src: Fix dumping vlan rules

Given the following bridge rules:
1. ip protocol icmp accept
2. ether type vlan vlan type ip ip protocol icmp accept

The are currently both dumped by "nft list ruleset" as
1. ip protocol icmp accept
2. ip protocol icmp accept

Though, the netlink code actually is different

bridge filter FORWARD 4
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ immediate reg 0 accept ]

bridge filter FORWARD 5 4
  [ payload load 2b @ link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000081 ]
  [ payload load 2b @ link header + 16 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ immediate reg 0 accept ]

What happens here is that:

1. vlan type ip kills ether type vlan
2. ip protocol icmp kills vlan type ip

Fix this by avoiding the removal of all vlan statements
in the given example.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/payload.c b/src/payload.c
index abd5339c5b0bc80b02b50fc505939891430255ef..3576400bbfc87b84aa52d8f92a444b0cc4f8361b 100644 (file)
--- a/src/payload.c
+++ b/src/payload.c
@@ -529,6 +529,18 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
                     dep->left->payload.desc == &proto_ip6) &&
                    expr->payload.base == PROTO_BASE_TRANSPORT_HDR)
                        return false;
+               /* Do not kill
+                *  ether type vlan and vlan type ip and ip protocol icmp
+                * into
+                *  ip protocol icmp
+                * as this lacks ether type vlan.
+                * More generally speaking, do not kill protocol type
+                * for stacked protocols if we only have protcol type matches.
+                */
+               if (dep->left->etype == EXPR_PAYLOAD && dep->op == OP_EQ &&
+                   expr->flags & EXPR_F_PROTOCOL &&
+                   expr->payload.base == dep->left->payload.base)
+                       return false;
                break;
        }
 

diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
index 526d7cc912464d5ba31743624b0f9119f3a467aa..7a52a5020efaa540db2cc3809c40062f1647f986 100644 (file)
--- a/tests/py/bridge/vlan.t
+++ b/tests/py/bridge/vlan.t
@@ -32,6 +32,8 @@ ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53;ok;vlan id 1 ip sadd
 vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3;ok
 vlan id { 1, 2, 4, 100, 4096 };fail
 
+ether type vlan ip protocol 1 accept;ok
+
 # illegal dependencies
 ether type ip vlan id 1;fail
 ether type ip vlan id 1 ip saddr 10.0.0.1;fail

diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
index cb0e812f8ec3c29a1388d4b096045c36693862aa..bb8925e380c32fddbc32871af0f539c93f59ef20 100644 (file)
--- a/tests/py/bridge/vlan.t.payload
+++ b/tests/py/bridge/vlan.t.payload
@@ -199,3 +199,13 @@ bridge test-bridge input
   [ cmp gte reg 1 0x00000020 ]
   [ cmp lte reg 1 0x00000060 ]
 
+# ether type vlan ip protocol 1 accept
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+

diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
index c57955ec73941b5c27a29e1c2a24b840316d682a..0a3f90a5dfd299c72783e60388fed5cac607e442 100644 (file)
--- a/tests/py/bridge/vlan.t.payload.netdev
+++ b/tests/py/bridge/vlan.t.payload.netdev
@@ -233,3 +233,15 @@ netdev test-netdev ingress
   [ cmp gte reg 1 0x00000020 ]
   [ cmp lte reg 1 0x00000060 ]
 
+# ether type vlan ip protocol 1 accept
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+