On Tue, Jun 18, 2019 at 10:27:12PM +0800, wenxu wrote:
>
> 在 2019/6/18 17:37, Florian Westphal 写道:
> > wenxu <wenxu@xxxxxxxxx> wrote:
> >> On 6/18/2019 6:42 AM, Florian Westphal wrote:
> >>> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >>>>> Subject: Change bridge l3 dependency to meta protocol
> >>>>>
> >>>>> This examines skb->protocol instead of ethernet header type, which
> >>>>> might be different when vlan is involved.
> >>>>>
> >>>>> + if (ctx->pctx.family == NFPROTO_BRIDGE && desc == &proto_eth) {
> >>>>> + if (expr->payload.desc == &proto_ip ||
> >>>>> + expr->payload.desc == &proto_ip6)
> >>>>> + desc = &proto_metaeth;
> >>>>> + }i
> >>>> Is this sufficient to restrict the matching? Is this still buggy from
> >>>> ingress?
> >>> This is what netdev family uses as well (skb->protocol i mean).
> >>> I'm not sure it will work for output however (haven't checked).
> >>>
> >>>> I wonder if an explicit NFT_PAYLOAD_CHECK_VLAN flag would be useful in
> >>>> the kernel, if so we could rename NFTA_PAYLOAD_CSUM_FLAGS to
> >>>> NFTA_PAYLOAD_FLAGS and place it there. Just an idea.
> >>> Another unresolved issue is presence of multiple vlan tags, so we might
> >>> have to add yet another meta key to retrieve the l3 protocol in use
> >> Maybe add a l3proto meta key can handle the multiple vlan tags case with the l3proto dependency. It
> >> should travese all the vlan tags and find the real l3 proto.
> > Yes, something like this.
> >
> > We also need to audit netdev and bridge expressions (reject is known broken)
> > to handle vlans properly.
> >
> > Still, switching nft to prefer skb->protocol instead of eth_hdr->type
> > for dependencies would be good as this doesn't need kernel changes and solves
> > the immediate problem of 'ip ...' not matching in case of vlan.
> >
> > If you have time, could you check if using skb->protocol works for nft
> > bridge in output, i.e. does 'nft ip protocol icmp' match when its used
> > from bridge output path with meta protocol dependency with and without
> > vlan in use?
>
> I just check the kernel codes and test with the output chain, the
> meta protocol dependency can also work in the outpu chain.
OK.
Florian, would you submit a patch, including a test for this?
Thanks!
