On 15 July 2019 20:06:39 CEST, Pablo Neira Ayuso <[email protected]> wrote:
>> Given the following bridge rules:
>> 1. ip protocol icmp accept
>> 2. ether type vlan vlan type ip ip protocol icmp accept
>
>No testcase for #2?

The added testcase covers #2 due to the netlink dump check and thus is 
basically a synonym with respect to the netlink parser.

>
>So, what happens here is that:
>
>        #1 vlan type ip kills ether type vlan
>        #2 ip protocol icmp kills vlan type ip
>
>right?

Right

>> +             */
>> +            if (dep->left->etype == EXPR_PAYLOAD && dep->op == OP_EQ &&
>> +                expr->flags & EXPR_F_PROTOCOL &&
>> +                expr->payload.base == dep->left->payload.base)
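Review bot: the condition dereferences expr->payload.base but only checks dep->left for etype == EXPR_PAYLOAD; unless the caller already guarantees that expr is a payload expression, add `expr->etype == EXPR_PAYLOAD` before the base comparison so a non-payload protocol key cannot read a union member that is not active. Minor style point: write `(expr->flags & EXPR_F_PROTOCOL)` with explicit parentheses inside the `&&` chain, and have the comment that closes with `*/` above name the concrete case this branch exists for (the `ether type vlan` / `vlan type ip` pair discussed here), since the check as written is generic across bases.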
>
>If the current expression is a key (EXPR_F_PROTOCOL expressions tells
>us what it comes in the upper layer) and base of such expression is
>the same as the dependency.
>
>I'd prefer this rule is restricted to vlan, and wait for more similar
>usecases before this rule can be generalized.
>
>OK?

I used nft list ruleset to generate /etc/nftables.conf. In case too few 
statements are killed, nftables.conf becomes a bit longer, but it is still 
correct and parseable, although not minimal. In case too many statements are 
killed, the semantics change on next reboot or for review, with all kinds of 
implications.
Therefore killing too many statements seems critical to me, killing too few only 
a minor issue. I'd therefore prefer to take the risk of being overly broad 
here rather than having incorrect information, and thus not restrict this to 
vlan.

Stacked protocols like ipsec, ipip tunnel or vlan tend to have the same upper 
layer payload protocol, e.g. udp in ip, udp in ipip or udp in esp/ah. Therefore 
killing protocol type statements for stacked protocols generally does not look 
safe to me, as the upper layer will not imply any stacked protocol.

Regards,
M. Braun
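As an added illustration of the decision argued over in this thread, here is a toy model of payload-dependency killing. It is not nftables source and not code from either participant: the Match type, the list_rule() walk, reload_rule() and the frame matcher are simplifications made up for this example, and only may_dependency_kill() mirrors the quoted condition. The listing strings it produces are a property of this model, not a claim about what a particular nft version prints; what it does show is the two-step collapse Pablo describes (vlan type ip kills ether type vlan, then ip protocol icmp kills vlan type ip), why that makes rule #2 list identically to rule #1, and how the same-base restriction keeps the two rules distinguishable after the listing is reloaded.

```python
"""Toy model of payload-dependency killing for the two bridge rules above.

Added illustration, not nftables code. Only may_dependency_kill() follows
the quoted condition; everything else is a made-up simplification.
"""
from dataclasses import dataclass

LL, NH, TH = "ll", "nh", "th"  # payload bases: link, network, transport


@dataclass(frozen=True)
class Match:
    base: str                  # payload base the header field lives in
    field: str                 # e.g. "ether type", "vlan type", "ip protocol"
    value: str
    protocol_key: bool = True  # EXPR_F_PROTOCOL: the field names the next layer
    op: str = "=="

    def __str__(self):
        return f"{self.field} {self.value}"


def may_dependency_kill(dep, expr, same_base_rule=True):
    """The quoted condition: a protocol key must not kill an equality
    dependency that lives at the same base. same_base_rule=False models
    the unrestricted (old) behaviour."""
    if (same_base_rule and dep.op == "==" and expr.protocol_key
            and expr.base == dep.base):
        return False
    return True


def list_rule(matches, same_base_rule=True):
    """Simplified delinearizer walk: each protocol key becomes the pending
    dependency; a later match may kill (drop) the pending one.
    Returns the surviving matches, i.e. what would be listed."""
    keep = [True] * len(matches)
    pending = None
    for i, m in enumerate(matches):
        if pending is not None and may_dependency_kill(
                matches[pending], m, same_base_rule):
            keep[pending] = False   # the higher layer "implies" the dep
            pending = None
        if m.protocol_key and m.op == "==":
            pending = i
    return [m for m, k in zip(matches, keep) if k]


def listing(matches, same_base_rule=True):
    return " ".join(map(str, list_rule(matches, same_base_rule)))


def reload_rule(listed):
    """Re-parse a listing in the bridge family (assumed behaviour): an 'ip'
    match with no link-layer context gets the implicit 'ether type ip'
    dependency back, which is what turns rule #1's listing into rule #1."""
    if listed and listed[0].base != LL:
        return [Match(LL, "ether type", "ip")] + list(listed)
    return list(listed)


def matches_frame(rule, frame):
    """Constructed frame model: a dict of header field -> value."""
    return all(frame.get(m.field) == m.value for m in rule)


# The two bridge rules from the thread as the kernel holds them; rule #1
# carries the implicit 'ether type ip' that nft adds in the bridge family.
RULE1 = [Match(LL, "ether type", "ip"), Match(NH, "ip protocol", "icmp")]
RULE2 = [Match(LL, "ether type", "vlan"), Match(LL, "vlan type", "ip"),
         Match(NH, "ip protocol", "icmp")]

# Constructed frames: an untagged ICMP frame and an 802.1Q-tagged one.
UNTAGGED = {"ether type": "ip", "ip protocol": "icmp"}
TAGGED = {"ether type": "vlan", "vlan type": "ip", "ip protocol": "icmp"}

if __name__ == "__main__":
    for flag in (False, True):
        print(f"same-base restriction {'on' if flag else 'off'}:")
        for name, rule in (("#1", RULE1), ("#2", RULE2)):
            kept = list_rule(rule, flag)
            back = reload_rule(kept)
            print(f"  {name} lists as '{listing(rule, flag)}'; after reload "
                  f"tagged={matches_frame(back, TAGGED)} "
                  f"untagged={matches_frame(back, UNTAGGED)}")
```

With the restriction off, both rules list as `ip protocol icmp`, and reloading that listing gives a rule that matches the untagged frame and no longer the tagged one that rule #2 was written for; that is the "semantics change on next reboot" case. With the restriction on, `ether type vlan` survives because `vlan type ip` is a protocol key at the same base, while `ip protocol icmp` at the network base is still allowed to kill `vlan type ip` in this model, and the reloaded rule keeps matching only tagged frames. Whether a real nft also drops `vlan type ip` in that position is not something this toy decides.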
