proxmox-mirrors/mirror_iproute2
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_iproute2 synced 2025-11-01 13:54:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
dd29621578
mirror_iproute2/man
History
Eyal Birger dd29621578 tc: add em_ipt ematch for calling xtables matches from tc matching context 
The commit calls a new tc ematch for using netfilter xtable matches.

This allows early classification as well as mirroning/redirecting traffic
based on logic implemented in netfilter extensions.

Current supported use case is classification based on the incoming IPSec
state used during decpsulation using the 'policy' iptables extension
(xt_policy).

The matcher uses libxtables for parsing the input parameters.

Example use for matching an IPSec state with reqid 1:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 protocol ip parent ffff: \
    basic match 'ipt(-m policy --dir in --pol ipsec --reqid 1)' \
    action drop

This is the user-space counter part of kernel commit ccc007e4a746
("net: sched: add em_ipt ematch for calling xtables matches")

Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
2018-02-27 09:43:16 -08:00
..
man3 SPDX license identifiers 2017-11-24 12:21:35 -08:00
man7 SPDX license identifiers 2017-11-24 12:21:35 -08:00
man8 tc: add em_ipt ematch for calling xtables matches from tc matching context 2018-02-27 09:43:16 -08:00
Makefile SPDX license identifiers 2017-11-24 12:21:35 -08:00