Re: [PATCH nft 00/10] nft: exthdr fixes and improvements

Hi Florian,

On Tue, Mar 01, 2016 at 04:37:40PM +0100, Florian Westphal wrote:
> This adds the following enhancements and fixes for the exthdr
> expression.
> 
> #1.  Treat exthdr as if user asked for an ip6 protocol header field,
> i.e. add ipv6 dependency for bridge/netdev/inet family.
> 
> #2.  Add scaling and masking to handle protocol headers that have
> non-byte divisible sizes.
> 
> Tested briefly with the following dummy rules (nf_defrag_ipv6 module not loaded):
> 
> frag frag-off 0 counter packets 40 bytes 59840
> frag frag-off 131 counter packets 0 bytes 0
> frag frag-off 1448 counter packets 0 bytes 0
> frag frag-off 181 counter packets 40 bytes 59840
> frag frag-off > 0 counter packets 120 bytes 148160
> 
> Note that the offsets are *NOT* scaled, i.e. we match the raw values
> contained in the packet.  To match an offset of 1448 one thus needs to
> ask for 181.
> 
> This is the same behaviour as ip hdrlength, where 5 matches a value of 20 bytes.

This looks good to me.

I still think we should move part of this to the evaluation phase so
we catch other corner cases, but we can revisit that later on. Willing
to have a look at this at some point.

Thanks.
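The unscaled frag-off semantics Florian describes above, worked through as an added example that is not part of this thread or of nft's own code: a parser for the IPv6 Fragment extension header that masks out the 13-bit fragment offset as carried in the packet and shows that the raw value 181 corresponds to a 1448-byte offset (8-octet units). The sample header bytes and the rule-matching helper are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IPv6 Fragment extension header (RFC 8200, section 4.5), 8 bytes on the wire:
 *   next header (8) | reserved (8) | fragment offset (13) | res (2) | M (1) | identification (32)
 * The offset is stored in 8-octet units and is not byte-aligned in the 16-bit
 * field, so extracting it needs a mask and a shift; nft matches the raw value,
 * which is why "frag frag-off 181" matches a fragment 1448 bytes into the payload. */
struct frag_hdr_fields {
    uint8_t  nexthdr;
    uint16_t frag_off_raw;   /* 13-bit value exactly as carried in the packet */
    unsigned int more_frags; /* M flag */
    uint32_t identification;
};

/* Parse the header; returns 0 on success, -1 if the buffer is too short. */
int parse_frag_hdr(const uint8_t *buf, size_t len, struct frag_hdr_fields *out)
{
    if (len < 8)
        return -1;
    uint16_t off_field = (uint16_t)(buf[2] << 8 | buf[3]);
    out->nexthdr = buf[0];
    out->frag_off_raw = off_field >> 3;  /* drop the two reserved bits and M */
    out->more_frags = off_field & 0x1;
    out->identification = (uint32_t)buf[4] << 24 | (uint32_t)buf[5] << 16 |
                          (uint32_t)buf[6] << 8 | buf[7];
    return 0;
}

/* Scale the raw fragment offset to a byte offset (8-octet units). */
unsigned int frag_off_bytes(uint16_t raw) { return raw * 8u; }

/* Emulate a rule such as "frag frag-off > 0": compares the raw, unscaled value. */
int rule_frag_off_gt(const uint8_t *buf, size_t len, uint16_t threshold)
{
    struct frag_hdr_fields f;
    if (parse_frag_hdr(buf, len, &f) < 0)
        return 0;
    return f.frag_off_raw > threshold;
}

/* Constructed sample: next header TCP (6), offset 181 (181 << 3 | M=1 = 0x05A9), id 0xdeadbeef. */
static const uint8_t sample_frag_hdr[8] = { 0x06, 0x00, 0x05, 0xA9, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    struct frag_hdr_fields f;
    if (parse_frag_hdr(sample_frag_hdr, sizeof sample_frag_hdr, &f) == 0)
        printf("frag-off raw=%u (%u bytes), M=%u, id=0x%08x\n", f.frag_off_raw,
               frag_off_bytes(f.frag_off_raw), f.more_frags, f.identification);
    return 0;
}
```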