netfilter: nft_payload: support for inner header matching / mangling

Allow to match and mangle on inner headers / payload data after the transport header. There is a new field in the pktinfo structure that stores the inner header offset which is calculated only when requested. Only TCP and UDP supported at this stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2021-10-28 23:15:00 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-11-01 11:31:03 +0300
commit: c46b38dc8743535e686b911d253a844f0bd50ead (patch)
tree: 3ea59205264ba559d399fd8047e9dbe196743fb2 /include/uapi
parent: b5bdc6f9c24db9a0adf8bd00c0e935b184654f00 (diff)
download: linux-c46b38dc8743535e686b911d253a844f0bd50ead.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 08db4ee06ab6..466fd3f4447c 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -753,11 +753,13 @@ enum nft_dynset_attributes {
  * @NFT_PAYLOAD_LL_HEADER: link layer header
  * @NFT_PAYLOAD_NETWORK_HEADER: network header
  * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
+ * @NFT_PAYLOAD_INNER_HEADER: inner header / payload
  */
 enum nft_payload_bases {
 	NFT_PAYLOAD_LL_HEADER,
 	NFT_PAYLOAD_NETWORK_HEADER,
 	NFT_PAYLOAD_TRANSPORT_HEADER,
+	NFT_PAYLOAD_INNER_HEADER,
 };
 
 /**
author	Pablo Neira Ayuso <pablo@netfilter.org>	2021-10-28 23:15:00 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-11-01 11:31:03 +0300
commit	c46b38dc8743535e686b911d253a844f0bd50ead (patch)
tree	3ea59205264ba559d399fd8047e9dbe196743fb2 /include/uapi
parent	b5bdc6f9c24db9a0adf8bd00c0e935b184654f00 (diff)
download	linux-c46b38dc8743535e686b911d253a844f0bd50ead.tar.xz