From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Michal Soltys <msoltyspl@yandex.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: [BUG] "ether type ip" forgotten/implied when listing rules for 'netdev' family
Date: Mon, 23 Feb 2026 20:09:40 +0100
Message-ID: <aZyl9JUreTr9Bw39@chamomile>
In-Reply-To: <6dbbb6b3-da22-4a09-8de7-ec2dc60d179f@yandex.pl>
Hi,
Would you file a bug to netfilter's bugzilla so it is possible to
keep track of this issue?
Thanks.
On Mon, Feb 23, 2026 at 03:57:28PM +0100, Michal Soltys wrote:
> Hi,
>
> While testing the behavior of early filtering in netdev / ingress, I noticed
> something that possibly looks like a bug.
>
> Consider the following: an interface with one vlan, e.g.
>
> ip add add 10.0.0.1/24 dev eno1
> ip li add li eno1 name v250 type vlan id 250
> ip add add 10.10.10.1/24 dev v250
> ip li set eno1 up
> ip li set v250 up
>
>
> Now consider the following simple nft setup:
>
> nft add table netdev efil
> nft add chain netdev efil edev { hook ingress type filter device eno1 priority filter; }
> nft add rule netdev efil edev ether type ip icmp type echo-request counter
> nft add rule netdev efil edev ether type vlan icmp type echo-request counter
> nft add rule netdev efil edev icmp type echo-request counter
>
> These will be listed by nft ruleset list as such:
> table netdev efil {
>   chain edev {
>     type filter hook ingress device "eno1" priority filter;
>     policy accept;
>     icmp type echo-request counter packets 0 bytes 0
>     ether type 8021q icmp type echo-request counter packets 0 bytes 0
>     icmp type echo-request counter packets 0 bytes 0
>   }
> }
>
> Note that the first rule omits the "ether type ip" as if it was 'ip' family
> instead of 'netdev'. So the 1st and the 3rd are listed the same - but they
> work differently.
>
> The first rule will only count plain ip payload, the 2nd rule will count
> only vlan payload, the 3rd will count both. So after 1 ping to 10.10.10.1
> and 1 ping to 10.0.0.1, the effect would be:
>
> table netdev efil {
>   chain edev {
>     type filter hook ingress device "eno1" priority filter;
>     policy accept;
>     icmp type echo-request counter packets 1 bytes 84
>     ether type 8021q icmp type echo-request counter packets 1 bytes 84
>     icmp type echo-request counter packets 2 bytes 168
>   }
> }
>
> Furthermore it seems it's impossible to return to such ruleset via:
>
> - nft list ruleset >rules
> - flush tables
> - nft -f rules
>
> As this time the 1st and the 3rd rule actually will be identical both
> visually and functionally, omitting 'ether type ip' check completely.
>
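An added check, not from the report above and not part of nftables itself: it scans `nft list ruleset` text for netdev-family rules that begin with an L3/L4 match (icmp, ip, tcp, ...) and carry no explicit `ether type`, `meta protocol` or `vlan` qualifier, so a dump in which `ether type ip` was dropped at listing time can be caught before `nft -f` reloads it as the broader rule. The sample listing is constructed from the report, and treating the bridge family the same way as netdev is an assumption.

```python
import re

# Families where an L3/L4 match does not by itself pin the ethertype; the report
# covers netdev, and bridge is included on the same reasoning (assumption).
AMBIGUOUS_FAMILIES = {"netdev", "bridge"}
# Rule beginnings that match at L3/L4. A rule that starts with "ether type",
# "meta protocol" or "vlan" never matches these prefixes and is left alone.
L3_L4_STARTS = ("icmp", "ip ", "ip6 ", "tcp ", "udp ", "sctp ", "meta l4proto")

TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")

# Constructed sample: the listing from the report plus an ip-family table for contrast.
SAMPLE_LISTING = """table netdev efil {
    chain edev {
        type filter hook ingress device "eno1" priority filter;
        policy accept;
        icmp type echo-request counter packets 0 bytes 0
        ether type 8021q icmp type echo-request counter packets 0 bytes 0
        icmp type echo-request counter packets 0 bytes 0
    }
}
table ip filter {
    chain input {
        type filter hook input priority filter; policy accept;
        icmp type echo-request counter packets 0 bytes 0
    }
}
"""

def find_ambiguous_rules(listing):
    """Return (family, table, chain, rule) for each rule in an ambiguous family
    that starts with an L3/L4 match and has no explicit link-layer qualifier."""
    family = table = chain = None
    hits = []
    for raw in listing.splitlines():
        line = raw.strip()
        if (m := TABLE_RE.match(line)):
            family, table, chain = m.group(1), m.group(2), None
        elif (m := CHAIN_RE.match(line)):
            chain = m.group(1)
        elif line == "}":
            # A closing brace ends the open chain, or the table if no chain is open.
            chain, family, table = (None, family, table) if chain else (None, None, None)
        elif chain and family in AMBIGUOUS_FAMILIES and not line.startswith(("type ", "policy ")):
            if line.startswith(L3_L4_STARTS):
                hits.append((family, table, chain, line))
    return hits

if __name__ == "__main__":
    for family, table, chain, rule in find_ambiguous_rules(SAMPLE_LISTING):
        print(f"{family} {table} {chain}: no explicit ether type: {rule}")
```

Run it on `nft list ruleset` output before saving; the two `icmp type echo-request` rules in the report's netdev chain are flagged, while the same rule in an ip-family table is not.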