From: Florian Westphal <fw@strlen.de>
To: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Cc: Florian Westphal <fw@strlen.de>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH nf-next] netfilter: bridge: introduce broute meta statement
Date: Fri, 24 Feb 2023 10:10:03 +0100 [thread overview]
Message-ID: <20230224091003.GF26596@breakpoint.cc> (raw)
In-Reply-To: <DBBP189MB14336D817E987CEBA648123195A89@DBBP189MB1433.EURP189.PROD.OUTLOOK.COM>
Sriram Yagnaraman <sriram.yagnaraman@est.tech> wrote:
> > -----Original Message-----
> > From: Florian Westphal <fw@strlen.de>
> > Sent: Friday, 24 February 2023 00:02
> > To: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
> > Cc: netfilter-devel@vger.kernel.org; Florian Westphal <fw@strlen.de>; Pablo
> > Neira Ayuso <pablo@netfilter.org>
> > Subject: Re: [PATCH nf-next] netfilter: bridge: introduce broute meta
> > statement
> >
> > Sriram Yagnaraman <sriram.yagnaraman@est.tech> wrote:
> > > +void nft_meta_bridge_set_eval(const struct nft_expr *expr,
> > > + struct nft_regs *regs,
> > > + const struct nft_pktinfo *pkt)
> >
> > static?
> >
> > > +{
> > > + dest = eth_hdr(skb)->h_dest;
> > > + if (skb->pkt_type == PACKET_HOST &&
> > > + !ether_addr_equal(skb->dev->dev_addr, dest) &&
> > > + ether_addr_equal(p->br->dev->dev_addr, dest))
> > > + skb->pkt_type = PACKET_OTHERHOST;
> >
> > We already support override of skb->pkt_type, I would prefer if users to this
> > explicitly from their ruleset if they need it.
>
> Ok, that is better, I will remove this chunk.
>
> >
> > > + priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
> >
> > I think you need to check for !tb[NFTA_META_KEY] and bail out before this
> > line.
>
> We already validate this in nft_meta_bridge_select_ops(), isn’t that enough?
Right, thats enough.
> > > + switch (priv->key) {
> > > + case NFT_META_BRI_BROUTE:
> > > + len = sizeof(u8);
> > > + break;
> >
> > Can you bail out if this is called from something else than PREROUTING hook?
> >
> > You can look at nft_tproxy.c or similar on how to do this.
>
> nft_meta_set_validate() already checks meta statements can only be used in the PREROUTING hook. Isn't that enough?
It only restricts NFT_META_PKTTYPE.
prev parent reply other threads:[~2023-02-24 9:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-23 20:22 [PATCH nf-next] netfilter: bridge: introduce broute meta statement Sriram Yagnaraman
2023-02-23 22:01 ` Jan Engelhardt
2023-02-23 23:01 ` Florian Westphal
2023-02-24 9:03 ` Sriram Yagnaraman
2023-02-24 9:10 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230224091003.GF26596@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sriram.yagnaraman@est.tech \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.