netfilter: nft_meta: Add cpu attribute support

Add cpu support to meta expresion.

This allows you to match packets with cpu number.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 98144cd..c9b6f00 100644 (file)
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -572,6 +572,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_BRI_IIFNAME: packet input bridge interface name
  * @NFT_META_BRI_OIFNAME: packet output bridge interface name
  * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
+ * @NFT_META_CPU: cpu id through smp_processor_id()
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -594,6 +595,7 @@ enum nft_meta_keys {
        NFT_META_BRI_IIFNAME,
        NFT_META_BRI_OIFNAME,
        NFT_META_PKTTYPE,
+       NFT_META_CPU,
 };
 
 /**

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 4f2862f..843e099 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -17,6 +17,7 @@
 #include <linux/in.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
+#include <linux/smp.h>
 #include <net/dst.h>
 #include <net/sock.h>
 #include <net/tcp_states.h> /* for TCP_TIME_WAIT */
@@ -151,6 +152,9 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                        goto err;
                }
                break;
+       case NFT_META_CPU:
+               dest->data[0] = smp_processor_id();
+               break;
        default:
                WARN_ON(1);
                goto err;
@@ -223,6 +227,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
        case NFT_META_SECMARK:
 #endif
        case NFT_META_PKTTYPE:
+       case NFT_META_CPU:
                break;
        default:
                return -EOPNOTSUPP;