netfilter: nf_tables: add nfproto support to meta expression

Needed by multi-family tables to distinguish IPv4 and IPv6 packets.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index aa86a15293e10692b7a04c34990600fbfdbba44d..10afbfc0e66ad8ab230fdf90b4648accbccff03f 100644 (file)
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -531,6 +531,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_NFTRACE: packet nftrace bit
  * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
  * @NFT_META_SECMARK: packet secmark (skb->secmark)
+ * @NFT_META_NFPROTO: netfilter protocol
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -548,6 +549,7 @@ enum nft_meta_keys {
        NFT_META_NFTRACE,
        NFT_META_RTCLASSID,
        NFT_META_SECMARK,
+       NFT_META_NFPROTO,
 };
 
 /**

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 1ceaaa6dfe722406d9cac8a73a3a46566e11a8ea..999d04688433540541e22b6706c2ce39effb1a1c 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -43,6 +43,9 @@ static void nft_meta_get_eval(const struct nft_expr *expr,
        case NFT_META_PROTOCOL:
                *(__be16 *)dest->data = skb->protocol;
                break;
+       case NFT_META_NFPROTO:
+               dest->data[0] = pkt->ops->pf;
+               break;
        case NFT_META_PRIORITY:
                dest->data[0] = skb->priority;
                break;
@@ -181,6 +184,7 @@ static int nft_meta_init_validate_get(uint32_t key)
        switch (key) {
        case NFT_META_LEN:
        case NFT_META_PROTOCOL:
+       case NFT_META_NFPROTO:
        case NFT_META_PRIORITY:
        case NFT_META_MARK:
        case NFT_META_IIF: