From: Pablo Neira Ayuso
Subject: Re: libnftnl vlan type filter
Date: Sat, 4 Jul 2020 02:28:47 +0200
Message-ID: <20200704002847.GA1529@salvia>
To: Andreas Hoefler
Cc: netfilter@vger.kernel.org

On Fri, Jul 03, 2020 at 06:45:45AM +0000, Andreas Hoefler wrote:
> Hi
> I am trying to use libnftnl to construct this:
>
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy accept;
>                 vlan type 0x88ba
>         }
> }
>
> I do:
> add_meta(r, NFT_META_IIFTYPE, NFT_REG_1);
> uint32_t iiftype = 1;
> add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &iiftype, sizeof(iiftype));
>
> add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 12, sizeof(uint16_t));
> uint16_t vtype = htons(ETH_P_8021Q);
> add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &vtype, sizeof(vtype));

Is your offset (in bytes) correct?

> add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 16, sizeof(uint16_t));
> uint16_t et = htons(0x88ba);
> add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &et, sizeof(et));
>
> This produces the following rule:
>
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002
>         }
> }
>
> When I manually add the constructed rule:
>
> # nft add rule netdev filter in iiftype ether @ll,96,16 33024 @ll,128,16 35002
>
> then nft list ruleset translates it correctly, so I assume that this rule is built right:
>
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002   <- constructed with code above
>                 vlan type 0x88ba   <- manually added, same rule as above but translated ok
>         }
> }
>
> My questions:
> - What are the correct enums to use for e.g. iiftype = 1;?

ARPHRD_ETHER

> - Is there something like offsetof(struct ???, vlan) which I could use instead of a hardcoded offset?

man 3 offsetof

> - Why does list ruleset show the coded rule differently from the manually added one?

Is your bytecode matching packets? Probably adding a counter would allow
you to check for this.

> - uint16_t vtype = htons(ETH_P_8021Q); seems weird to use htons here, is there another enum I should use?

You can use --debug=netlink to display the bytecode that nft generates:

# nft --debug=netlink add rule x y vlan type 0x88ba
ip
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

Error: Could not process rule: No such file or directory
add rule x y vlan type 0x88ba

Then, compare it with your manually generated bytecode.
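Added example for the thread above; it is not code from libnftnl or from either poster. It derives the two link-layer byte offsets the question hard-codes (12 and 16) with offsetof(), shows how nft prints such raw payload loads in the @ll,<bit offset>,<bit length> form seen in the listing (96 and 128 bits, with 33024 and 35002 being 0x8100 and 0x88ba in decimal), shows why the --debug=netlink output prints the network-order cmp value 0x88ba as 0x0000ba88 on a little-endian host, and runs the same three comparisons over a constructed 802.1Q frame. The structs mirror struct ethhdr from <linux/if_ether.h> and the kernel's struct vlan_hdr (which, to my knowledge, is not exported in the uapi headers, which is why the question found nothing to take offsetof() of); ARPHRD_ETHER and ETH_P_8021Q are copied from <linux/if_arp.h> and <linux/if_ether.h> so the file builds with plain POSIX headers. The helper names (ll_off_tpid, frame_matches, rule_hits and so on) and the sample frame are mine.

```c
/* Added example, not from the thread or libnftnl: offsets, nft's raw
 * payload notation, and a matcher for "vlan type 0x88ba" on a frame. */
#include <arpa/inet.h>   /* htons() */
#include <stddef.h>      /* offsetof() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6
#define ETH_HLEN      14
#define ETH_P_8021Q   0x8100   /* 802.1Q TPID, 33024 decimal (linux/if_ether.h) */
#define ARPHRD_ETHER  1        /* the value behind "iiftype ether" (linux/if_arp.h) */

struct ethhdr {                /* mirrors the uapi struct ethhdr */
    uint8_t  h_dest[ETH_ALEN];
    uint8_t  h_source[ETH_ALEN];
    uint16_t h_proto;          /* network byte order */
};

struct vlan_hdr {              /* mirrors the kernel-internal struct vlan_hdr */
    uint16_t h_vlan_TCI;
    uint16_t h_vlan_encapsulated_proto;   /* the field "vlan type" matches */
};

/* Byte offsets from the start of the link-layer header, i.e. the offset a
 * NFT_PAYLOAD_LL_HEADER payload expression takes in libnftnl. */
static unsigned ll_off_tpid(void)
{
    return (unsigned)offsetof(struct ethhdr, h_proto);                               /* 12 */
}

static unsigned ll_off_vlan_type(void)
{
    return ETH_HLEN + (unsigned)offsetof(struct vlan_hdr, h_vlan_encapsulated_proto); /* 16 */
}

/* nft has no symbolic name for a raw payload load, so `nft list ruleset`
 * prints it as @ll,<bit offset>,<bit length> followed by the value in decimal. */
static const char *raw_rule_text(uint16_t inner_type)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "iiftype ether @ll,%u,16 %u @ll,%u,16 %u",
             ll_off_tpid() * 8, (unsigned)ETH_P_8021Q,
             ll_off_vlan_type() * 8, (unsigned)inner_type);
    return buf;
}

/* The cmp data is two bytes in network order (the reason for htons() in the
 * question). --debug=netlink prints the 32-bit register the bytes land in as
 * a host-order integer, so on a little-endian host 0x88ba reads 0x0000ba88. */
static uint32_t cmp_register_view(uint16_t ethertype)
{
    uint32_t reg = 0;
    uint16_t be = htons(ethertype);
    memcpy(&reg, &be, sizeof be);
    return reg;
}

/* Emulate the rule: iiftype == ether, bytes 12-13 == TPID, bytes 16-17 ==
 * inner_type. Payload bytes are compared as stored, so the expected values
 * must be in network order too; nothing is byte-swapped at match time. */
static int frame_matches(const uint8_t *frame, size_t len,
                         uint16_t iiftype, uint16_t inner_type)
{
    uint16_t tpid = htons(ETH_P_8021Q);
    uint16_t want = htons(inner_type);

    if (iiftype != ARPHRD_ETHER)
        return 0;
    if (len < ll_off_vlan_type() + sizeof want)     /* too short to carry a tag */
        return 0;
    if (memcmp(frame + ll_off_tpid(), &tpid, sizeof tpid) != 0)
        return 0;
    return memcmp(frame + ll_off_vlan_type(), &want, sizeof want) == 0;
}

/* Constructed sample frame (not captured traffic); untagged when vid is 0. */
static size_t build_frame(uint8_t *out, uint16_t vid, uint16_t ethertype)
{
    struct ethhdr eth = {
        .h_dest   = { 0x01, 0x0c, 0xcd, 0x04, 0x00, 0x01 },
        .h_source = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 },
        .h_proto  = htons(vid ? ETH_P_8021Q : ethertype),
    };
    size_t n = sizeof eth;

    memcpy(out, &eth, n);
    if (vid) {
        struct vlan_hdr tag = {
            .h_vlan_TCI = htons(vid & 0x0fff),
            .h_vlan_encapsulated_proto = htons(ethertype),
        };
        memcpy(out + n, &tag, sizeof tag);
        n += sizeof tag;
    }
    return n;
}

/* Build a frame and run the rule over it; returns 1 on a match. */
static int rule_hits(uint16_t iiftype, uint16_t vid, uint16_t ethertype, uint16_t want)
{
    uint8_t frame[32];
    size_t n = build_frame(frame, vid, ethertype);
    return frame_matches(frame, n, iiftype, want);
}

int main(void)
{
    printf("offsets: tpid=%u vlan type=%u\n", ll_off_tpid(), ll_off_vlan_type());
    printf("nft list ruleset form: %s\n", raw_rule_text(0x88ba));
    printf("cmp register view of 0x88ba: 0x%08x\n", cmp_register_view(0x88ba));
    printf("tagged 0x88ba frame:   %d\n", rule_hits(ARPHRD_ETHER, 100, 0x88ba, 0x88ba));
    printf("untagged 0x88ba frame: %d\n", rule_hits(ARPHRD_ETHER, 0, 0x88ba, 0x88ba));
    return 0;
}
```

The untagged case is the one a counter on the rule will expose: a frame whose ethertype is 0x88ba but carries no 802.1Q tag fails the TPID comparison at byte 12, so a rule built from these two raw payload loads only ever hits tagged traffic, which is what "vlan type" means.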