From mboxrd@z Thu Jan  1 00:00:00 1970
From: Florian Westphal <fw@strlen.de>
Subject: Re: [PATCH nft] proto: fix VLAN header definition
Date: Fri, 27 Nov 2015 11:42:48 +0100
Message-ID: <20151127104248.GD15392@breakpoint.cc>
References: <1448615614-16510-1-git-send-email-kaber@trash.net>
 <20151127094958.GB15392@breakpoint.cc>
 <20151127095424.GF4263@macbook.localdomain>
 <20151127103428.GC15392@breakpoint.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Patrick McHardy <kaber@trash.net>, pablo@netfilter.org,
	netfilter-devel@vger.kernel.org
To: Florian Westphal <fw@strlen.de>
Return-path: <netfilter-devel-owner@vger.kernel.org>
Received: from Chamillionaire.breakpoint.cc ([80.244.247.6]:38792 "EHLO
	Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1753526AbbK0Kmu (ORCPT
	<rfc822;netfilter-devel@vger.kernel.org>);
	Fri, 27 Nov 2015 05:42:50 -0500
Content-Disposition: inline
In-Reply-To: <20151127103428.GC15392@breakpoint.cc>
Sender: netfilter-devel-owner@vger.kernel.org
List-ID: <netfilter-devel.vger.kernel.org>

Florian Westphal <fw@strlen.de> wrote:
> Patrick McHardy <kaber@trash.net> wrote:
> > On 27.11, Florian Westphal wrote:
> > > Patrick McHardy <kaber@trash.net> wrote:
> > > > The VID is located after Priority and CFI.
> > > 
> > > With this patch matching on vlan id does not work for me anymore
> > > on x86-64.
> > > 
> > > With trace-patch nft but without this patch:
> > > 
> > > table bridge filter {
> > > chain input {
> > >    type filter hook input priority -200; policy accept;
> > >    vlan id 4094 counter packets 827 bytes 63839
> > > 
> > > With this patch, the counters remain at zero:
> > > 
> > > unknown unknown & 0xfff [invalid type] == 0xffe [invalid type] counter packets 850 bytes 65375
> > > vlan id 4094 counter packets 0 bytes 0
> > > 
> > > (The 'unknown unknown' line is the 'old' vlan rule added by unpatched
> > >  nft binary, the 'vlan id' is the one added with the patched one).
> > 
> > Odd, since it decodes correctly. Could you send the output of
> > nft --debug=netlink with and without the patch?
> 
> master:
> nft --debug=netlink  add rule  bridge filter input vlan id 4094 counter
> bridge filter input
>  [ payload load 2b @ link header + 12 => reg 1 ]
>  [ cmp eq reg 1 0x00000081 ]
>  [ payload load 2b @ link header + 14 => reg 1 ]
>  [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ]
>  [ cmp eq reg 1 0x0000fe0f ]
>  [ counter pkts 0 bytes 0 ]

I checked nft_payload again and I believe rebuild of the vlan header is
correct (a bug there would also explain this problem).