From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 1/5] ct: add support for directional keys
Date: Mon, 4 Jan 2016 21:06:48 +0100 [thread overview]
Message-ID: <20160104200648.GB1731@breakpoint.cc> (raw)
In-Reply-To: <20151229234941.GB1386@salvia>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 18, 2015 at 10:07:59PM +0100, Florian Westphal wrote:
> > A few keys in the ct expression are directional, i.e.
> > we need to tell kernel if it should fetch REPLY or ORIGINAL direction.
> >
> > Split ct_keys into ct_keys & ct_keys_dir, the latter are those keys
> > that the kernel rejects unless also given a direction.
> >
> > During postprocessing we also need to invoke ct_expr_update_type,
> > problem is that e.g. ct saddr can be any family (ip, ipv6) so we need
> > to update the expected data type based on the network base.
>
> I think this is the way to go. My original proposal will not allow
> things like:
>
> ct direction reply ct daddr original 2.2.2.2
>
> which seems to me like a valid matching, specifically when NAT comes
> into place (where original and reply tuples are not the same). This is
> kind of corner case, but I think we shouldn't reduce the expressiveness.
Great, so this seems ready so I pushed the series to nft master.
> > diff --git a/include/expression.h b/include/expression.h
> > --- a/include/expression.h
> > +++ b/include/expression.h
> > @@ -273,6 +273,7 @@ struct expr {
> > struct {
> > /* EXPR_CT */
> > enum nft_ct_keys key;
> > + struct expr *dir_expr;
>
> I think you can store the direction as a value.
Ok, changed to int8_t ..
> > + expr_free(ct->ct.dir_expr);
> > + ct->ct.dir_expr = direction;
> > + }
>
> I'd suggest you parse the direction from the parser, I don't find any
... and added a helper to do just that.
There were no other changes.
If you get
ip/ct.t: WARNING: line: 16: 'src/nft add rule --debug=netlink ip test-ip4 output ct l3proto original ipv4': 'ct l3proto original ipv4' mismatches 'ct l3proto ipv4'
that means kernel lacks d5f79b6e4d1 ('netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key').
next prev parent reply other threads:[~2016-01-04 20:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-18 21:07 [PATCH nft 0/5] ct: add support for directional keys Florian Westphal
2015-12-18 21:07 ` [PATCH nft 1/5] " Florian Westphal
2015-12-29 23:49 ` Pablo Neira Ayuso
2016-01-04 20:06 ` Florian Westphal [this message]
2015-12-18 21:08 ` [PATCH nft 2/5] netlink: don't handle lhs zero-length expression as concat type Florian Westphal
2015-12-18 21:08 ` [PATCH nft 3/5] netlink: only drop mask if it matches left known-size operand Florian Westphal
2015-12-18 21:08 ` [PATCH nft 4/5] src: ct: make ct l3proto work Florian Westphal
2015-12-18 21:08 ` [PATCH nft 5/5] tests: add ct tests for ip family Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160104200648.GB1731@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.