mirror of
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git
synced 2024-11-14 21:44:41 +08:00
dd29621578
The commit calls a new tc ematch for using netfilter xtable matches.

This allows early classification as well as mirroring/redirecting traffic based on logic implemented in netfilter extensions.

Current supported use case is classification based on the incoming IPSec state used during decapsulation using the 'policy' iptables extension (xt_policy).

The matcher uses libxtables for parsing the input parameters.

Example use for matching an IPSec state with reqid 1:

    tc qdisc add dev eth0 ingress
    tc filter add dev eth0 protocol ip parent ffff: \
        basic match 'ipt(-m policy --dir in --pol ipsec --reqid 1)' \
        action drop

This is the user-space counterpart of kernel commit ccc007e4a746 ("net: sched: add em_ipt ematch for calling xtables matches")

Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
9 lines
81 B
Plaintext
# lookup table for ematch kinds
1 cmp
2 nbyte
3 u32
4 meta
7 canid
8 ipset
9 ipt