On Fri, Jan 12, 2018 at 03:56:21PM +0200, Eyal Birger wrote:
> On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso <pa...@netfilter.org>
> wrote:
> > On Fri, Jan 12, 2018 at 02:57:24PM +0200, Eyal Birger wrote:
> >> @@ -51,9 +52,9 @@ match_xfrm_state(const struct xfrm_state *x, const
> >> struct xt_policy_elem *e,
> >> MATCH(reqid, x->props.reqid);
> >> }
> >>
> >> -static int
> >> -match_policy_in(const struct sk_buff *skb, const struct xt_policy_info
> >> *info,
> >> - unsigned short family)
> >> +int xt_policy_match_policy_in(const struct sk_buff *skb,
> >> + const struct xt_policy_info *info,
> >> + unsigned short family)
> >> {
> >> const struct xt_policy_elem *e;
> >> const struct sec_path *sp = skb->sp;
> >> @@ -80,10 +81,11 @@ match_policy_in(const struct sk_buff *skb, const
> >> struct xt_policy_info *info,
> >>
> >> return strict ? 1 : 0;
> >> }
> >> +EXPORT_SYMBOL_GPL(xt_policy_match_policy_in);
> >
> > If you just want to call xt_policy_match from tc, then you could use
> > tc ipt infrastructure instead.
>
> Thanks for the suggestion -
> Are you referring to act_ipt? it looks like it allows calling targets;
> I couldn't find a classifier calling a netfilter matcher.
Then, I'd suggest you extend that infrastructure to alllow to call
matches, so we reduce the number of interdepencies between different
subsystems.
