On Wed, Mar 22, 2017 at 08:22:52PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Wed, Mar 22, 2017 at 04:44:00PM +0100, Florian Westphal wrote:
> > > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > > Hm, I wonder why you need this new line in proto_inet_service:
> > > >
> > > > + PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6),
> > >
> > > meta_expr_pctx_update calls proto_find_upper(), without this
> > > that returns NULL and proto base is set to 'unknown'.
> >
> > Oh right.
> >
> > Will this still happen if you tell nft to generate the dependency
> > using meta l4proto instead of ip6 nexthdr?
>
> Yes, tried with
>
> src/nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
> <cmdline>:1:41-51: Error: conflicting protocols specified: unknown vs. icmpv6
>
> and this patch:
>
> diff --git a/src/proto.c b/src/proto.c
> --- a/src/proto.c
> +++ b/src/proto.c
> @@ -707,7 +707,7 @@ const struct proto_desc proto_icmp6 = {
> const struct proto_desc proto_ip6 = {
> .name = "ip6",
> .base = PROTO_BASE_NETWORK_HDR,
> - .protocol_key = IP6HDR_NEXTHDR,
> + .protocol_key = IP6HDR_INVALID,
In order spots, we just remove this line given IP6HDR_INVALID is zero.
I think this may be confusing to newcomers reading the code.
> .protocols = {
> PROTO_LINK(IPPROTO_ESP, &proto_esp),
> PROTO_LINK(IPPROTO_AH, &proto_ah),
> @@ -720,6 +720,7 @@ const struct proto_desc proto_ip6 = {
> PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6),
> },
> .templates = {
> + [IP6HDR_INVALID] = PROTO_META_TEMPLATE("nfproto", &inet_protocol_type, NFT_META_L4PROTO, 8),
We can just use NFT_META_L4PROTO all the time, so we use it from IPv4
too, right?
And use:
[0] = PROTO_META_TEMPLATE(...)
for consistency.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
