From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [RFC ebtables-nft] unify ether type and meta protocol decoding
Date: Thu, 1 Dec 2022 12:40:43 +0100 [thread overview]
Message-ID: <Y4iSu5DQmxXI5fIh@orbyte.nwl.cc> (raw)
In-Reply-To: <20221201101603.GF17072@breakpoint.cc>
On Thu, Dec 01, 2022 at 11:16:03AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > On Wed, Nov 30, 2022 at 12:37:18PM +0100, Florian Westphal wrote:
> > > Handle "ether protocol" and "meta protcol" the same.
> > >
> > > Problem is that this breaks the test case *again*:
> > >
> > > I: [EXECUTING] iptables/tests/shell/testcases/ebtables/0006-flush_0
> > > --A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
> > > --A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
> > > +-A FORWARD -p IPv4 --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
> > > +-A OUTPUT -p IPv4 --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
> > >
> > > ... because ebtables-nft will now render meta protocol as "-p IPv4".
> > >
> > > ebtables-legacy does not have any special handling for this.
> > >
> > > Solving this would need more internal annotations during decode, so
> > > we can suppress/ignore "meta protocol" once a "among-type" set is
> > > encountered.
> > >
> > > Any (other) suggestions?
> >
> > Since ebtables among does not support IPv6, match elimination should be
> > pretty simple, no? Entirely untested:
> >
> > diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
> > index 08c93feeba2c9..0daebfd983127 100644
> > --- a/iptables/nft-bridge.c
> > +++ b/iptables/nft-bridge.c
> > @@ -520,6 +520,10 @@ static void nft_bridge_parse_lookup(struct nft_xt_ctx *ctx,
> > if (set_elems_to_among_pairs(among_data->pairs + poff, s, cnt))
> > xtables_error(OTHER_PROBLEM,
> > "ebtables among pair parsing failed");
> > +
> > + if (!(ctx->cs.eb.bitmask & EBT_NOPROTO) &&
> > + ctx->cs.eb.ethproto == htons(0x0800))
> > + ctx->cs.eb.bitmask |= EBT_NOPROTO;
>
> But that would munge
> ebtables-nft -p ipv4 ....
> ebtables-nft ....
>
> We don't know if "-p" was added explicitly or not.
Ah, the infamous explicit vs. implicit problem. :(
Looking at ebt_among.c in kernel, it seems packets which are neither
IPv4 nor ARP are treated as non-matching. Since ebtables-nft doesn't
support ARP with among anyway, can we assume people will not specify '-p
ipv4' when using among?
Cheers, Phil
next prev parent reply other threads:[~2022-12-01 11:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-30 11:37 [RFC ebtables-nft] unify ether type and meta protocol decoding Florian Westphal
2022-11-30 14:47 ` Phil Sutter
2022-12-01 10:16 ` Florian Westphal
2022-12-01 11:40 ` Phil Sutter [this message]
2022-12-20 20:44 ` [iptables RFC] ebtables: among: Embed meta protocol match into set lookup Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y4iSu5DQmxXI5fIh@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).