From: Florian Westphal <fw@strlen.de>
To: Eddie Linder <eddi@guardicore.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/1] netfilter: Added vlan matching extension
Date: Mon, 25 May 2015 23:51:08 +0200 [thread overview]
Message-ID: <20150525215108.GH3629@breakpoint.cc> (raw)
In-Reply-To: <1432586250-42147-1-git-send-email-eddi@guardicore.com>
Eddie Linder <eddi@guardicore.com> wrote:
> Signed-off-by: Eddie Linder <eddi@guardicore.com>
Why do we need a vlan tag match in iptables?
For bridged traffic we have ebtables' net/bridge/netfilter/ebt_vlan.c .
And for routed traffic you'd just use -i vlan.id.0 or whatever?
What is this match being used for, and more importantly where/how?
(Is this for call-iptables=1 invocation from bridge netfilter?)
Nevertheless, a couple of comments below.
> diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
> index 1d973d2..2ca36db 100644
> --- a/include/uapi/linux/netfilter/Kbuild
> +++ b/include/uapi/linux/netfilter/Kbuild
> @@ -85,3 +85,4 @@ header-y += xt_tcpmss.h
> header-y += xt_tcpudp.h
> header-y += xt_time.h
> header-y += xt_u32.h
> +header-y += xt_vlan.h
> diff --git a/include/uapi/linux/netfilter/xt_vlan.h b/include/uapi/linux/netfilter/xt_vlan.h
> new file mode 100644
> index 0000000..3c31b6b
> --- /dev/null
> +++ b/include/uapi/linux/netfilter/xt_vlan.h
> @@ -0,0 +1,11 @@
> +#ifndef _XT_VLAN_H
> +#define _XT_VLAN_H
> +
> +
> +struct xt_vlan_info {
> + unsigned short vlan_id;
> + unsigned char vlan_pcp;
Please consider using explicit types for all of these, i.e.
__u16 vlan_id;
__u8 vlan_pcp;
> +MODULE_ALIAS("ipt_vlan");
> +MODULE_ALIAS("ip6t_vlan");
> +MODULE_ALIAS("ipt_VLAN");
> +MODULE_ALIAS("ip6t_VLAN");
_VLAN aliases are only needed for -j VLAN target, which isn't
added here, please remove them.
> +static bool vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
> +{
> + const struct xt_vlan_info *info = par->matchinfo;
> + u16 vlan_tci = ~VLAN_TAG_PRESENT;
> + bool ret;
> +
> + if (skb->vlan_tci & VLAN_TAG_PRESENT)
> + /* Strip the 4096 bit (invalid vlan) from the vlan tci bits */
> + vlan_tci = skb->vlan_tci;
if (skb_vlan_tag_present(skb))
vlan_tci = skb_vlan_tag_get(skb);
> + else {
> + if (unlikely(skb->len < VLAN_ETH_HLEN &&
This is weird. Why test len < VLAN_ETH_HLEN (> ? >= ? )
> + skb->protocol == htons(ETH_P_8021Q)))
> + if (unlikely(!parse_vlan(skb, &vlan_tci)))
> + return false;
> + else
> + return false;
> + }
Why call parse_vlan? We always return false without looking at
vlan_tci...
next prev parent reply other threads:[~2015-05-25 21:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-25 20:37 [PATCH 1/1] netfilter: Added vlan matching extension Eddie Linder
2015-05-25 21:51 ` Florian Westphal [this message]
2015-05-26 14:24 ` Eddi Linder
2015-05-27 12:35 ` Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2015-05-26 9:13 Eddie Linder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150525215108.GH3629@breakpoint.cc \
--to=fw@strlen.de \
--cc=eddi@guardicore.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).