Ahmed Abdelsalam <amsalam20@xxxxxxxxx> wrote:
> > Ahmed Abdelsalam <amsalam20@xxxxxxxxx> wrote:
> > > Type 0 and 2 of the IPv6 Routing extension header are not handled
> > > properly by exthdr_init_raw() in src/exthdr.c
> > >
> > > In order to fix the bug, we extended the "enum nft_exthdr_op" to
> > > differentiate between rt, rt0, and rt2.
> > >
> > > This patch should fix the bug. We tested the patch against the
> > > same configuration reported in the bug and the output is as
> > > shown below.
> > >
> > > table ip6 filter {
> > > chain input {
> > > type filter hook input priority 0; policy accept;
> > > rt0 addr[1] a::2
> > > }
> > > }
> >
> > I think this patch should be solved in userspace only.
> >
> >
> > > + if (desc != NULL && desc->proto_key >= 0) {
> > > + switch (desc->proto_key) {
> > > + case 0:
> > > + expr->exthdr.op = NFT_EXTHDR_OP_RT0;
> >
> > In particular, there is no need to store this in the kernel.
> > I agree that doing it this way is easier, but still ...
> >
> > Here is a minimal patch.
> >
> > I write 'minimal' because it doesn't handle dependency correctly,
> > but it should add correct rt0/rt2 (type was 0...) and also decode
> > rt2 vs. hbh correctly.
> >
>
> I think Routing type 0, 2 and 4 (SRH) shouldn't be implemented as
> an extension to General IPv6 routing header.
>
> I agree they share some fields, but Routing header is just a template.
> In the real world, we use either routing type 0, 2, or 4.

OK.

> I think, if I, as a user of nftables, want to write an nft rule for routing type_0,
> I would prefer to write as below
>
> $ nft add rule ip6 filter input rt0 nexthdr 6 rt0 seg-left 2 rt0 hdrlength rt0 addr [1]A::2

This should insert a 'rt0 type 0' check too, right (as a dependency to not
match other route header type).

> Instead, using the current implementation, I will need to write half of the rule using rt
> and the second half with rt0. Something like
>
> $ nft add rule ip6 filter input rt nexthdr 6 rt seg-left 2 rt hdrlength rt0 addr [1]A::2

Right, that looks ugly indeed.

> If you agree, I think we should extend the templates of exthdr_rt0 and exthdr_rt2.
> I can send another patch also for routing type 4.

Would be good, thanks.
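
Review bot: in the quoted hunk, `case 0:` under `switch (desc->proto_key)` compares against a bare literal; a named constant would make it clear that the value selects routing type 0 and is not an index. The assignment `expr->exthdr.op = NFT_EXTHDR_OP_RT0;` also folds the routing type into the operation value, which per the commit message requires extending `enum nft_exthdr_op`; keeping the type as a separate match on the header's type field would leave the enum unchanged. The visible lines show no default branch, so it is worth confirming what `op` holds for a `proto_key` that none of the cases handle.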
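
The 'rt0 type 0' dependency mentioned in the thread, as an added example that is not part of the original messages and is not nftables code: type 0 and type 2 routing headers both place their first address at offset 8, so an offset-only comparison also matches a type 2 header. The names `rt_addr1_match` and `demo_match` are hypothetical and the headers are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 Routing header, fixed part (RFC 8200): next header, hdr ext len,
 * routing type, segments left. In type 0 and type 2 headers, 4 reserved
 * bytes follow and the first address starts at offset 8. */
enum { RT_HDRLEN = 1, RT_TYPE = 2, RT_ADDR1 = 8, ADDR_LEN = 16, RT_LEN = 24 };

/* Constructed sample address a::2, as in the ruleset quoted in the thread. */
static const uint8_t ADDR_A2[ADDR_LEN] = { 0x00, 0x0a, [15] = 0x02 };

/* Compare the 16 bytes at offset 8 with addr. want_type >= 0 adds the
 * dependency: the Routing Type byte must match first. want_type < 0
 * models an offset-only match with no dependency. */
static int rt_addr1_match(const uint8_t *hdr, size_t len,
                          const uint8_t *addr, int want_type)
{
    if (len < 8)
        return 0;
    size_t total = ((size_t)hdr[RT_HDRLEN] + 1) * 8; /* length in bytes */
    if (total > len || total < RT_ADDR1 + ADDR_LEN)
        return 0;                    /* truncated or carries no address */
    if (want_type >= 0 && hdr[RT_TYPE] != want_type)
        return 0;                    /* other routing type: no match */
    return memcmp(hdr + RT_ADDR1, addr, ADDR_LEN) == 0;
}

/* Build a constructed 24-byte routing header of the given type whose
 * first address is a::2, then run the matcher on it. */
static int demo_match(uint8_t hdr_type, int want_type)
{
    uint8_t hdr[RT_LEN] = { 6 /* next header: TCP */, 2 /* (2+1)*8 = 24 */,
                            hdr_type, 1 /* segments left */ };
    memcpy(hdr + RT_ADDR1, ADDR_A2, ADDR_LEN);
    return rt_addr1_match(hdr, sizeof(hdr), ADDR_A2, want_type);
}

int main(void)
{
    printf("rt0 header, type check: %d\n", demo_match(0, 0));
    printf("rt2 header, type check: %d\n", demo_match(2, 0));
    printf("rt2 header, no check:   %d\n", demo_match(2, -1));
    return 0;
}
```
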