From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>
Subject: RFC: Ideas about possible solutions for nfbz#949
Date: Wed, 10 May 2017 17:34:29 +0200
Message-ID: <20170510153429.GZ20805@orbyte.nwl.cc>

Hi,

Netfilter Bugzilla #949[1] complains about broken output when trying to
match icmpv6 message fields. This is a problem in how payload match is
implemented in nft: The given match (e.g. 'icmp6 id 2') is broken down
to a simple match of header data at a specific offset. Sadly this does
not work with ICMP(v6) since the header structure depends on the packet's
ICMP type, and on the return path there is no information about which
type of message the user wanted to match against.

My idea was to build something like the protocol dependencies we have
for e.g. TCP header fields, but with ICMP a given header field might be
present in multiple message types (e.g. icmp6_id is present in echo
request as well as reply).

I already considered inserting a match for icmp6 type against an
anonymous set (like 'icmp6 type { echo-request, echo-reply }'), but
having this as an implicit dependency and resolving with previous
matches, etc. becomes pretty complex.

Do you think I should try following a different approach (via userdata
e.g.)?

Thanks, Phil

[1] https://bugzilla.netfilter.org/show_bug.cgi?id=949
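The mail above describes the round trip that breaks: nft turns a named ICMPv6 field into a raw (offset, length) payload comparison, and on the return path only offset and length are left, which is ambiguous because several message types put different fields at the same place. The following toy model is an added illustration of that mismatch and of the "implicit type dependency" idea from the mail; it is not nft's code or data structures. The field table is constructed from RFC 4443 (ICMPv6) and RFC 2710 (MLD), the type names follow nft's symbolic names, and the functions `linearize`, `delinearize` and `render` are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed field table: name -> (offset, length, set of ICMPv6 message
# types that carry the field). None marks the 4-byte common header that
# every ICMPv6 message has. Offsets follow RFC 4443; "max-delay" is the
# MLD query Maximum Response Delay from RFC 2710. Type names follow nft.
ICMPV6_FIELDS: Dict[str, Tuple[int, int, Optional[FrozenSet[str]]]] = {
    "type":      (0, 1, None),
    "code":      (1, 1, None),
    "checksum":  (2, 2, None),
    "id":        (4, 2, frozenset({"echo-request", "echo-reply"})),
    "sequence":  (6, 2, frozenset({"echo-request", "echo-reply"})),
    "max-delay": (4, 2, frozenset({"mld-listener-query"})),
    "mtu":       (4, 4, frozenset({"packet-too-big"})),
    "pointer":   (4, 4, frozenset({"parameter-problem"})),
}


@dataclass(frozen=True)
class PayloadMatch:
    """What survives the trip to the kernel (hypothetical model): a raw
    comparison of `length` header bytes at `offset` against `value`.
    The field name the user typed is not part of it."""
    offset: int
    length: int
    value: int


def linearize(field: str, value: int) -> Tuple[Optional[FrozenSet[str]], PayloadMatch]:
    """Compile 'icmpv6 <field> <value>' into the raw payload match, plus the
    set of message types that would have to be matched first for the field
    to be meaningful (the implicit dependency discussed in the mail).
    None means the field is in the common header and needs no dependency."""
    offset, length, types = ICMPV6_FIELDS[field]
    if value < 0 or value >= 1 << (8 * length):
        raise ValueError(f"{value} does not fit in {length}-byte field {field}")
    return types, PayloadMatch(offset, length, value)


def delinearize(match: PayloadMatch,
                type_ctx: Optional[FrozenSet[str]] = None) -> List[str]:
    """Return path: map (offset, length) back to candidate field names.
    type_ctx is the set of ICMPv6 types an earlier expression in the same
    rule already restricted the packet to, if any. Without that context,
    type-dependent fields sharing an offset and length cannot be told
    apart, which is exactly the ambiguity behind the broken output."""
    candidates = []
    for name, (offset, length, types) in ICMPV6_FIELDS.items():
        if (offset, length) != (match.offset, match.length):
            continue
        # A type-dependent field is only a candidate if at least one of
        # its carrier types is still possible given the rule's context.
        if types is not None and type_ctx is not None and not (types & type_ctx):
            continue
        candidates.append(name)
    return sorted(candidates)


def render(match: PayloadMatch, type_ctx: Optional[FrozenSet[str]] = None) -> str:
    """Produce listing output. Unambiguous matches get the field name back;
    ambiguous ones are shown in a constructed raw notation rather than by
    guessing one candidate, which is what leads to misleading output."""
    names = delinearize(match, type_ctx)
    if len(names) == 1:
        return f"icmpv6 {names[0]} {match.value}"
    return (f"icmpv6 raw offset {match.offset} length {match.length} "
            f"value {match.value} (candidates: {', '.join(names)})")


if __name__ == "__main__":
    deps, pm = linearize("id", 2)
    print("compiled:", deps, pm)
    print("listed without type context:", render(pm))
    print("listed with type context:   ", render(pm, deps))
```

Running the module shows the three states the mail talks about: the compiled match carries the type dependency, listing it with no context yields the ambiguous form, and listing it with the echo-request/echo-reply context restores `icmpv6 id 2`. The `delinearize` function also makes the mail's complexity point concrete: a context such as `{echo-request, mld-listener-query}` still leaves two candidates, so the implicit set match only disambiguates when the rule's earlier type match is narrow enough.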

Thread overview: 5+ messages
2017-05-10 15:34 Phil Sutter [this message]
2017-05-29 17:52 ` RFC: Ideas about possible solutions for nfbz#949 Pablo Neira Ayuso
2017-05-30 11:04   ` Phil Sutter
2017-05-30 12:08     ` Pablo Neira Ayuso
2017-06-23 14:03       ` Phil Sutter