* [PATCH nft 0/4] Add support for 8021.AD frame matching
@ 2021-04-01 14:08 Florian Westphal
  2021-04-01 14:08 ` [PATCH nft 1/4] src: vlan: allow matching vlan id insider 802.1ad frame Florian Westphal
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Florian Westphal @ 2021-04-01 14:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This allows matching vlan frames with 8021.AD ("QinQ") type.

Plain 'vlan id 1' will imply 8021Q, just as before, so explicit
type specification is needed.
This in turn makes it necessary to extend dependency removal so that
it will not auto-remove 8021ad check.

Add test case to make sure dependencies are generated correctly,
this includes checks for 'vlan id 2' in a 'vlan id 1' vlan tag stack.

Florian Westphal (4):
  src: vlan: allow matching vlan id insider 802.1ad frame
  proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type
  payload: be careful on vlan dependency removal
  tests: add 8021.AD vlan test cases

 src/payload.c                         |  29 ++++-
 src/proto.c                           |   4 +
 src/scanner.l                         |   1 +
 tests/py/bridge/vlan.t                |   5 +
 tests/py/bridge/vlan.t.json           | 176 ++++++++++++++++++++++++++
 tests/py/bridge/vlan.t.json.output    | 173 +++++++++++++++++++++++++
 tests/py/bridge/vlan.t.payload        |  45 +++++++
 tests/py/bridge/vlan.t.payload.netdev |  51 ++++++++
 8 files changed, 481 insertions(+), 3 deletions(-)

-- 
2.26.3



* [PATCH nft 1/4] src: vlan: allow matching vlan id insider 802.1ad frame
  2021-04-01 14:08 [PATCH nft 0/4] Add support for 8021.AD frame matching Florian Westphal
@ 2021-04-01 14:08 ` Florian Westphal
  2021-04-01 14:08 ` [PATCH nft 2/4] proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type Florian Westphal
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2021-04-01 14:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This makes "ether type 0x88a8 vlan id 342" work.

Before this change, nft would still insert a dependency on 802.1q so the
rule would never match.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/proto.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/proto.c b/src/proto.c
index b75626df2861..b6466f8b65d4 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -1027,6 +1027,7 @@ const struct proto_desc proto_vlan = {
 		PROTO_LINK(__constant_htons(ETH_P_ARP),		&proto_arp),
 		PROTO_LINK(__constant_htons(ETH_P_IPV6),	&proto_ip6),
 		PROTO_LINK(__constant_htons(ETH_P_8021Q),	&proto_vlan),
+		PROTO_LINK(__constant_htons(ETH_P_8021AD),	&proto_vlan),
 
 	},
 	.templates	= {
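Review bot: the new ETH_P_8021AD entry in proto_vlan's own protocol list
also lets an 802.1ad tag follow another vlan header (a 'vlan type 0x88a8'
stack), which the commit message does not mention; it only describes
'ether type 0x88a8 vlan id 342'. Either say so in the changelog or add a
test for that ordering, since the cases in 4/4 only put 8021ad on the
outside.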
@@ -1099,6 +1100,7 @@ const struct proto_desc proto_eth = {
 		PROTO_LINK(__constant_htons(ETH_P_ARP),		&proto_arp),
 		PROTO_LINK(__constant_htons(ETH_P_IPV6),	&proto_ip6),
 		PROTO_LINK(__constant_htons(ETH_P_8021Q),	&proto_vlan),
+		PROTO_LINK(__constant_htons(ETH_P_8021AD),	&proto_vlan),
 	},
 	.templates	= {
 		[ETHHDR_DADDR]		= ETHHDR_ADDR("daddr", ether_dhost),
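Review bot: proto_eth now has two entries pointing at &proto_vlan, so any
lookup from proto_vlan back to an ether type has two candidates. The cover
letter promises that a plain 'vlan id 1' keeps implying 8021Q; if that
depends on ETH_P_8021Q being listed first, a comment here saying the order
matters would keep a later reshuffle from silently changing the generated
dependency.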
@@ -1124,6 +1126,7 @@ const struct proto_desc proto_netdev = {
 		PROTO_LINK(__constant_htons(ETH_P_ARP),		&proto_arp),
 		PROTO_LINK(__constant_htons(ETH_P_IPV6),	&proto_ip6),
 		PROTO_LINK(__constant_htons(ETH_P_8021Q),	&proto_vlan),
+		PROTO_LINK(__constant_htons(ETH_P_8021AD),	&proto_vlan),
 	},
 	.templates	= {
 		[0]	= PROTO_META_TEMPLATE("protocol", &ethertype_type, NFT_META_PROTOCOL, 16),
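Review bot: missing test for the rule this patch claims to fix. The commit
message's example 'ether type 0x88a8 vlan id 342' uses the numeric type,
while the cases added in 4/4 all use the '8021ad' mnemonic. Adding the
numeric form to the bridge and netdev tests would cover the proto_eth and
proto_netdev links on their own.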
-- 
2.26.3



* [PATCH nft 2/4] proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type
  2021-04-01 14:08 [PATCH nft 0/4] Add support for 8021.AD frame matching Florian Westphal
  2021-04-01 14:08 ` [PATCH nft 1/4] src: vlan: allow matching vlan id insider 802.1ad frame Florian Westphal
@ 2021-04-01 14:08 ` Florian Westphal
  2021-04-01 14:08 ` [PATCH nft 3/4] payload: be careful on vlan dependency removal Florian Westphal
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2021-04-01 14:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/proto.c   | 1 +
 src/scanner.l | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/proto.c b/src/proto.c
index b6466f8b65d4..67c519be1382 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -1058,6 +1058,7 @@ static const struct symbol_table ethertype_tbl = {
 		SYMBOL("arp",		__constant_htons(ETH_P_ARP)),
 		SYMBOL("ip6",		__constant_htons(ETH_P_IPV6)),
 		SYMBOL("vlan",		__constant_htons(ETH_P_8021Q)),
+		SYMBOL("8021ad",	__constant_htons(ETH_P_8021AD)),
 		SYMBOL_LIST_END
 	},
 };
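Review bot: missing changelog and documentation for the new keyword. The
message body has only tags, and the diffstat touches src/proto.c and
src/scanner.l only. Please state that 'ether type 8021ad' is now accepted,
whether 0x88a8 will be listed as 8021ad from now on, and document the
mnemonic next to the other ether types.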
diff --git a/src/scanner.l b/src/scanner.l
index b4e7cf199ccd..9eb79d2d2454 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -422,6 +422,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 	"cfi"		{ return CFI; }
 	"pcp"		{ return PCP; }
 }
+"8021ad"		{ yylval->string = xstrdup(yytext); return STRING; }
 
 "arp"			{ scanner_push_start_cond(yyscanner, SCANSTATE_ARP); return ARP; }
 <SCANSTATE_ARP>{
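Review bot: the "8021ad" rule needs a comment saying why a literal scanner
rule is required for what is otherwise a symbol-table entry. It returns
STRING with a copy of yytext, presumably because a token that starts with a
digit is not matched by the generic string pattern. It is also placed
outside the start-condition block that closes just above it; please confirm
that the scope is intended.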
-- 
2.26.3



* [PATCH nft 3/4] payload: be careful on vlan dependency removal
  2021-04-01 14:08 [PATCH nft 0/4] Add support for 8021.AD frame matching Florian Westphal
  2021-04-01 14:08 ` [PATCH nft 1/4] src: vlan: allow matching vlan id insider 802.1ad frame Florian Westphal
  2021-04-01 14:08 ` [PATCH nft 2/4] proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type Florian Westphal
@ 2021-04-01 14:08 ` Florian Westphal
  2021-04-01 14:08 ` [PATCH nft 4/4] tests: add 8021.AD vlan test cases Florian Westphal
  2021-04-02 10:54 ` [PATCH nft 5/4] proto: replace vlan ether type with 8021q Florian Westphal
  4 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2021-04-01 14:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

'vlan ...' implies 8021Q frame.  In case the expression tests something else
(802.1AD for example) it's not an implicitly added one, so keep it.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/payload.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/src/payload.c b/src/payload.c
index a77ca5500550..cfa952248a15 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -661,6 +661,24 @@ static bool payload_may_dependency_kill_icmp(struct payload_dep_ctx *ctx, struct
 	return ctx->icmp_type == icmp_type;
 }
 
+static bool payload_may_dependency_kill_ll(struct payload_dep_ctx *ctx, struct expr *expr)
+{
+	const struct expr *dep = ctx->pdep->expr;
+
+	/* Never remove a 'vlan type 0x...' expression, they are never added implicitly */
+	if (dep->left->payload.desc == &proto_vlan)
+		return false;
+
+	/* 'vlan id 2' implies 'ether type 8021Q'. If a different protocol is
+	 * tested, this is not a redundant expression.
+	 */
+	if (dep->left->payload.desc == &proto_eth &&
+	    dep->right->etype == EXPR_VALUE && dep->right->len == 16)
+		return mpz_get_uint16(dep->right->value) == ETH_P_8021Q;
+
+	return true;
+}
+
 static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
 					unsigned int family, struct expr *expr)
 {
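Review bot: the 'expr' argument of payload_may_dependency_kill_ll() is
never used in the body; drop it or use it. Also, the first check returns
false for any dependency whose left side is a proto_vlan field, which is
wider than the comment's 'vlan type 0x...'. Finally, the comparison is
against ETH_P_8021Q in host order while proto.c registers the type as
__constant_htons(ETH_P_8021Q), so a short note on the byte order of
dep->right->value would help the reader.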
@@ -689,9 +707,14 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
 		 * for stacked protocols if we only have protcol type matches.
 		 */
 		if (dep->left->etype == EXPR_PAYLOAD && dep->op == OP_EQ &&
-		    expr->flags & EXPR_F_PROTOCOL &&
-		    expr->payload.base == dep->left->payload.base)
-			return false;
+		    expr->payload.base == dep->left->payload.base) {
+			if (expr->flags & EXPR_F_PROTOCOL)
+				return false;
+
+			if (expr->payload.base == PROTO_BASE_LL_HDR)
+				return payload_may_dependency_kill_ll(ctx, expr);
+		}
+
 		break;
 	}
 
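Review bot: the comment above this condition still describes only the
protocol type match case, but the block now also decides link-layer
dependencies through payload_may_dependency_kill_ll(). Extend the comment
to cover the PROTO_BASE_LL_HDR branch, and say that when the bases match
but neither inner test applies the code falls through to 'break'.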
-- 
2.26.3



* [PATCH nft 4/4] tests: add 8021.AD vlan test cases
  2021-04-01 14:08 [PATCH nft 0/4] Add support for 8021.AD frame matching Florian Westphal
                   ` (2 preceding siblings ...)
  2021-04-01 14:08 ` [PATCH nft 3/4] payload: be careful on vlan dependency removal Florian Westphal
@ 2021-04-01 14:08 ` Florian Westphal
  2021-04-02 10:54 ` [PATCH nft 5/4] proto: replace vlan ether type with 8021q Florian Westphal
  4 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2021-04-01 14:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Check nft doesn't remove the explicit '8021ad' type check and that
the expected dependency chains are generated.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/py/bridge/vlan.t                |   5 +
 tests/py/bridge/vlan.t.json           | 176 ++++++++++++++++++++++++++
 tests/py/bridge/vlan.t.json.output    | 173 +++++++++++++++++++++++++
 tests/py/bridge/vlan.t.payload        |  45 +++++++
 tests/py/bridge/vlan.t.payload.netdev |  51 ++++++++
 5 files changed, 450 insertions(+)

diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
index 7a52a5020efa..8553ba56351d 100644
--- a/tests/py/bridge/vlan.t
+++ b/tests/py/bridge/vlan.t
@@ -34,6 +34,11 @@ vlan id { 1, 2, 4, 100, 4096 };fail
 
 ether type vlan ip protocol 1 accept;ok
 
+# IEEE 802.1AD
+ether type 8021ad vlan id 1 ip protocol 6 accept;ok
+ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter;ok
+ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6;ok;ether type 8021ad vlan id 1 vlan type vlan vlan id 2 ip protocol 6
+
 # illegal dependencies
 ether type ip vlan id 1;fail
 ether type ip vlan id 1 ip saddr 10.0.0.1;fail
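Review bot: missing negative and reverse-order cases. All three new rules
put 8021ad on the outer tag; a rule with the tags the other way round, and
one asserting that a bare 'vlan id 1' still lists without an explicit ether
type match, would pin down the 'plain vlan implies 8021Q' behaviour the
cover letter relies on.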
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
index 3fb2e4f71c75..8eab271d790b 100644
--- a/tests/py/bridge/vlan.t.json
+++ b/tests/py/bridge/vlan.t.json
@@ -530,3 +530,179 @@
     }
 ]
 
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "vlan"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "counter": {
+            "bytes": 0,
+            "packets": 0
+        }
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "vlan"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "tcp"
+        }
+    }
+]
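Review bot: the first and third cases are headed 'ip protocol 6' but their
JSON uses "right": "tcp", while vlan.t.json.output expects 6. Use 6 in the
input too, or say why the symbolic form is wanted here, so that the header
and body of each case agree.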
diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output
index 8f27ec0e7aad..a2cc212ea314 100644
--- a/tests/py/bridge/vlan.t.json.output
+++ b/tests/py/bridge/vlan.t.json.output
@@ -29,3 +29,176 @@
     }
 ]
 
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "vlan"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "counter": null
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "vlan"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    }
+]
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
index 2f045d18e564..f60c752de401 100644
--- a/tests/py/bridge/vlan.t.payload
+++ b/tests/py/bridge/vlan.t.payload
@@ -209,3 +209,48 @@ bridge test-bridge input
   [ cmp eq reg 1 0x00000001 ]
   [ immediate reg 0 accept ]
 
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 0 accept ]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
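Review bot: in the third case the bytecode still loads link header + 20 and
compares against 0x00000008, the same 'vlan type ip' match as in the second
case, although the expected listing in vlan.t leaves it out. That looks
like the point of the test, so say so in a comment in vlan.t: the match is
kept in the generated rule and only dropped when listing.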
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
index 9d1fe557c7ac..94ca6867c271 100644
--- a/tests/py/bridge/vlan.t.payload.netdev
+++ b/tests/py/bridge/vlan.t.payload.netdev
@@ -245,3 +245,54 @@ netdev test-netdev ingress
   [ cmp eq reg 1 0x00000001 ]
   [ immediate reg 0 accept ]
 
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 0 accept ]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
-- 
2.26.3



* [PATCH nft 5/4] proto: replace vlan ether type with 8021q
  2021-04-01 14:08 [PATCH nft 0/4] Add support for 8021.AD frame matching Florian Westphal
                   ` (3 preceding siblings ...)
  2021-04-01 14:08 ` [PATCH nft 4/4] tests: add 8021.AD vlan test cases Florian Westphal
@ 2021-04-02 10:54 ` Florian Westphal
  4 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2021-04-02 10:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso

Previous patches added "8021ad" mnemonic for IEEE 802.1AD frame type.
This adds the 8021q shorthand for the existing 'vlan' frame type.

nft will continue to recognize 'ether type vlan', but listing
will now print 8021q.

Adjust all test cases accordingly.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/proto.c                           |  5 ++++-
 src/scanner.l                         |  1 +
 tests/py/any/meta.t                   |  4 ++--
 tests/py/any/meta.t.json              |  4 ++--
 tests/py/any/meta.t.json.output       |  6 +++---
 tests/py/any/meta.t.payload           |  2 +-
 tests/py/bridge/meta.t                |  2 +-
 tests/py/bridge/meta.t.json           |  2 +-
 tests/py/bridge/reject.t              |  6 +++---
 tests/py/bridge/reject.t.json         |  6 +++---
 tests/py/bridge/reject.t.json.output  |  3 +--
 tests/py/bridge/reject.t.payload      |  2 +-
 tests/py/bridge/vlan.t                |  6 +++---
 tests/py/bridge/vlan.t.json           |  8 ++++----
 tests/py/bridge/vlan.t.json.output    | 10 +++++-----
 tests/py/bridge/vlan.t.payload        |  4 ++--
 tests/py/bridge/vlan.t.payload.netdev |  4 ++--
 17 files changed, 39 insertions(+), 36 deletions(-)

diff --git a/src/proto.c b/src/proto.c
index 67c519be1382..63727605a20a 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -1057,8 +1057,11 @@ static const struct symbol_table ethertype_tbl = {
 		SYMBOL("ip",		__constant_htons(ETH_P_IP)),
 		SYMBOL("arp",		__constant_htons(ETH_P_ARP)),
 		SYMBOL("ip6",		__constant_htons(ETH_P_IPV6)),
-		SYMBOL("vlan",		__constant_htons(ETH_P_8021Q)),
+		SYMBOL("8021q",		__constant_htons(ETH_P_8021Q)),
 		SYMBOL("8021ad",	__constant_htons(ETH_P_8021AD)),
+
+		/* for compatibility with older versions */
+		SYMBOL("vlan",		__constant_htons(ETH_P_8021Q)),
 		SYMBOL_LIST_END
 	},
 };
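Review bot: ETH_P_8021Q now has two names in ethertype_tbl, and the
changelog says listing will print 8021q, so the result depends on "8021q"
being found before "vlan". Extend the comment to say the compatibility
entry must stay after the preferred name. The changelog should also warn
that anything parsing listing output for 'ether type vlan' will see
different text.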
diff --git a/src/scanner.l b/src/scanner.l
index 9eb79d2d2454..a9232db8978e 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -423,6 +423,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 	"pcp"		{ return PCP; }
 }
 "8021ad"		{ yylval->string = xstrdup(yytext); return STRING; }
+"8021q"			{ yylval->string = xstrdup(yytext); return STRING; }
 
 "arp"			{ scanner_push_start_cond(yyscanner, SCANSTATE_ARP); return ARP; }
 <SCANSTATE_ARP>{
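Review bot: this is a second literal rule with an action identical to the
"8021ad" one above it. Fold them into one pattern ("8021ad"|"8021q") so
that the next mnemonic starting with a digit does not need a third copy of
the same action.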
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 7b5825051c8a..0b894cce19c8 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -20,8 +20,8 @@ meta length != { 33, 55, 67, 88};ok
 meta length { 33-55, 66-88};ok
 meta length != { 33-55, 66-88};ok
 
-meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, vlan, arp}
-meta protocol != {ip, arp, ip6, vlan};ok
+meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, 8021q, arp}
+meta protocol != {ip, arp, ip6, 8021q};ok
 meta protocol ip;ok
 meta protocol != ip;ok
 
diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json
index 47dc0724d0b8..1a98843c7b0e 100644
--- a/tests/py/any/meta.t.json
+++ b/tests/py/any/meta.t.json
@@ -199,7 +199,7 @@
     }
 ]
 
-# meta protocol != {ip, arp, ip6, vlan}
+# meta protocol != {ip, arp, ip6, 8021q}
 [
     {
         "match": {
@@ -212,7 +212,7 @@
                     "ip",
                     "arp",
                     "ip6",
-                    "vlan"
+                    "8021q"
                 ]
             }
         }
diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output
index 74b934b84839..4e9e669fdbc3 100644
--- a/tests/py/any/meta.t.json.output
+++ b/tests/py/any/meta.t.json.output
@@ -10,7 +10,7 @@
                 "set": [
                     "ip",
                     "arp",
-                    "vlan",
+                    "8021q",
                     "ip6"
                 ]
             }
@@ -18,7 +18,7 @@
     }
 ]
 
-# meta protocol != {ip, arp, ip6, vlan}
+# meta protocol != {ip, arp, ip6, 8021q}
 [
     {
         "match": {
@@ -30,7 +30,7 @@
                 "set": [
                     "ip",
                     "arp",
-                    "vlan",
+                    "8021q",
                     "ip6"
                 ]
             }
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index 99aab29c54b2..4e43905e3094 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -68,7 +68,7 @@ ip test-ip4 input
   [ meta load protocol => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
-# meta protocol != {ip, arp, ip6, vlan}
+# meta protocol != {ip, arp, ip6, 8021q}
 __set%d test-ip4 3
 __set%d test-ip4 0
 	element 00000008  : 0 [end]	element 00000608  : 0 [end]	element 0000dd86  : 0 [end]	element 00000081  : 0 [end]
diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
index 94525f2944ce..eda7082f02b4 100644
--- a/tests/py/bridge/meta.t
+++ b/tests/py/bridge/meta.t
@@ -4,5 +4,5 @@
 
 meta obrname "br0";ok
 meta ibrname "br0";ok
-meta ibrvproto vlan;ok
+meta ibrvproto vlan;ok;meta ibrvproto 8021q
 meta ibrpvid 100;ok
diff --git a/tests/py/bridge/meta.t.json b/tests/py/bridge/meta.t.json
index a7a180c29aa6..3122774eba8c 100644
--- a/tests/py/bridge/meta.t.json
+++ b/tests/py/bridge/meta.t.json
@@ -32,7 +32,7 @@
                 "meta": { "key": "ibrvproto" }
             },
 	    "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     }
 ]
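Review bot: meta.t keeps 'meta ibrvproto vlan' as the input rule, but the
JSON input here is switched to "8021q", so the JSON parser is no longer
exercised with the legacy "vlan" name in this case. Keep "vlan" in
meta.t.json and put "8021q" in a json.output entry; that would test the
compatibility promise from the changelog on the JSON side too.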
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index ee33af77eab6..b242eef49a2b 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -30,13 +30,13 @@ reject with icmpx type port-unreachable;ok;reject
 ether type ipv6 reject with icmp type host-unreachable;fail
 ether type ip6 reject with icmp type host-unreachable;fail
 ether type ip reject with icmpv6 type no-route;fail
-ether type vlan reject;ok
+ether type vlan reject;ok;ether type 8021q reject
 ether type arp reject;fail
-ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type vlan reject with tcp reset
+ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type 8021q reject with tcp reset
 ether type arp reject with tcp reset;fail
 ip protocol udp reject with tcp reset;fail
 
 ether type ip reject with icmpx type admin-prohibited;ok
 ether type ip6 reject with icmpx type admin-prohibited;ok
-ether type vlan reject with icmpx type admin-prohibited;ok
+ether type 8021q reject with icmpx type admin-prohibited;ok
 ether type arp reject with icmpx type admin-prohibited;fail
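Review bot: the third changed rule replaces the input 'ether type vlan
reject with icmpx type admin-prohibited' outright, while the two above it
keep 'vlan' as input and add the 8021q form as expected output. Pick one
pattern; keeping the old input with an expected output retains coverage of
the legacy spelling.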
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
index aea871f70907..fe21734d0ae3 100644
--- a/tests/py/bridge/reject.t.json
+++ b/tests/py/bridge/reject.t.json
@@ -289,7 +289,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
@@ -318,7 +318,7 @@
     }
 ]
 
-# ether type vlan reject with icmpx type admin-prohibited
+# ether type 8021q reject with icmpx type admin-prohibited
 [
     {
         "match": {
@@ -329,7 +329,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output
index e01a63af5a35..b8a44f0eeb02 100644
--- a/tests/py/bridge/reject.t.json.output
+++ b/tests/py/bridge/reject.t.json.output
@@ -71,7 +71,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
@@ -81,4 +81,3 @@
         }
     }
 ]
-
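Review bot: the removed blank line at the end of the file is an unrelated
whitespace change; drop it from this patch or mention it in the changelog.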
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index 7deb6fbf5fac..22569877c428 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
@@ -132,7 +132,7 @@ bridge
   [ cmp eq reg 1 0x00000081 ]
   [ reject type 1 code 0 ]
 
-# ether type vlan reject with icmpx type admin-prohibited
+# ether type 8021q reject with icmpx type admin-prohibited
 bridge
   [ payload load 2b @ link header + 12 => reg 1 ]
   [ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
index 8553ba56351d..f67b8180996e 100644
--- a/tests/py/bridge/vlan.t
+++ b/tests/py/bridge/vlan.t
@@ -32,12 +32,12 @@ ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53;ok;vlan id 1 ip sadd
 vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3;ok
 vlan id { 1, 2, 4, 100, 4096 };fail
 
-ether type vlan ip protocol 1 accept;ok
+ether type vlan ip protocol 1 accept;ok;ether type 8021q ip protocol 1 accept
 
 # IEEE 802.1AD
 ether type 8021ad vlan id 1 ip protocol 6 accept;ok
-ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter;ok
-ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6;ok;ether type 8021ad vlan id 1 vlan type vlan vlan id 2 ip protocol 6
+ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter;ok
+ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6;ok;ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 ip protocol 6
 
 # illegal dependencies
 ether type ip vlan id 1;fail
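Review bot: after this hunk the old spelling is exercised as input only for `ether type` (the `ether type vlan ip protocol 1 accept;ok;ether type 8021q ip protocol 1 accept` line); both 8021ad rules switch their input to `vlan type 8021q`, so nothing tests `vlan type vlan` as input any more. If the old name is meant to remain accepted in that position too, keep one of the 8021ad lines with `vlan type vlan` on the input side and `vlan type 8021q` as the expected output, so a later change that drops the alias is caught.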
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
index 8eab271d790b..2a4b64f2279f 100644
--- a/tests/py/bridge/vlan.t.json
+++ b/tests/py/bridge/vlan.t.json
@@ -573,7 +573,7 @@
     }
 ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
 [
     {
         "match": {
@@ -608,7 +608,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
@@ -643,7 +643,7 @@
     }
 ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
 [
     {
         "match": {
@@ -678,7 +678,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output
index a2cc212ea314..2f90c8ffd1e7 100644
--- a/tests/py/bridge/vlan.t.json.output
+++ b/tests/py/bridge/vlan.t.json.output
@@ -9,7 +9,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
@@ -72,7 +72,7 @@
     }
 ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
 [
     {
         "match": {
@@ -107,7 +107,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
@@ -139,7 +139,7 @@
     }
 ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
 [
     {
         "match": {
@@ -174,7 +174,7 @@
                 }
             },
             "op": "==",
-            "right": "vlan"
+            "right": "8021q"
         }
     },
     {
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
index f60c752de401..a78f294671df 100644
--- a/tests/py/bridge/vlan.t.payload
+++ b/tests/py/bridge/vlan.t.payload
@@ -222,7 +222,7 @@ bridge
   [ cmp eq reg 1 0x00000006 ]
   [ immediate reg 0 accept ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
 bridge
   [ payload load 2b @ link header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0000a888 ]
@@ -238,7 +238,7 @@ bridge
   [ cmp eq reg 1 0x00000008 ]
   [ counter pkts 0 bytes 0 ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
 bridge
   [ payload load 2b @ link header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0000a888 ]
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
index 94ca6867c271..22e244e2e791 100644
--- a/tests/py/bridge/vlan.t.payload.netdev
+++ b/tests/py/bridge/vlan.t.payload.netdev
@@ -260,7 +260,7 @@ netdev
   [ cmp eq reg 1 0x00000006 ]
   [ immediate reg 0 accept ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip counter
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
 netdev
   [ meta load iiftype => reg 1 ]
   [ cmp eq reg 1 0x00000001 ]
@@ -278,7 +278,7 @@ netdev
   [ cmp eq reg 1 0x00000008 ]
   [ counter pkts 0 bytes 0 ]
 
-# ether type 8021ad vlan id 1 vlan type vlan vlan id 2 vlan type ip ip protocol 6
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
 netdev
   [ meta load iiftype => reg 1 ]
   [ cmp eq reg 1 0x00000001 ]
-- 
2.26.3



end of thread, other threads:[~2021-04-02 10:55 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
2021-04-01 14:08 [PATCH nft 0/4] Add support for 8021.AD frame matching Florian Westphal
2021-04-01 14:08 ` [PATCH nft 1/4] src: vlan: allow matching vlan id insider 802.1ad frame Florian Westphal
2021-04-01 14:08 ` [PATCH nft 2/4] proto: add 8021ad as mnemonic for IEEE 802.1AD (0x88a8) ether type Florian Westphal
2021-04-01 14:08 ` [PATCH nft 3/4] payload: be careful on vlan dependency removal Florian Westphal
2021-04-01 14:08 ` [PATCH nft 4/4] tests: add 8021.AD vlan test cases Florian Westphal
2021-04-02 10:54 ` [PATCH nft 5/4] proto: replace vlan ether type with 8021q Florian Westphal
