git.baikalelectronics.ru Git - kernel.git/commit

author	Ahmed Abdelsalam <amsalam20@gmail.com>
	Wed, 25 Apr 2018 10:30:24 +0000 (05:30 -0500)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 6 May 2018 21:33:03 +0000 (23:33 +0200)
commit	a98bc6fd6190b0025325e661a123877ea0ffc233
tree	5644ade3c0378003e7afca3e986b2e7e25f84910	tree \| snapshot
parent	f68a956089665d04020b8080552b6c0ff3401360	commit \| diff

netfilter: ip6t_srh: extend SRH matching for previous, next and last SID

IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed
by SR encapsulated packet. Each SID is encoded as an IPv6 prefix.

When a Firewall receives an SR encapsulated packet, it should be able
to identify which node previously processed the packet (previous SID),
which node is going to process the packet next (next SID), and which
node is the last to process the packet (last SID) which represent the
final destination of the packet in case of inline SR mode.

An example use-case of using these features could be SID list that
includes two firewalls. When the second firewall receives a packet,
it can check whether the packet has been processed by the first firewall
or not. Based on that check, it decides to apply all rules, apply just
subset of the rules, or totally skip all rules and forward the packet to
the next SID.

This patch extends SRH match to support matching previous SID, next SID,
and last SID.

Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter_ipv6/ip6t_srh.h		diff \| blob \| history
net/ipv6/netfilter/ip6t_srh.c		diff \| blob \| history