From: Eyal Birger <eyal.bir...@gmail.com>
Date: Thu, 15 Feb 2018 19:42:43 +0200

> The commit adds a new tc ematch for using netfilter xtable matches.
>
> This allows early classification as well as mirroring/redirecting traffic
> based on logic implemented in netfilter extensions.
>
> Current supported use case is classification based on the incoming IPSec
> state used during decapsulation using the 'policy' iptables extension
> (xt_policy).
>
> The module dynamically fetches the netfilter match module and calls
> it using a fake xt_action_param structure based on validated userspace
> provided parameters.
>
> As the xt_policy match does not access skb->data, no skb modifications
> are needed on match.
>
> Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>

Applied, thank you.