From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo@debian.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH] payload: use explicit network ctx assignation for icmp/icmp6 in inet family
Date: Tue, 24 Jan 2017 21:12:58 +0100
Message-ID: <20170124201258.GA10947@salvia>
In-Reply-To: <20170124194854.GA10867@salvia>

On Tue, Jan 24, 2017 at 08:48:54PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 20, 2017 at 01:20:11PM +0100, Arturo Borrero Gonzalez wrote:
> > In the inet family, we can add rules like these:
> >
> > % nft add rule inet t c ip protocol icmp icmp type echo-request
> > % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
> >
> > However, when we print the ruleset:
> >
> > % nft list ruleset
> > table inet t {
> > 	chain c {
> > 		icmpv6 type echo-request
> > 		icmp type echo-request
> > 	}
> > }
> >
> > These rules we obtain can't be added again:
> >
> > % nft add rule inet t c icmp type echo-request
> > <cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
> > add rule inet t c icmp type echo-request
> >                   ^^^^^^^^^
> >
> > % nft add rule inet t c icmpv6 type echo-request
> > <cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
> > add rule inet t c icmpv6 type echo-request
> >                   ^^^^^^^^^^^
> >
> > Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet
> > carrying ICMP, if the link layer is inet, the network layer protocol context
> > can be safely updated to 'ip' or 'ip6'.
> >
> > Moreover, nft currently generates a 'meta nfproto ipvX' dependency when
> > using icmp or icmp6 in the inet family.
>
> Applied, thanks Arturo.
>
> BTW, it would be great if you can cook a patch with new tests/py lines
> covering this case.

Wait. This only solves the inet case. Bridge and netdev still remain
broken.