From: Florian Westphal <fw@strlen.de>
To: Phil Sutter <phil@nwl.cc>, Florian Westphal <fw@strlen.de>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [RFC ebtables-nft] unify ether type and meta protocol decoding
Date: Thu, 1 Dec 2022 11:16:03 +0100 [thread overview]
Message-ID: <20221201101603.GF17072@breakpoint.cc> (raw)
In-Reply-To: <Y4ds+Pk4ZrR+NxtT@orbyte.nwl.cc>
Phil Sutter <phil@nwl.cc> wrote:
> On Wed, Nov 30, 2022 at 12:37:18PM +0100, Florian Westphal wrote:
> > Handle "ether protocol" and "meta protcol" the same.
> >
> > Problem is that this breaks the test case *again*:
> >
> > I: [EXECUTING] iptables/tests/shell/testcases/ebtables/0006-flush_0
> > --A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
> > --A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
> > +-A FORWARD -p IPv4 --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
> > +-A OUTPUT -p IPv4 --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
> >
> > ... because ebtables-nft will now render meta protocol as "-p IPv4".
> >
> > ebtables-legacy does not have any special handling for this.
> >
> > Solving this would need more internal annotations during decode, so
> > we can suppress/ignore "meta protocol" once a "among-type" set is
> > encountered.
> >
> > Any (other) suggestions?
>
> Since ebtables among does not support IPv6, match elimination should be
> pretty simple, no? Entirely untested:
>
> diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
> index 08c93feeba2c9..0daebfd983127 100644
> --- a/iptables/nft-bridge.c
> +++ b/iptables/nft-bridge.c
> @@ -520,6 +520,10 @@ static void nft_bridge_parse_lookup(struct nft_xt_ctx *ctx,
> if (set_elems_to_among_pairs(among_data->pairs + poff, s, cnt))
> xtables_error(OTHER_PROBLEM,
> "ebtables among pair parsing failed");
> +
> + if (!(ctx->cs.eb.bitmask & EBT_NOPROTO) &&
> + ctx->cs.eb.ethproto == htons(0x0800))
> + ctx->cs.eb.bitmask |= EBT_NOPROTO;
But that would munge
ebtables-nft -p ipv4 ....
ebtables-nft ....
We don't know if "-p" was added explicitly or not.
next prev parent reply other threads:[~2022-12-01 10:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-30 11:37 [RFC ebtables-nft] unify ether type and meta protocol decoding Florian Westphal
2022-11-30 14:47 ` Phil Sutter
2022-12-01 10:16 ` Florian Westphal [this message]
2022-12-01 11:40 ` Phil Sutter
2022-12-20 20:44 ` [iptables RFC] ebtables: among: Embed meta protocol match into set lookup Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221201101603.GF17072@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).