Re: [RFC ebtables-nft] unify ether type and meta protocol decoding

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [RFC ebtables-nft] unify ether type and meta protocol decoding
Date: Wed, 30 Nov 2022 15:47:20 +0100	[thread overview]
Message-ID: <Y4ds+Pk4ZrR+NxtT@orbyte.nwl.cc> (raw)
In-Reply-To: <20221130113718.85576-1-fw@strlen.de>

On Wed, Nov 30, 2022 at 12:37:18PM +0100, Florian Westphal wrote:
> Handle "ether protocol" and "meta protcol" the same.
> 
> Problem is that this breaks the test case *again*:
> 
> I: [EXECUTING]   iptables/tests/shell/testcases/ebtables/0006-flush_0
> --A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
> --A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
> +-A FORWARD -p IPv4 --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
> +-A OUTPUT -p IPv4 --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
> 
> ... because ebtables-nft will now render meta protocol as "-p IPv4".
> 
> ebtables-legacy does not have any special handling for this.
> 
> Solving this would need more internal annotations during decode, so
> we can suppress/ignore "meta protocol" once a "among-type" set is
> encountered.
> 
> Any (other) suggestions?

Since ebtables among does not support IPv6, match elimination should be
pretty simple, no? Entirely untested:

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 08c93feeba2c9..0daebfd983127 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -520,6 +520,10 @@ static void nft_bridge_parse_lookup(struct nft_xt_ctx *ctx,
        if (set_elems_to_among_pairs(among_data->pairs + poff, s, cnt))
                xtables_error(OTHER_PROBLEM,
                              "ebtables among pair parsing failed");
+
+       if (!(ctx->cs.eb.bitmask & EBT_NOPROTO) &&
+           ctx->cs.eb.ethproto == htons(0x0800))
+               ctx->cs.eb.bitmask |= EBT_NOPROTO;
 }
 
 static void parse_watcher(void *object, struct ebt_match **match_list,

Cheers, Phil

next prev parent reply	other threads:[~2022-11-30 14:47 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-30 11:37 [RFC ebtables-nft] unify ether type and meta protocol decoding Florian Westphal
2022-11-30 14:47 ` Phil Sutter [this message]
2022-12-01 10:16   ` Florian Westphal
2022-12-01 11:40     ` Phil Sutter
2022-12-20 20:44 ` [iptables RFC] ebtables: among: Embed meta protocol match into set lookup Phil Sutter

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:08c93feeba2c dfblob:0daebfd98312 )
 OR (
bs:"Re: [RFC ebtables-nft] unify ether type and meta protocol decoding" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y4ds+Pk4ZrR+NxtT@orbyte.nwl.cc \
    --to=phil@nwl.cc \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).