From: Florian Westphal <fw@strlen.de>
To: Jan Engelhardt <ej@inai.de>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
syzbot+256c348558aa5cf611a9@syzkaller.appspotmail.com
Subject: Re: [PATCH nf] netfilter: xt_cluster: enable ebtables operation?
Date: Fri, 4 Oct 2024 12:18:51 +0200
Message-ID: <20241004101851.GA15968@breakpoint.cc>
In-Reply-To: <0n89n176-p660-1953-3sn7-0q4rn8359sso@vanv.qr>
Jan Engelhardt <ej@inai.de> wrote:
> >Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet
> >processing. As this is only useful to restrict locally terminating
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >TCP/UDP traffic, reject non-ip families at rule load time.
> >@@ -124,6 +124,14 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
> > struct xt_cluster_match_info *info = par->matchinfo;
> > int ret;
> >
> >+ switch (par->family) {
> >+ case NFPROTO_IPV4:
> >+ case NFPROTO_IPV6:
> >+ break;
> >+ default:
> >+ return -EAFNOSUPPORT;
> >+ }
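Review bot: the family gate returns -EAFNOSUPPORT silently, so a user who loads an ebtables or arptables rule with -m cluster only sees a generic error from the ruleset tool; consider a pr_info_ratelimited() saying the cluster match is only supported for IPv4/IPv6, as the other checkentry failures in xt modules do. Placement is right: the switch sits directly after the local declarations, ahead of the existing node-count checks, so nothing family-specific runs for a rejected family.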
>
> I wonder if we could just implement the logic for it.
What's the use case?
> Like this patch [untested!]:
>
> From d534984879b9b3c4b8cf536cad1044c29b843a2d Mon Sep 17 00:00:00 2001
> From: Jan Engelhardt <jengelh@inai.de>
> Date: Thu, 3 Oct 2024 20:49:02 +0200
> Subject: [PATCH] xt_cluster: add logic for use from NFPROTO_BRIDGE
>
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
> net/netfilter/xt_cluster.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
> index a047a545371e..cf4a74d68577 100644
> --- a/net/netfilter/xt_cluster.c
> +++ b/net/netfilter/xt_cluster.c
> @@ -68,6 +68,9 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
> case NFPROTO_IPV6:
> is_multicast = ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr);
> break;
> + case NFPROTO_BRIDGE:
> + is_multicast = is_multicast_ether_addr(eth_hdr(skb)->h_dest);
> + break;
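Review bot: the NFPROTO_BRIDGE case tests only the destination MAC, so for bridge-family rules this helper would answer "multicast" for every frame that carries the cluster's shared multicast MAC and no longer distinguishes L3 multicast from L3 unicast carried in an L2 multicast frame; if bridge support is wanted, the case should dispatch on eth_hdr(skb)->h_proto and apply the NFPROTO_IPV4/NFPROTO_IPV6 branches above to the encapsulated header. The diffstat announces 12 insertions but only these 3 are quoted, so the rest of the patch (presumably the checkentry family handling and any include needed for eth_hdr()/is_multicast_ether_addr()) is not visible for review.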
AFAIU this is always true: l2 address is always a multicast mac in
xt_cluster setups, we would need to peek into the L3 address to see if
it's also multicast or if it's the expected l3-unicast-in-l2-mcast.
I don't see a use case for supporting this from a bridge, but maybe I
missed something.
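To make the L2/L3 distinction in this exchange concrete, here is an added userspace C example (not code from the thread or from the kernel tree) that classifies a constructed Ethernet frame's destination at both layers; the frame contents and helper names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* L2 vs L3 destination classification: the case xt_cluster relies on is an
 * L3 unicast address carried in an L2 multicast frame. */
enum dst_kind { DST_UNKNOWN, DST_L3_UNICAST, DST_L3_MULTICAST };

/* Same test as the kernel's is_multicast_ether_addr(): I/G bit of octet 0. */
static bool l2_is_multicast(const uint8_t *frame, size_t len)
{
    return len >= 14 && (frame[0] & 0x01);
}

/* Peek past the 14-byte Ethernet header at the IPv4/IPv6 destination. */
static enum dst_kind l3_dst_kind(const uint8_t *frame, size_t len)
{
    if (len < 14)
        return DST_UNKNOWN;
    uint16_t proto = (uint16_t)((frame[12] << 8) | frame[13]);
    if (proto == 0x0800 && len >= 14 + 20) {      /* IPv4: daddr at +16 */
        uint8_t first = frame[14 + 16];
        return (first >= 224 && first <= 239) ? DST_L3_MULTICAST : DST_L3_UNICAST;
    }
    if (proto == 0x86DD && len >= 14 + 40)        /* IPv6: daddr at +24 */
        return frame[14 + 24] == 0xff ? DST_L3_MULTICAST : DST_L3_UNICAST;
    return DST_UNKNOWN;
}

/* Constructed sample: dst MAC 01:00:5e:00:00:01 (multicast), IPv4 dst 10.0.0.5
 * (unicast). Unused IPv4 fields are zero; the checksum is not validated. */
static const uint8_t sample_unicast_in_mcast[34] = {
    0x01, 0x00, 0x5e, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 5,
};
/* Same constructed frame with IPv4 dst 239.1.1.1: multicast at both layers. */
static const uint8_t sample_mcast_both[34] = {
    0x01, 0x00, 0x5e, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 239, 1, 1, 1,
};

int main(void)
{
    printf("L2 multicast: %d, L3 kind: %d\n", l2_is_multicast(sample_unicast_in_mcast, 34),
           l3_dst_kind(sample_unicast_in_mcast, 34));
    return 0;
}
```

The first sample is exactly the frame a MAC-only check misclassifies: L2 says multicast, L3 says unicast.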