git.baikalelectronics.ru Git - kernel.git/commit

author	Eyal Birger <eyal.birger@gmail.com>
	Thu, 15 Feb 2018 17:42:43 +0000 (19:42 +0200)
committer	David S. Miller <davem@davemloft.net>
	Wed, 21 Feb 2018 18:15:33 +0000 (13:15 -0500)
commit	2dac915ca81000b9ad6746e3e45fe540d2f6af4e
tree	986ff019562403f85554be3c7eb2f8ed9a635e83	tree \| snapshot
parent	9165e27f219b5bc358cad0f86672b3b138d763e1	commit \| diff

net: sched: add em_ipt ematch for calling xtables matches

The commit a new tc ematch for using netfilter xtable matches.

This allows early classification as well as mirroning/redirecting traffic
based on logic implemented in netfilter extensions.

Current supported use case is classification based on the incoming IPSec
state used during decpsulation using the 'policy' iptables extension
(xt_policy).

The module dynamically fetches the netfilter match module and calls
it using a fake xt_action_param structure based on validated userspace
provided parameters.

As the xt_policy match does not access skb->data, no skb modifications
are needed on match.

Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/uapi/linux/pkt_cls.h		diff \| blob \| history
include/uapi/linux/tc_ematch/tc_em_ipt.h	[new file with mode: 0644]	blob
net/sched/Kconfig		diff \| blob \| history
net/sched/Makefile		diff \| blob \| history
net/sched/em_ipt.c	[new file with mode: 0644]	blob