asedeno.scripts.mit.edu Git - linux.git/commit

author	Ahmed Abdelsalam <amsalam20@gmail.com>
	Wed, 25 Apr 2018 10:30:24 +0000 (05:30 -0500)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 6 May 2018 21:33:03 +0000 (23:33 +0200)
commit	c1c7e44b4f62e9c07fea8aaa58ed46cfae48ba3d
tree	5644ade3c0378003e7afca3e986b2e7e25f84910	tree \| snapshot
parent	75e72f05418afbeac0a707d2e0cc9451ceb47e43	commit \| diff

netfilter: ip6t_srh: extend SRH matching for previous, next and last SID

IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed
by SR encapsulated packet. Each SID is encoded as an IPv6 prefix.

When a Firewall receives an SR encapsulated packet, it should be able
to identify which node previously processed the packet (previous SID),
which node is going to process the packet next (next SID), and which
node is the last to process the packet (last SID) which represent the
final destination of the packet in case of inline SR mode.

An example use-case of using these features could be SID list that
includes two firewalls. When the second firewall receives a packet,
it can check whether the packet has been processed by the first firewall
or not. Based on that check, it decides to apply all rules, apply just
subset of the rules, or totally skip all rules and forward the packet to
the next SID.

This patch extends SRH match to support matching previous SID, next SID,
and last SID.

Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter_ipv6/ip6t_srh.h		diff \| blob \| history
net/ipv6/netfilter/ip6t_srh.c		diff \| blob \| history