Signed-off-by: Florian Westphal <f...@strlen.de>
---
 doc/primary-expression.txt          |  4 ++++
 include/linux/netfilter/nf_tables.h |  1 +
 src/parser_bison.y                  |  2 ++
 src/parser_json.c                   |  1 +
 src/rt.c                            |  5 +++++
 src/scanner.l                       |  1 +
 tests/py/any/rt.t                   |  2 ++
 tests/py/any/rt.t.json              | 28 ++++++++++++++++++++++++++++
 tests/py/any/rt.t.payload           | 10 ++++++++++
 9 files changed, 54 insertions(+)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 18b4c52f367d..5024a11faf39 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -259,6 +259,9 @@ ipv4_addr/ipv6_addr
 |mtu|
 TCP maximum segment size of route |
 integer (16 bit)
+|ipsec|
+route via ipsec tunnel or transport |
+boolean
 |=================================
 
 .Routing expression specific types
@@ -273,6 +276,7 @@ Routing Realm (32 bit number). Can be specified numerically 
or as symbolic name
 --------------------------
 # IP family independent rt expression
 filter output rt classid 10
+filter output rt ipsec missing
 
 # IP family dependent rt expressions
 ip filter output rt nexthop 192.168.0.1
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index fe65652583d0..6cd1973c0b37 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -832,6 +832,7 @@ enum nft_rt_keys {
        NFT_RT_NEXTHOP4,
        NFT_RT_NEXTHOP6,
        NFT_RT_TCPMSS,
+       NFT_RT_XFRM,
        __NFT_RT_MAX
 };
 #define NFT_RT_MAX             (__NFT_RT_MAX - 1)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 86036124a6a6..194eabe09d9a 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -510,6 +510,7 @@ int nft_lex(void *, void *, void *);
 
 %token EXTHDR                  "exthdr"
 
+%token IPSEC           "ipsec"
 %type <string>                 identifier type_identifier string comment_spec
 %destructor { xfree($$); }     identifier type_identifier string comment_spec
 
@@ -3747,6 +3748,7 @@ rt_expr                   :       RT      rt_key
 rt_key                 :       CLASSID         { $$ = NFT_RT_CLASSID; }
                        |       NEXTHOP         { $$ = NFT_RT_NEXTHOP4; }
                        |       MTU             { $$ = NFT_RT_TCPMSS; }
+                       |       IPSEC           { $$ = NFT_RT_XFRM; }
                        ;
 
 ct_expr                        :       CT      ct_key
diff --git a/src/parser_json.c b/src/parser_json.c
index 3d96000b6066..28d87a12aa74 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -631,6 +631,7 @@ static struct expr *json_parse_rt_expr(struct json_ctx *ctx,
                { "classid", NFT_RT_CLASSID },
                { "nexthop", NFT_RT_NEXTHOP4 },
                { "mtu", NFT_RT_TCPMSS },
+               { "ipsec", NFT_RT_XFRM },
        };
        unsigned int i, familyval = NFPROTO_UNSPEC;
        const char *key, *family = NULL;
diff --git a/src/rt.c b/src/rt.c
index caa4947d048a..b63284fbcd9a 100644
--- a/src/rt.c
+++ b/src/rt.c
@@ -79,6 +79,11 @@ const struct rt_template rt_templates[] = {
                                              2 * BITS_PER_BYTE,
                                              BYTEORDER_HOST_ENDIAN,
                                              false),
+       [NFT_RT_XFRM]           = RT_TEMPLATE("ipsec",
+                                             &boolean_type,
+                                             BITS_PER_BYTE,
+                                             BYTEORDER_HOST_ENDIAN,
+                                             false),
 };
 
 static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)
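Review bot: The new `[NFT_RT_XFRM]` entry has no comment saying when the key has a value, and the doc hunk only says "route via ipsec tunnel or transport". The value is presumably derived from the route attached to the packet, so it may only be defined in hooks that run after the routing decision. Someone writing `rt ipsec missing` to keep traffic from leaving unencrypted needs to know what the rule does where no route is attached yet, so please confirm that against the kernel side. I would add above the entry something like `/* boolean: route has an IPsec (xfrm) transform attached; behaviour without a route: confirm against kernel */` and mirror the confirmed wording in doc/primary-expression.txt. rt_templates[] starts before this hunk and rt_expr_print continues after it.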
diff --git a/src/scanner.l b/src/scanner.l
index 2f45e05bfe81..26e63b9bcc0c 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -554,6 +554,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 
 "exthdr"               { return EXTHDR; }
 
+"ipsec"                        { return IPSEC; }
 {addrstring}           {
                                yylval->string = xstrdup(yytext);
                                return STRING;
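Review bot: The added `"ipsec"` rule appears to make the word a keyword for the whole scanner, not only after `rt`; no scoping is visible in this hunk. If so, an existing ruleset that uses `ipsec` as a table, chain or set name would lex it as IPSEC instead of a string and stop loading after the upgrade. On a host that restores its ruleset at boot, a parse failure can leave the filter uninstalled, so the reservation should be stated in the commit message and the documentation. A short comment here would help, e.g. `/* "ipsec" is reserved from here on: check objects named ipsec still parse */`, backed by a test line pinning the intended behaviour for such a name. Whether the grammar can still accept the token as an identifier is decided in parser_bison.y outside this hunk, and the `{addrstring}` action at the end of the hunk continues past it.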
diff --git a/tests/py/any/rt.t b/tests/py/any/rt.t
index 4f65eaad3917..3ce57e05b5f0 100644
--- a/tests/py/any/rt.t
+++ b/tests/py/any/rt.t
@@ -5,3 +5,5 @@
 *inet;test-inet;output
 
 rt classid "cosmos";ok
+rt ipsec exists;ok
+rt ipsec missing;ok
diff --git a/tests/py/any/rt.t.json b/tests/py/any/rt.t.json
index 146a8a013091..0ac17e0b4e72 100644
--- a/tests/py/any/rt.t.json
+++ b/tests/py/any/rt.t.json
@@ -12,3 +12,31 @@
     }
 ]
 
+# rt ipsec exists
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "right": true
+        }
+    }
+]
+
+# rt ipsec missing
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "right": false
+        }
+    }
+]
+
diff --git a/tests/py/any/rt.t.payload b/tests/py/any/rt.t.payload
index 0e354fa020b2..e1ecb2860ed0 100644
--- a/tests/py/any/rt.t.payload
+++ b/tests/py/any/rt.t.payload
@@ -3,3 +3,13 @@ ip test-ip4 input
   [ rt load classid => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
+# rt ipsec exists
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt ipsec missing
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
-- 
2.16.4
