netfilter: nf_tables: add fib expression to the netdev family

Add fib expression support for netdev family. Like inet family, netdev delegates the actual decision to the corresponding backend, either ipv4 or ipv6. This allows to perform very early reverse path filtering, among other things. You can find more information about fib expression in the f6d0cbcf09c5 ("<netfilter: nf_tables: add fib expression>") commit message. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo M. Bermudo Garay <pablombg@gmail.com> 2017-07-21 01:54:38 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-07-31 19:01:40 +0200
commit: 6392c226037c2b90d3062126c65fc354e47156f7 (patch)
tree: ec0ae365f53bffabd611a5907cabd4fde350f15a /net/netfilter/Kconfig
parent: f347ec852c7a83e1803192d2c1fce4e42e0715a5 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 9b28864cc36a..e4a13cc8a2e7 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -636,6 +636,15 @@ config NFT_FWD_NETDEV
 	help
 	  This option enables packet forwarding for the "netdev" family.
 
+config NFT_FIB_NETDEV
+	depends on NFT_FIB_IPV4
+	depends on NFT_FIB_IPV6
+	tristate "Netfilter nf_tables netdev fib lookups support"
+	help
+	  This option allows using the FIB expression from the netdev table.
+	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
+	  on the protocol of the packet.
+
 endif # NF_TABLES_NETDEV
 
 endif # NF_TABLES
author	Pablo M. Bermudo Garay <pablombg@gmail.com>	2017-07-21 01:54:38 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-07-31 19:01:40 +0200
commit	6392c226037c2b90d3062126c65fc354e47156f7 (patch)
tree	ec0ae365f53bffabd611a5907cabd4fde350f15a /net/netfilter/Kconfig
parent	f347ec852c7a83e1803192d2c1fce4e42e0715a5 (diff)