netfilter: meta: secpath support

 * @NFT_META_OIFGROUP: packet output interface group

 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)

 * @NFT_META_PRANDOM: a 32bit pseudo-random number

 * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)

 */

enum nft_meta_keys {

	NFT_META_LEN,

	NFT_META_OIFGROUP,

	NFT_META_CGROUP,

	NFT_META_PRANDOM,

	NFT_META_SECPATH,

};

/**

		*dest = prandom_u32_state(state);

		break;

	}

#ifdef CONFIG_XFRM

	case NFT_META_SECPATH:

		nft_reg_store8(dest, !!skb->sp);

		break;

#endif

	default:

		WARN_ON(1);

		goto err;

		prandom_init_once(&nft_prandom_state);

		len = sizeof(u32);

		break;

#ifdef CONFIG_XFRM

	case NFT_META_SECPATH:

		len = sizeof(u8);

		break;

#endif

	default:

		return -EOPNOTSUPP;

	}

}

EXPORT_SYMBOL_GPL(nft_meta_get_init);

static int nft_meta_get_validate(const struct nft_ctx *ctx,

				 const struct nft_expr *expr,

				 const struct nft_data **data)

{

#ifdef CONFIG_XFRM

	const struct nft_meta *priv = nft_expr_priv(expr);

	unsigned int hooks;

	if (priv->key != NFT_META_SECPATH)

		return 0;

	switch (ctx->afi->family) {

	case NFPROTO_NETDEV:

		hooks = 1 << NF_NETDEV_INGRESS;

		break;

	case NFPROTO_IPV4:

	case NFPROTO_IPV6:

	case NFPROTO_INET:

		hooks = (1 << NF_INET_PRE_ROUTING) |

			(1 << NF_INET_LOCAL_IN) |

			(1 << NF_INET_FORWARD);

		break;

	default:

		return -EOPNOTSUPP;

	}

	return nft_chain_validate_hooks(ctx->chain, hooks);

#else

	return 0;

#endif

}

int nft_meta_set_validate(const struct nft_ctx *ctx,

			  const struct nft_expr *expr,

			  const struct nft_data **data)

	.eval		= nft_meta_get_eval,

	.init		= nft_meta_get_init,

	.dump		= nft_meta_get_dump,

	.validate	= nft_meta_get_validate,

};

static const struct nft_expr_ops nft_meta_set_ops = {