From: Eyal Birger <e...@metanetworks.com>

The following patchset introduces a new tc ematch for matching IPSec traffic from a tc context.
This allows early classification as well as mirroring/redirecting IPSec traffic based on decapsulation criteria.

The matching functionality is based on the netfilter xt_policy match, and shares code and data structures.

Eyal Birger (2):
  net: netfilter: export xt_policy match_policy_in() as xt_policy_match_policy_in()
  net: sched: add xfrm policy ematch

 include/net/netfilter/xt_policy.h |  12 ++++
 include/uapi/linux/pkt_cls.h      |   3 +-
 net/netfilter/xt_policy.c         |  18 +++---
 net/sched/Kconfig                 |  10 ++++
 net/sched/Makefile                |   1 +
 net/sched/em_policy.c             | 117 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 152 insertions(+), 9 deletions(-)
 create mode 100644 include/net/netfilter/xt_policy.h
 create mode 100644 net/sched/em_policy.c

--
2.7.4