Re: [netfilter-core] [PATCH nft v4] src: Support netdev egress hook

On Mon, Jan 25, 2021 at 04:02:50PM +0100, Phil Sutter wrote:
> Hi,
> 
> On Mon, Jan 25, 2021 at 03:31:57PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Jan 25, 2021 at 02:44:32PM +0100, Phil Sutter wrote:
> > > On Mon, Jan 25, 2021 at 02:34:05PM +0100, Florian Westphal wrote:
> > > > Phil Sutter <phil@xxxxxx> wrote:
> > > > > > diff --git a/tests/py/inet/ip.t.payload.netdev b/tests/py/inet/ip.t.payload.netdev
> > > > > > index 95be919..38ed0ad 100644
> > > > > > --- a/tests/py/inet/ip.t.payload.netdev
> > > > > > +++ b/tests/py/inet/ip.t.payload.netdev
> > > > > > @@ -12,3 +12,17 @@ netdev test-netdev ingress
> > > > > >    [ payload load 6b @ link header + 6 => reg 10 ]
> > > > > >    [ lookup reg 1 set __set%d ]
> > > > > >  
> > > > > > +# meta protocol ip ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
> > > > > > +__set%d test-netdev 3
> > > > > > +__set%d test-netdev 0
> > > > > > +	element 01010101 02020202 fecafeca 0000feca  : 0 [end]
> > > > > > +netdev test-netdev egress 
> > > > > > +  [ meta load protocol => reg 1 ]
> > > > > > +  [ cmp eq reg 1 0x00000008 ]
> > > > > > +  [ meta load iiftype => reg 1 ]
> > > >                    ~~~~~~~
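Review bot: the egress expectation ends with `[ meta load iiftype => reg 1 ]`, but a chain hooked at egress is keyed on the outgoing interface, so the expected bytecode here should load `oiftype` (or, since the two hooks generate different dependency expressions, the egress case needs its own payload file rather than sharing `ip.t.payload.netdev`). Minor: the `+netdev test-netdev egress ` line carries trailing whitespace.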
> > > > 
> > > > shouldn't nft add oiftype for egress?
> > > 
> > > Oh, you're right. So I "take everything back and claim the opposite". ;)
> > > To cover for the different dependency expressions, we need to introduce
> > > hook-specific payload files. :/
> > 
> > I'm planning to generalize iftype to check for iiftype from the
> > ingress path and oiftype from the egress path. This check is there to
> > make sure this is an ethernet device. This can be done once this hook
> > hits net-next.
> 
> Maybe a dumb question, but doesn't the meta protocol match suffice? If
> not, can it pass while the following iftype check then fails?

I think so, yes, it should be possible to generate more efficient
bytecode if the rule pulls in the meta protocol. This dependency
should cancel the iftype match dependency.
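The hook-dependent interface-type check and the cancellation proposed above, as an added Python model that is not nft's own code: the instruction strings mimic the test-file format, and the `ARPHRD_ETHER` value and the implicit `meta protocol` dependency for `ip` matches are assumptions of the model.

```python
"""Model of the dependencies nft emits for a netdev-hook rule.

Added example, not nft's own code: a constructed, simplified model of the
behaviour discussed in the thread (iiftype on ingress, oiftype on egress,
and the interface-type check being cancelled once the rule checks the
ethertype via meta protocol). Instruction strings copy the test-file format.
"""
ETH_P_IP = 0x0800   # ethertype matched by `meta protocol ip`
ARPHRD_ETHER = 1    # ARPHRD_ETHER, the kernel's Ethernet interface type


def net16_reg(value):
    """meta protocol is a network-order u16; nft prints the register as the
    wire bytes read as a little-endian word, so 0x0800 shows as 0x00000008."""
    return int.from_bytes(value.to_bytes(2, "big"), "little")


def iftype_key(hook):
    """Ingress rules see the incoming device, egress rules the outgoing one."""
    return {"ingress": "iiftype", "egress": "oiftype"}[hook]


def gen_deps(hook, matches):
    """Return the dependency bytecode emitted before the rule's own payload
    loads. `matches` lists the left-hand expressions the user wrote, e.g.
    ["meta protocol", "ip saddr", "ether saddr"]."""
    code = []
    # An IP payload match needs the ethertype check, whether the user wrote
    # `meta protocol ip` explicitly or nft has to add it as a dependency
    # (assumed behaviour of the model).
    checks_proto = "meta protocol" in matches or any(
        m.startswith("ip ") for m in matches)
    needs_link = any(m.startswith("ether ") for m in matches)
    if checks_proto:
        code += ["[ meta load protocol => reg 1 ]",
                 "[ cmp eq reg 1 0x%08x ]" % net16_reg(ETH_P_IP)]
    if needs_link and not checks_proto:
        # Link-header access requires an Ethernet device. With the ethertype
        # already checked this dependency is redundant, as proposed above.
        # iftype is host order, so it prints as 0x00000001 directly.
        code += ["[ meta load %s => reg 1 ]" % iftype_key(hook),
                 "[ cmp eq reg 1 0x%08x ]" % ARPHRD_ETHER]
    return code
```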
