Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sun, Nov 29, 2015 at 01:09:29AM +0100, Florian Westphal wrote:
> > Thanks for looking at this. I'll take a closer look tomorrow,
> > your patch works fine for ip version/hdrlength but seems it messes
> > with endianness somewhere.
>
> I forgot to update payload_shift_value() too, to skip the shift when
> not needed, sorry, new patch attached.

Almost there. Again, with Patrick's patch to fix VLAN header:

# src/nft --debug=netlink add rule bridge raw prerouting ether type vlan vlan type ip vlan id 4094 ip version 4 counter
bridge raw prerouting
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000081 ]
  [ payload load 2b @ link header + 16 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ payload load 2b @ link header + 14 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000f00 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000f00 ]
  [ payload load 1b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000040 ]
  [ counter pkts 0 bytes 0 ]

For comparison, master. All looks ok except the bitwise and cmp of vlan id.

# nft --debug=netlink add rule bridge raw prerouting ether type vlan vlan type ip vlan id 4094 ip version 4 counter
bridge raw prerouting
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000081 ]
  [ payload load 2b @ link header + 16 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ payload load 2b @ link header + 14 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x0000ff0f ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x0000fe0f ]
  [ payload load 1b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000040 ]
  [ counter pkts 0 bytes 0 ]
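The mask and compare constants in the dumps above follow from the layout of the header field and from how the debug output prints a register. As an added illustration that is not part of this thread and not nftables code, the script below derives the expected bitwise mask and cmp value for a bitfield inside a big-endian header field (the 12-bit VLAN ID in the 16-bit TCI, and the IP version nibble in the first IPv4 header byte), then renders them the way --debug=netlink prints register contents. It assumes a little-endian host, which is what the 0x0000ff0f / 0x0000fe0f constants in the master dump imply; the function names are the script's own.

```python
import struct


def bitfield_mask(field_bits, bit_offset, bit_len):
    # Mask selecting bit_len bits, counted bit_offset bits from the MSB of a
    # field_bits-wide header field (offsets as they appear in the wire format).
    shift = field_bits - bit_offset - bit_len
    return ((1 << bit_len) - 1) << shift


def field_match(field_bits, bit_offset, bit_len, value):
    # Build (mask, value) as network-order byte strings: that is what the
    # payload expression loads into a register, so the value to compare
    # against must be placed at the bitfield's own position in the field.
    shift = field_bits - bit_offset - bit_len
    mask = bitfield_mask(field_bits, bit_offset, bit_len)
    fmt = {8: ">B", 16: ">H", 32: ">I"}[field_bits]
    return struct.pack(fmt, mask), struct.pack(fmt, (value << shift) & mask)


def reg_as_printed(raw):
    # --debug=netlink prints the register as a u32 in host byte order.
    # Assumption: little-endian host, as in the dumps in this thread.
    return struct.unpack("<I", raw.ljust(4, b"\0"))[0]


def expected_constants(field_bits, bit_offset, bit_len, value):
    mask_b, val_b = field_match(field_bits, bit_offset, bit_len, value)
    return reg_as_printed(mask_b), reg_as_printed(val_b)


def vlan_id_constants(vid):
    # 802.1Q TCI, 16 bits: PCP(3) DEI(1) VID(12); the id is the low 12 bits.
    return expected_constants(16, 4, 12, vid)


def ip_version_constants(version):
    # First IPv4 header byte: version in the high nibble, IHL in the low nibble.
    return expected_constants(8, 0, 4, version)


if __name__ == "__main__":
    m, v = vlan_id_constants(4094)
    print(f"vlan id 4094  : mask 0x{m:08x} cmp 0x{v:08x}")
    m, v = ip_version_constants(4)
    print(f"ip version 4  : mask 0x{m:08x} cmp 0x{v:08x}")
```

Running it reproduces the master constants (mask 0x0000ff0f, cmp 0x0000fe0f for the VLAN id; 0x000000f0 / 0x00000040 for the version nibble), which is the quick check to run against a dump when a payload-expression change touches byte order: the mask must cover exactly the bitfield's bits in network order, and the cmp value must be the id shifted into that same position, not a host-order integer.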