From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Andreas Hoefler <andreas.hoefler@hitachi-powergrids.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: libnftnl vlan type filter
Date: Sat, 4 Jul 2020 02:28:47 +0200
Message-ID: <20200704002847.GA1529@salvia>
In-Reply-To: <VI1PR06MB4639357B62CE26537FF54FE6C56A0@VI1PR06MB4639.eurprd06.prod.outlook.com>

On Fri, Jul 03, 2020 at 06:45:45AM +0000, Andreas Hoefler wrote:
> Hi 
> I am trying to use libnftnl to construct this:
> 
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy accept;
>                 vlan type 0x88ba
>         }
> }
> 
> I do :
>     add_meta(r, NFT_META_IIFTYPE, NFT_REG_1);
>     uint32_t iiftype = 1;
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &iiftype, sizeof(iiftype));
> 
>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 12, sizeof(uint16_t));
>     uint16_t vtype = htons(ETH_P_8021Q);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &vtype, sizeof(vtype));

Is your offset (in bytes) correct?

>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 16, sizeof(uint16_t));
>     uint16_t et = htons(0x88ba);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &et, sizeof(et));
> 
> This produces the following rule
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002
>         }
> }
> When I manually add the constructed rule:
> #nft add rule netdev filter in iiftype ether @ll,96,16 33024 @ll,128,16 35002
> 
> then nft list ruleset translates it correctly so I assume that this rule is built right:
> 
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002 <- constructed with code above
>                 vlan type 0x88ba <- manually added, same rule as above but translated ok
>         }
> }
> 
> My questions:
> - What are the correct enums to use for e.g. iiftype = 1;?

ARPHRD_ETHER

> - Is there something like offsetof(struct ???, vlan) which I could use instead of hardcoded offset?

man 3 offsetof

> - Why does list ruleset show the coded rule differently from the manually added one?

Is your bytecode matching packets? Probably adding a counter would
allow you to check for this.

> - uint16_t vtype = htons(ETH_P_8021Q); seems weird to use htons here, is there another enum I should use?

You can use --debug=netlink to display the bytecode that nft
generates:

# nft --debug=netlink add rule x y vlan type 0x88ba 
ip 
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

Error: Could not process rule: No such file or directory
add rule x y vlan type 0x88ba

Then, compare it with your manually generated bytecode.
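As an added example that is not part of this thread and not libnftnl code, the following C program derives the two payload matches behind `vlan type 0x88ba` with offsetof() instead of hardcoded numbers, prints them in the `@ll,<bitoff>,<bitlen> <value>` form that `nft list ruleset` shows in the quoted mail, and applies the same match to two constructed frames, which is an offline way to answer "is your bytecode matching packets?" before adding a counter. It assumes a locally defined `struct vlan_ethhdr` (the kernel's struct of that name is not exported to userspace), takes ARPHRD_ETHER from <net/if_arp.h>, and defines ETH_P_8021Q as a fallback if <linux/if_ether.h> is not included.

```c
/* Added example, not from this thread or from libnftnl: derive the byte
 * offsets and compare values for "vlan type 0x88ba" with offsetof(), render
 * them the way `nft list ruleset` prints raw payload matches
 * (@ll,<bitoff>,<bitlen> <value>), and apply the same match to constructed
 * frames to see which ones it would hit. */
#include <arpa/inet.h>   /* htons, ntohs */
#include <net/if_arp.h>  /* ARPHRD_ETHER */
#include <stddef.h>      /* offsetof */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ETH_P_8021Q
#define ETH_P_8021Q 0x8100   /* 802.1Q TPID, same value as <linux/if_ether.h> */
#endif

/* Assumed layout of a single-tagged Ethernet header. The kernel's
 * struct vlan_ethhdr has these fields but is not exported to userspace,
 * so it is redefined here; all fields are in network byte order. */
struct vlan_ethhdr {
    uint8_t  h_dest[6];
    uint8_t  h_source[6];
    uint16_t h_vlan_proto;               /* TPID, 0x8100 for 802.1Q */
    uint16_t h_vlan_TCI;                 /* PCP / DEI / VID */
    uint16_t h_vlan_encapsulated_proto;  /* ethertype of the tagged payload */
} __attribute__((packed));

/* One "payload load @ link header + offset" followed by "cmp eq value". */
struct ll_match {
    uint32_t offset;    /* byte offset from the link-layer header */
    uint32_t len;       /* bytes loaded (2 for an ethertype) */
    uint16_t value_be;  /* compare value in network order, as add_cmp() copies it */
};

/* The two payload matches behind "vlan type <proto>": TPID, then inner ethertype. */
void vlan_type_matches(uint16_t encap_proto, struct ll_match out[2])
{
    out[0].offset   = offsetof(struct vlan_ethhdr, h_vlan_proto);              /* 12 */
    out[0].len      = sizeof(((struct vlan_ethhdr *)0)->h_vlan_proto);
    out[0].value_be = htons(ETH_P_8021Q);
    out[1].offset   = offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto); /* 16 */
    out[1].len      = sizeof(((struct vlan_ethhdr *)0)->h_vlan_encapsulated_proto);
    out[1].value_be = htons(encap_proto);
}

/* Render one match as nft lists it: bit offset, bit length, host-order decimal value. */
int render_ll_match(const struct ll_match *m, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "@ll,%u,%u %u",
                    (unsigned)(m->offset * 8), (unsigned)(m->len * 8),
                    (unsigned)ntohs(m->value_be));
}

/* Evaluate "iiftype ether" plus both payload matches against a raw frame.
 * A frame too short for a load does not match, like the kernel's payload
 * expression, which breaks the rule when the load runs past the packet. */
int frame_matches(const uint8_t *frame, size_t frame_len, int iiftype,
                  const struct ll_match m[2])
{
    if (iiftype != ARPHRD_ETHER)
        return 0;
    for (int i = 0; i < 2; i++) {
        uint16_t field;
        if (m[i].len != sizeof field || m[i].offset + m[i].len > frame_len)
            return 0;
        memcpy(&field, frame + m[i].offset, sizeof field);  /* unaligned-safe copy */
        if (field != m[i].value_be)
            return 0;
    }
    return 1;
}

/* Constructed sample frames (headers only, no payload): one 802.1Q-tagged
 * frame carrying ethertype 0x88ba on VID 100, and one untagged 0x88ba frame. */
const uint8_t sample_tagged_frame[] = {
    0x01,0x0c,0xcd,0x01,0x00,0x01,  /* dst */
    0x00,0x11,0x22,0x33,0x44,0x55,  /* src */
    0x81,0x00,                      /* TPID 802.1Q */
    0x00,0x64,                      /* TCI: VID 100 */
    0x88,0xba,                      /* inner ethertype */
};
const uint8_t sample_untagged_frame[] = {
    0x01,0x0c,0xcd,0x01,0x00,0x01,
    0x00,0x11,0x22,0x33,0x44,0x55,
    0x88,0xba,                      /* ethertype directly after the MACs */
};

int main(void)
{
    struct ll_match m[2];
    char buf[2][32];

    vlan_type_matches(0x88ba, m);
    render_ll_match(&m[0], buf[0], sizeof buf[0]);
    render_ll_match(&m[1], buf[1], sizeof buf[1]);
    printf("iiftype %d %s %s\n", ARPHRD_ETHER, buf[0], buf[1]);
    printf("tagged frame: %d, untagged frame: %d\n",
           frame_matches(sample_tagged_frame, sizeof sample_tagged_frame, ARPHRD_ETHER, m),
           frame_matches(sample_untagged_frame, sizeof sample_untagged_frame, ARPHRD_ETHER, m));
    return 0;
}
```

The rendered strings equal the `@ll,96,16 33024 @ll,128,16 35002` listing quoted above, so the offsets in the original add_payload() calls are the ones offsetof() produces. The bytes passed to add_cmp() are compared verbatim against the packet, so they must be in network byte order; htons(ETH_P_8021Q) is therefore the right thing to do, and it is why nft prints 33024 (0x8100) for the first match.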


Thread overview: 3+ messages
2020-07-03  6:45 libnftnl vlan type filter Andreas Hoefler
2020-07-04  0:28 ` Pablo Neira Ayuso [this message]
2020-07-07  7:53   ` Andreas Hoefler