Re: [net-next] netfilter: add segment routing header 'srh' match

2018-01-07 Thread Ahmed Abdelsalam
On Sun, 7 Jan 2018 00:40:03 +0100
Pablo Neira Ayuso  wrote:

> Hi Ahmed,
> 
> On Fri, Dec 29, 2017 at 12:07:52PM +0100, Ahmed Abdelsalam wrote:
> > It allows matching packets based on Segment Routing Header
> > (SRH) information.
> > The implementation considers revision 7 of the SRH draft.
> > https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
> > 
> > Currently supported match options include:
> > (1) Next Header
> > (2) Hdr Ext Len
> > (3) Segments Left
> > (4) Last Entry
> > (5) Tag value of SRH
> > 
> > Signed-off-by: Ahmed Abdelsalam 
> > ---
> >  include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
> >  net/ipv6/netfilter/Kconfig   |   9 ++
> >  net/ipv6/netfilter/Makefile  |   1 +
> >  net/ipv6/netfilter/ip6t_srh.c| 165 
> > +++
> >  4 files changed, 238 insertions(+)
> >  create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> >  create mode 100644 net/ipv6/netfilter/ip6t_srh.c
> > 
> > diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> > b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > new file mode 100644
> > index 000..1b5dbd8
> > --- /dev/null
> > +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > @@ -0,0 +1,63 @@
> > +/**
> > + * Definitions for Segment Routing Header 'srh' match
> > + *
> > + * Author:
> > + *   Ahmed Abdelsalam   
> > + */
> 
> Please, add this in SPDX format instead.
> 
> See include/uapi/linux/netfilter/xt_owner.h for instance.
> 
Ok
> > +#ifndef _IP6T_SRH_H
> > +#define _IP6T_SRH_H
> > +
> > +#include 
> > +#include 
> > +
> > +/* Values for "mt_flags" field in struct ip6t_srh */
> > +#define IP6T_SRH_NEXTHDR0x0001
> > +#define IP6T_SRH_LEN_EQ 0x0002
> > +#define IP6T_SRH_LEN_GT 0x0004
> > +#define IP6T_SRH_LEN_LT 0x0008
> > +#define IP6T_SRH_SEGS_EQ0x0010
> > +#define IP6T_SRH_SEGS_GT0x0020
> > +#define IP6T_SRH_SEGS_LT0x0040
> > +#define IP6T_SRH_LAST_EQ0x0080
> > +#define IP6T_SRH_LAST_GT0x0100
> > +#define IP6T_SRH_LAST_LT0x0200
> > +#define IP6T_SRH_TAG0x0400
> > +#define IP6T_SRH_MASK   0x07FF
> > +
> > +/* Values for "mt_invflags" field in struct ip6t_srh */
> > +#define IP6T_SRH_INV_NEXTHDR0x0001
> > +#define IP6T_SRH_INV_LEN_EQ 0x0002
> > +#define IP6T_SRH_INV_LEN_GT 0x0004
> > +#define IP6T_SRH_INV_LEN_LT 0x0008
> > +#define IP6T_SRH_INV_SEGS_EQ0x0010
> > +#define IP6T_SRH_INV_SEGS_GT0x0020
> > +#define IP6T_SRH_INV_SEGS_LT0x0040
> > +#define IP6T_SRH_INV_LAST_EQ0x0080
> > +#define IP6T_SRH_INV_LAST_GT0x0100
> > +#define IP6T_SRH_INV_LAST_LT0x0200
> > +#define IP6T_SRH_INV_TAG0x0400
> > +#define IP6T_SRH_INV_MASK   0x07FF
> 
> Looking at all these EQ, GT, LT... I think this should be very easy to
> implement in nf_tables with no kernel changes.
> 
> You only need to add the protocol definition to:
> 
> nftables/src/exthdr.c
> 
> Would you have a look into this? This would be very much appreciated
> so that we keep nftables in sync with what we have in iptables.
Yes, I will look into it. I will send you a patch for nf_tables as well.
> 
> > +
> > +/**
> > + *  struct ip6t_srh - SRH match options
> > + *  @ next_hdr: Next header field of SRH
> > + *  @ hdr_len: Extension header length field of SRH
> > + *  @ segs_left: Segments left field of SRH
> > + *  @ last_entry: Last entry field of SRH
> > + *  @ tag: Tag field of SRH
> > + *  @ mt_flags: match options
> > + *  @ mt_invflags: Invert the sense of match options
> > + */
> > +
> > +struct ip6t_srh {
> > +   __u8next_hdr;
> > +   __u8hdr_len;
> > +   __u8segs_left;
> > +   __u8last_entry;
> > +   __u16   tag;
> > +   __u16   mt_flags;
> > +   __u16   mt_invflags;
> > +};
> > +
> > +#endif /*_IP6T_SRH_H*/
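Review bot: The kernel-doc block for `struct ip6t_srh` does not say which bits of `mt_flags` and `mt_invflags` are valid or which byte order `tag` uses, and because this is a uapi struct filled in by userspace, that comment is the only contract a rule-loading tool gets. I would write the members as `@mt_flags: match options, only bits in IP6T_SRH_MASK are valid` and `@mt_invflags: inverts the corresponding match option, only bits in IP6T_SRH_INV_MASK are valid`, state the byte order expected for `@tag`, and say whether the EQ/GT/LT bits of one field may be set together. The checkentry code that would reject out-of-mask bits lives in ip6t_srh.c, which is outside this hunk, so confirm it does that. The entries are also written `@ name:` with a space and the comment is separated from the struct by a blank line, whereas kernel-doc expects `@name:` directly above the definition. The same hunk is quoted again in the later messages of this thread, and the note applies to those copies too.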
> > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> > index 6acb2ee..e1818eb 100644
> > --- a/net/ipv6/netfilter/Kconfig
> > +++ b/net/ipv6/netfilter/Kconfig
> > @@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
> >  
> >   To compile it as a module, choose M here.  If unsure, say N.
> >  
> > +config IP6_NF_MATCH_SRH
> > +tristate '"srh" Segment Routing header match support'
> > +depends on NETFILTER_ADVANCED
> > +help
> > +  srh matching allows you to match packets based on the segment
> > + routing header of the packet.
> > +
> > +  To compile it as a module, choose M here.  If unsure, say N.
> > +
> >  # The targets
> >  config IP6_NF_TARGET_HL
> > tristate '"HL" hoplimit target support'
> > diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
> > index c6ee0cd..e0d51a9 100644
> > --- a/net/ipv6/netfilter/Makefile
> > +++ 

Re: [net-next] netfilter: add segment routing header 'srh' match

2018-01-07 Thread Ahmed Abdelsalam
On Sun, 7 Jan 2018 00:40:03 +0100
Pablo Neira Ayuso  wrote:

> Hi Ahmed,
> 
> On Fri, Dec 29, 2017 at 12:07:52PM +0100, Ahmed Abdelsalam wrote:
> > It allows matching packets based on Segment Routing Header
> > (SRH) information.
> > The implementation considers revision 7 of the SRH draft.
> > https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
> > 
> > Currently supported match options include:
> > (1) Next Header
> > (2) Hdr Ext Len
> > (3) Segments Left
> > (4) Last Entry
> > (5) Tag value of SRH
> > 
> > Signed-off-by: Ahmed Abdelsalam 
> > ---
> >  include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
> >  net/ipv6/netfilter/Kconfig   |   9 ++
> >  net/ipv6/netfilter/Makefile  |   1 +
> >  net/ipv6/netfilter/ip6t_srh.c| 165 
> > +++
> >  4 files changed, 238 insertions(+)
> >  create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> >  create mode 100644 net/ipv6/netfilter/ip6t_srh.c
> > 
> > diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> > b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > new file mode 100644
> > index 000..1b5dbd8
> > --- /dev/null
> > +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > @@ -0,0 +1,63 @@
> > +/**
> > + * Definitions for Segment Routing Header 'srh' match
> > + *
> > + * Author:
> > + *   Ahmed Abdelsalam   
> > + */
> 
> Please, add this in SPDX format instead.
> 
> See include/uapi/linux/netfilter/xt_owner.h for instance.
> 
Ok
> > +#ifndef _IP6T_SRH_H
> > +#define _IP6T_SRH_H
> > +
> > +#include 
> > +#include 
> > +
> > +/* Values for "mt_flags" field in struct ip6t_srh */
> > +#define IP6T_SRH_NEXTHDR0x0001
> > +#define IP6T_SRH_LEN_EQ 0x0002
> > +#define IP6T_SRH_LEN_GT 0x0004
> > +#define IP6T_SRH_LEN_LT 0x0008
> > +#define IP6T_SRH_SEGS_EQ0x0010
> > +#define IP6T_SRH_SEGS_GT0x0020
> > +#define IP6T_SRH_SEGS_LT0x0040
> > +#define IP6T_SRH_LAST_EQ0x0080
> > +#define IP6T_SRH_LAST_GT0x0100
> > +#define IP6T_SRH_LAST_LT0x0200
> > +#define IP6T_SRH_TAG0x0400
> > +#define IP6T_SRH_MASK   0x07FF
> > +
> > +/* Values for "mt_invflags" field in struct ip6t_srh */
> > +#define IP6T_SRH_INV_NEXTHDR0x0001
> > +#define IP6T_SRH_INV_LEN_EQ 0x0002
> > +#define IP6T_SRH_INV_LEN_GT 0x0004
> > +#define IP6T_SRH_INV_LEN_LT 0x0008
> > +#define IP6T_SRH_INV_SEGS_EQ0x0010
> > +#define IP6T_SRH_INV_SEGS_GT0x0020
> > +#define IP6T_SRH_INV_SEGS_LT0x0040
> > +#define IP6T_SRH_INV_LAST_EQ0x0080
> > +#define IP6T_SRH_INV_LAST_GT0x0100
> > +#define IP6T_SRH_INV_LAST_LT0x0200
> > +#define IP6T_SRH_INV_TAG0x0400
> > +#define IP6T_SRH_INV_MASK   0x07FF
> 
> Looking at all these EQ, GT, LT... I think this should be very easy to
> implement in nf_tables with no kernel changes.
> 
> You only need to add the protocol definition to:
> 
> nftables/src/exthdr.c
> 
> Would you have a look into this? This would be very much appreciated
> so that we keep nftables in sync with what we have in iptables.
Yes, I will look into it. I will send you a patch for nf_tables as well.
> 
> > +
> > +/**
> > + *  struct ip6t_srh - SRH match options
> > + *  @ next_hdr: Next header field of SRH
> > + *  @ hdr_len: Extension header length field of SRH
> > + *  @ segs_left: Segments left field of SRH
> > + *  @ last_entry: Last entry field of SRH
> > + *  @ tag: Tag field of SRH
> > + *  @ mt_flags: match options
> > + *  @ mt_invflags: Invert the sense of match options
> > + */
> > +
> > +struct ip6t_srh {
> > +   __u8next_hdr;
> > +   __u8hdr_len;
> > +   __u8segs_left;
> > +   __u8last_entry;
> > +   __u16   tag;
> > +   __u16   mt_flags;
> > +   __u16   mt_invflags;
> > +};
> > +
> > +#endif /*_IP6T_SRH_H*/
> > diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> > index 6acb2ee..e1818eb 100644
> > --- a/net/ipv6/netfilter/Kconfig
> > +++ b/net/ipv6/netfilter/Kconfig
> > @@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
> >  
> >   To compile it as a module, choose M here.  If unsure, say N.
> >  
> > +config IP6_NF_MATCH_SRH
> > +tristate '"srh" Segment Routing header match support'
> > +depends on NETFILTER_ADVANCED
> > +help
> > +  srh matching allows you to match packets based on the segment
> > + routing header of the packet.
> > +
> > +  To compile it as a module, choose M here.  If unsure, say N.
> > +
> >  # The targets
> >  config IP6_NF_TARGET_HL
> > tristate '"HL" hoplimit target support'
> > diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
> > index c6ee0cd..e0d51a9 100644
> > --- a/net/ipv6/netfilter/Makefile
> > +++ b/net/ipv6/netfilter/Makefile
> > @@ -54,6 +54,7 @@ 

Re: [net-next] netfilter: add segment routing header 'srh' match

2018-01-06 Thread Pablo Neira Ayuso
Hi Ahmed,

On Fri, Dec 29, 2017 at 12:07:52PM +0100, Ahmed Abdelsalam wrote:
> It allows matching packets based on Segment Routing Header
> (SRH) information.
> The implementation considers revision 7 of the SRH draft.
> https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
> 
> Currently supported match options include:
> (1) Next Header
> (2) Hdr Ext Len
> (3) Segments Left
> (4) Last Entry
> (5) Tag value of SRH
> 
> Signed-off-by: Ahmed Abdelsalam 
> ---
>  include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
>  net/ipv6/netfilter/Kconfig   |   9 ++
>  net/ipv6/netfilter/Makefile  |   1 +
>  net/ipv6/netfilter/ip6t_srh.c| 165 
> +++
>  4 files changed, 238 insertions(+)
>  create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
>  create mode 100644 net/ipv6/netfilter/ip6t_srh.c
> 
> diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> new file mode 100644
> index 000..1b5dbd8
> --- /dev/null
> +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> @@ -0,0 +1,63 @@
> +/**
> + * Definitions for Segment Routing Header 'srh' match
> + *
> + * Author:
> + *   Ahmed Abdelsalam   
> + */

Please, add this in SPDX format instead.

See include/uapi/linux/netfilter/xt_owner.h for instance.

> +#ifndef _IP6T_SRH_H
> +#define _IP6T_SRH_H
> +
> +#include 
> +#include 
> +
> +/* Values for "mt_flags" field in struct ip6t_srh */
> +#define IP6T_SRH_NEXTHDR0x0001
> +#define IP6T_SRH_LEN_EQ 0x0002
> +#define IP6T_SRH_LEN_GT 0x0004
> +#define IP6T_SRH_LEN_LT 0x0008
> +#define IP6T_SRH_SEGS_EQ0x0010
> +#define IP6T_SRH_SEGS_GT0x0020
> +#define IP6T_SRH_SEGS_LT0x0040
> +#define IP6T_SRH_LAST_EQ0x0080
> +#define IP6T_SRH_LAST_GT0x0100
> +#define IP6T_SRH_LAST_LT0x0200
> +#define IP6T_SRH_TAG0x0400
> +#define IP6T_SRH_MASK   0x07FF
> +
> +/* Values for "mt_invflags" field in struct ip6t_srh */
> +#define IP6T_SRH_INV_NEXTHDR0x0001
> +#define IP6T_SRH_INV_LEN_EQ 0x0002
> +#define IP6T_SRH_INV_LEN_GT 0x0004
> +#define IP6T_SRH_INV_LEN_LT 0x0008
> +#define IP6T_SRH_INV_SEGS_EQ0x0010
> +#define IP6T_SRH_INV_SEGS_GT0x0020
> +#define IP6T_SRH_INV_SEGS_LT0x0040
> +#define IP6T_SRH_INV_LAST_EQ0x0080
> +#define IP6T_SRH_INV_LAST_GT0x0100
> +#define IP6T_SRH_INV_LAST_LT0x0200
> +#define IP6T_SRH_INV_TAG0x0400
> +#define IP6T_SRH_INV_MASK   0x07FF

Looking at all these EQ, GT, LT... I think this should be very easy to
implement in nf_tables with no kernel changes.

You only need to add the protocol definition to:

nftables/src/exthdr.c

Would you have a look into this? This would be very much appreciated
so that we keep nftables in sync with what we have in iptables.

> +
> +/**
> + *  struct ip6t_srh - SRH match options
> + *  @ next_hdr: Next header field of SRH
> + *  @ hdr_len: Extension header length field of SRH
> + *  @ segs_left: Segments left field of SRH
> + *  @ last_entry: Last entry field of SRH
> + *  @ tag: Tag field of SRH
> + *  @ mt_flags: match options
> + *  @ mt_invflags: Invert the sense of match options
> + */
> +
> +struct ip6t_srh {
> + __u8next_hdr;
> + __u8hdr_len;
> + __u8segs_left;
> + __u8last_entry;
> + __u16   tag;
> + __u16   mt_flags;
> + __u16   mt_invflags;
> +};
> +
> +#endif /*_IP6T_SRH_H*/
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index 6acb2ee..e1818eb 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
>  
> To compile it as a module, choose M here.  If unsure, say N.
>  
> +config IP6_NF_MATCH_SRH
> +tristate '"srh" Segment Routing header match support'
> +depends on NETFILTER_ADVANCED
> +help
> +  srh matching allows you to match packets based on the segment
> +   routing header of the packet.
> +
> +  To compile it as a module, choose M here.  If unsure, say N.
> +
>  # The targets
>  config IP6_NF_TARGET_HL
>   tristate '"HL" hoplimit target support'
> diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
> index c6ee0cd..e0d51a9 100644
> --- a/net/ipv6/netfilter/Makefile
> +++ b/net/ipv6/netfilter/Makefile
> @@ -54,6 +54,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
>  obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
>  obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
>  obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
> +obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
>  
>  # targets
>  obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
> diff --git 

Re: [net-next] netfilter: add segment routing header 'srh' match

2018-01-06 Thread Pablo Neira Ayuso
Hi Ahmed,

On Fri, Dec 29, 2017 at 12:07:52PM +0100, Ahmed Abdelsalam wrote:
> It allows matching packets based on Segment Routing Header
> (SRH) information.
> The implementation considers revision 7 of the SRH draft.
> https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
> 
> Currently supported match options include:
> (1) Next Header
> (2) Hdr Ext Len
> (3) Segments Left
> (4) Last Entry
> (5) Tag value of SRH
> 
> Signed-off-by: Ahmed Abdelsalam 
> ---
>  include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
>  net/ipv6/netfilter/Kconfig   |   9 ++
>  net/ipv6/netfilter/Makefile  |   1 +
>  net/ipv6/netfilter/ip6t_srh.c| 165 
> +++
>  4 files changed, 238 insertions(+)
>  create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
>  create mode 100644 net/ipv6/netfilter/ip6t_srh.c
> 
> diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> new file mode 100644
> index 000..1b5dbd8
> --- /dev/null
> +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> @@ -0,0 +1,63 @@
> +/**
> + * Definitions for Segment Routing Header 'srh' match
> + *
> + * Author:
> + *   Ahmed Abdelsalam   
> + */

Please, add this in SPDX format instead.

See include/uapi/linux/netfilter/xt_owner.h for instance.

> +#ifndef _IP6T_SRH_H
> +#define _IP6T_SRH_H
> +
> +#include 
> +#include 
> +
> +/* Values for "mt_flags" field in struct ip6t_srh */
> +#define IP6T_SRH_NEXTHDR0x0001
> +#define IP6T_SRH_LEN_EQ 0x0002
> +#define IP6T_SRH_LEN_GT 0x0004
> +#define IP6T_SRH_LEN_LT 0x0008
> +#define IP6T_SRH_SEGS_EQ0x0010
> +#define IP6T_SRH_SEGS_GT0x0020
> +#define IP6T_SRH_SEGS_LT0x0040
> +#define IP6T_SRH_LAST_EQ0x0080
> +#define IP6T_SRH_LAST_GT0x0100
> +#define IP6T_SRH_LAST_LT0x0200
> +#define IP6T_SRH_TAG0x0400
> +#define IP6T_SRH_MASK   0x07FF
> +
> +/* Values for "mt_invflags" field in struct ip6t_srh */
> +#define IP6T_SRH_INV_NEXTHDR0x0001
> +#define IP6T_SRH_INV_LEN_EQ 0x0002
> +#define IP6T_SRH_INV_LEN_GT 0x0004
> +#define IP6T_SRH_INV_LEN_LT 0x0008
> +#define IP6T_SRH_INV_SEGS_EQ0x0010
> +#define IP6T_SRH_INV_SEGS_GT0x0020
> +#define IP6T_SRH_INV_SEGS_LT0x0040
> +#define IP6T_SRH_INV_LAST_EQ0x0080
> +#define IP6T_SRH_INV_LAST_GT0x0100
> +#define IP6T_SRH_INV_LAST_LT0x0200
> +#define IP6T_SRH_INV_TAG0x0400
> +#define IP6T_SRH_INV_MASK   0x07FF

Looking at all these EQ, GT, LT... I think this should be very easy to
implement in nf_tables with no kernel changes.

You only need to add the protocol definition to:

nftables/src/exthdr.c

Would you have a look into this? This would be very much appreciated
so that we keep nftables in sync with what we have in iptables.

> +
> +/**
> + *  struct ip6t_srh - SRH match options
> + *  @ next_hdr: Next header field of SRH
> + *  @ hdr_len: Extension header length field of SRH
> + *  @ segs_left: Segments left field of SRH
> + *  @ last_entry: Last entry field of SRH
> + *  @ tag: Tag field of SRH
> + *  @ mt_flags: match options
> + *  @ mt_invflags: Invert the sense of match options
> + */
> +
> +struct ip6t_srh {
> + __u8next_hdr;
> + __u8hdr_len;
> + __u8segs_left;
> + __u8last_entry;
> + __u16   tag;
> + __u16   mt_flags;
> + __u16   mt_invflags;
> +};
> +
> +#endif /*_IP6T_SRH_H*/
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index 6acb2ee..e1818eb 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
>  
> To compile it as a module, choose M here.  If unsure, say N.
>  
> +config IP6_NF_MATCH_SRH
> +tristate '"srh" Segment Routing header match support'
> +depends on NETFILTER_ADVANCED
> +help
> +  srh matching allows you to match packets based on the segment
> +   routing header of the packet.
> +
> +  To compile it as a module, choose M here.  If unsure, say N.
> +
>  # The targets
>  config IP6_NF_TARGET_HL
>   tristate '"HL" hoplimit target support'
> diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
> index c6ee0cd..e0d51a9 100644
> --- a/net/ipv6/netfilter/Makefile
> +++ b/net/ipv6/netfilter/Makefile
> @@ -54,6 +54,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
>  obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
>  obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
>  obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
> +obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
>  
>  # targets
>  obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
> diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c

Re: [net-next] netfilter: add segment routing header 'srh' match

2018-01-02 Thread Ahmed Abdelsalam
On Fri, 29 Dec 2017 12:07:52 +0100
Ahmed Abdelsalam  wrote:

> It allows matching packets based on Segment Routing Header
> (SRH) information.
> The implementation considers revision 7 of the SRH draft.
> https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
> 
> Currently supported match options include:
> (1) Next Header
> (2) Hdr Ext Len
> (3) Segments Left
> (4) Last Entry
> (5) Tag value of SRH
> 
> Signed-off-by: Ahmed Abdelsalam 
> ---
>  include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
>  net/ipv6/netfilter/Kconfig   |   9 ++
>  net/ipv6/netfilter/Makefile  |   1 +
>  net/ipv6/netfilter/ip6t_srh.c| 165 
> +++
>  4 files changed, 238 insertions(+)
>  create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
>  create mode 100644 net/ipv6/netfilter/ip6t_srh.c
> 
> diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> new file mode 100644
> index 000..1b5dbd8
> --- /dev/null
> +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> @@ -0,0 +1,63 @@
> +/**
> + * Definitions for Segment Routing Header 'srh' match
> + *
> + * Author:
> + *   Ahmed Abdelsalam   
> + */
> +
> +#ifndef _IP6T_SRH_H
> +#define _IP6T_SRH_H
> +
> +#include 
> +#include 
> +
> +/* Values for "mt_flags" field in struct ip6t_srh */
> +#define IP6T_SRH_NEXTHDR0x0001
> +#define IP6T_SRH_LEN_EQ 0x0002
> +#define IP6T_SRH_LEN_GT 0x0004
> +#define IP6T_SRH_LEN_LT 0x0008
> +#define IP6T_SRH_SEGS_EQ0x0010
> +#define IP6T_SRH_SEGS_GT0x0020
> +#define IP6T_SRH_SEGS_LT0x0040
> +#define IP6T_SRH_LAST_EQ0x0080
> +#define IP6T_SRH_LAST_GT0x0100
> +#define IP6T_SRH_LAST_LT0x0200
> +#define IP6T_SRH_TAG0x0400
> +#define IP6T_SRH_MASK   0x07FF
> +
> +/* Values for "mt_invflags" field in struct ip6t_srh */
> +#define IP6T_SRH_INV_NEXTHDR0x0001
> +#define IP6T_SRH_INV_LEN_EQ 0x0002
> +#define IP6T_SRH_INV_LEN_GT 0x0004
> +#define IP6T_SRH_INV_LEN_LT 0x0008
> +#define IP6T_SRH_INV_SEGS_EQ0x0010
> +#define IP6T_SRH_INV_SEGS_GT0x0020
> +#define IP6T_SRH_INV_SEGS_LT0x0040
> +#define IP6T_SRH_INV_LAST_EQ0x0080
> +#define IP6T_SRH_INV_LAST_GT0x0100
> +#define IP6T_SRH_INV_LAST_LT0x0200
> +#define IP6T_SRH_INV_TAG0x0400
> +#define IP6T_SRH_INV_MASK   0x07FF
> +
> +/**
> + *  struct ip6t_srh - SRH match options
> + *  @ next_hdr: Next header field of SRH
> + *  @ hdr_len: Extension header length field of SRH
> + *  @ segs_left: Segments left field of SRH
> + *  @ last_entry: Last entry field of SRH
> + *  @ tag: Tag field of SRH
> + *  @ mt_flags: match options
> + *  @ mt_invflags: Invert the sense of match options
> + */
> +
> +struct ip6t_srh {
> + __u8next_hdr;
> + __u8hdr_len;
> + __u8segs_left;
> + __u8last_entry;
> + __u16   tag;
> + __u16   mt_flags;
> + __u16   mt_invflags;
> +};
> +
> +#endif /*_IP6T_SRH_H*/
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index 6acb2ee..e1818eb 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
>  
> To compile it as a module, choose M here.  If unsure, say N.
>  
> +config IP6_NF_MATCH_SRH
> +tristate '"srh" Segment Routing header match support'
> +depends on NETFILTER_ADVANCED
> +help
> +  srh matching allows you to match packets based on the segment
> +   routing header of the packet.
> +
> +  To compile it as a module, choose M here.  If unsure, say N.
> +
>  # The targets
>  config IP6_NF_TARGET_HL
>   tristate '"HL" hoplimit target support'
> diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
> index c6ee0cd..e0d51a9 100644
> --- a/net/ipv6/netfilter/Makefile
> +++ b/net/ipv6/netfilter/Makefile
> @@ -54,6 +54,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
>  obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
>  obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
>  obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
> +obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
>  
>  # targets
>  obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
> diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
> new file mode 100644
> index 000..75e41dc9
> --- /dev/null
> +++ b/net/ipv6/netfilter/ip6t_srh.c
> @@ -0,0 +1,165 @@
> +/*
> + * Kernel module to match Segment Routing Header (SRH) parameters.
> + *
> + * Author:
> + * Ahmed Abdelsalam 
> + *
> + *
> + *  This program is free software; you can redistribute it and/or
> + *   modify it under the 

Re: [net-next] netfilter: add segment routing header 'srh' match

2018-01-02 Thread Ahmed Abdelsalam
On Fri, 29 Dec 2017 12:07:52 +0100
Ahmed Abdelsalam  wrote:

> It allows matching packets based on Segment Routing Header
> (SRH) information.
> The implementation considers revision 7 of the SRH draft.
> https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
> 
> Currently supported match options include:
> (1) Next Header
> (2) Hdr Ext Len
> (3) Segments Left
> (4) Last Entry
> (5) Tag value of SRH
> 
> Signed-off-by: Ahmed Abdelsalam 
> ---
>  include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
>  net/ipv6/netfilter/Kconfig   |   9 ++
>  net/ipv6/netfilter/Makefile  |   1 +
>  net/ipv6/netfilter/ip6t_srh.c| 165 
> +++
>  4 files changed, 238 insertions(+)
>  create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
>  create mode 100644 net/ipv6/netfilter/ip6t_srh.c
> 
> diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> new file mode 100644
> index 000..1b5dbd8
> --- /dev/null
> +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> @@ -0,0 +1,63 @@
> +/**
> + * Definitions for Segment Routing Header 'srh' match
> + *
> + * Author:
> + *   Ahmed Abdelsalam   
> + */
> +
> +#ifndef _IP6T_SRH_H
> +#define _IP6T_SRH_H
> +
> +#include 
> +#include 
> +
> +/* Values for "mt_flags" field in struct ip6t_srh */
> +#define IP6T_SRH_NEXTHDR0x0001
> +#define IP6T_SRH_LEN_EQ 0x0002
> +#define IP6T_SRH_LEN_GT 0x0004
> +#define IP6T_SRH_LEN_LT 0x0008
> +#define IP6T_SRH_SEGS_EQ0x0010
> +#define IP6T_SRH_SEGS_GT0x0020
> +#define IP6T_SRH_SEGS_LT0x0040
> +#define IP6T_SRH_LAST_EQ0x0080
> +#define IP6T_SRH_LAST_GT0x0100
> +#define IP6T_SRH_LAST_LT0x0200
> +#define IP6T_SRH_TAG0x0400
> +#define IP6T_SRH_MASK   0x07FF
> +
> +/* Values for "mt_invflags" field in struct ip6t_srh */
> +#define IP6T_SRH_INV_NEXTHDR0x0001
> +#define IP6T_SRH_INV_LEN_EQ 0x0002
> +#define IP6T_SRH_INV_LEN_GT 0x0004
> +#define IP6T_SRH_INV_LEN_LT 0x0008
> +#define IP6T_SRH_INV_SEGS_EQ0x0010
> +#define IP6T_SRH_INV_SEGS_GT0x0020
> +#define IP6T_SRH_INV_SEGS_LT0x0040
> +#define IP6T_SRH_INV_LAST_EQ0x0080
> +#define IP6T_SRH_INV_LAST_GT0x0100
> +#define IP6T_SRH_INV_LAST_LT0x0200
> +#define IP6T_SRH_INV_TAG0x0400
> +#define IP6T_SRH_INV_MASK   0x07FF
> +
> +/**
> + *  struct ip6t_srh - SRH match options
> + *  @ next_hdr: Next header field of SRH
> + *  @ hdr_len: Extension header length field of SRH
> + *  @ segs_left: Segments left field of SRH
> + *  @ last_entry: Last entry field of SRH
> + *  @ tag: Tag field of SRH
> + *  @ mt_flags: match options
> + *  @ mt_invflags: Invert the sense of match options
> + */
> +
> +struct ip6t_srh {
> + __u8next_hdr;
> + __u8hdr_len;
> + __u8segs_left;
> + __u8last_entry;
> + __u16   tag;
> + __u16   mt_flags;
> + __u16   mt_invflags;
> +};
> +
> +#endif /*_IP6T_SRH_H*/
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index 6acb2ee..e1818eb 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
>  
> To compile it as a module, choose M here.  If unsure, say N.
>  
> +config IP6_NF_MATCH_SRH
> +tristate '"srh" Segment Routing header match support'
> +depends on NETFILTER_ADVANCED
> +help
> +  srh matching allows you to match packets based on the segment
> +   routing header of the packet.
> +
> +  To compile it as a module, choose M here.  If unsure, say N.
> +
>  # The targets
>  config IP6_NF_TARGET_HL
>   tristate '"HL" hoplimit target support'
> diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
> index c6ee0cd..e0d51a9 100644
> --- a/net/ipv6/netfilter/Makefile
> +++ b/net/ipv6/netfilter/Makefile
> @@ -54,6 +54,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
>  obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
>  obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
>  obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
> +obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
>  
>  # targets
>  obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
> diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
> new file mode 100644
> index 000..75e41dc9
> --- /dev/null
> +++ b/net/ipv6/netfilter/ip6t_srh.c
> @@ -0,0 +1,165 @@
> +/*
> + * Kernel module to match Segment Routing Header (SRH) parameters.
> + *
> + * Author:
> + * Ahmed Abdelsalam 
> + *
> + *
> + *  This program is free software; you can redistribute it and/or
> + *   modify it under the terms of the GNU General Public License
> + *   as published by the Free Software 

[net-next] netfilter: add segment routing header 'srh' match

2017-12-29 Thread Ahmed Abdelsalam
It allows matching packets based on Segment Routing Header
(SRH) information.
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07

Currently supported match options include:
(1) Next Header
(2) Hdr Ext Len
(3) Segments Left
(4) Last Entry
(5) Tag value of SRH

Signed-off-by: Ahmed Abdelsalam 
---
 include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
 net/ipv6/netfilter/Kconfig   |   9 ++
 net/ipv6/netfilter/Makefile  |   1 +
 net/ipv6/netfilter/ip6t_srh.c| 165 +++
 4 files changed, 238 insertions(+)
 create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
 create mode 100644 net/ipv6/netfilter/ip6t_srh.c

diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
new file mode 100644
index 000..1b5dbd8
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
@@ -0,0 +1,63 @@
+/**
+ * Definitions for Segment Routing Header 'srh' match
+ *
+ * Author:
+ *   Ahmed Abdelsalam   
+ */
+
+#ifndef _IP6T_SRH_H
+#define _IP6T_SRH_H
+
+#include 
+#include 
+
+/* Values for "mt_flags" field in struct ip6t_srh */
+#define IP6T_SRH_NEXTHDR0x0001
+#define IP6T_SRH_LEN_EQ 0x0002
+#define IP6T_SRH_LEN_GT 0x0004
+#define IP6T_SRH_LEN_LT 0x0008
+#define IP6T_SRH_SEGS_EQ0x0010
+#define IP6T_SRH_SEGS_GT0x0020
+#define IP6T_SRH_SEGS_LT0x0040
+#define IP6T_SRH_LAST_EQ0x0080
+#define IP6T_SRH_LAST_GT0x0100
+#define IP6T_SRH_LAST_LT0x0200
+#define IP6T_SRH_TAG0x0400
+#define IP6T_SRH_MASK   0x07FF
+
+/* Values for "mt_invflags" field in struct ip6t_srh */
+#define IP6T_SRH_INV_NEXTHDR0x0001
+#define IP6T_SRH_INV_LEN_EQ 0x0002
+#define IP6T_SRH_INV_LEN_GT 0x0004
+#define IP6T_SRH_INV_LEN_LT 0x0008
+#define IP6T_SRH_INV_SEGS_EQ0x0010
+#define IP6T_SRH_INV_SEGS_GT0x0020
+#define IP6T_SRH_INV_SEGS_LT0x0040
+#define IP6T_SRH_INV_LAST_EQ0x0080
+#define IP6T_SRH_INV_LAST_GT0x0100
+#define IP6T_SRH_INV_LAST_LT0x0200
+#define IP6T_SRH_INV_TAG0x0400
+#define IP6T_SRH_INV_MASK   0x07FF
+
+/**
+ *  struct ip6t_srh - SRH match options
+ *  @ next_hdr: Next header field of SRH
+ *  @ hdr_len: Extension header length field of SRH
+ *  @ segs_left: Segments left field of SRH
+ *  @ last_entry: Last entry field of SRH
+ *  @ tag: Tag field of SRH
+ *  @ mt_flags: match options
+ *  @ mt_invflags: Invert the sense of match options
+ */
+
+struct ip6t_srh {
+   __u8next_hdr;
+   __u8hdr_len;
+   __u8segs_left;
+   __u8last_entry;
+   __u16   tag;
+   __u16   mt_flags;
+   __u16   mt_invflags;
+};
+
+#endif /*_IP6T_SRH_H*/
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 6acb2ee..e1818eb 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
 
  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_MATCH_SRH
+tristate '"srh" Segment Routing header match support'
+depends on NETFILTER_ADVANCED
+help
+  srh matching allows you to match packets based on the segment
+ routing header of the packet.
+
+  To compile it as a module, choose M here.  If unsure, say N.
+
 # The targets
 config IP6_NF_TARGET_HL
tristate '"HL" hoplimit target support'
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index c6ee0cd..e0d51a9 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -54,6 +54,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
 obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
 obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
+obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
 
 # targets
 obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
new file mode 100644
index 000..75e41dc9
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_srh.c
@@ -0,0 +1,165 @@
+/*
+ * Kernel module to match Segment Routing Header (SRH) parameters.
+ *
+ * Author:
+ * Ahmed Abdelsalam 
+ *
+ *
+ *  This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+

[net-next] netfilter: add segment routing header 'srh' match

2017-12-29 Thread Ahmed Abdelsalam
The 'srh' match allows matching packets based on Segment Routing Header
(SRH) information.
The implementation is based on revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07

Currently supported match options include:
(1) Next Header
(2) Hdr Ext Len
(3) Segments Left
(4) Last Entry
(5) Tag value of SRH

Signed-off-by: Ahmed Abdelsalam 
---
 include/uapi/linux/netfilter_ipv6/ip6t_srh.h |  63 ++
 net/ipv6/netfilter/Kconfig   |   9 ++
 net/ipv6/netfilter/Makefile  |   1 +
 net/ipv6/netfilter/ip6t_srh.c| 165 +++
 4 files changed, 238 insertions(+)
 create mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_srh.h
 create mode 100644 net/ipv6/netfilter/ip6t_srh.c

diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
new file mode 100644
index 000..1b5dbd8
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
@@ -0,0 +1,63 @@
+/**
+ * Definitions for Segment Routing Header 'srh' match
+ *
+ * Author:
+ *   Ahmed Abdelsalam   
+ */
+
+#ifndef _IP6T_SRH_H
+#define _IP6T_SRH_H
+
+#include 
+#include 
+
+/* Values for "mt_flags" field in struct ip6t_srh */
+#define IP6T_SRH_NEXTHDR0x0001
+#define IP6T_SRH_LEN_EQ 0x0002
+#define IP6T_SRH_LEN_GT 0x0004
+#define IP6T_SRH_LEN_LT 0x0008
+#define IP6T_SRH_SEGS_EQ0x0010
+#define IP6T_SRH_SEGS_GT0x0020
+#define IP6T_SRH_SEGS_LT0x0040
+#define IP6T_SRH_LAST_EQ0x0080
+#define IP6T_SRH_LAST_GT0x0100
+#define IP6T_SRH_LAST_LT0x0200
+#define IP6T_SRH_TAG0x0400
+#define IP6T_SRH_MASK   0x07FF
+
+/* Values for "mt_invflags" field in struct ip6t_srh */
+#define IP6T_SRH_INV_NEXTHDR0x0001
+#define IP6T_SRH_INV_LEN_EQ 0x0002
+#define IP6T_SRH_INV_LEN_GT 0x0004
+#define IP6T_SRH_INV_LEN_LT 0x0008
+#define IP6T_SRH_INV_SEGS_EQ0x0010
+#define IP6T_SRH_INV_SEGS_GT0x0020
+#define IP6T_SRH_INV_SEGS_LT0x0040
+#define IP6T_SRH_INV_LAST_EQ0x0080
+#define IP6T_SRH_INV_LAST_GT0x0100
+#define IP6T_SRH_INV_LAST_LT0x0200
+#define IP6T_SRH_INV_TAG0x0400
+#define IP6T_SRH_INV_MASK   0x07FF
+
+/**
+ *  struct ip6t_srh - SRH match options
+ *  @ next_hdr: Next header field of SRH
+ *  @ hdr_len: Extension header length field of SRH
+ *  @ segs_left: Segments left field of SRH
+ *  @ last_entry: Last entry field of SRH
+ *  @ tag: Tag field of SRH
+ *  @ mt_flags: match options
+ *  @ mt_invflags: Invert the sense of match options
+ */
+
+struct ip6t_srh {
+   __u8next_hdr;
+   __u8hdr_len;
+   __u8segs_left;
+   __u8last_entry;
+   __u16   tag;
+   __u16   mt_flags;
+   __u16   mt_invflags;
+};
+
+#endif /*_IP6T_SRH_H*/
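Review bot: The kernel-doc block above `struct ip6t_srh` writes its member tags as `@ next_hdr:` with a space after the `@`, where kernel-doc expects `@next_hdr:`, and a blank `+` line separates the comment from the struct, so the members will probably not be picked up by the documentation tooling. Because this is a UAPI structure filled in by userspace, the comment should also state what the kernel expects of each value, for example `@tag: Tag field of SRH, in network byte order` if the match compares it with the on-wire field without conversion (that comparison is in ip6t_srh.c, outside this hunk, so confirm it there). `IP6T_SRH_MASK` and `IP6T_SRH_INV_MASK` are defined here, but nothing in this hunk shows them being enforced; the rule-validation path should reject any `mt_flags` or `mt_invflags` bit outside those masks, so that unknown bits from userspace are refused rather than silently ignored. It would also help to note in the comment that `hdr_len`, `segs_left` and `last_entry` each hold a single value shared by their `_EQ`/`_GT`/`_LT` flags, which means a rule cannot carry two different bounds for the same field.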
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 6acb2ee..e1818eb 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -232,6 +232,15 @@ config IP6_NF_MATCH_RT
 
  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_MATCH_SRH
+tristate '"srh" Segment Routing header match support'
+depends on NETFILTER_ADVANCED
+help
+  srh matching allows you to match packets based on the segment
+ routing header of the packet.
+
+  To compile it as a module, choose M here.  If unsure, say N.
+
 # The targets
 config IP6_NF_TARGET_HL
tristate '"HL" hoplimit target support'
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index c6ee0cd..e0d51a9 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -54,6 +54,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
 obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
 obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
+obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
 
 # targets
 obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
new file mode 100644
index 000..75e41dc9
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_srh.c
@@ -0,0 +1,165 @@
+/*
+ * Kernel module to match Segment Routing Header (SRH) parameters.
+ *
+ * Author:
+ * Ahmed Abdelsalam 
+ *
+ *
+ *  This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Xtables: IPv6 Segment Routing