netfilter: nf_tables: add support for native socket matching

Now it can only match the transparent flag of an ip/ipv6 socket. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Máté Eckl <ecklm94@gmail.com> 2018-05-28 03:15:33 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-06-01 03:46:15 -0400
commit: 554ced0a6e2946562c20d9fffdbaf2aa7da36b1b (patch)
tree: 183337776f85d8e10d2a23b7ddc49a59cc0502c7 /include/uapi/linux
parent: 7849958b51aa392e3592b6b8181db0baad979b0b (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 9c71f024f9cc..3d46c82a5ebd 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -905,6 +905,31 @@ enum nft_rt_attributes {
 #define NFTA_RT_MAX             (__NFTA_RT_MAX - 1)
 /**
+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes
+ *
+ * @NFTA_SOCKET_KEY: socket key to match
+ * @NFTA_SOCKET_DREG: destination register
+ */
+enum nft_socket_attributes {
+        NFTA_SOCKET_UNSPEC,
+        NFTA_SOCKET_KEY,
+        NFTA_SOCKET_DREG,
+        __NFTA_SOCKET_MAX
+};
+#define NFTA_SOCKET_MAX         (__NFTA_SOCKET_MAX - 1)
+/*
+ * enum nft_socket_keys - nf_tables socket expression keys
+ *
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ */
+enum nft_socket_keys {
+        NFT_SOCKET_TRANSPARENT,
+        __NFT_SOCKET_MAX
+};
+#define NFT_SOCKET_MAX  (__NFT_SOCKET_MAX - 1)
+/**
 * enum nft_ct_keys - nf_tables ct expression keys
 *
 * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)
author	Máté Eckl <ecklm94@gmail.com>	2018-05-28 03:15:33 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-06-01 03:46:15 -0400
commit	554ced0a6e2946562c20d9fffdbaf2aa7da36b1b (patch)
tree	183337776f85d8e10d2a23b7ddc49a59cc0502c7 /include/uapi/linux
parent	7849958b51aa392e3592b6b8181db0baad979b0b (diff)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 9c71f024f9cc..3d46c82a5ebd 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -905,6 +905,31 @@ enum nft_rt_attributes {
905	#define NFTA_RT_MAX (__NFTA_RT_MAX - 1)	905	#define NFTA_RT_MAX (__NFTA_RT_MAX - 1)
906		906
907	/**	907	/**
		908	* enum nft_socket_attributes - nf_tables socket expression netlink attributes
		909	*
		910	* @NFTA_SOCKET_KEY: socket key to match
		911	* @NFTA_SOCKET_DREG: destination register
		912	*/
		913	enum nft_socket_attributes {
		914	NFTA_SOCKET_UNSPEC,
		915	NFTA_SOCKET_KEY,
		916	NFTA_SOCKET_DREG,
		917	__NFTA_SOCKET_MAX
		918	};
		919	#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1)
		920
		921	/*
		922	* enum nft_socket_keys - nf_tables socket expression keys
		923	*
		924	* @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
		925	*/
		926	enum nft_socket_keys {
		927	NFT_SOCKET_TRANSPARENT,
		928	__NFT_SOCKET_MAX
		929	};
		930	#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
		931
		932	/**
908	* enum nft_ct_keys - nf_tables ct expression keys	933	* enum nft_ct_keys - nf_tables ct expression keys
909	*	934	*
910	* @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)	935	* @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info)