[net-next,v3,0/4] em_ipt: add support for addrtype

Message ID 20190627081047.24537-1-nikolay@cumulusnetworks.com

Message

Nikolay Aleksandrov June 27, 2019, 8:10 a.m. UTC
Hi,
We would like to be able to use the addrtype from tc for ACL rules and
em_ipt seems the best place to add support for the already existing xt
match. The biggest issue is that addrtype revision 1 (with ipv6 support)
is NFPROTO_UNSPEC and currently em_ipt can't differentiate between v4/v6
if such xt match is used because it passes the match's family instead of
the packet one. The first 3 patches make em_ipt match only on IP
traffic (currently both policy and addrtype recognize such traffic
only) and make it pass the actual packet's protocol instead of the xt
match family when it's unspecified. They also add support for NFPROTO_UNSPEC
xt matches. The last patch allows adding addrtype rules via em_ipt.
We need to keep the user-specified nfproto for dumping in order to be
compatible with libxtables, we cannot dump NFPROTO_UNSPEC as the nfproto
or we'll get an error from libxtables, thus the nfproto is limited to
ipv4/ipv6 in patch 03 and is recorded.

v3: don't use the user nfproto for matching, only for dumping, more
    information is available in the commit message in patch 03
v2: change patch 02 to set the nfproto only when unspecified and drop
    patch 04 from v1 (Eyal Birger)

Thank you,
  Nikolay Aleksandrov


Nikolay Aleksandrov (4):
  net: sched: em_ipt: match only on ip/ipv6 traffic
  net: sched: em_ipt: set the family based on the packet if it's
    unspecified
  net: sched: em_ipt: keep the user-specified nfproto and dump it
  net: sched: em_ipt: add support for addrtype matching

 net/sched/em_ipt.c | 48 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 46 insertions(+), 2 deletions(-)
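
The family selection described in the cover letter, as an added userspace model (example code written for this page, not taken from the patches). The function names, NO_MATCH and the header-length check are assumptions of the model; the frames are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values match the kernel UAPI constants of the same names. */
enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_IPV6 = 10 };
enum { ETH_P_IP = 0x0800, ETH_P_ARP = 0x0806, ETH_P_IPV6 = 0x86DD };
enum { ETH_HLEN = 14, IPV4_HLEN = 20, IPV6_HLEN = 40 };
#define NO_MATCH (-1) /* hypothetical: packet is not handed to the xt match */

/* Behaviour the cover letter calls the issue: the match's own family is
 * passed on, so an NFPROTO_UNSPEC match cannot tell v4 from v6. */
static int family_before(int match_family)
{
    return match_family;
}

/* Behaviour described for patches 01 and 02: only IP traffic is matched,
 * and the family comes from the packet when the match leaves it unspecified. */
static int family_after(const uint8_t *frame, size_t len, int match_family)
{
    int pkt_family;
    size_t need;

    if (len < ETH_HLEN)
        return NO_MATCH;
    switch ((frame[12] << 8) | frame[13]) {
    case ETH_P_IP:   pkt_family = NFPROTO_IPV4; need = IPV4_HLEN; break;
    case ETH_P_IPV6: pkt_family = NFPROTO_IPV6; need = IPV6_HLEN; break;
    default:         return NO_MATCH; /* ARP and other non-IP traffic */
    }
    if (len - ETH_HLEN < need) /* model assumption: reject truncated L3 header */
        return NO_MATCH;
    return match_family == NFPROTO_UNSPEC ? pkt_family : match_family;
}

/* Constructed sample: zeroed frame of the given length with the EtherType set. */
static void make_frame(uint8_t *buf, size_t len, uint16_t ethertype)
{
    memset(buf, 0, len);
    if (len >= ETH_HLEN) { buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype; }
}

int main(void)
{
    uint8_t f[64];
    make_frame(f, sizeof f, ETH_P_IPV6);
    printf("before=%d after=%d\n", family_before(NFPROTO_UNSPEC),
           family_after(f, sizeof f, NFPROTO_UNSPEC));
    return 0;
}
```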

Comments

Eyal Birger June 27, 2019, 10:01 a.m. UTC | #1
On Thu, 27 Jun 2019 11:10:43 +0300
Nikolay Aleksandrov <nikolay@cumulusnetworks.com> wrote:

> Hi,
> We would like to be able to use the addrtype from tc for ACL rules and
> em_ipt seems the best place to add support for the already existing xt
> match. The biggest issue is that addrtype revision 1 (with ipv6
> support) is NFPROTO_UNSPEC and currently em_ipt can't differentiate
> between v4/v6 if such xt match is used because it passes the match's
> family instead of the packet one. The first 3 patches make em_ipt
> match only on IP traffic (currently both policy and addrtype
> recognize such traffic only) and make it pass the actual packet's
> protocol instead of the xt match family when it's unspecified. They
> also add support for NFPROTO_UNSPEC xt matches. The last patch allows
> adding addrtype rules via em_ipt. We need to keep the user-specified
> nfproto for dumping in order to be compatible with libxtables, we
> cannot dump NFPROTO_UNSPEC as the nfproto or we'll get an error from
> libxtables, thus the nfproto is limited to ipv4/ipv6 in patch 03 and
> is recorded.
> 
> v3: don't use the user nfproto for matching, only for dumping, more
>     information is available in the commit message in patch 03
> v2: change patch 02 to set the nfproto only when unspecified and drop
>     patch 04 from v1 (Eyal Birger)
> 
> Thank you,
>   Nikolay Aleksandrov
> 
> 
> Nikolay Aleksandrov (4):
>   net: sched: em_ipt: match only on ip/ipv6 traffic
>   net: sched: em_ipt: set the family based on the packet if it's
>     unspecified
>   net: sched: em_ipt: keep the user-specified nfproto and dump it
>   net: sched: em_ipt: add support for addrtype matching
> 
>  net/sched/em_ipt.c | 48 ++++++++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 46 insertions(+), 2 deletions(-)
> 

Looks great! thanks for adding this!

For the series:

Acked-by: Eyal Birger <eyal.birger@gmail.com>

David Miller June 29, 2019, 6:15 p.m. UTC | #2
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date: Thu, 27 Jun 2019 11:10:43 +0300

> We would like to be able to use the addrtype from tc for ACL rules and
> em_ipt seems the best place to add support for the already existing xt
> match. The biggest issue is that addrtype revision 1 (with ipv6 support)
> is NFPROTO_UNSPEC and currently em_ipt can't differentiate between v4/v6
> if such xt match is used because it passes the match's family instead of
> the packet one. The first 3 patches make em_ipt match only on IP
> traffic (currently both policy and addrtype recognize such traffic
> only) and make it pass the actual packet's protocol instead of the xt
> match family when it's unspecified. They also add support for NFPROTO_UNSPEC
> xt matches. The last patch allows adding addrtype rules via em_ipt.
> We need to keep the user-specified nfproto for dumping in order to be
> compatible with libxtables, we cannot dump NFPROTO_UNSPEC as the nfproto
> or we'll get an error from libxtables, thus the nfproto is limited to
> ipv4/ipv6 in patch 03 and is recorded.
> 
> v3: don't use the user nfproto for matching, only for dumping, more
>     information is available in the commit message in patch 03
> v2: change patch 02 to set the nfproto only when unspecified and drop
>     patch 04 from v1 (Eyal Birger)

Series applied, thanks Nikolay.