netfilter: nft_meta: offload support for interface index

This patch adds support for offloading the NFT_META_IIF selector.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 03cf5856d76f28cfcc706529312d73354d0625f1..ea7d1d78b92d2a6a64f6017d7ffa1fe0af142997 100644 (file)
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -45,6 +45,7 @@ struct nft_flow_key {
        struct flow_dissector_key_ip                    ip;
        struct flow_dissector_key_vlan                  vlan;
        struct flow_dissector_key_eth_addrs             eth_addrs;
+       struct flow_dissector_key_meta                  meta;
 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
 
 struct nft_flow_match {

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 317e3a9e8c5bec3c67e9b5a606ee4f24971495a4..8fd21f436347331af0423b4622f310ee496a385e 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -547,6 +547,10 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
                                  sizeof(__u8), reg);
                nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
                break;
+       case NFT_META_IIF:
+               NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
+                                 ingress_ifindex, sizeof(__u32), reg);
+               break;
        default:
                return -EOPNOTSUPP;
        }