From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Michal Soltys <msoltyspl@yandex.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: [BUG] "ether type ip" forgotten/implied when listing rules for 'netdev' family
Date: Mon, 23 Feb 2026 20:09:40 +0100	[thread overview]
Message-ID: <aZyl9JUreTr9Bw39@chamomile> (raw)
In-Reply-To: <6dbbb6b3-da22-4a09-8de7-ec2dc60d179f@yandex.pl>

Hi,

Would you file a bug in netfilter's bugzilla so it is possible to
keep track of this issue?

Thanks.

On Mon, Feb 23, 2026 at 03:57:28PM +0100, Michal Soltys wrote:
> Hi,
> 
> While testing the behavior of early filtering in netdev / ingress, I noticed
> something that possibly looks like a bug.
> 
> Consider the following interface with one vlan, e.g.
> 
> ip add add 10.0.0.1/24 dev eno1
> ip li add li eno1 name v250 type vlan id 250
> ip add add 10.10.10.1/24 dev v250
> ip li set eno1 up
> ip li set v250 up
> 
> 
> Now consider the following simple nft setup:
> 
> nft add table netdev efil
> nft add chain netdev efil edev { hook ingress type filter device eno1 priority filter; }
> nft add rule netdev efil edev ether type ip icmp type echo-request counter
> nft add rule netdev efil edev ether type vlan icmp type echo-request counter
> nft add rule netdev efil edev icmp type echo-request counter
> 
> These will be listed by nft list ruleset as such:
> table netdev efil {
>         chain edev {
>                 type filter hook ingress device "eno1" priority filter; policy accept;
>                 icmp type echo-request counter packets 0 bytes 0
>                 ether type 8021q icmp type echo-request counter packets 0 bytes 0
>                 icmp type echo-request counter packets 0 bytes 0
>         }
> }
> 
> Note that the first rule omits the "ether type ip" as if it were the 'ip' family
> instead of 'netdev'. So the 1st and the 3rd are listed the same, but they
> work differently.
> 
> The first rule will only count plain ip payload, the 2nd rule will count
> only vlan payload, and the 3rd will count both. So after 1 ping to 10.10.10.1
> and 1 ping to 10.0.0.1, the effect would be:
> 
> table netdev efil {
>         chain edev {
>                 type filter hook ingress device "eno1" priority filter; policy accept;
>                 icmp type echo-request counter packets 1 bytes 84
>                 ether type 8021q icmp type echo-request counter packets 1 bytes 84
>                 icmp type echo-request counter packets 2 bytes 168
>         }
> }
> 
> Furthermore, it seems it's impossible to return to such a ruleset via:
> 
> - nft list ruleset >rules
> - flush tables
> - nft -f rules
> 
> As this time the 1st and the 3rd rules will actually be identical, both
> visually and functionally, omitting the 'ether type ip' check completely.
> 
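As an added example (not part of the report above, and not nftables' own tooling), the following POSIX shell helper reads `nft list ruleset` text and flags rule lines that have become textually identical within one chain, which is exactly how the dropped `ether type ip` match shows up in the listing. The sample listing is constructed from the output quoted in the report; the table name `efil`, the chain name `edev` and the interface `eno1` follow the report, while the function names and the round-trip helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the nftables project.

# Constructed sample: the listing quoted in the report after the three rules
# were added (counters at zero). Rules 1 and 3 print identically even though
# rule 1 was added with an explicit "ether type ip" match.
SAMPLE_LISTING='table netdev efil {
        chain edev {
                type filter hook ingress device "eno1" priority filter; policy accept;
                icmp type echo-request counter packets 0 bytes 0
                ether type 8021q icmp type echo-request counter packets 0 bytes 0
                icmp type echo-request counter packets 0 bytes 0
        }
}'

# find_duplicate_rules: read `nft list ruleset` text on stdin and print
# "<chain>\t<rule>" once for every rule line that occurs more than once in
# the same chain. Counter values are normalised so that packet/byte counts
# do not hide a duplicate. Two identical lines in a netdev chain are the
# warning sign: after a save/reload they will also behave identically.
find_duplicate_rules() {
    awk '
        /^[[:space:]]*chain[[:space:]]/ { chain = $2; next }   # remember chain name
        /^[[:space:]]*table[[:space:]]/ { next }              # skip table header
        /^[[:space:]]*(type|policy)[[:space:]]/ { next }      # skip chain header
        /^[[:space:]]*}/ { next }                              # skip closing braces
        NF {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/ counter packets [0-9]+ bytes [0-9]+/, " counter", line)
            key = chain "\t" line
            count[key]++
            if (count[key] == 2) print key
        }
    '
}

# roundtrip_check (assumed helper, needs root and the nft binary): save one
# table, delete and reload it from the saved text, then diff the listings and
# report any rule lines that became duplicates. Returns 1 if nft is missing.
roundtrip_check() {
    family="$1"; table="$2"
    command -v nft >/dev/null 2>&1 || return 1
    before=$(mktemp); after=$(mktemp)
    nft list table "$family" "$table" > "$before"
    nft delete table "$family" "$table"
    nft -f "$before"
    nft list table "$family" "$table" > "$after"
    diff -u "$before" "$after"
    printf 'duplicate rule lines after reload:\n'
    find_duplicate_rules < "$after"
    rm -f "$before" "$after"
}

# Stand-alone run: report duplicates in the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | find_duplicate_rules
```

Running `roundtrip_check netdev efil` on a live host reproduces the save/flush/reload sequence from the report for one table only, without touching other tables; the duplicate finder alone needs no privileges and can be pointed at any saved ruleset file.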

Thread overview: 6+ messages
2026-02-23 14:57 [BUG] "ether type ip" forgotten/implied when listing rules for 'netdev' family Michal Soltys
2026-02-23 19:09 ` Pablo Neira Ayuso [this message]
2026-02-24 11:49   ` Michal Soltys
2026-02-26 12:49   ` Michal Soltys
2026-02-23 19:24 ` Florian Westphal
2026-02-24 16:08   ` Michal Soltys
