On 15 July 2019 20:06:39 CEST, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> Given the following bridge rules:
>> 1. ip protocol icmp accept
>> 2. ether type vlan vlan type ip ip protocol icmp accept
>
> No testcase for #2?

The added testcase covers #2 due to the netlink dump check and is thus basically a synonym with respect to the netlink parser.

> So, what happens here is that:
>
>  #1 vlan type ip kills ether type vlan
>  #2 ip protocol icmp kills vlan type ip
>
> right?

Right.

>> + */
>> + if (dep->left->etype == EXPR_PAYLOAD && dep->op == OP_EQ &&
>> + expr->flags & EXPR_F_PROTOCOL &&
>> + expr->payload.base == dep->left->payload.base)
>
> If the current expression is a key (EXPR_F_PROTOCOL expressions tell
> us what comes in the upper layer) and the base of such expression is
> the same as the dependency.
>
> I'd prefer this rule is restricted to vlan, and wait for more similar
> usecases before this rule can be generalized.
>
> OK?

I used nft list ruleset to generate /etc/nftables.conf. In case too few statements are killed, nftables.conf becomes a bit longer, but it is still correct and parseable, although not minimal. In case too many statements are killed, the semantics change on the next reboot or for review, with all kinds of implications. Therefore killing too many statements seems critical, while killing too few seems only like a minor issue. I'd therefore prefer to take the risk of being overly broad here rather than having incorrect information, and thus not restrict this to vlan.

Stacked protocols like ipsec, ipip tunnel or vlan tend to have the same upper layer payload protocol, e.g. udp in ip, udp in ipip or udp in esp/ah. Therefore killing protocol type statements for stacked protocols generally does not look safe to me, as the upper layer will not imply any stacked protocol.

Regards,
M. Braun
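Review bot: the quoted condition only compares `expr->payload.base` with `dep->left->payload.base`; it never checks which protocol descriptor the key in `expr` actually selects, so any EXPR_F_PROTOCOL expression of the same base kills the dependency regardless of whether the upper-layer key implies the lower-layer header that `dep` tested for. If the generalized form is kept, the condition should also compare the protocol that `dep->left` was matching against the one the key implies (or a comment should state why base equality alone is sufficient). As a style point, wrap the bitwise test in parentheses, `(expr->flags & EXPR_F_PROTOCOL) &&`, so the precedence is visible at a glance.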
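The argument in the mail (killing too few statements only costs a longer ruleset, killing too many silently changes what the rule matches) can be turned into a concrete check. The following is an added example, not code from the mail or from nftables: a simplified model in which a rule is a list of field/value matches, and a candidate "kill" is compared against the original rule on constructed packets. Any packet on which the two rules disagree proves the kill changed the semantics. Field names such as `ether.type`, `vlan.type`, `ip.protocol` and `l4.protocol`, the packet set, and the convention that a header field is only present when the lower layer carries that header are assumptions of the model, not nft internals.

```python
"""Differential check of a rule before and after dependency elimination.

Added illustration (not nftables code).  A rule is a list of (field, value)
matches that must all hold.  Packets are dicts; a field is present only when
the lower layer actually carries that header, e.g. vlan.* exists only behind
ether.type == "vlan", and l4.protocol is the transport protocol seen after
any tunnel header (so "udp in ip", "udp in ipip" and "udp in esp" all carry
l4.protocol == "udp").
"""

# Constructed sample packets (assumption: representative, not exhaustive).
PACKETS = [
    {"ether.type": "ip", "ip.protocol": "icmp"},
    {"ether.type": "ip", "ip.protocol": "udp", "l4.protocol": "udp"},
    {"ether.type": "ip", "ip.protocol": "ipip", "l4.protocol": "udp"},
    {"ether.type": "ip", "ip.protocol": "esp", "l4.protocol": "udp"},
    {"ether.type": "vlan", "vlan.type": "ip", "ip.protocol": "icmp"},
    {"ether.type": "vlan", "vlan.type": "ip", "ip.protocol": "udp", "l4.protocol": "udp"},
    {"ether.type": "vlan", "vlan.type": "arp"},
    {"ether.type": "arp"},
]


def matches(rule, packet):
    """True when every match of the rule holds; a missing field never matches."""
    return all(packet.get(field) == value for field, value in rule)


def counterexamples(original, reduced, packets=PACKETS):
    """Packets on which the reduced rule and the original rule disagree."""
    return [p for p in packets if matches(original, p) != matches(reduced, p)]


def kill_safe(original, reduced, packets=PACKETS):
    """A kill is safe only if no sample packet distinguishes the two rules."""
    return not counterexamples(original, reduced, packets)


# The bridge rule from the thread and the two kills Pablo lists (#1, #2),
# plus a hypothetical over-aggressive elimination dropping both lower-layer
# matches at once.
VLAN_ICMP = [("ether.type", "vlan"), ("vlan.type", "ip"), ("ip.protocol", "icmp")]
VLAN_ICMP_KILL_ETHER = [("vlan.type", "ip"), ("ip.protocol", "icmp")]    # #1
VLAN_ICMP_KILL_VLAN = [("ether.type", "vlan"), ("ip.protocol", "icmp")]  # #2
VLAN_ICMP_OVERKILL = [("ip.protocol", "icmp")]

# A stacked tunnel: UDP carried inside IPIP.  The upper-layer key (udp) does
# not imply the tunnel, so killing "ip protocol ipip" changes the rule.
IPIP_UDP = [("ip.protocol", "ipip"), ("l4.protocol", "udp")]
IPIP_UDP_KILLED = [("l4.protocol", "udp")]


if __name__ == "__main__":
    cases = [
        ("vlan: kill ether type vlan", VLAN_ICMP, VLAN_ICMP_KILL_ETHER),
        ("vlan: kill vlan type ip", VLAN_ICMP, VLAN_ICMP_KILL_VLAN),
        ("vlan: drop both lower-layer matches", VLAN_ICMP, VLAN_ICMP_OVERKILL),
        ("ipip: kill ip protocol ipip", IPIP_UDP, IPIP_UDP_KILLED),
    ]
    for name, original, reduced in cases:
        bad = counterexamples(original, reduced)
        print(f"{name}: {'safe' if not bad else 'changes semantics'}")
        for packet in bad:
            print("    differs on", packet)
```

In this model both kills from the thread are safe, because a vlan field can only be present behind an `ether type vlan` frame, while the tunnel kill is not: plain UDP, UDP in esp and tagged UDP all start matching a rule that was written for UDP inside IPIP. The same differential idea applies to the real workflow in the mail: load the original rules, dump them with `nft list ruleset`, and compare the behaviour of the two rulesets on sample traffic before trusting the dump as /etc/nftables.conf.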