On 6/18/2019 6:42 AM, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>>> Subject: Change bridge l3 dependency to meta protocol
>>>
>>> This examines skb->protocol instead of ethernet header type, which
>>> might be different when vlan is involved.
>>>
>>> + if (ctx->pctx.family == NFPROTO_BRIDGE && desc == &proto_eth) {
>>> + if (expr->payload.desc == &proto_ip ||
>>> + expr->payload.desc == &proto_ip6)
>>> + desc = &proto_metaeth;
>>> + }i
>> Is this sufficient to restrict the matching? Is this still buggy from
>> ingress?
> This is what netdev family uses as well (skb->protocol I mean).
> I'm not sure it will work for output however (haven't checked).
>
>> I wonder if an explicit NFT_PAYLOAD_CHECK_VLAN flag would be useful in
>> the kernel, if so we could rename NFTA_PAYLOAD_CSUM_FLAGS to
>> NFTA_PAYLOAD_FLAGS and place it there. Just an idea.
>
> Another unresolved issue is presence of multiple vlan tags, so we might
> have to add yet another meta key to retrieve the l3 protocol in use

Maybe adding a l3proto meta key can handle the multiple vlan tags case with the
l3proto dependency. It should traverse all the vlan tags and find the real l3 proto.
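Review bot: the last line of the quoted hunk, `+ }i`, carries a stray `i` after the closing brace and will not compile as posted; drop the `i`. The branch only replaces the `proto_eth` dependency with `proto_metaeth` when the payload descriptor is `proto_ip` or `proto_ip6`, and since `proto_metaeth` examines skb->protocol, a frame carrying more than one vlan tag (the unresolved case Florian raises) is still not covered; either note that limitation next to the new block or pair it with the proposed l3proto meta key.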
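An added C example, not code from this thread or from nftables, of the traversal the reply describes: it walks stacked 802.1ad/802.1Q tags in a constructed frame until it reaches the real L3 ethertype, which is what a hypothetical l3proto meta key would have to return. The constants, the depth limit and the `eth_l3_proto` name are this example's own assumptions.

```c
/* Added example (not from the thread or nftables): find the real L3
 * ethertype of an Ethernet frame by skipping every stacked vlan tag,
 * instead of trusting the outermost ethertype or skb->protocol. */
#include <stdint.h>
#include <stddef.h>

#define ETH_HLEN        14
#define VLAN_HLEN       4
#define ETH_P_8021Q     0x8100
#define ETH_P_8021AD    0x88A8
#define ETH_P_IP        0x0800
#define MAX_VLAN_DEPTH  8   /* assumption: refuse absurdly deep tag stacks */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the number of vlan tags skipped (>= 0) and stores the inner
 * ethertype in *proto; returns -1 if the frame is truncated before an
 * ethertype can be read or the tag stack exceeds MAX_VLAN_DEPTH. */
int eth_l3_proto(const uint8_t *frame, size_t len, uint16_t *proto)
{
    size_t off = ETH_HLEN - 2;   /* offset of the outermost ethertype field */
    int depth = 0;

    for (;;) {
        uint16_t type;
        if (off + 2 > len)
            return -1;           /* truncated: no ethertype to read */
        type = be16(frame + off);
        if (type != ETH_P_8021Q && type != ETH_P_8021AD) {
            *proto = type;       /* first non-vlan ethertype is the L3 proto */
            return depth;
        }
        if (++depth > MAX_VLAN_DEPTH)
            return -1;
        off += VLAN_HLEN;        /* skip TPID + TCI; next ethertype follows */
    }
}

/* Constructed sample: QinQ frame, 802.1ad outer tag, 802.1Q inner tag, IPv4 inside. */
static const uint8_t sample_qinq[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,   /* dst MAC (constructed) */
    0x66,0x77,0x88,0x99,0xaa,0xbb,   /* src MAC (constructed) */
    0x88,0xa8, 0x00,0x64,            /* 802.1ad TPID, TCI (vid 100) */
    0x81,0x00, 0x00,0x0a,            /* 802.1Q TPID, TCI (vid 10) */
    0x08,0x00,                       /* real L3 ethertype: IPv4 */
    0x45,0x00,0x00,0x14,             /* start of an IPv4 header */
};
```

Reading only the outermost ethertype of `sample_qinq` yields 0x88A8, which is why a dependency keyed on the outer header or a single tag misclassifies the frame.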