netfilter-devel.vger.kernel.org archive mirror
* [nftables] payload: gen l4proto dependency on bridge
@ 2015-06-26  8:51 Eric Leblond
  0 siblings, 0 replies; only message in thread
From: Eric Leblond @ 2015-06-26  8:51 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

It was not possible to add a rule like:
 bridge filter input tcp dport 22 accept

Instead we had to use:
 bridge filter input meta l4proto tcp tcp dport 22 accept
or
 bridge filter input ether type ip tcp dport 22 accept

As l4proto is available on bridge, we can simply use
payload_gen_dependency to generate the addition of
the l4proto expression like it is done for inet filtering.

The result is the following netlink message:
 bridge filter input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ cmp eq reg 1 0x00001600 ]
   [ immediate reg 0 accept ]

And it is correctly simplified by delinearize as:
 tcp dport 22 accept

This patch also fixes an issue linked to the simplification
because
 bridge filter input meta l4proto tcp tcp dport 22 accept
was transformed into
 bridge filter input tcp dport 22 accept
when read from kernel. So it was not possible to restore
the ruleset after adding this type of rule.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/payload.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/payload.c b/src/payload.c
index 08578fd..e67ef17 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -219,6 +219,9 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
 			case PROTO_BASE_LL_HDR:
 				desc = &proto_eth;
 				break;
+			case PROTO_BASE_TRANSPORT_HDR:
+				desc = &proto_inet_service;
+				break;
 			default:
 				break;
 			}
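Review bot: the new PROTO_BASE_TRANSPORT_HDR case carries no family check, so once this switch is reached it selects proto_inet_service for every family that gets here, not only bridge as the subject line and the commit message say; either state that in the commit message or, if the switch is reached for families whose existing code already resolves the transport dependency another way, guard the case on the family. Two smaller points: if there is no PROTO_BASE_NETWORK_HDR case above the visible context, a bare network-header match on bridge will presumably still need the explicit `ether type ip` that the message lists as the old workaround, which is worth stating as out of scope; and since the message describes a list/restore round trip that used to fail, a test that adds `bridge filter input tcp dport 22 accept`, lists it and feeds the output back through `nft -f` would pin the fix.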
-- 
2.1.4
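The linearize/delinearize round trip the message describes, as an added illustration: this is not nftables code and not Eric Leblond's, and the op tuples, rule syntax, the `ip` family branch (an `ip protocol` payload dependency at network offset 9) and the little-endian register rendering are simplifying assumptions. It reproduces the five-op dump from the message for `bridge filter input tcp dport 22 accept`, shows why port 22 prints as 0x00001600, folds the generated `meta l4proto` guard back into `tcp dport 22 accept`, and models the pre-patch bridge failure with `transport_dep=False`.

```python
"""Toy model of nft's payload dependency generation and delinearize
simplification.  Added illustration only (assumption), not nftables code:
op tuples, rule syntax and family handling are simplified stand-ins."""
import struct

# Values as they appear in the netlink dump in the message: TCP is IP
# protocol 6 and 'dport' is the 2-byte field at transport offset 2.
IPPROTO = {"tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in IPPROTO.items()}
TRANSPORT_FIELDS = {"sport": (0, 2), "dport": (2, 2)}
FIELD_NAME = {v: k for k, v in TRANSPORT_FIELDS.items()}
# Families whose table does not fix the layer-4 protocol, so a transport
# header match needs a 'meta l4proto' guard in front of it.
L4PROTO_DEP_FAMILIES = {"bridge", "inet"}


def reg_value(raw):
    """Model how a payload compare value is shown: the raw header bytes are
    copied into a 32-bit register unchanged and printed as a native
    little-endian integer (assumption), so port 22 = 00 16 shows as 0x1600."""
    return struct.unpack("<I", raw.ljust(4, b"\x00"))[0]


def linearize(family, proto, field, value, transport_dep=True):
    """Emit ops for '<family> filter input <proto> <field> <value> accept'.
    transport_dep=False models the pre-patch bridge behaviour, where no
    dependency was generated for a transport header base."""
    ops = []
    if family in L4PROTO_DEP_FAMILIES:
        if not transport_dep:
            raise ValueError(f"{family}: cannot resolve l4proto for {proto} {field}")
        ops.append(("meta", "load l4proto", 1))
        ops.append(("cmp", "eq", 1, IPPROTO[proto]))
    else:  # 'ip' family: dependency on the ip protocol byte (assumption)
        ops.append(("payload", "network", 9, 1, 1))
        ops.append(("cmp", "eq", 1, IPPROTO[proto]))
    off, length = TRANSPORT_FIELDS[field]
    ops.append(("payload", "transport", off, length, 1))
    ops.append(("cmp", "eq", 1, reg_value(struct.pack(">H", value))))
    ops.append(("immediate", 0, "accept"))
    return ops


def format_ops(ops):
    """Render ops in the bracketed style of the dump in the message."""
    lines = []
    for op in ops:
        if op[0] == "meta":
            lines.append(f"[ meta {op[1]} => reg {op[2]} ]")
        elif op[0] == "cmp":
            lines.append(f"[ cmp {op[1]} reg {op[2]} 0x{op[3]:08x} ]")
        elif op[0] == "payload":
            lines.append(f"[ payload load {op[3]}b @ {op[1]} header + {op[2]} => reg {op[4]} ]")
        else:
            lines.append(f"[ immediate reg {op[1]} {op[2]} ]")
    return "\n".join(lines)


def delinearize(ops):
    """Fold the protocol dependency back into the transport match it guards,
    reproducing the 'tcp dport 22 accept' listing from the message."""
    proto, parts, i = None, [], 0
    while i < len(ops):
        op = ops[i]
        if op[0] == "immediate":
            parts.append(op[2])
            i += 1
            continue
        nxt = ops[i + 1]
        if nxt[0] != "cmp" or nxt[1] != "eq":
            raise ValueError("unsupported op sequence")
        if op[0] == "meta" and op[1] == "load l4proto":
            proto = PROTO_NAME[nxt[3]]
        elif op[0] == "payload" and op[1] == "network" and (op[2], op[3]) == (9, 1):
            proto = PROTO_NAME[nxt[3]]  # 'ip protocol N', folded the same way
        elif op[0] == "payload" and op[1] == "transport":
            if proto is None:
                raise ValueError("transport match without l4proto dependency")
            raw = struct.pack("<I", nxt[3])[:op[3]]  # undo the register view
            parts.append(f"{proto} {FIELD_NAME[(op[2], op[3])]} {int.from_bytes(raw, 'big')}")
        else:
            raise ValueError(f"unsupported op {op}")
        i += 2
    return " ".join(parts)


if __name__ == "__main__":
    ops = linearize("bridge", "tcp", "dport", 22)
    print(format_ops(ops))
    print(delinearize(ops))
```

With the patch applied, `meta l4proto tcp tcp dport 22` and a bare `tcp dport 22` linearize to the same five ops, which is exactly why listing shows the short form and why restoring that short form on bridge had to work.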

