Re: [PATCH nft v2 0/8] really handle stacked l2 headers

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> series LGTM.
> 
> A few more nits:
> 
> # cat test.nft
> add table netdev x
> add chain netdev x y
> add rule netdev x y ip saddr 1.2.3.4 vlan id 10
> # nft -f test.nft
> test.nft:3:38-44: Error: conflicting protocols specified: ether vs. vlan
> add rule netdev x y ip saddr 1.2.3.4 vlan id 10
>                                      ^^^^^^^

But that's not a regression, right?

> # cat test.nft
> add table netdev x
> add chain netdev x y
> add set netdev x macset { typeof ip saddr . vlan id; flags dynamic,timeout; }
> add rule netdev x y update @macset { ip saddr . vlan id }
> # nft -f test.nft
> test.nft:4:49-55: Error: conflicting protocols specified: ether vs. vlan
> add rule netdev x y update @macset { ip saddr . vlan id }
>                                                 ^^^^^^^
> 
> This is related to an implicit ether dependency.

Yes, it needs two implicit deps.

> If you see a way to fix this incrementally, I'm fine with you pushing
> out this series and then you follow up.

OK, will do that then.

> Another issue: probably it would make sense to bail out when trying to
> use 'vlan id' (and any other vlan fields) from ip/ip6/inet families?
> vlan_do_receive() sets skb->dev to the vlan device, and the vlan
> fields in the skbuff are cleared. In iptables, there is no vlan match
> for this reason.

Thanks for the hint.  Right, so it makes sense to refuse the implicit dep
and/or reject it from eval phase.

I will have a look next week.
