It was not possible to add a rule like:

bridge filter input tcp dport 22 accept

Instead we had to use:

bridge filter input meta l4proto tcp tcp dport 22 accept

or

bridge filter input ether type ip tcp dport 22 accept

As l4proto is available on bridge, we can simply use payload_gen_dependency to generate the addition of the l4proto expression like it is done for inet filtering.

The result is the following netlink message:

bridge filter input
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ cmp eq reg 1 0x00001600 ]
  [ immediate reg 0 accept ]

And it is correctly simplified by delinearize as:

tcp dport 22 accept

This patch also fixes an issue linked to the simplification because

bridge filter input meta l4proto tcp tcp dport 22 accept

was transformed into

bridge filter input tcp dport 22 accept

when read from kernel. So it was not possible to restore the ruleset after adding this type of rules.

Signed-off-by: Eric Leblond <eric@xxxxxxxxx>
---
 src/payload.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/payload.c b/src/payload.c
index 08578fd..e67ef17 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -219,6 +219,9 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
 	case PROTO_BASE_LL_HDR:
 		desc = &proto_eth;
 		break;
+	case PROTO_BASE_TRANSPORT_HDR:
+		desc = &proto_inet_service;
+		break;
 	default:
 		break;
 	}
-- 
2.1.4
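Review bot: the new PROTO_BASE_TRANSPORT_HDR case in payload_gen_dependency is not restricted to the bridge family anywhere in the visible lines, while the commit message motivates it only for bridge rules ("As l4proto is available on bridge"); either state in the commit message that resolving every transport-header payload dependency to proto_inet_service is intended for all families (the message says it mirrors what inet filtering does), or add a one-line comment above the case saying why proto_inet_service is the right descriptor here, since a reader of the switch cannot tell that from "desc = &proto_inet_service;" alone. A comment on the pre-existing "default: break;" would also help, as it silently generates no dependency for any other base.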