
netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support

Expose the input bridge interface ethernet address so it can be used to
redirect the packet to the receiving physical device for processing.

Tested with nft command line tool.

table bridge nat {
chain PREROUTING {
type filter hook prerouting priority 0; policy accept;
ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr accept
}
}

Joint work with Pablo Neira.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>

authored by

Fernando Fernandez Mancera and committed by
Florian Westphal
cbd2257d ba941796

+13
+2
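--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -959,6 +959,7 @@
  * @NFT_META_SDIF: slave device interface index
  * @NFT_META_SDIFNAME: slave device interface name
  * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit
+ * @NFT_META_BRI_IIFHWADDR: packet input bridge interface ethernet address
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -1000,6 +999,7 @@
 	NFT_META_SDIFNAME,
 	NFT_META_BRI_BROUTE,
 	__NFT_META_IIFTYPE,
+	NFT_META_BRI_IIFHWADDR,
 };
 
 /**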
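Review bot: The kerneldoc line added for NFT_META_BRI_IIFHWADDR says what the key yields but not where it is accepted, and this is the uapi header userspace reads; the companion change in nft_meta_bridge.c only allows the key on the bridge prerouting hook, so the comment should carry that restriction, e.g. ` * @NFT_META_BRI_IIFHWADDR: packet input bridge interface ethernet address (bridge family, prerouting hook only)`. The new enumerator is appended after `__NFT_META_IIFTYPE` and directly before the closing `};`, so existing values keep their numbers, which is what a uapi enum addition needs.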
+11
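--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -59,6 +59,13 @@
 		nft_reg_store_be16(dest, htons(p_proto));
 		return;
 	}
+	case NFT_META_BRI_IIFHWADDR:
+		br_dev = nft_meta_get_bridge(in);
+		if (!br_dev)
+			goto err;
+
+		memcpy(dest, br_dev->dev_addr, ETH_ALEN);
+		return;
 	default:
 		return nft_meta_get_eval(expr, regs, pkt);
 	}
@@ -92,6 +85,9 @@
 	case NFT_META_BRI_IIFPVID:
 	case NFT_META_BRI_IIFVPROTO:
 		len = sizeof(u16);
+		break;
+	case NFT_META_BRI_IIFHWADDR:
+		len = ETH_ALEN;
 		break;
 	default:
 		return nft_meta_get_init(ctx, expr, tb);
@@ -185,6 +175,7 @@
 
 	switch (priv->key) {
 	case NFT_META_BRI_BROUTE:
+	case NFT_META_BRI_IIFHWADDR:
 		hooks = 1 << NF_BR_PRE_ROUTING;
 		break;
 	default: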
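Review bot: The validate hunk restricts NFT_META_BRI_IIFHWADDR to NF_BR_PRE_ROUTING next to NFT_META_BRI_BROUTE, while the other input-side keys this file handles (NFT_META_BRI_IIFPVID and NFT_META_BRI_IIFVPROTO, visible in the init hunk) fall through to the `default:` branch of that switch, and nothing at the new case says why the input bridge's address is only usable there; a one-line comment such as `/* only meaningful before the bridge forwarding decision (daddr rewrite use case) */` would spare the next reader a trip through git history — presumably the rationale is the redirect scenario in the commit message, so confirm the wording against the real intent. In the eval hunk the new case fills the destination with `memcpy(dest, br_dev->dev_addr, ETH_ALEN)` rather than an `nft_reg_store*` helper; since ETH_ALEN is not a multiple of the u32 register size the last two bytes of the second register keep their previous contents, which is fine as long as the init path reserves registers from `len`, but a short comment noting that the value is compared by length would make the intent explicit. All three enclosing functions start and end outside the hunks, so the `err` label the new case jumps to and the register reservation that consumes `len` are not visible here.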