| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADvbK_e25HuWG98OYCWsmWMB6cyRDSM6SovNYKa8ySZyJPchkA@mail.gmail.com>
Date: Thu, 12 Dec 2019 11:02:19 +0800
From: Xin Long <lucien.xin@...il.com>
To: network dev <netdev@...r.kernel.org>,
netfilter-devel@...r.kernel.org
Cc: davem <davem@...emloft.net>,
Pablo Neira Ayuso <pablo@...filter.org>
Subject: Re: [PATCH nf-next 0/7] netfilter: nft_tunnel: reinforce key opts support
On Sun, Dec 8, 2019 at 12:41 PM Xin Long <lucien.xin@...il.com> wrote:
>
> This patchset improves quite a few places to make vxlan/erspan
> opts in nft_tunnel work with userspace nftables/libnftnl, and
> also keep consistent with the support for vxlan/erspan opts in
> act_tunnel_key, cls_flower and ip_tunnel_core.
>
> Meanwhile, add support for geneve opts in nft_tunnel. One patch
> for nftables and one for libnftnl will be posted here for the
> testing. With them, nft_tunnel can be set and used by:
>
> # nft add table ip filter
> # nft add chain ip filter input { type filter hook input priority 0 \; }
> # nft add tunnel filter vxlan_01 { type vxlan\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"ffff\"\; }
> # nft add tunnel filter erspan_01 { type erspan\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"1:1:0:0\"\; }
> # nft add tunnel filter erspan_02 { type erspan\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"2:0:1:1\"\; }
> # nft add tunnel filter geneve_01 { type geneve\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"1:1:1212121234567890\"\; }
> # nft add tunnel filter geneve_02 { type geneve\; id 2\; \
> ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
> sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
> opts \"1:1:34567890,2:2:12121212,3:3:1212121234567890\"\; }
> # nft list tunnels table filter
> # nft add rule filter input ip protocol udp tunnel name geneve_02
> # nft add rule filter input meta l4proto udp tunnel id 2 drop
> # nft add rule filter input meta l4proto udp tunnel path 0 drop
> # nft list chain filter input -a
Hi, Pablo
as you commented on other patches, I will post v2 and
>
> Xin Long (7):
> netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8
> netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel
drop these two patches
> netfilter: nft_tunnel: no need to call htons() when dumping ports
move this one to nf.git
> netfilter: nft_tunnel: also dump ERSPAN_VERSION
> netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN
> netfilter: nft_tunnel: add the missing nla_nest_cancel()
adjust these three for nf-next.git
> netfilter: nft_tunnel: add support for geneve opts
will you also check this one before my posting v2?
Thanks.
Powered by blists - more mailing lists