netfilter: nf_tables: add tunnel support

This patch implements the tunnel object type that can be used to configure tunnels via metadata template through the existing lightweight API from the ingress path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2018-08-02 14:51:39 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-08-03 15:12:12 -0400
commit: af308b94a2a4a5a27bec9028354c4df444a7c8ba (patch)
tree: 2d3082f03ade1bdeec8e276266816128bf27d39d /include/uapi/linux
parent: 033eab53fff7acc0f5718dee6fda641734b94416 (diff)
1 files changed, 68 insertions, 1 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index f112ea52dc1a..3ee1198eeac1 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1416,7 +1416,8 @@ enum nft_ct_helper_attributes {
 #define NFT_OBJECT_CT_HELPER    3
 #define NFT_OBJECT_LIMIT        4
 #define NFT_OBJECT_CONNLIMIT    5
-#define __NFT_OBJECT_MAX        6
+#define NFT_OBJECT_TUNNEL       6
+#define __NFT_OBJECT_MAX        7
 #define NFT_OBJECT_MAX          (__NFT_OBJECT_MAX - 1)
 /**
@@ -1580,4 +1581,70 @@ enum nft_ng_types {
 };
 #define NFT_NG_MAX      (__NFT_NG_MAX - 1)
+enum nft_tunnel_key_ip_attributes {
+        NFTA_TUNNEL_KEY_IP_UNSPEC,
+        NFTA_TUNNEL_KEY_IP_SRC,
+        NFTA_TUNNEL_KEY_IP_DST,
+        __NFTA_TUNNEL_KEY_IP_MAX
+};
+#define NFTA_TUNNEL_KEY_IP_MAX  (__NFTA_TUNNEL_KEY_IP_MAX - 1)
+enum nft_tunnel_ip6_attributes {
+        NFTA_TUNNEL_KEY_IP6_UNSPEC,
+        NFTA_TUNNEL_KEY_IP6_SRC,
+        NFTA_TUNNEL_KEY_IP6_DST,
+        NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
+        __NFTA_TUNNEL_KEY_IP6_MAX
+};
+#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1)
+enum nft_tunnel_opts_attributes {
+        NFTA_TUNNEL_KEY_OPTS_UNSPEC,
+        NFTA_TUNNEL_KEY_OPTS_VXLAN,
+        NFTA_TUNNEL_KEY_OPTS_ERSPAN,
+        __NFTA_TUNNEL_KEY_OPTS_MAX
+};
+#define NFTA_TUNNEL_KEY_OPTS_MAX        (__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
+enum nft_tunnel_opts_vxlan_attributes {
+        NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
+        NFTA_TUNNEL_KEY_VXLAN_GBP,
+        __NFTA_TUNNEL_KEY_VXLAN_MAX
+};
+#define NFTA_TUNNEL_KEY_VXLAN_MAX       (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
+enum nft_tunnel_opts_erspan_attributes {
+        NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
+        NFTA_TUNNEL_KEY_ERSPAN_VERSION,
+        NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
+        NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
+        NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
+        __NFTA_TUNNEL_KEY_ERSPAN_MAX
+};
+#define NFTA_TUNNEL_KEY_ERSPAN_MAX      (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
+enum nft_tunnel_flags {
+        NFT_TUNNEL_F_ZERO_CSUM_TX       = (1 << 0),
+        NFT_TUNNEL_F_DONT_FRAGMENT      = (1 << 1),
+        NFT_TUNNEL_F_SEQ_NUMBER         = (1 << 2),
+};
+#define NFT_TUNNEL_F_MASK       (NFT_TUNNEL_F_ZERO_CSUM_TX | \
+                                 NFT_TUNNEL_F_DONT_FRAGMENT | \
+                                 NFT_TUNNEL_F_SEQ_NUMBER)
+enum nft_tunnel_key_attributes {
+        NFTA_TUNNEL_KEY_UNSPEC,
+        NFTA_TUNNEL_KEY_ID,
+        NFTA_TUNNEL_KEY_IP,
+        NFTA_TUNNEL_KEY_IP6,
+        NFTA_TUNNEL_KEY_FLAGS,
+        NFTA_TUNNEL_KEY_TOS,
+        NFTA_TUNNEL_KEY_TTL,
+        NFTA_TUNNEL_KEY_SPORT,
+        NFTA_TUNNEL_KEY_DPORT,
+        NFTA_TUNNEL_KEY_OPTS,
+        __NFTA_TUNNEL_KEY_MAX
+};
+#define NFTA_TUNNEL_KEY_MAX     (__NFTA_TUNNEL_KEY_MAX - 1)
 #endif /* _LINUX_NF_TABLES_H */
author	Pablo Neira Ayuso <pablo@netfilter.org>	2018-08-02 14:51:39 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-08-03 15:12:12 -0400
commit	af308b94a2a4a5a27bec9028354c4df444a7c8ba (patch)
tree	2d3082f03ade1bdeec8e276266816128bf27d39d /include/uapi/linux
parent	033eab53fff7acc0f5718dee6fda641734b94416 (diff)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index f112ea52dc1a..3ee1198eeac1 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1416,7 +1416,8 @@ enum nft_ct_helper_attributes {
1416	#define NFT_OBJECT_CT_HELPER 3	1416	#define NFT_OBJECT_CT_HELPER 3
1417	#define NFT_OBJECT_LIMIT 4	1417	#define NFT_OBJECT_LIMIT 4
1418	#define NFT_OBJECT_CONNLIMIT 5	1418	#define NFT_OBJECT_CONNLIMIT 5
1419	#define __NFT_OBJECT_MAX 6	1419	#define NFT_OBJECT_TUNNEL 6
		1420	#define __NFT_OBJECT_MAX 7
1420	#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)	1421	#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
1421		1422
1422	/**	1423	/**
@@ -1580,4 +1581,70 @@ enum nft_ng_types {
1580	};	1581	};
1581	#define NFT_NG_MAX (__NFT_NG_MAX - 1)	1582	#define NFT_NG_MAX (__NFT_NG_MAX - 1)
1582		1583
		1584	enum nft_tunnel_key_ip_attributes {
		1585	NFTA_TUNNEL_KEY_IP_UNSPEC,
		1586	NFTA_TUNNEL_KEY_IP_SRC,
		1587	NFTA_TUNNEL_KEY_IP_DST,
		1588	__NFTA_TUNNEL_KEY_IP_MAX
		1589	};
		1590	#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1)
		1591
		1592	enum nft_tunnel_ip6_attributes {
		1593	NFTA_TUNNEL_KEY_IP6_UNSPEC,
		1594	NFTA_TUNNEL_KEY_IP6_SRC,
		1595	NFTA_TUNNEL_KEY_IP6_DST,
		1596	NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
		1597	__NFTA_TUNNEL_KEY_IP6_MAX
		1598	};
		1599	#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1)
		1600
		1601	enum nft_tunnel_opts_attributes {
		1602	NFTA_TUNNEL_KEY_OPTS_UNSPEC,
		1603	NFTA_TUNNEL_KEY_OPTS_VXLAN,
		1604	NFTA_TUNNEL_KEY_OPTS_ERSPAN,
		1605	__NFTA_TUNNEL_KEY_OPTS_MAX
		1606	};
		1607	#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
		1608
		1609	enum nft_tunnel_opts_vxlan_attributes {
		1610	NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
		1611	NFTA_TUNNEL_KEY_VXLAN_GBP,
		1612	__NFTA_TUNNEL_KEY_VXLAN_MAX
		1613	};
		1614	#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
		1615
		1616	enum nft_tunnel_opts_erspan_attributes {
		1617	NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
		1618	NFTA_TUNNEL_KEY_ERSPAN_VERSION,
		1619	NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
		1620	NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
		1621	NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
		1622	__NFTA_TUNNEL_KEY_ERSPAN_MAX
		1623	};
		1624	#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
		1625
		1626	enum nft_tunnel_flags {
		1627	NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0),
		1628	NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1),
		1629	NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2),
		1630	};
		1631	#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX \| \
		1632	NFT_TUNNEL_F_DONT_FRAGMENT \| \
		1633	NFT_TUNNEL_F_SEQ_NUMBER)
		1634
		1635	enum nft_tunnel_key_attributes {
		1636	NFTA_TUNNEL_KEY_UNSPEC,
		1637	NFTA_TUNNEL_KEY_ID,
		1638	NFTA_TUNNEL_KEY_IP,
		1639	NFTA_TUNNEL_KEY_IP6,
		1640	NFTA_TUNNEL_KEY_FLAGS,
		1641	NFTA_TUNNEL_KEY_TOS,
		1642	NFTA_TUNNEL_KEY_TTL,
		1643	NFTA_TUNNEL_KEY_SPORT,
		1644	NFTA_TUNNEL_KEY_DPORT,
		1645	NFTA_TUNNEL_KEY_OPTS,
		1646	__NFTA_TUNNEL_KEY_MAX
		1647	};
		1648	#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1)
		1649
1583	#endif /* _LINUX_NF_TABLES_H */	1650	#endif /* _LINUX_NF_TABLES_H */