On 8/26/2019 10:37 PM, Pablo Neira Ayuso wrote:
> On Mon, Aug 26, 2019 at 09:51:57PM +0800, wenxu wrote:
>> On 2019/8/26 18:26, Pablo Neira Ayuso wrote:
>>> On Fri, Aug 23, 2019 at 09:45:28PM +0800, wenxu@xxxxxxxxx wrote:
>>>> From: wenxu <wenxu@xxxxxxxxx>
>>>>
>>>> This allows you to match the bridge pvid and vlan protocol, for
>>>> instance:
>>>>
>>>>     nft add rule bridge firewall zones meta ibrvproto 0x8100
>>>>     nft add rule bridge firewall zones meta ibrpvid 100
>>> When running python nft-tests.py with -j, I get this here:
>>>
>>> bridge/meta.t: WARNING: line 7: '{"nftables": [{"add": {"rule":
>>> {"table": "test-bridge", "chain": "input", "family": "bridge", "expr":
>>> [{"match": {"op": "==", "right": "0x8100", "left": {"meta": {"key":
>>> "ibrvproto"}}}}]}}}]}': '[{"match": {"left": {"meta": {"key":
>>> "ibrvproto"}}, "op": "==", "right": "0x8100"}}]' mismatches
>>> '[{"match": {"left": {"meta": {"key": "ibrvproto"}}, "op": "==",
>>> "right": 33024}}]'
>>> /tmp/nftables/tests/py/bridge/meta.t.json.output.got:
>>> WARNING: line 2: Wrote JSON output for rule meta ibrvproto 0x8100
>>>
>>> Then, if I type:
>>>
>>>     nft rule x y meta protocol vlan
>>>
>>> Then, printing shows:
>>>
>>>     table ip x {
>>>         chain y {
>>>             meta protocol vlan
>>>         }
>>>     }
>>>
>>> However, with:
>>>
>>>     nft rule x y meta ibrvproto vlan
>>>
>>> I get this:
>>>
>>>     table bridge x {
>>>         chain y {
>>>             meta ibrvproto 0x8100
>>>         }
>>>     }
>>>
>>> I think the problem is that the endianness in the new key definitions
>>> is not correct.
>>>
>>> The br_vlan_get_proto() in the kernel returns a value in network byte
>>> order.
>>>
>>> I think this does not match either then? Because bytecode is
>>> incorrect?
>> The br_vlan_get_proto returns vlan_proto in host byte order.
> Then, that's why ethertype datatype does not work, because it expects
> this network byteorder.

So should I add a new vlanproto datatype for this case? Or convert the
vlanproto to network byteorder in the kernel like what NFT_META_PROTOCOL did?