git.proxmox.com Git - mirror_iproute2.git/commit

author	Eyal Birger <eyal.birger@gmail.com>
	Fri, 23 Feb 2018 11:12:25 +0000 (13:12 +0200)
committer	David Ahern <dsahern@gmail.com>
	Tue, 27 Feb 2018 17:43:16 +0000 (09:43 -0800)
commit	dd29621578d29881d42018a4fd9dad364e66baf3
tree	2c96dff6d0e45d73354d6e98c35b1a65939897a1	tree
parent	526862038e92afaed4378e64b3a7f2b501ffbf2f	commit \| diff

tc: add em_ipt ematch for calling xtables matches from tc matching context

The commit calls a new tc ematch for using netfilter xtable matches.

This allows early classification as well as mirroning/redirecting traffic
based on logic implemented in netfilter extensions.

Current supported use case is classification based on the incoming IPSec
state used during decpsulation using the 'policy' iptables extension
(xt_policy).

The matcher uses libxtables for parsing the input parameters.

Example use for matching an IPSec state with reqid 1:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 protocol ip parent ffff: \
basic match 'ipt(-m policy --dir in --pol ipsec --reqid 1)' \
action drop

This is the user-space counter part of kernel commit ccc007e4a746
("net: sched: add em_ipt ematch for calling xtables matches")

Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: David Ahern <dsahern@gmail.com>

etc/iproute2/ematch_map		diff \| blob \| blame \| history
man/man8/tc-ematch.8		diff \| blob \| blame \| history
tc/Makefile		diff \| blob \| blame \| history
tc/em_ipt.c	[new file with mode: 0644]	blob