On Fri, Jan 12, 2018 at 03:56:21PM +0200, Eyal Birger wrote:
> On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso <pa...@netfilter.org>
> wrote:
> > On Fri, Jan 12, 2018 at 02:57:24PM +0200, Eyal Birger wrote:
> >> @@ -51,9 +52,9 @@ match_xfrm_state(const struct xfrm_state *x, const
> >> struct xt_policy_elem *e,
> >> MATCH(reqid, x->props.reqid);
> >> }
> >>
> >> -static int
> >> -match_policy_in(const struct sk_buff *skb, const struct xt_policy_info
> >> *info,
> >> - unsigned short family)
> >> +int xt_policy_match_policy_in(const struct sk_buff *skb,
> >> + const struct xt_policy_info *info,
> >> + unsigned short family)
> >> {
> >> const struct xt_policy_elem *e;
> >> const struct sec_path *sp = skb->sp;
> >> @@ -80,10 +81,11 @@ match_policy_in(const struct sk_buff *skb, const
> >> struct xt_policy_info *info,
> >>
> >> return strict ? 1 : 0;
> >> }
> >> +EXPORT_SYMBOL_GPL(xt_policy_match_policy_in);
> >
> > If you just want to call xt_policy_match from tc, then you could use
> > tc ipt infrastructure instead.
>
> Thanks for the suggestion -
> Are you referring to act_ipt? it looks like it allows calling targets;
> I couldn't find a classifier calling a netfilter matcher.
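Review bot: in the first hunk (@@ -51,9 +52,9 @@), dropping `static` from match_policy_in and renaming it xt_policy_match_policy_in gives the function external linkage, but no header change is visible in the patch; a prototype should be added to a shared header so the tc caller and xt_policy.c compile against the same declared signature and the kernel build does not warn about a non-static function with no prior prototype.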
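Review bot: in the second hunk (@@ -80,10 +81,11 @@), `EXPORT_SYMBOL_GPL(xt_policy_match_policy_in);` makes any tc classifier using it depend on the xt_policy module being built and loaded, which is the cross-subsystem coupling Pablo's reply objects to; if the export stays, the commit message should state the new module dependency and the caller should be guarded so it still builds when the xt_policy match is not configured. The alternative raised in the thread, extending tc's ipt infrastructure (act_ipt) so it can call netfilter matches, avoids adding an exported symbol at all.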
Then, I'd suggest you extend that infrastructure to allow calling matches, so we reduce the number of interdependencies between different subsystems.