From: wenxu <[email protected]> This brpvid meta can be used to match the pvid of the brport.
nft add rule bridge firewall zones meta brpvid 10 accept Signed-off-by: wenxu <[email protected]> --- doc/primary-expression.txt | 11 ++++++++--- include/linux/netfilter/nf_tables.h | 2 ++ src/meta.c | 3 +++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 6eb9583..e33ea26 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -2,7 +2,7 @@ META EXPRESSIONS ~~~~~~~~~~~~~~~~ [verse] *meta* {*length* | *nfproto* | *l4proto* | *protocol* | *priority*} -[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind*} +[*meta*] {*mark* | *iif* | *iifname* | *iiftype* | *oif* | *oifname* | *oiftype* | *skuid* | *skgid* | *nftrace* | *rtclassid* | *ibrname* | *obrname* | *pkttype* | *cpu* | *iifgroup* | *oifgroup* | *cgroup* | *random* | *ipsec* | *iifkind* | *oifkind* | *brpvid*} A meta expression refers to meta data associated with a packet. @@ -113,9 +113,12 @@ integer (32 bit) boolean| boolean (1 bit) |iifkind| -Input interface kind | +Input interface kind| |oifkind| -Output interface kind +Output interface kind| +|brpvid| +bridge port pvid| +integer (16 bit) |==================== .Meta expression specific types @@ -141,6 +144,8 @@ Packet type: *host* (addressed to local host), *broadcast* (to all), *multicast* (to group), *other* (addressed to another host). |ifkind| Interface kind (16 byte string). Does not have to exist. +|brpvid| +Bridge port pvid (16 bit number). |============================= .Using meta expressions diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 7bdb234..0715b6a 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -793,6 +793,7 @@ enum nft_exthdr_attributes { * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind) * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind) + * @NFT_META_BRI_PVID: packet input bridge port pvid */ enum nft_meta_keys { NFT_META_LEN, @@ -823,6 +824,7 @@ enum nft_meta_keys { NFT_META_SECPATH, NFT_META_IIFKIND, NFT_META_OIFKIND, + NFT_META_BRI_PVID, }; /** diff --git a/src/meta.c b/src/meta.c index 1e8964e..cef7b02 100644 --- a/src/meta.c +++ b/src/meta.c @@ -450,6 +450,9 @@ const struct meta_template meta_templates[] = { [NFT_META_OIFKIND] = META_TEMPLATE("oifkind", &ifname_type, IFNAMSIZ * BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN), + [NFT_META_BRI_PVID] = META_TEMPLATE("brpvid", &integer_type, + 2 * BITS_PER_BYTE, + BYTEORDER_HOST_ENDIAN), }; static bool meta_key_is_unqualified(enum nft_meta_keys key) -- 1.8.3.1
