netfilter: nft_meta: add inner match support

Add support for inner meta matching on: - NFT_META_PROTOCOL: to match on the ethertype, this can be used regardless tunnel protocol provides no link layer header, in that case nft_inner sets on the ethertype based on the IP header version field. - NFT_META_L4PROTO: to match on the layer 4 protocol. These meta expression are usually autogenerated as dependencies by userspace nftables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2022-10-17 13:03:33 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2022-10-25 13:48:42 +0200
commit: a150d122b6bdb84df532057aa3b2faf8c6485792 (patch)
tree: 35293ab12ec1addca9159e2e30dbded64aafaa03 /include/net/netfilter
parent: 0e795b37ba044893107f887b037594645a6fc584 (diff)
download: linux-a150d122b6bdb84df532057aa3b2faf8c6485792.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h
index 9b51cc67de54..f3a5285a511c 100644
--- a/include/net/netfilter/nft_meta.h
+++ b/include/net/netfilter/nft_meta.h
@@ -46,4 +46,10 @@ int nft_meta_set_validate(const struct nft_ctx *ctx,
 
 bool nft_meta_get_reduce(struct nft_regs_track *track,
 			 const struct nft_expr *expr);
+
+struct nft_inner_tun_ctx;
+void nft_meta_inner_eval(const struct nft_expr *expr,
+			 struct nft_regs *regs, const struct nft_pktinfo *pkt,
+			 struct nft_inner_tun_ctx *tun_ctx);
+
 #endif
author	Pablo Neira Ayuso <pablo@netfilter.org>	2022-10-17 13:03:33 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2022-10-25 13:48:42 +0200
commit	a150d122b6bdb84df532057aa3b2faf8c6485792 (patch)
tree	35293ab12ec1addca9159e2e30dbded64aafaa03 /include/net/netfilter
parent	0e795b37ba044893107f887b037594645a6fc584 (diff)
download	linux-a150d122b6bdb84df532057aa3b2faf8c6485792.tar.bz2