netfilter: nf_tables: rt: allow checking if dst has xfrm attached

Useful e.g. to avoid NATting inner headers of to-be-encrypted packets. Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
author: Florian Westphal <[email protected]> 2018-08-29 00:19:00 +0200
committer: Pablo Neira Ayuso <[email protected]> 2018-09-17 11:29:49 +0200
commit: 02b408fae3d5552d10d1189fc0bd7e5b1e76af71 (patch)
tree: 24d5c7411d344dd87bb9bcef6554b2c1575e080a /include/uapi/linux
parent: a82738adff167593bbb9df90b4201ce4b3407d21 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index e23290ffdc77..6c44cbbb2cda 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -826,12 +826,14 @@ enum nft_meta_keys {
  * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
  * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
  * @NFT_RT_TCPMSS: fetch current path tcp mss
+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
  */
 enum nft_rt_keys {
 	NFT_RT_CLASSID,
 	NFT_RT_NEXTHOP4,
 	NFT_RT_NEXTHOP6,
 	NFT_RT_TCPMSS,
+	NFT_RT_XFRM,
 	__NFT_RT_MAX
 };
 #define NFT_RT_MAX		(__NFT_RT_MAX - 1)
author	Florian Westphal <[email protected]>	2018-08-29 00:19:00 +0200
committer	Pablo Neira Ayuso <[email protected]>	2018-09-17 11:29:49 +0200
commit	02b408fae3d5552d10d1189fc0bd7e5b1e76af71 (patch)
tree	24d5c7411d344dd87bb9bcef6554b2c1575e080a /include/uapi/linux
parent	a82738adff167593bbb9df90b4201ce4b3407d21 (diff)