From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net, fw@strlen.de
Subject: [PATCH nft 00/11] revisiting protocol conflict resolution
Date: Thu, 28 Jan 2016 22:24:49 +0100
Message-ID: <1454016300-29969-1-git-send-email-pablo@netfilter.org>

Hi,

This patchset revisits Florian's protocol conflict resolution to fully
support vlan matching without having to specify 'ether type vlan',
through our automatic dependency generation happening from the
evaluation step.

Patches from 1 to 7 are cleanups, then 8 to 11 deal with the problem
above.

To show you an example:

# nft --debug=netlink add rule netdev filter ingress \
	vlan id 1 ip saddr 10.0.0.0/23 udp dport 53 counter

generates the following bytecode:

netdev test-netdev ingress 
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000081 ]
  [ payload load 2b @ link header + 14 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000100 ]
  [ payload load 2b @ link header + 16 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ cmp eq reg 1 0x00003500 ]
  [ counter pkts 0 bytes 0 ]

So the only addition wrt. bridge are these two new instructions:

  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]

that fetch the interface type and then check for ARPHRD_ETHER.

We can investigate later on if we can generalize the protocol context
code to deal with stackable headers in a more generic way. We can
discuss some ideas during NetDev 1.1.

Thanks!

Pablo Neira Ayuso (11):
  evaluate: resolve_protocol_conflict() should return int
  evaluate: move inet/netdev protocol context supersede logic to supersede_dep()
  evaluate: check if we have to resolve a conflict in first place
  evaluate: don't adjust offset from resolve_protocol_conflict()
  evaluate: only try to replace dummy protocol from link-layer context
  evaluate: assert on invalid base in resolve_protocol_conflict()
  evaluate: wrap protocol context debunk into function
  evaluate: generate ether type payload after meta iiftype
  proto: proto_dev_type() returns interface type for base protocols too
  src: annotate follow up dependency just after killing another
  tests/py: test vlan on ingress

 src/evaluate.c                        | 133 +++++++++++--------
 src/netlink_delinearize.c             |  45 ++++---
 src/proto.c                           |  12 +-
 tests/py/bridge/vlan.t                |   2 +
 tests/py/bridge/vlan.t.payload.netdev | 235 ++++++++++++++++++++++++++++++++++
 5 files changed, 355 insertions(+), 72 deletions(-)
 create mode 100644 tests/py/bridge/vlan.t.payload.netdev

-- 
2.1.4
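To make the bytecode above concrete, here is an added example (not part of the patchset or of nft's own code) that interprets the listed instructions against a constructed VLAN-tagged frame, using the same little-endian register encoding the listing shows (ether type 0x8100 appears as 0x00000081, the vlan id mask 0x0fff as 0x0000ff0f). The header base offsets, the ARPHRD_ETHER value and the frame contents are assumptions chosen for the sample; it assumes the 802.1Q tag is present in the frame bytes rather than stripped by the NIC.

```python
import re
import struct

# Instruction listing copied from the cover letter above.
BYTECODE = """
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000081 ]
  [ payload load 2b @ link header + 14 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000100 ]
  [ payload load 2b @ link header + 16 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00feffff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ cmp eq reg 1 0x00003500 ]
  [ counter pkts 0 bytes 0 ]
"""
ARPHRD_ETHER = 1
# Assumed header offsets for a frame carrying one 802.1Q tag: 14 + 4 bytes of
# link header, then a 20-byte IPv4 header, then UDP.
BASES = {"link": 0, "network": 18, "transport": 38}

def build_frame(vid=1, pcp=0, saddr=(10, 0, 1, 5), dport=53):
    """Constructed sample frame: Ethernet + 802.1Q + IPv4 + UDP."""
    tci = (pcp << 13) | vid
    eth = bytes(12) + b"\x81\x00" + struct.pack("!H", tci) + b"\x08\x00"
    ip = bytearray(20)
    ip[0] = 0x45                      # IPv4, IHL 5
    ip[9] = 17                        # protocol: UDP
    ip[12:16] = bytes(saddr)
    ip[16:20] = bytes([10, 0, 0, 1])
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    return eth + bytes(ip) + udp

def run(bytecode, pkt, iiftype, bases):
    """Evaluate the rule; return (matched, first failing instruction)."""
    regs = {}
    for line in bytecode.splitlines():
        ins = line.strip().strip("[]").strip()
        if not line.strip().startswith("["):
            continue
        if m := re.match(r"meta load iiftype => reg (\d+)", ins):
            regs[int(m[1])] = iiftype
        elif m := re.match(r"payload load (\d+)b @ (\w+) header \+ (\d+) => reg (\d+)", ins):
            start = bases[m[2]] + int(m[3])
            # Registers hold the raw bytes read as a little-endian host word.
            regs[int(m[4])] = int.from_bytes(pkt[start:start + int(m[1])], "little")
        elif m := re.match(r"bitwise reg (\d+) = \(reg=(\d+) & (0x[0-9a-f]+) \) \^ (0x[0-9a-f]+)", ins):
            regs[int(m[1])] = (regs[int(m[2])] & int(m[3], 16)) ^ int(m[4], 16)
        elif m := re.match(r"cmp eq reg (\d+) (0x[0-9a-f]+)", ins):
            if regs[int(m[1])] != int(m[2], 16):
                return False, ins
    return True, None
```

Running the rule against a frame with iiftype 0 fails at the very first cmp, which is exactly the ARPHRD_ETHER check the cover letter points out.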

