Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Fri, Sep 09, 2016 at 12:16:56AM +0200, Florian Westphal wrote:
> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
>
> Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
> BTW, related to payload mangling, Laura sent me this report:
>
> When adding this rule:
>
> # nft add rule netdev filter ingress \
> ip daddr 192.168.0.92 tcp dport 80 \
> ether daddr set 00:03:2d:2b:74:ec fwd to enp3s0
>
> The listing shows:
>
> # nft list ruleset
> table netdev filter {
> chain ingress {
> type filter hook ingress device enp0s25 priority 0; policy accept;
> ip daddr 192.168.0.92 tcp dport http ether daddr set ec:74:2b:2d:03:00 fwd to "enp3s0"
> ^^^^^^^^^^^^^^^^^
>
> Note that the MAC address is reversed, probably something wrong in the
> delinearize path. In case you have some spare cycle, I didn't look at
> this yet.
Too late for now, but it looks like the postprocessing
for payload statements does not set byteorder of the immediate value
(its 0/undefined).
For ip addresses this doesn't matter as 0 is treated like BIG_ENDIAN.
But ether_addr is set as HOST_ENDIAN.
The normal payload expression path contains conversion calls for this
case:
if (tmp->byteorder == BYTEORDER_HOST_ENDIAN)
mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE);
Will check more later today.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
