* [PATCH nft 0/3] use skb->protocol as l3 protocol dependency
@ 2019-06-18 18:43 Florian Westphal
2019-06-18 18:43 ` [PATCH nft 1/3] netlink_delinerize: remove network header dep for reject statement also in bridge family Florian Westphal
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Florian Westphal @ 2019-06-18 18:43 UTC (permalink / raw)
To: netfilter-devel
Real patch is the last one, first two do preparation work:
1. Allow removal of the dependency for the reject statement
2. Keep exact icmp type for bridge when printing.
This is needed so we do not lose the l3 protocol information.
In the ip family, "reject" and "reject with icmp type
port-unreachable" are the same, but in case of bridge the latter
adds a protocol dependency on ipv4, whereas the former rejects
ip with icmp and ipv6 with a similar icmp-v6 error packet.
3. Prefer meta protocol for bridge family for all implicit
dependencies.
include/statement.h | 3
src/json.c | 6 -
src/meta.c | 6 -
src/netlink_delinearize.c | 10 +
src/payload.c | 18 +++
src/statement.c | 6 -
tests/py/bridge/ether.t | 4
tests/py/bridge/ether.t.json.output | 48 ---------
tests/py/bridge/ether.t.payload | 24 +++-
tests/py/bridge/icmpX.t.payload | 4
tests/py/bridge/reject.t | 28 ++---
tests/py/bridge/reject.t.json.output | 170 +++++---------------------------
tests/py/bridge/reject.t.payload | 24 ++--
tests/py/inet/ip_tcp.t.payload.bridge | 8 -
tests/py/inet/sets.t.payload.bridge | 4
tests/py/ip/ip.t.payload.bridge | 180 +++++++++++++++++-----------------
16 files changed, 217 insertions(+), 326 deletions(-)
* [PATCH nft 1/3] netlink_delinerize: remove network header dep for reject statement also in bridge family
2019-06-18 18:43 [PATCH nft 0/3] use skb->protocol as l3 protocol dependency Florian Westphal
@ 2019-06-18 18:43 ` Florian Westphal
2019-06-19 17:21 ` Pablo Neira Ayuso
2019-06-18 18:43 ` [PATCH nft 2/3] src: statement: disable reject statement type omission for bridge Florian Westphal
2019-06-18 18:43 ` [PATCH nft 3/3] src: prefer meta protocol as bridge l3 dependency Florian Westphal
2 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2019-06-18 18:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
add rule bridge test-bridge input reject with icmp type ...
is shown as
ether type ip reject type ...
i.e., the dependency is not removed.
Allow dependency removal -- this adds a problem where some icmp types
will be shortened to 'reject', losing the icmp ipv4 dependency.
Next patch resolves this problem by disabling short-hand abbreviations
for bridge reject statements.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/netlink_delinearize.c | 4 +
tests/py/bridge/ether.t.json.output | 48 +-------
tests/py/bridge/reject.t | 28 ++---
tests/py/bridge/reject.t.json.output | 170 +++++----------------------
4 files changed, 50 insertions(+), 200 deletions(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 1f63d9d5e2c2..4d720d2938fc 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2217,6 +2217,10 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
default:
break;
}
+
+ if (payload_dependency_exists(&rctx->pdctx, PROTO_BASE_NETWORK_HDR))
+ payload_dependency_release(&rctx->pdctx);
+
break;
default:
break;
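Review bot: the added payload_dependency_release() call before the outer break fires whenever any PROTO_BASE_NETWORK_HDR dependency is pending, without checking that the pending match is the l3 protocol test implied by this reject statement. A one-line comment saying why any pending dependency can be dropped at this point, or a check of the dependency against the reject family, would make this easier to verify.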
diff --git a/tests/py/bridge/ether.t.json.output b/tests/py/bridge/ether.t.json.output
index 05e568f6592d..5bb2e47a458a 100644
--- a/tests/py/bridge/ether.t.json.output
+++ b/tests/py/bridge/ether.t.json.output
@@ -8,22 +8,10 @@
"protocol": "tcp"
}
},
- "op": "==",
+ "op": "==",
"right": 22
}
},
- {
- "match": {
- "left": {
- "payload": {
- "field": "saddr",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "00:0f:54:0c:11:04"
- }
- },
{
"match": {
"left": {
@@ -32,29 +20,10 @@
"protocol": "ip"
}
},
- "op": "==",
+ "op": "==",
"right": "1.2.3.4"
}
},
- {
- "accept": null
- }
-]
-
-# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": 22
- }
- },
{
"match": {
"left": {
@@ -63,21 +32,12 @@
"protocol": "ether"
}
},
- "op": "==",
+ "op": "==",
"right": "00:0f:54:0c:11:04"
}
},
{
- "match": {
- "left": {
- "payload": {
- "field": "daddr",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": "1.2.3.4"
- }
+ "accept": null
}
]
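Review bot: the changes to this file, ending here with the ip daddr match replaced by "accept": null, remove the separate expected output for '# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04', a rule with no reject statement that the commit message does not cover. tests/py/bridge/ether.t itself is only touched in 3/3, where that rule's expected listing output is dropped, so these hunks look like they belong in that patch. The "op": "==" lines are removed and re-added with identical text, so that part is whitespace churn that could be left out or put in its own commit.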
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index ad5280f7d573..ee7e93c81449 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -3,24 +3,24 @@
*bridge;test-bridge;input
# The output is specific for bridge family
-reject with icmp type host-unreachable;ok;ether type ip reject with icmp type host-unreachable
-reject with icmp type net-unreachable;ok;ether type ip reject with icmp type net-unreachable
-reject with icmp type prot-unreachable;ok;ether type ip reject with icmp type prot-unreachable
-reject with icmp type port-unreachable;ok;ether type ip reject
-reject with icmp type net-prohibited;ok;ether type ip reject with icmp type net-prohibited
-reject with icmp type host-prohibited;ok;ether type ip reject with icmp type host-prohibited
-reject with icmp type admin-prohibited;ok;ether type ip reject with icmp type admin-prohibited
-
-reject with icmpv6 type no-route;ok;ether type ip6 reject with icmpv6 type no-route
-reject with icmpv6 type admin-prohibited;ok;ether type ip6 reject with icmpv6 type admin-prohibited
-reject with icmpv6 type addr-unreachable;ok;ether type ip6 reject with icmpv6 type addr-unreachable
-reject with icmpv6 type port-unreachable;ok;ether type ip6 reject
+reject with icmp type host-unreachable;ok
+reject with icmp type net-unreachable;ok
+reject with icmp type prot-unreachable;ok
+reject with icmp type port-unreachable;ok
+reject with icmp type net-prohibited;ok
+reject with icmp type host-prohibited;ok
+reject with icmp type admin-prohibited;ok
+
+reject with icmpv6 type no-route;ok
+reject with icmpv6 type admin-prohibited;ok
+reject with icmpv6 type addr-unreachable;ok
+reject with icmpv6 type port-unreachable;ok
mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset
reject;ok
-ether type ip reject;ok
-ether type ip6 reject;ok
+ether type ip reject;ok;reject with icmp type port-unreachable
+ether type ip6 reject;ok;reject with icmpv6 type port-unreachable
reject with icmpx type host-unreachable;ok
reject with icmpx type no-route;ok
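Review bot: 'reject with icmp type port-unreachable;ok' and 'ether type ip reject;ok;reject with icmp type port-unreachable' expect the full icmp type on output, but the commit message says that after this patch some types are still shortened to 'reject' until 2/3 disables the short-hand. If so, these expectations only hold with 2/3 applied and the test run fails when bisecting onto this commit; reordering the two patches, or moving the port-unreachable expectations into 2/3, would avoid that.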
diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output
index 08dfaf6a1778..dcfeceb88b13 100644
--- a/tests/py/bridge/reject.t.json.output
+++ b/tests/py/bridge/reject.t.json.output
@@ -1,17 +1,5 @@
# reject with icmp type host-unreachable
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
{
"reject": {
"expr": "host-unreachable",
@@ -22,18 +10,6 @@
# reject with icmp type net-unreachable
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
{
"reject": {
"expr": "net-unreachable",
@@ -44,18 +20,6 @@
# reject with icmp type prot-unreachable
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
{
"reject": {
"expr": "prot-unreachable",
@@ -64,39 +28,8 @@
}
]
-# reject with icmp type port-unreachable
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
- {
- "reject": null
- }
-]
-
# reject with icmp type net-prohibited
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
{
"reject": {
"expr": "net-prohibited",
@@ -107,18 +40,6 @@
# reject with icmp type host-prohibited
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
{
"reject": {
"expr": "host-prohibited",
@@ -129,18 +50,6 @@
# reject with icmp type admin-prohibited
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
{
"reject": {
"expr": "admin-prohibited",
@@ -151,18 +60,6 @@
# reject with icmpv6 type no-route
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip6"
- }
- },
{
"reject": {
"expr": "no-route",
@@ -173,18 +70,6 @@
# reject with icmpv6 type admin-prohibited
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip6"
- }
- },
{
"reject": {
"expr": "admin-prohibited",
@@ -195,18 +80,6 @@
# reject with icmpv6 type addr-unreachable
[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip6"
- }
- },
{
"reject": {
"expr": "addr-unreachable",
@@ -218,19 +91,10 @@
# reject with icmpv6 type port-unreachable
[
{
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "ether"
- }
- },
- "op": "==",
- "right": "ip6"
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
}
- },
- {
- "reject": null
}
]
@@ -239,9 +103,11 @@
{
"match": {
"left": {
- "meta": { "key": "mark" }
+ "meta": {
+ "key": "mark"
+ }
},
- "op": "==",
+ "op": "==",
"right": 12345
}
},
@@ -253,7 +119,7 @@
"protocol": "ip"
}
},
- "op": "==",
+ "op": "==",
"right": 6
}
},
@@ -271,3 +137,23 @@
}
]
+# ether type ip reject
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# ether type ip6 reject
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
--
2.21.0
* [PATCH nft 2/3] src: statement: disable reject statement type omission for bridge
2019-06-18 18:43 [PATCH nft 0/3] use skb->protocol as l3 protocol dependency Florian Westphal
2019-06-18 18:43 ` [PATCH nft 1/3] netlink_delinerize: remove network header dep for reject statement also in bridge family Florian Westphal
@ 2019-06-18 18:43 ` Florian Westphal
2019-06-19 17:21 ` Pablo Neira Ayuso
2019-06-18 18:43 ` [PATCH nft 3/3] src: prefer meta protocol as bridge l3 dependency Florian Westphal
2 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2019-06-18 18:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
add rule bridge test-bridge input reject with icmp type port-unreachable
... will be printed as 'reject', which is fine on ip family, but not on
bridge -- 'with icmp type' adds an ipv4 dependency, but simple reject
does not (it will use icmpx to also reject ipv6 packets with an icmpv6 error).
Add a toggle to suppress short-hand versions in this case.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/statement.h | 3 ++-
src/json.c | 6 ++++--
src/netlink_delinearize.c | 6 ++++++
src/statement.c | 6 ++++--
4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/include/statement.h b/include/statement.h
index 91d6e0e2cb81..6fb5cf15f8bd 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -102,8 +102,9 @@ extern void __limit_stmt_print(const struct limit_stmt *limit);
struct reject_stmt {
struct expr *expr;
- enum nft_reject_types type;
+ enum nft_reject_types type:8;
int8_t icmp_code;
+ uint8_t verbose_print:1;
unsigned int family;
};
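Review bot: 'uint8_t verbose_print:1' and 'enum nft_reject_types type:8' use bit-field types other than _Bool, signed int or unsigned int, which C leaves implementation-defined. Because int8_t icmp_code sits between the two bit-fields they are not adjacent in the declaration anyway, so a plain 'bool verbose_print;' next to icmp_code would be simpler. A short comment on what the flag suppresses would also help, since the struct has none.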
diff --git a/src/json.c b/src/json.c
index a503a97500a9..e0127c5741a0 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1311,13 +1311,15 @@ json_t *reject_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
case NFT_REJECT_ICMP_UNREACH:
switch (stmt->reject.family) {
case NFPROTO_IPV4:
- if (stmt->reject.icmp_code == ICMP_PORT_UNREACH)
+ if (!stmt->reject.verbose_print &&
+ stmt->reject.icmp_code == ICMP_PORT_UNREACH)
break;
type = "icmp";
jexpr = expr_print_json(stmt->reject.expr, octx);
break;
case NFPROTO_IPV6:
- if (stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
+ if (!stmt->reject.verbose_print &&
+ stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
break;
type = "icmpv6";
jexpr = expr_print_json(stmt->reject.expr, octx);
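Review bot: the '!stmt->reject.verbose_print &&' test is added to both the NFPROTO_IPV4 and NFPROTO_IPV6 cases here and again, in the same form, in reject_stmt_print() in src/statement.c, so the rule for when the type may be omitted now lives in four places. A small helper shared by both printers, for example one that takes the reject statement and returns whether the short form is allowed, would keep the JSON and plain output from drifting apart.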
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 4d720d2938fc..a4044f0c7329 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2202,6 +2202,12 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
datatype_set(stmt->reject.expr, &icmpx_code_type);
break;
}
+
+ /* always print full icmp(6) name, simple 'reject' might be ambiguious
+ * because ipv4 vs. ipv6 info might be lost
+ */
+ stmt->reject.verbose_print = 1;
+
base = rctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
desc = rctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
protocol = proto_find_num(base, desc);
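Review bot: the comment above 'stmt->reject.verbose_print = 1;' says the full name is always printed, while the commit message limits the change to the bridge family, and it misspells 'ambiguous'. Stating in the comment that this applies to bridge, where a bare 'reject' also covers ipv6, would match the description. It is also worth noting there that this is the only assignment of the flag in the patch, so only statements that pass through stmt_reject_postprocess() get the verbose form.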
diff --git a/src/statement.c b/src/statement.c
index a9e8b3ae0780..c5594233a45f 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -516,13 +516,15 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
case NFT_REJECT_ICMP_UNREACH:
switch (stmt->reject.family) {
case NFPROTO_IPV4:
- if (stmt->reject.icmp_code == ICMP_PORT_UNREACH)
+ if (!stmt->reject.verbose_print &&
+ stmt->reject.icmp_code == ICMP_PORT_UNREACH)
break;
nft_print(octx, " with icmp type ");
expr_print(stmt->reject.expr, octx);
break;
case NFPROTO_IPV6:
- if (stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
+ if (!stmt->reject.verbose_print &&
+ stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
break;
nft_print(octx, " with icmpv6 type ");
expr_print(stmt->reject.expr, octx);
--
2.21.0
* [PATCH nft 3/3] src: prefer meta protocol as bridge l3 dependency
2019-06-18 18:43 [PATCH nft 0/3] use skb->protocol as l3 protocol dependency Florian Westphal
2019-06-18 18:43 ` [PATCH nft 1/3] netlink_delinerize: remove network header dep for reject statement also in bridge family Florian Westphal
2019-06-18 18:43 ` [PATCH nft 2/3] src: statement: disable reject statement type omission for bridge Florian Westphal
@ 2019-06-18 18:43 ` Florian Westphal
2019-06-19 17:35 ` Pablo Neira Ayuso
2 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2019-06-18 18:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
On families other than 'ip', the rule
ip protocol icmp
needs a dependency on the ip protocol so we do not treat e.g. an ipv6
header as ip.
Bridge currently uses eth_hdr.type for this, but that will cause the
rule above to not match in case the ip packet is within a VLAN tagged
frame -- ether.type will appear as ETH_P_8021Q.
Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer
to use this instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/meta.c | 6 +-
src/payload.c | 18 +++
tests/py/bridge/ether.t | 4 +-
tests/py/bridge/ether.t.payload | 24 ++--
tests/py/bridge/icmpX.t.payload | 4 +-
tests/py/bridge/reject.t.payload | 24 ++--
tests/py/inet/ip_tcp.t.payload.bridge | 8 +-
tests/py/inet/sets.t.payload.bridge | 4 +-
tests/py/ip/ip.t.payload.bridge | 180 +++++++++++++-------------
9 files changed, 151 insertions(+), 121 deletions(-)
diff --git a/src/meta.c b/src/meta.c
index 583e790ff47d..1e8964eb48c4 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -539,7 +539,11 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx,
proto_ctx_update(ctx, PROTO_BASE_TRANSPORT_HDR, &expr->location, desc);
break;
case NFT_META_PROTOCOL:
- if (h->base < PROTO_BASE_NETWORK_HDR && ctx->family != NFPROTO_NETDEV)
+ if (h->base != PROTO_BASE_LL_HDR)
+ return;
+
+ if (ctx->family != NFPROTO_NETDEV &&
+ ctx->family != NFPROTO_BRIDGE)
return;
desc = proto_find_upper(h->desc, ntohs(mpz_get_uint16(right->value)));
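Review bot: the rewritten NFT_META_PROTOCOL check changes behaviour for more than bridge. The old condition returned only when h->base < PROTO_BASE_NETWORK_HDR on a non-netdev family; the new one returns for every family other than netdev and bridge, and for netdev as well when h->base is not PROTO_BASE_LL_HDR. The commit message only talks about bridge, so either explain there why the other cases are unaffected or keep their old behaviour.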
diff --git a/src/payload.c b/src/payload.c
index 338a4b762cf8..7e4f935be293 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -18,6 +18,7 @@
#include <net/if_arp.h>
#include <arpa/inet.h>
#include <linux/netfilter.h>
+#include <linux/if_ether.h>
#include <rule.h>
#include <expression.h>
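Review bot: the new '#include <linux/if_ether.h>' is not needed by the code this patch adds to payload.c, which refers to ETH_P_8021Q only inside a comment. Drop it unless another user of the header is intended.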
@@ -369,6 +370,23 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
"no %s protocol specified",
proto_base_names[expr->payload.base - 1]);
+ if (ctx->pctx.family == NFPROTO_BRIDGE && desc == &proto_eth) {
+ /* prefer netdev proto, which adds dependencies based
+ * on skb->protocol.
+ *
+ * This has the advantage that we will also match
+ * vlan encapsulated traffic.
+ *
+ * eth_hdr(skb)->type would not match, as nft_payload
+ * will pretend vlan tag was not offloaded, i.e.
+ * type is ETH_P_8021Q in such a case, but skb->protocol
+ * would still match the l3 header type.
+ */
+ if (expr->payload.desc == &proto_ip ||
+ expr->payload.desc == &proto_ip6)
+ desc = &proto_netdev;
+ }
+
return payload_add_dependency(ctx, desc, expr->payload.desc, expr, res);
}
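Review bot: the switch to proto_netdev is limited to 'expr->payload.desc == &proto_ip || expr->payload.desc == &proto_ip6', while the cover letter describes 3/3 as preferring meta protocol for all implicit dependencies in the bridge family. Other protocols carried directly over ethernet would still get the ether type dependency and so still miss VLAN tagged frames as described in the commit message; either extend the condition or say in the comment why only ip and ip6 are covered.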
diff --git a/tests/py/bridge/ether.t b/tests/py/bridge/ether.t
index 15f5f857b198..e4f75d160477 100644
--- a/tests/py/bridge/ether.t
+++ b/tests/py/bridge/ether.t
@@ -2,8 +2,8 @@
*bridge;test-bridge;input
-tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
-tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
+tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 accept
+tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok
tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4;ok
ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept;ok
diff --git a/tests/py/bridge/ether.t.payload b/tests/py/bridge/ether.t.payload
index 1caa2d509ea2..eaff9c312bae 100644
--- a/tests/py/bridge/ether.t.payload
+++ b/tests/py/bridge/ether.t.payload
@@ -6,10 +6,12 @@ bridge test-bridge input
[ cmp eq reg 1 0x00001600 ]
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 8b @ link header + 6 => reg 1 ]
- [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x04030201 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
[ immediate reg 0 accept ]
# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
@@ -18,10 +20,12 @@ bridge test-bridge input
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
- [ payload load 8b @ link header + 6 => reg 1 ]
- [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x04030201 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
bridge test-bridge input
@@ -29,15 +33,19 @@ bridge test-bridge input
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
- [ payload load 8b @ link header + 6 => reg 1 ]
- [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x04030201 ]
# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
bridge test-bridge input
- [ payload load 8b @ link header + 6 => reg 1 ]
- [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x04030201 ]
[ immediate reg 0 accept ]
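Review bot: in the '# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept' case the single 'payload load 8b @ link header + 6' that fetched source address and ether type together becomes a 6b payload load plus a separate 'meta load protocol' and a second cmp. That is the cost of the new dependency and is worth a sentence in the commit message, so the longer bytecode for rules that also match on ether fields is a documented trade-off.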
diff --git a/tests/py/bridge/icmpX.t.payload b/tests/py/bridge/icmpX.t.payload
index 0fab1abf61ea..f9ea7b60450a 100644
--- a/tests/py/bridge/icmpX.t.payload
+++ b/tests/py/bridge/icmpX.t.payload
@@ -1,6 +1,6 @@
# ip protocol icmp icmp type echo-request
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
@@ -18,7 +18,7 @@ bridge test-bridge input
# ip6 nexthdr icmpv6 icmpv6 type echo-request
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ payload load 1b @ network header + 6 => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index 888179df9c97..0d10547bbce6 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
@@ -1,66 +1,66 @@
# reject with icmp type host-unreachable
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
# reject with icmp type net-unreachable
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 0 ]
# reject with icmp type prot-unreachable
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 2 ]
# reject with icmp type port-unreachable
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 3 ]
# reject with icmp type net-prohibited
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 9 ]
# reject with icmp type host-prohibited
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 10 ]
# reject with icmp type admin-prohibited
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 13 ]
# reject with icmpv6 type no-route
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
# reject with icmpv6 type admin-prohibited
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 1 ]
# reject with icmpv6 type addr-unreachable
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 3 ]
# reject with icmpv6 type port-unreachable
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
@@ -68,7 +68,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load mark => reg 1 ]
[ cmp eq reg 1 0x00003039 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
diff --git a/tests/py/inet/ip_tcp.t.payload.bridge b/tests/py/inet/ip_tcp.t.payload.bridge
index f9f2e0a137f6..0344cd66668c 100644
--- a/tests/py/inet/ip_tcp.t.payload.bridge
+++ b/tests/py/inet/ip_tcp.t.payload.bridge
@@ -1,6 +1,6 @@
# ip protocol tcp tcp dport 22
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
@@ -9,7 +9,7 @@ bridge test-bridge input
# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
@@ -20,7 +20,7 @@ bridge test-bridge input
# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
@@ -32,7 +32,7 @@ bridge test-bridge input
# ip protocol tcp counter tcp dport 22
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
index 6f21f827bc96..f5aaab1d79bc 100644
--- a/tests/py/inet/sets.t.payload.bridge
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -1,6 +1,6 @@
# ip saddr @set1 drop
bridge test-inet input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ lookup reg 1 set set1 ]
@@ -8,7 +8,7 @@ bridge test-inet input
# ip6 daddr != @set2 accept
bridge test-inet input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ payload load 16b @ network header + 24 => reg 1 ]
[ lookup reg 1 set set2 0x1 ]
diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge
index ad1d0aa801d5..91a4fde382e6 100644
--- a/tests/py/ip/ip.t.payload.bridge
+++ b/tests/py/ip/ip.t.payload.bridge
@@ -1,6 +1,6 @@
# ip dscp cs1
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
@@ -8,7 +8,7 @@ bridge test-bridge input
# ip dscp != cs1
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
@@ -16,7 +16,7 @@ bridge test-bridge input
# ip dscp 0x38
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
@@ -24,7 +24,7 @@ bridge test-bridge input
# ip dscp != 0x20
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
@@ -35,7 +35,7 @@ __set%d test-bridge 3 size 21
__set%d test-bridge 0
element 00000000 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000060 : 0 [end] element 00000080 : 0 [end] element 000000a0 : 0 [end] element 000000c0 : 0 [end] element 000000e0 : 0 [end] element 00000028 : 0 [end] element 00000030 : 0 [end] element 00000038 : 0 [end] element 00000048 : 0 [end] element 00000050 : 0 [end] element 00000058 : 0 [end] element 00000068 : 0 [end] element 00000070 : 0 [end] element 00000078 : 0 [end] element 00000088 : 0 [end] element 00000090 : 0 [end] element 00000098 : 0 [end] element 000000b8 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
@@ -46,7 +46,7 @@ __set%d test-bridge 3 size 2
__set%d test-bridge 0
element 00000000 : 0 [end] element 00000060 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
@@ -57,7 +57,7 @@ __map%d test-bridge b size 2
__map%d test-bridge 0
element 00000020 : 0 [end] element 00000080 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
@@ -66,21 +66,21 @@ bridge test-bridge input
# ip length 232
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ cmp eq reg 1 0x0000e800 ]
# ip length != 233
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
# ip length 333-435
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ cmp gte reg 1 0x00004d01 ]
@@ -88,7 +88,7 @@ bridge test-bridge input
# ip length != 333-453
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ range neq reg 1 0x00004d01 0x0000c501 ]
@@ -98,7 +98,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -108,7 +108,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00004d01 : 0 [end] element 00002902 : 0 [end] element 0000a102 : 0 [end] element 00004603 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -118,7 +118,7 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -128,28 +128,28 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# ip id 22
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
# ip id != 233
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
# ip id 33-45
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
@@ -157,7 +157,7 @@ bridge test-bridge input
# ip id != 33-45
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
@@ -167,7 +167,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -177,7 +177,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -187,7 +187,7 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -197,14 +197,14 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# ip frag-off 222 accept
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ cmp eq reg 1 0x0000de00 ]
@@ -212,14 +212,14 @@ bridge test-bridge input
# ip frag-off != 233
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
# ip frag-off 33-45
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
@@ -227,7 +227,7 @@ bridge test-bridge input
# ip frag-off != 33-45
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
@@ -237,7 +237,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -247,7 +247,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -257,7 +257,7 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -267,14 +267,14 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# ip ttl 0 drop
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ cmp eq reg 1 0x00000000 ]
@@ -282,14 +282,14 @@ bridge test-bridge input
# ip ttl 233
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ cmp eq reg 1 0x000000e9 ]
# ip ttl 33-55
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ cmp gte reg 1 0x00000021 ]
@@ -297,7 +297,7 @@ bridge test-bridge input
# ip ttl != 45-50
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ range neq reg 1 0x0000002d 0x00000032 ]
@@ -307,7 +307,7 @@ __set%d test-bridge 3 size 3
__set%d test-bridge 0
element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -317,7 +317,7 @@ __set%d test-bridge 3 size 3
__set%d test-bridge 0
element 0000002b : 0 [end] element 00000035 : 0 [end] element 0000002d : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -327,7 +327,7 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -337,21 +337,21 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# ip protocol tcp
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
# ip protocol != tcp
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp neq reg 1 0x00000006 ]
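Review bot: rules already loaded with the old dependency, `payload load 2b @ link header + 12` followed by `cmp eq reg 1 0x00000008`, will still exist after the expectations for `ip protocol tcp` and `ip protocol != tcp` change here. The commit message should say whether such rules still list with the dependency removed, and that they keep the old behaviour (no match inside VLAN tagged frames) until they are reloaded.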
@@ -361,7 +361,7 @@ __set%d test-bridge 3 size 9
__set%d test-bridge 0
element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -372,7 +372,7 @@ __set%d test-bridge 3 size 9
__set%d test-bridge 0
element 00000001 : 0 [end] element 00000032 : 0 [end] element 00000033 : 0 [end] element 0000006c : 0 [end] element 00000011 : 0 [end] element 00000088 : 0 [end] element 00000006 : 0 [end] element 00000021 : 0 [end] element 00000084 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -380,14 +380,14 @@ bridge test-bridge input
# ip protocol 255
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x000000ff ]
# ip checksum 13172 drop
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ cmp eq reg 1 0x00007433 ]
@@ -395,21 +395,21 @@ bridge test-bridge input
# ip checksum 22
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
# ip checksum != 233
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
# ip checksum 33-45
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
@@ -417,7 +417,7 @@ bridge test-bridge input
# ip checksum != 33-45
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
@@ -427,7 +427,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -437,7 +437,7 @@ __set%d test-bridge 3 size 4
__set%d test-bridge 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -447,7 +447,7 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -457,14 +457,14 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# ip saddr 192.168.2.0/24
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
@@ -472,7 +472,7 @@ bridge test-bridge input
# ip saddr != 192.168.2.0/24
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
@@ -480,7 +480,7 @@ bridge test-bridge input
# ip saddr 192.168.3.1 ip daddr 192.168.3.100
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0103a8c0 ]
@@ -489,21 +489,21 @@ bridge test-bridge input
# ip saddr != 1.1.1.1
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp neq reg 1 0x01010101 ]
# ip saddr 1.1.1.1
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x01010101 ]
# ip daddr 192.168.0.1-192.168.0.250
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp gte reg 1 0x0100a8c0 ]
@@ -511,7 +511,7 @@ bridge test-bridge input
# ip daddr 10.0.0.0-10.255.255.255
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp gte reg 1 0x0000000a ]
@@ -519,7 +519,7 @@ bridge test-bridge input
# ip daddr 172.16.0.0-172.31.255.255
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp gte reg 1 0x000010ac ]
@@ -527,7 +527,7 @@ bridge test-bridge input
# ip daddr 192.168.3.1-192.168.4.250
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp gte reg 1 0x0103a8c0 ]
@@ -535,7 +535,7 @@ bridge test-bridge input
# ip daddr != 192.168.0.1-192.168.0.250
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
@@ -545,7 +545,7 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -555,7 +555,7 @@ __set%d test-bridge 7 size 3
__set%d test-bridge 0
element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -565,7 +565,7 @@ __set%d test-bridge 3 size 3
__set%d test-bridge 0
element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -576,7 +576,7 @@ __set%d test-bridge 3 size 3
__set%d test-bridge 0
element 0105a8c0 : 0 [end] element 0205a8c0 : 0 [end] element 0305a8c0 : 0 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -584,7 +584,7 @@ bridge test-bridge input
# ip daddr 192.168.1.2-192.168.1.55
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp gte reg 1 0x0201a8c0 ]
@@ -592,14 +592,14 @@ bridge test-bridge input
# ip daddr != 192.168.1.2-192.168.1.55
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0201a8c0 0x3701a8c0 ]
# ip saddr 192.168.1.3-192.168.33.55
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp gte reg 1 0x0301a8c0 ]
@@ -607,21 +607,21 @@ bridge test-bridge input
# ip saddr != 192.168.1.3-192.168.33.55
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ range neq reg 1 0x0301a8c0 0x3721a8c0 ]
# ip daddr 192.168.0.1
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
# ip daddr 192.168.0.1 drop
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
@@ -629,14 +629,14 @@ bridge test-bridge input
# ip daddr 192.168.0.2
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 16 => reg 1 ]
[ cmp eq reg 1 0x0200a8c0 ]
# ip saddr & 0xff == 1
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
@@ -644,7 +644,7 @@ bridge test-bridge input
# ip saddr & 0.0.0.255 < 0.0.0.127
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
@@ -652,7 +652,7 @@ bridge test-bridge input
# ip saddr & 0xffff0000 == 0xffff0000
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ 0x00000000 ]
@@ -660,7 +660,7 @@ bridge test-bridge input
# ip version 4 ip hdrlength 5
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]
@@ -671,7 +671,7 @@ bridge test-bridge input
# ip hdrlength 0
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
@@ -679,7 +679,7 @@ bridge test-bridge input
# ip hdrlength 15
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
@@ -690,7 +690,7 @@ __map%d test-bridge f size 4
__map%d test-bridge 0
element 00000000 : 0 [end] element 00000005 : 0 [end] element 00000006 : 0 [end] element 00000007 : 1 [end]
bridge test-bridge input
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
@@ -701,7 +701,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ immediate reg 1 0x0100007f ]
[ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]
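Review bot: in this hunk the dependency guards a `payload write ... 4b @ network header + 16` with checksum fixup, so switching it to `meta load protocol` changes which packets get rewritten, not only which ones match. Per the commit message, IPv4 inside a VLAN tagged frame was skipped by the ether type check and will now be mangled; that deserves an explicit sentence in the commit message so users of bridge mangling rules are not surprised.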
@@ -710,7 +710,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ immediate reg 1 0x00000000 ]
[ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ]
@@ -719,7 +719,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ immediate reg 1 0x00000000 ]
[ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ]
@@ -728,7 +728,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ]
@@ -738,7 +738,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000300 ]
@@ -748,7 +748,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 8 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000ff00 ) ^ 0x00000017 ]
@@ -758,7 +758,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 8 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ 0x00000100 ]
@@ -768,7 +768,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00005800 ]
@@ -778,7 +778,7 @@ bridge test-bridge input
bridge test-bridge input
[ meta load iif => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ link header + 12 => reg 1 ]
+ [ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00000000 ]
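Review bot: the hunks visible here swap the expected dependency line and leave `cmp eq reg 1 0x00000008` and the following loads unchanged, so the expectations verify the new bytecode but not the VLAN case that motivates the change. A test that passes an IPv4 packet in a VLAN tagged frame through a bridge rule such as `ip protocol icmp` would document the fix, if the test suite has a place for packet-path tests.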
--
2.21.0
* Re: [PATCH nft 1/3] netlink_delinerize: remove network header dep for reject statement also in bridge family
2019-06-18 18:43 ` [PATCH nft 1/3] netlink_delinerize: remove network header dep for reject statement also in bridge family Florian Westphal
@ 2019-06-19 17:21 ` Pablo Neira Ayuso
0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-06-19 17:21 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Tue, Jun 18, 2019 at 08:43:57PM +0200, Florian Westphal wrote:
> add rule bridge test-bridge input reject with icmp type ...
>
> is shown as
>
> ether type ip reject type ...
>
> i.e., the dependency is not removed.
>
> Allow dependency removal -- this adds a problem where some icmp types
> will be shortened to 'reject', losing the icmp ipv4 dependency.
>
> Next patch resolves this problem by disabling short-hand abbreviations
> for bridge reject statements.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Re: [PATCH nft 2/3] src: statement: disable reject statement type omission for bridge
2019-06-18 18:43 ` [PATCH nft 2/3] src: statement: disable reject statement type omission for bridge Florian Westphal
@ 2019-06-19 17:21 ` Pablo Neira Ayuso
0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-06-19 17:21 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Tue, Jun 18, 2019 at 08:43:58PM +0200, Florian Westphal wrote:
> add rule bridge test-bridge input reject with icmp type port-unreachable
>
> ... will be printed as 'reject', which is fine on ip family, but not on
> bridge -- 'with icmp type' adds an ipv4 dependency, but simple reject
> does not (it will use icmpx to also reject ipv6 packets with an icmpv6 error).
>
> Add a toggle to suppress short-hand versions in this case.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Re: [PATCH nft 3/3] src: prefer meta protocol as bridge l3 dependency
2019-06-18 18:43 ` [PATCH nft 3/3] src: prefer meta protocol as bridge l3 dependency Florian Westphal
@ 2019-06-19 17:35 ` Pablo Neira Ayuso
0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-06-19 17:35 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Tue, Jun 18, 2019 at 08:43:59PM +0200, Florian Westphal wrote:
> On families other than 'ip', the rule
>
> ip protocol icmp
>
> needs a dependency on the ip protocol so we do not treat e.g. an ipv6
> header as ip.
>
> Bridge currently uses eth_hdr.type for this, but that will cause the
> rule above to not match in case the ip packet is within a VLAN tagged
> frame -- ether.type will appear as ETH_P_8021Q.
>
> Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer
> to use this instead.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
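The VLAN case from the commit message quoted above, as an added example that is not part of the thread or of nftables: it compares the old dependency (the two bytes at link header + 12) with a model of the protocol left after one 802.1Q tag is stripped. The frames are constructed samples, the function names are hypothetical, and the single-tag model and the little-endian register view are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VLAN_HLEN    4        /* TCI + encapsulated type */
#define ETH_P_IP     0x0800
#define ETH_P_8021Q  0x8100

/* Constructed sample frames as seen on the wire (made-up addresses). */
static const uint8_t untagged_ipv4[] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,  /* dst, src MAC */
    0x08, 0x00,                                       /* type: IPv4 */
    0x45, 0x00                                        /* IPv4 header start */
};
static const uint8_t tagged_ipv4[] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,
    0x81, 0x00,                                       /* type: 802.1Q */
    0x00, 0x64,                                       /* TCI: VLAN 100 */
    0x08, 0x00,                                       /* encapsulated: IPv4 */
    0x45, 0x00
};

/* Read a big-endian 16-bit field; -1 if it does not fit in the frame. */
static int be16_at(const uint8_t *f, size_t len, size_t off)
{
    if (off + 2 > len)
        return -1;
    return (f[off] << 8) | f[off + 1];
}

/* Old dependency: "payload load 2b @ link header + 12". */
int link_header_type(const uint8_t *f, size_t len)
{
    return be16_at(f, len, 12);
}

/* Model of what the new dependency compares: the protocol that remains
 * once a single 802.1Q tag has been stripped (assumption: one tag). */
int proto_after_tag_strip(const uint8_t *f, size_t len)
{
    int type = be16_at(f, len, 12);

    if (type == ETH_P_8021Q)
        type = be16_at(f, len, 12 + VLAN_HLEN);
    return type;
}

int old_dep_matches_ip(const uint8_t *f, size_t len)
{
    return link_header_type(f, len) == ETH_P_IP;
}

int new_dep_matches_ip(const uint8_t *f, size_t len)
{
    return proto_after_tag_strip(f, len) == ETH_P_IP;
}

/* The bytes 08 00 read as a little-endian word, which is how the
 * payload expectations show them: "cmp eq reg 1 0x00000008". */
uint32_t reg_as_le_word(uint16_t be_value)
{
    uint8_t b0 = (uint8_t)(be_value >> 8);
    uint8_t b1 = (uint8_t)(be_value & 0xff);

    return (uint32_t)b0 | ((uint32_t)b1 << 8);
}

int main(void)
{
    printf("untagged: old=%d new=%d\n",
           old_dep_matches_ip(untagged_ipv4, sizeof(untagged_ipv4)),
           new_dep_matches_ip(untagged_ipv4, sizeof(untagged_ipv4)));
    printf("tagged:   old=%d new=%d (type at +12: 0x%04x)\n",
           old_dep_matches_ip(tagged_ipv4, sizeof(tagged_ipv4)),
           new_dep_matches_ip(tagged_ipv4, sizeof(tagged_ipv4)),
           (unsigned)link_header_type(tagged_ipv4, sizeof(tagged_ipv4)));
    printf("register view of ETH_P_IP: 0x%08x\n",
           (unsigned)reg_as_le_word(ETH_P_IP));
    return 0;
}
```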