diff options
Diffstat (limited to 'target/linux/generic/backport-4.19/314-v4.16-netfilter-meta-secpath-support.patch')
| -rw-r--r-- | target/linux/generic/backport-4.19/314-v4.16-netfilter-meta-secpath-support.patch | 101 |
1 files changed, 0 insertions, 101 deletions
diff --git a/target/linux/generic/backport-4.19/314-v4.16-netfilter-meta-secpath-support.patch b/target/linux/generic/backport-4.19/314-v4.16-netfilter-meta-secpath-support.patch deleted file mode 100644 index 7aab67fc2c..0000000000 --- a/target/linux/generic/backport-4.19/314-v4.16-netfilter-meta-secpath-support.patch +++ /dev/null @@ -1,101 +0,0 @@ -From: Florian Westphal <fw@strlen.de> -Date: Wed, 6 Dec 2017 16:18:16 +0100 -Subject: [PATCH] netfilter: meta: secpath support - -replacement for iptables "-m policy --dir in --policy {ipsec,none}". - -Signed-off-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - ---- a/include/uapi/linux/netfilter/nf_tables.h -+++ b/include/uapi/linux/netfilter/nf_tables.h -@@ -777,6 +777,7 @@ enum nft_exthdr_attributes { - * @NFT_META_OIFGROUP: packet output interface group - * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) - * @NFT_META_PRANDOM: a 32bit pseudo-random number -+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) - */ - enum nft_meta_keys { - NFT_META_LEN, -@@ -804,6 +805,7 @@ enum nft_meta_keys { - NFT_META_OIFGROUP, - NFT_META_CGROUP, - NFT_META_PRANDOM, -+ NFT_META_SECPATH, - }; - - /** ---- a/net/netfilter/nft_meta.c -+++ b/net/netfilter/nft_meta.c -@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_ - *dest = prandom_u32_state(state); - break; - } -+#ifdef CONFIG_XFRM -+ case NFT_META_SECPATH: -+ nft_reg_store8(dest, !!skb->sp); -+ break; -+#endif - default: - WARN_ON(1); - goto err; -@@ -310,6 +315,11 @@ int nft_meta_get_init(const struct nft_c - prandom_init_once(&nft_prandom_state); - len = sizeof(u32); - break; -+#ifdef CONFIG_XFRM -+ case NFT_META_SECPATH: -+ len = sizeof(u8); -+ break; -+#endif - default: - return -EOPNOTSUPP; - } -@@ -320,6 +330,38 @@ int nft_meta_get_init(const struct nft_c - } - EXPORT_SYMBOL_GPL(nft_meta_get_init); - -+static int nft_meta_get_validate(const struct nft_ctx *ctx, -+ const struct nft_expr *expr, -+ const struct nft_data **data) -+{ -+#ifdef CONFIG_XFRM -+ const struct nft_meta *priv = nft_expr_priv(expr); -+ unsigned int hooks; -+ -+ if (priv->key != NFT_META_SECPATH) -+ return 0; -+ -+ switch (ctx->afi->family) { -+ case NFPROTO_NETDEV: -+ hooks = 1 << NF_NETDEV_INGRESS; -+ break; -+ case NFPROTO_IPV4: -+ case NFPROTO_IPV6: -+ case NFPROTO_INET: -+ hooks = (1 << NF_INET_PRE_ROUTING) | -+ (1 << NF_INET_LOCAL_IN) | -+ (1 << NF_INET_FORWARD); -+ break; -+ default: -+ return -EOPNOTSUPP; -+ } -+ -+ return nft_chain_validate_hooks(ctx->chain, hooks); -+#else -+ return 0; -+#endif -+} -+ - int nft_meta_set_validate(const struct nft_ctx *ctx, - const struct nft_expr *expr, - const struct nft_data **data) -@@ -436,6 +478,7 @@ static const struct nft_expr_ops nft_met - .eval = nft_meta_get_eval, - .init = nft_meta_get_init, - .dump = nft_meta_get_dump, -+ .validate = nft_meta_get_validate, - }; - - static const struct nft_expr_ops nft_meta_set_ops = { |