On 12/09/17 08:32, Arturo Borrero Gonzalez wrote:
> On 11 September 2017 at 23:10, Louis Sautier <sautier.louis@xxxxxxxxx> wrote:
>> Hello,
>>
>> I noticed that I can not use "ip protocol tcp" for IPv6, I assume that
>> this is due to IPv6 packets not having a protocol field.
>> However, I also noticed that "meta l4proto tcp" works for IPv4 and it
>> seems to match exactly the same packets as "ip protocol tcp".
>>
>> The only relevant piece of information that I could gather is a message
>> (https://patchwork.ozlabs.org/patch/593221/) stating that (for "meta
>> l4proto" and "ip protocol") "However, the two statements are
>> redundants... the second implies the first".
>>
>>
>> If those expressions are different, what exactly do they use to match
>> packets? Is one more efficient?
>>
>
>
> Both are similar in terms of efficiency.
>
> ip protocol tcp checks the IPv4 header looking for the l4 protocol number.
> meta l4proto tcp checks packet meta information (not header) to know
> about the l4 protocol, regardless of l3 protocol.
>
> Obviously, meta l4proto tcp can be used in IPv4/IPv6 while the first
> only makes sense in IPv4.
> You should read 'ip protocol tcp' as if it was explicit about l3
> protocol, like 'ipv4 protocol tcp': this won't match any IPv6 packet.
>

Thanks for the reply.

So if I understand correctly, "ip protocol" refers to an actual IPv4
packet field whereas "meta" refers to metadata that does not necessarily
have an associated packet field (such as all the unqualified meta
expressions like "skuid").

I guess in the case of IPv4, "meta l4proto" is obtained from the protocol
field whereas in the case of IPv6 it is obtained from the "next header"
field. But it doesn't matter to us because we use this "meta"
abstraction, is that right?
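The distinction discussed in this thread, as an added example that is not part of the original messages and is not nftables or kernel code: a simplified Python model of which bytes "ip protocol" reads and how a family-independent "meta l4proto" value can be derived. The function names, the handling of only three IPv6 extension header types, and the packet bytes are assumptions constructed for illustration.

```python
import struct

TCP = 6
# Extension headers sharing the (next header, length in 8-byte units) layout:
# hop-by-hop options (0), routing (43), destination options (60).
EXT_HEADERS = {0, 43, 60}

def ip_protocol(pkt):
    """Field read by 'ip protocol': byte 9 of an IPv4 header, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return pkt[9]

def ip6_nexthdr(pkt):
    """Next Header byte of the fixed IPv6 header (byte 6), else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    return pkt[6]

def l4proto(pkt):
    """Simplified model of 'meta l4proto': transport protocol for either family."""
    if ip_protocol(pkt) is not None:
        return ip_protocol(pkt)
    nxt, off = ip6_nexthdr(pkt), 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            return None          # truncated extension header chain
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nxt

def ipv6(next_header, payload):
    """Build a constructed IPv6 packet (zeroed addresses, given payload)."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       bytes(16), bytes(16)) + payload

# Constructed sample packets; the 20 zero bytes stand in for a TCP header.
V4_TCP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                     bytes(4), bytes(4)) + bytes(20)
V6_TCP = ipv6(TCP, bytes(20))
# Hop-by-hop header (next header = TCP, length 0, PadN option) before TCP.
V6_HBH_TCP = ipv6(0, bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + bytes(20))

if __name__ == "__main__":
    for name, pkt in [("v4 tcp", V4_TCP), ("v6 tcp", V6_TCP), ("v6 hbh+tcp", V6_HBH_TCP)]:
        print(name, ip_protocol(pkt), ip6_nexthdr(pkt), l4proto(pkt))
```

The third packet is the case worth noting when writing filter rules: the fixed header's Next Header byte names the extension header, not TCP, so only the metadata-style lookup reports the transport protocol.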