From: Florian Westphal <fw@strlen.de>
To: netfilter-devel@vger.kernel.org
Subject: mark set datatype check too strict?
Date: Wed, 20 Jan 2016 17:31:24 +0100
Message-ID: <20160120163124.GB10903@breakpoint.cc>
Hello Patrick
last year you added a check to make this illegal:
nft add rule ip filter input ip daddr 192.168.7.1 meta mark set '(ip saddr & 0xff)'
datatype mismatch: expected packet mark, expression has type IPv4 address
My question is -- why?
The changelog for 068e138a8d9eb doesn't say :)
Doesn't that take away a lot of flexibility?
For instance one could e.g. set conntrack zones based on the VLAN id:
bridge ... prerouting ct zone set vlan id
(yes, I know that zone cannot be set at the moment).
'nft add rule bridge filter prerouting meta mark set vlan id'
should work, in my opinion. Any ideas/comments?
In case it's relevant: I'm working on bridge defrag+conntrack, and one
of the open questions is handling of vlan identifiers
so that we can deal with overlapping addresses in different VLANs.
Since it might be feasible to allow tracking inside other encap
protocols (e.g. pppoe) at one point I would prefer to handle isolation
via conntrack zones since that's already available and not have
to deal with vlan identifiers directly in the kernel.
But if doing operations like 'set zone based on vlan id' is illegal/
considered bad I will have to reconsider...
Thanks!
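As an added illustration, not part of Florian's mail: the "one conntrack zone per VLAN" isolation he describes, written out as an nftables bridge-family ruleset. It assumes a kernel and nft that support `ct zone set` in the bridge family (the mail says this was not available at the time); the table and chain names are placeholders, and the chain priority is chosen only so the rule runs before the conntrack hook.

```nft
# Added example: isolate overlapping IP address space per VLAN by
# mapping the 802.1Q VLAN id to the conntrack zone id.
table bridge filter {
	chain prerouting {
		# Must run before the bridge conntrack hook so the zone is
		# already assigned when the packet is looked up / tracked.
		type filter hook prerouting priority -300; policy accept;

		# Tagged frames: use the VLAN id as the zone id, so that
		# 192.168.7.1 in VLAN 10 and 192.168.7.1 in VLAN 20 become
		# two distinct connections instead of one colliding entry.
		# ("vlan id" only matches 802.1Q-tagged frames.)
		ct zone set vlan id

		# Untagged frames fall through and stay in the default zone 0.
		ct state new counter
	}
}
```

Because the zone is derived from the frame itself rather than from the interface, the same rule covers every VLAN without a per-VLAN entry; the cost is that the zone id space (16 bits) must hold the VLAN id space (12 bits), which it does.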
Thread overview: 2+ messages
2016-01-20 16:31 Florian Westphal [this message]
2016-01-22 13:15 ` mark set datatype check too strict? Pablo Neira Ayuso