From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org, giuseppelng@gmail.com
Subject: Re: [ebtables-compat-experimental3 PATCH 1/2] nft-bridge: fix inversion of matches
Date: Mon, 10 Nov 2014 18:33:23 +0100 [thread overview]
Message-ID: <20141110173323.GB29762@salvia> (raw)
In-Reply-To: <20141108213750.28047.14081.stgit@nfdev.cica.es>
On Sat, Nov 08, 2014 at 10:39:33PM +0100, Arturo Borrero Gonzalez wrote:
> The inversion in bridge specific matches is failing because before this
> patch NFT_CMP_EQ is used unconditionally.
>
> No need to change the invesion in family-agnostic functions, given
> ebt inv flags are translated to ipt inv flags and inversion is properly
> calculated there.
>
> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
> ---
> NOTE: I think the previous patch to fix this isse was wrong in several aspects.
> This is a new approach. Compile-tested only. Please comment.
>
> iptables/nft-bridge.c | 25 ++++++++++++++++++++++---
> 1 file changed, 22 insertions(+), 3 deletions(-)
>
> diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
> index 0e21b46..66bbefd 100644
> --- a/iptables/nft-bridge.c
> +++ b/iptables/nft-bridge.c
> @@ -165,6 +165,7 @@ static int nft_bridge_add(struct nft_rule *r, void *data)
> struct ebtables_command_state *cs = data;
> struct ebt_entry *fw = &cs->fw;
> uint8_t flags = ebt_to_ipt_flags(fw->invflags);
> + uint32_t op = NFT_CMP_EQ;
> char *addr;
>
> if (fw->in[0] != '\0')
> @@ -182,18 +183,36 @@ static int nft_bridge_add(struct nft_rule *r, void *data)
> addr = ether_ntoa((struct ether_addr *) fw->sourcemac);
> if (strcmp(addr, "0:0:0:0:0:0") != 0) {
> add_payload(r, offsetof(struct ethhdr, h_source), 6);
> - add_cmp_ptr(r, NFT_CMP_EQ, fw->sourcemac, 6);
> +
> + if (fw->invflags & EBT_ISOURCE)
> + op = NFT_CMP_NEQ;
> + else
> + op = NFT_CMP_EQ;
> +
> + add_cmp_ptr(r, op, fw->sourcemac, 6);
Please, use ETH_ALEN instead of hardcoded values. I know this code is
full of this, but when it comes to source code readability, it's
always better to use something meaningful.
Apart from that, looks good. Please test and resubmit. Thanks.
prev parent reply other threads:[~2014-11-10 17:31 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-08 21:39 [ebtables-compat-experimental3 PATCH 1/2] nft-bridge: fix inversion of matches Arturo Borrero Gonzalez
2014-11-08 21:40 ` [ebtables-compat-experimental3 PATCH 2/2] nft-bridge: fix printing of inverted protocols, addresses Arturo Borrero Gonzalez
2014-11-10 17:36 ` Pablo Neira Ayuso
2014-11-10 17:33 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141110173323.GB29762@salvia \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=giuseppelng@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).