Can be used in bridge prerouting hook to redirect the packet to the receiving physical device for processing. table bridge nat { chain PREROUTING { type filter hook prerouting priority 0; policy accept; ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr accept } } Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nf_tables.h | 2 ++ src/meta.c | 4 ++++ tests/py/bridge/meta.t | 1 + tests/py/bridge/pass_up.t | 6 ++++++ tests/py/bridge/pass_up.t.json | 19 +++++++++++++++++++ tests/py/bridge/pass_up.t.payload | 4 ++++ 6 files changed, 36 insertions(+) create mode 100644 tests/py/bridge/pass_up.t create mode 100644 tests/py/bridge/pass_up.t.json create mode 100644 tests/py/bridge/pass_up.t.payload diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index f57963e8..34a9b117 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -949,6 +949,7 @@ enum nft_exthdr_attributes { * @NFT_META_SDIF: slave device interface index * @NFT_META_SDIFNAME: slave device interface name * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit + * @NFT_META_BRI_IIFHWADDR: packet input bridge interface ethernet address */ enum nft_meta_keys { NFT_META_LEN, @@ -989,6 +990,7 @@ enum nft_meta_keys { NFT_META_SDIFNAME, NFT_META_BRI_BROUTE, __NFT_META_IIFTYPE, + NFT_META_BRI_IIFHWADDR, }; /** diff --git a/src/meta.c b/src/meta.c index 1010209d..9e0d02c6 100644 --- a/src/meta.c +++ b/src/meta.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include @@ -704,6 +705,9 @@ const struct meta_template meta_templates[] = { BYTEORDER_HOST_ENDIAN), [NFT_META_BRI_BROUTE] = META_TEMPLATE("broute", &integer_type, 1 , BYTEORDER_HOST_ENDIAN), + [NFT_META_BRI_IIFHWADDR] = META_TEMPLATE("ibrhwdr", ðeraddr_type, + ETH_ALEN * BITS_PER_BYTE, + BYTEORDER_BIG_ENDIAN), }; static bool meta_key_is_unqualified(enum nft_meta_keys key) 
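Review bot: The keyword string in the new `meta_templates[]` entry, `"ibrhwdr"`, drops the "a" of "addr" and does not match the enum name `NFT_META_BRI_IIFHWADDR` or the spelled-out style of the existing bridge keys (`ibrname`, `ibrpvid`); because this string becomes rule syntax that is hard to rename once released, `"ibrhwaddr"` would be easier to read and to grep for in rulesets. The diffstat touches nothing under the documentation tree, so the key ships undocumented. The man page entry should say it is read-only (the tests expect `meta ibrhwdr set …` to fail) and, per the commit message, intended for the bridge prerouting hook. It is also worth stating there that combining it with `meta pkttype set host` hands every matching frame to the local stack, so the match in front of it should stay as narrow as the example's `ether daddr` test. The table initializer starts outside the hunk.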
diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t index 171aa610..b7744023 100644 --- a/tests/py/bridge/meta.t +++ b/tests/py/bridge/meta.t @@ -11,3 +11,4 @@ meta protocol ip udp dport 67;ok meta protocol ip6 udp dport 67;ok meta broute set 1;fail +meta ibrhwdr;fail diff --git a/tests/py/bridge/pass_up.t b/tests/py/bridge/pass_up.t new file mode 100644 index 00000000..97de13f4 --- /dev/null +++ b/tests/py/bridge/pass_up.t @@ -0,0 +1,6 @@ +:prerouting;type filter hook prerouting priority 0 + +*bridge;test-bridge;prerouting + +ether daddr set meta ibrhwdr;ok +meta ibrhwdr set 00:1a:2b:3c:4d:5e;fail diff --git a/tests/py/bridge/pass_up.t.json b/tests/py/bridge/pass_up.t.json new file mode 100644 index 00000000..937c0c11 --- /dev/null +++ b/tests/py/bridge/pass_up.t.json @@ -0,0 +1,19 @@ +# ether daddr set meta ibrhwdr +[ + { + "mangle": { + "key": { + "payload": { + "field": "daddr", + "protocol": "ether" + } + }, + "value": { + "meta": { + "key": "ibrhwdr" + } + } + } + } +] + diff --git a/tests/py/bridge/pass_up.t.payload b/tests/py/bridge/pass_up.t.payload new file mode 100644 index 00000000..f9826d9c --- /dev/null +++ b/tests/py/bridge/pass_up.t.payload @@ -0,0 +1,4 @@ +# ether daddr set meta ibrhwdr +bridge test-bridge prerouting + [ meta load ibrhwdr => reg 1 ] + [ payload write reg 1 => 6b @ link header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ] -- 2.51.0
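Review bot: The added case `meta ibrhwdr;fail` in tests/py/bridge/meta.t has no comparison or target, so it would most likely be rejected as an incomplete statement in any chain and does not show that the key itself is refused in this file's chain. If the intent is to pin that the key cannot be used outside the prerouting hook, a complete rule such as `ether daddr set meta ibrhwdr;fail` would exercise that, assuming the kernel side enforces the hook restriction. The chain these rules are loaded into is declared outside the hunk.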
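Review bot: The new tests/py/bridge/pass_up.t covers only the mangle form; there is no case that reads the key in a match, and none for the combined rule from the commit message (`meta pkttype set host` followed by `ether daddr set meta ibrhwdr`). One `;ok` case for that combined rule, with matching `.json` and `.payload` entries, would pin the documented use case end to end. A leading comment such as `# meta ibrhwdr is read-only; the "set" form must be rejected` would tell the next reader why the second case is expected to fail.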