Re: Clarification of the procedure for filtering IP option fields

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Thu, 30 Jan 2025 19:06:58 +0100

On Thu, Jan 30, 2025 at 06:52:52PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Jan 30, 2025 at 06:49:41PM +0100, Pablo Neira Ayuso wrote:
> > Hi,
> > 
> > On Thu, Jan 30, 2025 at 04:52:29PM +0300, Alexey Kashavkin wrote:
> > > Hello, 
> > > 
> > > I am still figuring out the syntax for adding rules to filter IP
> > > options. Please, if anyone has an understanding of how this works
> > > give at least a short reply.
> > 
> > This 'type' field is redundant.
> > 
> > > I understand how the exthdr expression works in the kernel code. But
> > > so far there is still a question about specifying the type field,
> > > what is the purpose of this field here? There is also a question
> > > about other fields, let's take for example the IP option LSRR, it
> > > has an addr field. I assume, knowing this option from RFC791 it
> > > specifies IP addresses, but in the case of nft it is not so, this
> > > field has datatype intereger.
> > 
> > Yes, this should be at least 32-bits.
> 
> Actually, this is 32-bits already:
> 
> # nft describe ip option lsrr addr
> exthdr expression, datatype integer (integer), 32 bits

This is what you mean:

# nft describe ip option lsrr addr
exthdr expression, datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits

diff --git a/src/ipopt.c b/src/ipopt.c
index 37f779d468ab..ddb42f5712d4 100644
--- a/src/ipopt.c
+++ b/src/ipopt.c
@@ -24,7 +24,7 @@ static const struct exthdr_desc ipopt_lsrr = {
 		[IPOPT_FIELD_TYPE]		= PHT("type",    0,  8),
 		[IPOPT_FIELD_LENGTH]		= PHT("length",  8,  8),
 		[IPOPT_FIELD_PTR]		= PHT("ptr",    16,  8),
-		[IPOPT_FIELD_ADDR_0]		= PHT("addr",   24, 32),
+		[IPOPT_FIELD_ADDR_0]		= PROTO_HDR_TEMPLATE("addr", &ipaddr_type, BYTEORDER_BIG_ENDIAN, 24, 32),
 	},
 };
 
@@ -35,7 +35,7 @@ static const struct exthdr_desc ipopt_rr = {
 		[IPOPT_FIELD_TYPE]		= PHT("type",   0,   8),
 		[IPOPT_FIELD_LENGTH]		= PHT("length",  8,  8),
 		[IPOPT_FIELD_PTR]		= PHT("ptr",    16,  8),
-		[IPOPT_FIELD_ADDR_0]		= PHT("addr",   24, 32),
+		[IPOPT_FIELD_ADDR_0]		= PROTO_HDR_TEMPLATE("addr", &ipaddr_type, BYTEORDER_BIG_ENDIAN, 24, 32),
 	},
 };
 
@@ -46,7 +46,7 @@ static const struct exthdr_desc ipopt_ssrr = {
 		[IPOPT_FIELD_TYPE]		= PHT("type",   0,   8),
 		[IPOPT_FIELD_LENGTH]		= PHT("length",  8,  8),
 		[IPOPT_FIELD_PTR]		= PHT("ptr",    16,  8),
-		[IPOPT_FIELD_ADDR_0]		= PHT("addr",   24, 32),
+		[IPOPT_FIELD_ADDR_0]		= PROTO_HDR_TEMPLATE("addr", &ipaddr_type, BYTEORDER_BIG_ENDIAN, 24, 32),
 	},
 };
 
@@ -56,7 +56,7 @@ static const struct exthdr_desc ipopt_ra = {
 	.templates	= {
 		[IPOPT_FIELD_TYPE]		= PHT("type",   0,   8),
 		[IPOPT_FIELD_LENGTH]		= PHT("length", 8,   8),
-		[IPOPT_FIELD_VALUE]		= PHT("value",  16, 16),
+		[IPOPT_FIELD_ADDR_0]		= PROTO_HDR_TEMPLATE("addr", &ipaddr_type, BYTEORDER_BIG_ENDIAN, 24, 32),
 	},
 };
 




