libnftnl vlan type filter

Linux Netfilter discussions
 help / color / mirror / Atom feed

* libnftnl vlan type filter
@ 2020-07-03  6:45 Andreas Hoefler
  2020-07-04  0:28 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Andreas Hoefler @ 2020-07-03  6:45 UTC (permalink / raw)
  To: netfilter@vger.kernel.org; +Cc: Pablo Neira Ayuso

Hi 
I am trying to use libnftnl to construct this:

table netdev filter {
        chain in {
                type filter hook ingress device pru20 priority 0; policy accept;
                vlan type 0x88ba
        }
}

I do :
    add_meta(r, NFT_META_IIFTYPE, NFT_REG_1);
    uint32_t iiftype = 1;
    add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &iiftype, sizeof(iiftype));

    add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 12, sizeof(uint16_t));
    uint16_t vtype = htons(ETH_P_8021Q);
    add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &vtype, sizeof(vtype));

    add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 16, sizeof(uint16_t));
    uint16_t et = htons(0x88ba);
    add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &et, sizeof(et));

This produces the following rule
table netdev filter {
        chain in {
                type filter hook ingress device pru20 priority 0; policy drop;
                iiftype ether @ll,96,16 33024 @ll,128,16 35002
        }
}
When I manually add the constructed rule:
#nft add rule netdev filter in iiftype ether @ll,96,16 33024 @ll,128,16 35002

then nft list ruleset translates it correctly so I assume that this rule is built right:

table netdev filter {
        chain in {
                type filter hook ingress device pru20 priority 0; policy drop;
                iiftype ether @ll,96,16 33024 @ll,128,16 35002 <- constructed with code above
                vlan type 0x88ba <- manually added,  same rule as above but translated ok
        }
}

My questions:
- What are the correct enums to use for e.g iiftype =1;?
- Is there something like offsetof(struct ???, vlan) which I could use instead of hardcoded offset?
- Why does list ruleset show the coded rule differently from the manually added one?
- uint16_t vtype = htons(ETH_P_8021Q); seems weird to use htons here, is there another enum I should use?

Any help is highly appreaciated.
BR
Andy


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: libnftnl vlan type filter
  2020-07-03  6:45 libnftnl vlan type filter Andreas Hoefler
@ 2020-07-04  0:28 ` Pablo Neira Ayuso
  2020-07-07  7:53   ` Andreas Hoefler
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-04  0:28 UTC (permalink / raw)
  To: Andreas Hoefler; +Cc: netfilter@vger.kernel.org

On Fri, Jul 03, 2020 at 06:45:45AM +0000, Andreas Hoefler wrote:
> Hi 
> I am trying to use libnftnl to construct this:
> 
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy accept;
>                 vlan type 0x88ba
>         }
> }
> 
> I do :
>     add_meta(r, NFT_META_IIFTYPE, NFT_REG_1);
>     uint32_t iiftype = 1;
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &iiftype, sizeof(iiftype));
> 
>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 12, sizeof(uint16_t));
>     uint16_t vtype = htons(ETH_P_8021Q);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &vtype, sizeof(vtype));

Is your offset (in bytes) correct?

>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 16, sizeof(uint16_t));
>     uint16_t et = htons(0x88ba);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &et, sizeof(et));
> 
> This produces the following rule
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002
>         }
> }
> When I manually add the constructed rule:
> #nft add rule netdev filter in iiftype ether @ll,96,16 33024 @ll,128,16 35002
> 
> then nft list ruleset translates it correctly so I assume that this rule is built right:
> 
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002 <- constructed with code above
>                 vlan type 0x88ba <- manually added,  same rule as above but translated ok
>         }
> }
> 
> My questions:
> - What are the correct enums to use for e.g iiftype =1;?

ARPHRD_ETHER

> - Is there something like offsetof(struct ???, vlan) which I could use instead of hardcoded offset?

man 3 offsetof

> - Why does list ruleset show the coded rule differently from the manually added one?

Is your bytecode matching packets? Probably adding a counter would
allow you to check for this.

> - uint16_t vtype = htons(ETH_P_8021Q); seems weird to use htons here, is there another enum I should use?

You can use --debug=netlink to display the bytecode that nft
generates:

# nft --debug=netlink add rule x y vlan type 0x88ba 
ip 
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

Error: Could not process rule: No such file or directory
add rule x y vlan type 0x88ba

Then, compare it with your manually generated bytecode.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: libnftnl vlan type filter
  2020-07-04  0:28 ` Pablo Neira Ayuso
@ 2020-07-07  7:53   ` Andreas Hoefler
  0 siblings, 0 replies; 3+ messages in thread
From: Andreas Hoefler @ 2020-07-07  7:53 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org

Hi

First of all thanks a lot for your comments.

The offset I managed to figure out by looking at the netlink debug printout when adding the corresponding rule (add rule netdev filter in vlan type 0x88ba).
nft --debug=netlink add rule netdev filter in vlan type 0x88ba
netdev filter in
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000081 ]
  [ payload load 2b @ link header + 16 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

What I meant by offsetof() is which struct do I need to use to get the correct offset. Similar to like offsetof(struct iphdr, protocol) it would be nice to have e.g offsetof(struct XX, vlan).

I added a counter to my rule and it seems to match the packets correctly.

table netdev filter {
        chain in {
                type filter hook ingress device pru10 priority 0; policy accept;
                iiftype ether @ll,96,16 33024 @ll,128,16 35002 counter packets 387948 bytes 43450176   <- done via libnftnl
                vlan type 0x88ba counter packets 62428 bytes 6991936    <- done with #nft add rule netdev filter in iiftype ether @ll,96,16 33024 @ll,128,16 35002 counter
        }
}

Any idea why #nft list ruleset shows the two identical rules differently?

Thanks a lot.

BR
Andy


On Fri, Jul 03, 2020 at 06:45:45AM +0000, Andreas Hoefler wrote:
> Hi
> I am trying to use libnftnl to construct this:
>
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy accept;
>                 vlan type 0x88ba
>         }
> }
>
> I do :
>     add_meta(r, NFT_META_IIFTYPE, NFT_REG_1);
>     uint32_t iiftype = 1;
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &iiftype, sizeof(iiftype));
>
>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 12, sizeof(uint16_t));
>     uint16_t vtype = htons(ETH_P_8021Q);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &vtype, sizeof(vtype));

Is your offset (in bytes) correct?

>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 16, sizeof(uint16_t));
>     uint16_t et = htons(0x88ba);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &et, sizeof(et));
>
> This produces the following rule
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002
>         }
> }
> When I manually add the constructed rule:
> #nft add rule netdev filter in iiftype ether @ll,96,16 33024 
> @ll,128,16 35002
>
> then nft list ruleset translates it correctly so I assume that this rule is built right:
>
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002 <- constructed with code above
>                 vlan type 0x88ba <- manually added,  same rule as above but translated ok
>         }
> }
>
> My questions:
> - What are the correct enums to use for e.g iiftype =1;?

ARPHRD_ETHER

> - Is there something like offsetof(struct ???, vlan) which I could use instead of hardcoded offset?

man 3 offsetof

> - Why does list ruleset show the coded rule differently from the manually added one?

Is your bytecode matching packets? Probably adding a counter would allow you to check for this.

> - uint16_t vtype = htons(ETH_P_8021Q); seems weird to use htons here, is there another enum I should use?

You can use --debug=netlink to display the bytecode that nft
generates:

# nft --debug=netlink add rule x y vlan type 0x88ba ip
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

Error: Could not process rule: No such file or directory add rule x y vlan type 0x88ba

Then, compare it with your manually generated bytecode.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-07-07  7:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-07-03  6:45 libnftnl vlan type filter Andreas Hoefler
2020-07-04  0:28 ` Pablo Neira Ayuso
2020-07-07  7:53   ` Andreas Hoefler

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox