From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Andreas Hoefler <andreas.hoefler@hitachi-powergrids.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: libnftnl vlan type filter
Date: Sat, 4 Jul 2020 02:28:47 +0200
Message-ID: <20200704002847.GA1529@salvia>
In-Reply-To: <VI1PR06MB4639357B62CE26537FF54FE6C56A0@VI1PR06MB4639.eurprd06.prod.outlook.com>

On Fri, Jul 03, 2020 at 06:45:45AM +0000, Andreas Hoefler wrote:
> Hi,
> I am trying to use libnftnl to construct this:
> 
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy accept;
>                 vlan type 0x88ba
>         }
> }
> 
> I do :
>     add_meta(r, NFT_META_IIFTYPE, NFT_REG_1);
>     uint32_t iiftype = 1;
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &iiftype, sizeof(iiftype));
> 
>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 12, sizeof(uint16_t));
>     uint16_t vtype = htons(ETH_P_8021Q);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &vtype, sizeof(vtype));

Is your offset (in bytes) correct?

>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 16, sizeof(uint16_t));
>     uint16_t et = htons(0x88ba);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &et, sizeof(et));
> 
> This produces the following rule
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002
>         }
> }
> When I manually add the constructed rule:
> #nft add rule netdev filter in iiftype ether @ll,96,16 33024 @ll,128,16 35002
> 
> then nft list ruleset translates it correctly so I assume that this rule is built right:
> 
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002 <- constructed with code above
>                 vlan type 0x88ba <- manually added, same rule as above but translated ok
>         }
> }
> 
> My questions:
> - What are the correct enums to use for e.g. iiftype = 1?

ARPHRD_ETHER

> - Is there something like offsetof(struct ???, vlan) which I could use instead of hardcoded offset?

man 3 offsetof

> - Why does list ruleset show the coded rule differently from the manually added one?

Is your bytecode matching packets? Probably adding a counter would
allow you to check for this.

> - uint16_t vtype = htons(ETH_P_8021Q); seems weird to use htons here, is there another enum I should use?

You can use --debug=netlink to display the bytecode that nft
generates:

# nft --debug=netlink add rule x y vlan type 0x88ba 
ip 
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

Error: Could not process rule: No such file or directory
add rule x y vlan type 0x88ba

Then, compare it with your manually generated bytecode.
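Added example (not code from the thread or from libnftnl): a small C program that works through the two points raised above, the header offsets and the byte order of the comparison data. It redefines the Ethernet and 802.1Q header layouts locally (assumed to mirror the kernel's struct ethhdr / struct vlan_ethhdr) so that offsetof() gives the 12 and 16 used in the libnftnl calls, renders the raw payload matches the way `nft list ruleset` prints them (`@ll,96,16 33024`), and evaluates the same three checks against a constructed tagged frame with a bytewise compare, which is why the cmp value has to be passed through htons(). The frame contents and the names nft_raw_payload_str, frame_matches and build_frame are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons(), ntohs() */

/* Header layouts redefined locally (assumption: same field order as the
 * kernel's struct ethhdr / struct vlan_ethhdr) so this builds without
 * kernel headers. offsetof() on these gives the hard-coded 12 and 16. */
struct eth_hdr {
    uint8_t  h_dest[6];
    uint8_t  h_source[6];
    uint16_t h_proto;                   /* ethertype, network byte order */
} __attribute__((packed));

struct vlan_eth_hdr {
    uint8_t  h_dest[6];
    uint8_t  h_source[6];
    uint16_t h_vlan_proto;              /* TPID: 0x8100 for 802.1Q (offset 12) */
    uint16_t h_vlan_TCI;                /* PCP / DEI / VID (offset 14) */
    uint16_t h_vlan_encapsulated_proto; /* inner ethertype (offset 16) */
} __attribute__((packed));

#ifndef ETH_P_8021Q
#define ETH_P_8021Q 0x8100
#endif
#define INNER_TYPE 0x88ba               /* the ethertype matched in the thread */

/* Render a raw payload match as `nft list ruleset` prints it:
 * "@ll,<bit offset>,<bit length> <value read as big-endian integer>". */
int nft_raw_payload_str(size_t byte_off, size_t byte_len, const void *value_be,
                        char *out, size_t out_len)
{
    uint16_t v = 0;
    if (byte_len != 2)
        return -1;                      /* helper covers 16-bit fields only */
    memcpy(&v, value_be, 2);            /* raw bytes, exactly what the cmp data holds */
    return snprintf(out, out_len, "@ll,%zu,%zu %u",
                    byte_off * 8, byte_len * 8, (unsigned)ntohs(v));
}

/* Bytewise compare of packet bytes at an offset against the cmp data, with no
 * byte-order conversion: this is why the value must be in network order. */
static int raw_cmp_eq(const uint8_t *frame, size_t frame_len, size_t off,
                      const void *data, size_t len)
{
    if (off + len > frame_len)
        return 0;                       /* short packet: payload load fails, no match */
    return memcmp(frame + off, data, len) == 0;
}

/* The three-step match the libnftnl snippet builds: link type is Ethernet
 * (meta iiftype == ARPHRD_ETHER, stood in for by is_ether here),
 * TPID == 0x8100 at offset 12, inner ethertype == 0x88ba at offset 16. */
int frame_matches(const uint8_t *frame, size_t frame_len, int is_ether)
{
    uint16_t tpid  = htons(ETH_P_8021Q);
    uint16_t inner = htons(INNER_TYPE);
    if (!is_ether)
        return 0;
    return raw_cmp_eq(frame, frame_len, offsetof(struct vlan_eth_hdr, h_vlan_proto), &tpid, 2)
        && raw_cmp_eq(frame, frame_len, offsetof(struct vlan_eth_hdr, h_vlan_encapsulated_proto), &inner, 2);
}

/* Same check with host-order constants: on a little-endian host this does not
 * match, which is the failure mode a missing htons() produces. */
int frame_matches_hostorder(const uint8_t *frame, size_t frame_len)
{
    uint16_t tpid  = ETH_P_8021Q;
    uint16_t inner = INNER_TYPE;
    return raw_cmp_eq(frame, frame_len, 12, &tpid, 2)
        && raw_cmp_eq(frame, frame_len, 16, &inner, 2);
}

/* Constructed frame: dst/src MACs, optional 802.1Q tag (VID 100), inner
 * ethertype, 8 bytes of dummy payload. Returns the frame length. */
size_t build_frame(uint8_t *buf, uint16_t inner_type, int tagged)
{
    size_t n = 0;
    uint16_t be;
    memset(buf, 0x01, 6); n += 6;                       /* dst */
    memset(buf + n, 0x02, 6); n += 6;                   /* src */
    if (tagged) {
        be = htons(ETH_P_8021Q); memcpy(buf + n, &be, 2); n += 2;   /* TPID */
        be = htons(100);         memcpy(buf + n, &be, 2); n += 2;   /* TCI, VID 100 */
    }
    be = htons(inner_type); memcpy(buf + n, &be, 2); n += 2;        /* ethertype */
    memset(buf + n, 0xaa, 8); n += 8;                   /* payload */
    return n;
}

int main(void)
{
    uint8_t frame[64];
    char s1[32], s2[32];
    uint16_t t = htons(ETH_P_8021Q), e = htons(INNER_TYPE);
    size_t n = build_frame(frame, INNER_TYPE, 1);
    nft_raw_payload_str(offsetof(struct vlan_eth_hdr, h_vlan_proto), 2, &t, s1, sizeof s1);
    nft_raw_payload_str(offsetof(struct vlan_eth_hdr, h_vlan_encapsulated_proto), 2, &e, s2, sizeof s2);
    printf("rule as nft prints it: iiftype ether %s %s\n", s1, s2);
    printf("tagged 0x88ba frame matches: %d\n", frame_matches(frame, n, 1));
    printf("same frame, host-order cmp data: %d\n", frame_matches_hostorder(frame, n));
    return 0;
}
```

Running it prints the `@ll,96,16 33024 @ll,128,16 35002` form from the listing and shows the tagged frame matching only when the comparison constants were converted with htons(); a frame shorter than the loaded field, an untagged frame, or a different inner ethertype all fail to match.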

Thread overview: 3+ messages
2020-07-03  6:45 libnftnl vlan type filter Andreas Hoefler
2020-07-04  0:28 ` Pablo Neira Ayuso [this message]
2020-07-07  7:53   ` Andreas Hoefler