From: Eyal Birger <e...@metanetworks.com>

The following patchset introduces a new tc ematch for matching using netfilter matches.

This allows early classification as well as mirroring/redirecting traffic based on logic implemented in netfilter extensions. An example use case is classification based on the incoming IPsec policy used during decapsulation, using the 'policy' iptables extension (xt_policy).

This patchset is an enhancement of a former series ([1]) which allowed only policy matching, following a suggestion by Pablo Neira Ayuso ([2]).

[1] https://patchwork.ozlabs.org/cover/859887/
[2] https://patchwork.ozlabs.org/patch/859888/

v2: Remove skb push/pull and limit functionality to ingress

Eyal Birger (2):
  net: sched: ematch: pass protocol to ematch 'change()' handlers
  net: sched: add em_ipt ematch for calling xtables matches

 include/net/pkt_cls.h                    |   2 +-
 include/uapi/linux/pkt_cls.h             |   3 +-
 include/uapi/linux/tc_ematch/tc_em_ipt.h |  19 +++
 net/sched/Kconfig                        |  10 ++
 net/sched/Makefile                       |   1 +
 net/sched/em_canid.c                     |   4 +-
 net/sched/em_ipset.c                     |   4 +-
 net/sched/em_ipt.c                       | 244 +++++++++++++++++++++++++++++++
 net/sched/em_meta.c                      |   2 +-
 net/sched/em_nbyte.c                     |   4 +-
 net/sched/em_text.c                      |   2 +-
 net/sched/ematch.c                       |   3 +-
 12 files changed, 287 insertions(+), 11 deletions(-)
 create mode 100644 include/uapi/linux/tc_ematch/tc_em_ipt.h
 create mode 100644 net/sched/em_ipt.c

-- 
2.7.4