RE: libnftnl vlan type filter

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi

First of all thanks a lot for your comments.

The offset I managed to figure out by looking at the netlink debug printout when adding the corresponding rule (add rule netdev filter in vlan type 0x88ba).
nft --debug=netlink add rule netdev filter in vlan type 0x88ba
netdev filter in
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000081 ]
  [ payload load 2b @ link header + 16 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

What I meant by offsetof() is which struct do I need to use to get the correct offset. Similar to like offsetof(struct iphdr, protocol) it would be nice to have e.g offsetof(struct XX, vlan).

I added a counter to my rule and it seems to match the packets correctly.

table netdev filter {
        chain in {
                type filter hook ingress device pru10 priority 0; policy accept;
                iiftype ether @ll,96,16 33024 @ll,128,16 35002 counter packets 387948 bytes 43450176   <- done via libnftnl
                vlan type 0x88ba counter packets 62428 bytes 6991936    <- done with #nft add rule netdev filter in iiftype ether @ll,96,16 33024 @ll,128,16 35002 counter
        }
}

Any idea why #nft list ruleset shows the two identical rules differently?

Thanks a lot.

BR
Andy


On Fri, Jul 03, 2020 at 06:45:45AM +0000, Andreas Hoefler wrote:
> Hi
> I am trying to use libnftnl to construct this:
>
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy accept;
>                 vlan type 0x88ba
>         }
> }
>
> I do :
>     add_meta(r, NFT_META_IIFTYPE, NFT_REG_1);
>     uint32_t iiftype = 1;
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &iiftype, sizeof(iiftype));
>
>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 12, sizeof(uint16_t));
>     uint16_t vtype = htons(ETH_P_8021Q);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &vtype, sizeof(vtype));

Is your offset (in bytes) correct?

>     add_payload(r, NFT_PAYLOAD_LL_HEADER, NFT_REG_1, 16, sizeof(uint16_t));
>     uint16_t et = htons(0x88ba);
>     add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &et, sizeof(et));
>
> This produces the following rule
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002
>         }
> }
> When I manually add the constructed rule:
> #nft add rule netdev filter in iiftype ether @ll,96,16 33024 
> @ll,128,16 35002
>
> then nft list ruleset translates it correctly so I assume that this rule is built right:
>
> table netdev filter {
>         chain in {
>                 type filter hook ingress device pru20 priority 0; policy drop;
>                 iiftype ether @ll,96,16 33024 @ll,128,16 35002 <- constructed with code above
>                 vlan type 0x88ba <- manually added,  same rule as above but translated ok
>         }
> }
>
> My questions:
> - What are the correct enums to use for e.g iiftype =1;?

ARPHRD_ETHER

> - Is there something like offsetof(struct ???, vlan) which I could use instead of hardcoded offset?

man 3 offsetof

> - Why does list ruleset show the coded rule differently from the manually added one?

Is your bytecode matching packets? Probably adding a counter would allow you to check for this.

> - uint16_t vtype = htons(ETH_P_8021Q); seems weird to use htons here, is there another enum I should use?

You can use --debug=netlink to display the bytecode that nft
generates:

# nft --debug=netlink add rule x y vlan type 0x88ba ip
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 2b @ link header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000ba88 ]

Error: Could not process rule: No such file or directory add rule x y vlan type 0x88ba

Then, compare it with your manually generated bytecode.




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux