On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Fri, Jan 12, 2018 at 02:57:24PM +0200, Eyal Birger wrote: >> @@ -51,9 +52,9 @@ match_xfrm_state(const struct xfrm_state *x, const struct >> xt_policy_elem *e, >> MATCH(reqid, x->props.reqid); >> } >> >> -static int >> -match_policy_in(const struct sk_buff *skb, const struct xt_policy_info >> *info, >> - unsigned short family) >> +int xt_policy_match_policy_in(const struct sk_buff *skb, >> + const struct xt_policy_info *info, >> + unsigned short family) >> { >> const struct xt_policy_elem *e; >> const struct sec_path *sp = skb->sp; >> @@ -80,10 +81,11 @@ match_policy_in(const struct sk_buff *skb, const struct >> xt_policy_info *info, >> >> return strict ? 1 : 0; >> } >> +EXPORT_SYMBOL_GPL(xt_policy_match_policy_in); > > If you just want to call xt_policy_match from tc, then you could use > tc ipt infrastructure instead.
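Review bot: the first hunk drops `static` and renames match_policy_in to xt_policy_match_policy_in without documenting the return contract for callers outside xt_policy. The only return visible in the quoted lines is `return strict ? 1 : 0;`, so a caller in another subsystem cannot tell from the definition what distinguishes a match, a non-match, or any other outcome produced earlier in the body. Please add a comment above the definition that states the meaning of each return value, and make sure the prototype lives in a shared header, which the quoted hunks do not show.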
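Review bot: `EXPORT_SYMBOL_GPL(xt_policy_match_policy_in);` in the second hunk makes any user of this function depend on the xt_policy module being built and loaded, and the function reads `skb->sp` directly. The commit should state which caller needs the export and show that caller's Kconfig dependency, so that a configuration where the caller is enabled but xt_policy is not cannot be selected. As the reply below the patch notes, reusing existing infrastructure may avoid the new export entirely, so the justification for exporting belongs in the changelog.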
Thanks for the suggestion - are you referring to act_ipt? It looks like it allows calling targets; I couldn't find a classifier calling a netfilter matcher.

Eyal.