On Tue, Aug 27, 2019 at 02:21:11PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Aug 27, 2019 at 01:35:26PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> > 
> > On Tue, Aug 27, 2019 at 12:49:19PM +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Aug 21, 2019 at 11:26:02AM +0200, Phil Sutter wrote:
> > > [...]
> > > > +/* Make sure previous payload expression(s) is/are consistent and extract if
> > > > + * matching on source or destination address and if matching on MAC and IP or
> > > > + * only MAC address. */
> > > > +static int lookup_analyze_payloads(const struct nft_xt_ctx *ctx,
> > > > +				   bool *dst, bool *ip)
> > > > +{
> > > > +	int val, val2 = -1;
> > > > +
> > > > +	if (ctx->flags & NFT_XT_CTX_PREV_PAYLOAD) {
> > > 
> > > Can you probably achieve this by storing protocol context?
> > > 
> > > Something like storing the current network base in the nft_xt_ctx
> > > structure, rather than the last payload that you have seen.
> > > 
> > > From the context you annotate, among will then find the information
> > > that it needs in the context.
> > > 
> > > We can reuse this context later on to generate native tcp/udp/etc.
> > > matching.
> > 
> > Sorry, I don't understand your approach. With protocol context as it is
> > used in nftables in mind, I don't see how that applies here. For among
> > match, we simply have a payload match for MAC address and optionally a
> > second one for IP address. These are not related apart from the fact
> > that among allows matching only source or only destination addresses.
> > The problem lookup_analyze_payloads() solves is:
> > 
> > 1) Are we matching MAC only or MAC and IP?
> > 2) Are we matching source or destination?
> > 3) Is everything consistent, i.e., no IP match without MAC one and no
> >    mixed source/destination matches?

Ok, so you are storing the last two payload expressions in the nft_xt_ctx
object. Looks fine to me. We might need to revisit this when supporting
native payload matching.

The existing context infrastructure might not be enough if we need to
express more complex things. But that can be done later on.
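Review bot: the header comment on lookup_analyze_payloads() says what the function checks but not what it returns or what *dst and *ip hold when the payload expressions turn out to be inconsistent; since only the first lines of the function are quoted, the return convention (presumably 0 / -1, given the `int` return type) should be stated in the comment. Also, `val` is declared without an initialiser while `val2` starts at -1, so it is worth confirming that every path reading `val` assigns it first.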
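To make the three questions Phil lists concrete, here is an added example (not iptables' own code and not the patch under review) that models the consistency check over the one or two payload expressions preceding an among lookup. The types `pl_match`, `among_info` and the functions `among_analyze()` / `among_classify()` are hypothetical stand-ins for whatever the real translation keeps in `nft_xt_ctx`; the rule set they encode is exactly the one stated in the mail: MAC only or MAC plus IP, source or destination, no IP without MAC, no mixed source/destination.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one payload match as a translator would see it:
 * which header the field lives in and whether it is the destination
 * address. Illustration types only, not iptables' nft_xt_ctx. */
enum pl_base { PL_BASE_LL, PL_BASE_NH };

struct pl_match {
	enum pl_base base; /* PL_BASE_LL: ether header, PL_BASE_NH: IP header */
	bool dst;          /* true: destination address, false: source */
};

/* What an among translation needs to know about its preceding matches. */
struct among_info {
	bool dst; /* matching destination addresses */
	bool ip;  /* matching MAC and IP (true) or MAC only (false) */
};

/* Returns 0 and fills *info when the n payload matches form a consistent
 * among prefix, -1 otherwise. Rejected: no matches or more than two,
 * no MAC match (which covers "IP without MAC"), two matches on the same
 * header, and mixed source/destination. */
int among_analyze(const struct pl_match *m, size_t n, struct among_info *info)
{
	const struct pl_match *mac = NULL, *ip = NULL;
	size_t i;

	if (n < 1 || n > 2)
		return -1;

	for (i = 0; i < n; i++) {
		if (m[i].base == PL_BASE_LL) {
			if (mac)
				return -1; /* two MAC matches */
			mac = &m[i];
		} else if (m[i].base == PL_BASE_NH) {
			if (ip)
				return -1; /* two IP matches */
			ip = &m[i];
		} else {
			return -1;
		}
	}

	if (!mac)
		return -1; /* IP match without a MAC match */
	if (ip && ip->dst != mac->dst)
		return -1; /* mixed source/destination */

	info->dst = mac->dst;
	info->ip = ip != NULL;
	return 0;
}

/* Convenience wrapper: mac_dst / ip_dst are -1 for "no such match",
 * 0 for a source match, 1 for a destination match. Returns -1 on
 * inconsistency, otherwise bit 0 = dst, bit 1 = ip. */
int among_classify(int mac_dst, int ip_dst)
{
	struct pl_match m[2];
	struct among_info info;
	size_t n = 0;

	if (mac_dst >= 0) {
		m[n].base = PL_BASE_LL;
		m[n].dst = mac_dst == 1;
		n++;
	}
	if (ip_dst >= 0) {
		m[n].base = PL_BASE_NH;
		m[n].dst = ip_dst == 1;
		n++;
	}
	if (among_analyze(m, n, &info) < 0)
		return -1;
	return (info.dst ? 1 : 0) | (info.ip ? 2 : 0);
}

int main(void)
{
	/* Constructed cases: MAC src only, MAC+IP dst, IP without MAC,
	 * MAC src with IP dst (mixed). */
	printf("mac src only     -> %d\n", among_classify(0, -1));
	printf("mac+ip dst       -> %d\n", among_classify(1, 1));
	printf("ip without mac   -> %d\n", among_classify(-1, 0));
	printf("mixed src/dst    -> %d\n", among_classify(0, 1));
	return 0;
}
```

The two out-parameters in the real patch (`bool *dst, bool *ip`) correspond to the two fields of `among_info` here; the point of the example is that every rejected combination is an explicit early return, so a caller never sees half-filled output on failure.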