On Sat, Jun 01, 2019 at 10:27:06PM -0400, Stephen Suryaputra wrote:
> On Mon, Jun 03, 2019 at 02:30:06PM +0200, Pablo Neira Ayuso wrote:
> > > I developed this patchset to suit my employer needs and there is no plan
> > > for a follow up patchset, however I think non-zero offset might be useful
> >
On Mon, Jun 03, 2019 at 02:30:06PM +0200, Pablo Neira Ayuso wrote:
> > I developed this patchset to suit my employer needs and there is no plan
> > for a follow up patchset, however I think non-zero offset might be useful
> > in the future for tunneled packets.
>
> For tunneled traffic, we can sto
On Sat, Jun 01, 2019 at 11:04:29AM -0400, Stephen Suryaputra wrote:
> On Sat, Jun 01, 2019 at 02:22:30AM +0200, Pablo Neira Ayuso wrote:
> > > It is the same as the IPv6 one. The offset returned is the offset to the
> > > specific option (target) or the byte beyond the options if the target
> > > i
On Sat, Jun 01, 2019 at 02:22:30AM +0200, Pablo Neira Ayuso wrote:
> > It is the same as the IPv6 one. The offset returned is the offset to the
> > specific option (target) or the byte beyond the options if the target
> > isn't specified (< 0).
>
> Thanks for explaining. So you are using ipv6_find
Pablo Neira Ayuso wrote:
> > > if (skb->protocol != htons(ETH_P_IP))
> > > goto err;
> >
> > Wouldn't it be preferable to just use nft_pf() != NFPROTO_IPV4?
>
> Then IPv4 options extension won't work from bridge and netdev families
> too, right?
Ah, right.
On Sat, Jun 01, 2019 at 10:27:32AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > 	iph = skb_header_pointer(skb, *offset, sizeof(_iph), &_iph);
> > > 	if (!iph || skb->protocol != htons(ETH_P_IP))
> > > 		return -EBADMSG;
> >
> > I mean, you make this
Pablo Neira Ayuso wrote:
> > 	iph = skb_header_pointer(skb, *offset, sizeof(_iph), &_iph);
> > 	if (!iph || skb->protocol != htons(ETH_P_IP))
> > 		return -EBADMSG;
>
> I mean, you make this check upfront from the _eval() path, ie.
>
> static void nft_exthdr_ipv4_eval
On Fri, May 31, 2019 at 03:35:58PM -0400, Stephen Suryaputra wrote:
> On Fri, May 31, 2019 at 07:11:01PM +0200, Pablo Neira Ayuso wrote:
> > > +/* find the offset to specified option or the header beyond the options
> > > + * if target < 0.
> > > + *
> > > + * Note that *offset is used as input/out
On Fri, May 31, 2019 at 07:11:01PM +0200, Pablo Neira Ayuso wrote:
> > +/* find the offset to specified option or the header beyond the options
> > + * if target < 0.
> > + *
> > + * Note that *offset is used as input/output parameter, and if it is not
> > zero,
> > + * then it must be a valid off
Hi Stephen,
On Thu, May 23, 2019 at 05:38:01AM -0400, Stephen Suryaputra wrote:
> This is the kernel change for the overall changes with this description:
> Add capability to have rules matching IPv4 options. This is developed
> mainly to support dropping of IP packets with loose and/or strict sou
This is the kernel change for the overall changes with this description:
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route options. Nevertheless, the implementation includes others and
ability to
11 matches