nf_sockopt.c netfilter: don't use mutex_lock_interruptible() 2014-08-08 16:47:23 +02:00
nf_synproxy_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2015-09-05 21:57:42 -07:00
nf_tables_api.c netfilter: nf_tables: validate maximum value of u32 netlink attributes 2016-09-23 09:29:02 +02:00
nf_tables_core.c netfilter: nf_tables: allow expressions to return STOLEN 2016-10-26 16:35:15 +02:00
nf_tables_inet.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nf_tables_netdev.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nf_tables_trace.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-09-25 23:34:19 +02:00
nfnetlink_acct.c netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects 2016-08-25 13:11:00 +02:00
nfnetlink_cthelper.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
nfnetlink_cttimeout.c netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists 2016-08-25 13:11:30 +02:00
nfnetlink_log.c netfilter: nfnetlink_log: Use GFP_NOWARN for skb allocation 2016-10-26 16:35:15 +02:00
nfnetlink_queue.c netfilter: replace list_head with single linked list 2016-09-25 14:38:48 +02:00
nfnetlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
nft_bitwise.c netfilter: nf_tables: validate maximum value of u32 netlink attributes 2016-09-23 09:29:02 +02:00
nft_byteorder.c netfilter: nf_tables: validate maximum value of u32 netlink attributes 2016-09-23 09:29:02 +02:00
nft_cmp.c netfilter: nf_tables: validate maximum value of u32 netlink attributes 2016-09-23 09:29:02 +02:00
nft_compat.c netfilter: nft_compat: fix crash when related match/target module is removed 2016-07-23 12:25:00 +02:00
nft_counter.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nft_ct.c netfilter: nft_ct: add notrack support 2016-10-26 16:35:16 +02:00
nft_dup_netdev.c netfilter: nf_tables: add packet duplication to the netdev family 2016-01-03 21:04:23 +01:00
nft_dynset.c netfilter: nft_dynset: allow to invert match criteria 2016-09-12 18:49:50 +02:00
nft_exthdr.c netfilter: nf_tables: validate maximum value of u32 netlink attributes 2016-09-23 09:29:02 +02:00
nft_fib_inet.c netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
nft_fib.c netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
nft_fwd_netdev.c netfilter: nf_tables: add forward expression to the netdev family 2016-01-04 17:48:38 +01:00
nft_hash.c netfilter: nft_hash: fix hash overflow validation 2016-09-13 10:49:23 +02:00
nft_immediate.c netfilter: nf_tables: validate maximum value of u32 netlink attributes 2016-09-23 09:29:02 +02:00
nft_limit.c netfilter: nft_limit: fix divided by zero panic 2016-10-04 08:59:03 +02:00
nft_log.c netfilter: nft_log: complete NFTA_LOG_FLAGS attr support 2016-09-25 23:16:43 +02:00
nft_lookup.c netfilter: nft_lookup: remove superfluous element found check 2016-09-23 09:30:48 +02:00
nft_masq.c netfilter: nft_masq: support port range 2016-03-02 20:05:27 +01:00
nft_meta.c netfilter: nft_meta: permit pkttype mangling in ip/ip6 prerouting 2016-10-26 16:35:16 +02:00
nft_nat.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_numgen.c netfilter: nft_numgen: start round robin from zero 2016-10-26 16:35:16 +02:00
nft_payload.c netfilter: nf_tables: check tprot_set first when we use xt.thoff 2016-09-23 09:30:26 +02:00
nft_queue.c netfilter: nft_queue: add _SREG_QNUM attr to select the queue number 2016-09-23 09:29:50 +02:00
nft_quota.c netfilter: nft_quota: introduce nft_overquota() 2016-09-07 11:02:06 +02:00
nft_range.c netfilter: nf_tables: add range expression 2016-09-25 23:16:42 +02:00
nft_redir.c netfilter: nf_tables: add register parsing/dumping helpers 2015-04-13 17:17:28 +02:00
nft_reject_inet.c netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 2016-08-25 12:55:34 +02:00
nft_reject.c netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 2016-08-25 12:55:34 +02:00
nft_set_hash.c netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion 2016-08-26 17:30:20 +02:00
nft_set_rbtree.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2016-09-06 12:45:26 -07:00
x_tables.c netfilter: x_tables: speed up jump target validation 2016-07-18 21:35:23 +02:00
xt_addrtype.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_AUDIT.c
xt_bpf.c net: filter: split 'struct sk_filter' into socket and bpf parts 2014-08-02 15:03:58 -07:00
xt_cgroup.c netfilter: implement xt_cgroup cgroup2 path match 2015-12-14 20:34:55 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_comment.c
xt_connbytes.c netfilter: Convert pr_warning to pr_warn 2014-09-10 12:40:10 -07:00
xt_connlabel.c netfilter: connlabels: move set helper to xt_connlabel 2016-07-22 17:05:10 +02:00
xt_connlimit.c netfilter: Enhance the codes used to get random once 2016-09-23 09:30:36 +02:00
xt_connmark.c
xt_CONNSECMARK.c
xt_conntrack.c netfilter: use_nf_conn_expires helper in more places 2016-08-12 00:43:13 +02:00
xt_cpu.c
xt_CT.c netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c netfilter: fix various sparse warnings 2014-11-13 12:14:42 +01:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit: Fix link error in 32bit arch because of 64bit division 2016-09-30 20:15:27 +02:00
xt_helper.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
xt_hl.c
xt_HL.c
xt_HMARK.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_IDLETIMER.c netfilter: IDLETIMER: fix race condition when destroy the target 2016-04-29 14:28:48 +02:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c ipvs: Pass ipvs into conn_out_get 2015-09-24 09:34:41 +09:00
xt_l2tp.c
xt_LED.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-08-05 18:46:26 -07:00
xt_length.c
xt_limit.c
xt_LOG.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_mac.c
xt_mark.c netfilter: xt_MARK: Add ARP support 2015-05-14 13:00:27 +02:00
xt_multiport.c netfilter: xt_multiport: Use switch case instead of multiple condition checks 2016-10-26 16:35:15 +02:00
xt_nat.c
xt_NETMAP.c
xt_nfacct.c netfilter: nfnetlink_acct: report overquota to the right netns 2016-08-18 00:38:23 +02:00
xt_NFLOG.c netfilter: xt_NFLOG: nflog-range does not truncate packets 2016-06-24 11:03:23 +02:00
xt_NFQUEUE.c
xt_osf.c netfilter: xt_osf: remove unused variable 2016-02-29 13:59:43 +01:00
xt_owner.c netfilter: Allow xt_owner in any user namespace 2016-06-23 13:58:55 +02:00
xt_physdev.c netfilter: physdev: add missed blank 2016-08-12 00:42:14 +02:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c netfilter: Enhance the codes used to get random once 2016-09-23 09:30:36 +02:00
xt_realm.c
xt_recent.c netfilter: Enhance the codes used to get random once 2016-09-23 09:30:36 +02:00
xt_REDIRECT.c netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
xt_repldata.h
xt_sctp.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
xt_SECMARK.c
xt_set.c netfilter: ipset: Fix coding styles reported by checkpatch.pl 2015-06-14 10:40:18 +02:00
xt_socket.c tcp/dccp: do not touch listener sk_refcnt under synflood 2016-04-04 22:11:20 -04:00
xt_state.c
xt_statistic.c
xt_string.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
xt_tcpmss.c
xt_TCPMSS.c netfilter: xt_TCPMSS: Refactor the codes to decrease one condition check and more readable 2016-09-24 21:13:21 +02:00
xt_TCPOPTSTRIP.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
xt_tcpudp.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
xt_TEE.c netfilter: Add the missed return value check of register_netdevice_notifier 2016-09-12 19:54:43 +02:00
xt_time.c
xt_TPROXY.c netfilter: tproxy: properly refcount tcp listeners 2016-08-18 00:51:13 +02:00
xt_TRACE.c netfilter: xt_TRACE: add explicitly nf_logger_find_get call 2016-06-23 13:26:49 +02:00
xt_u32.c