From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Laura Garcia Liebana <nevola@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] nft: Add support for inverted bitwise value list
Date: Wed, 22 Jun 2016 20:20:38 +0200
Message-ID: <20160622182038.GA14851@salvia>
In-Reply-To: <20160622154945.GA12610@sonyv>
On Wed, Jun 22, 2016 at 05:49:48PM +0200, Laura Garcia Liebana wrote:
> Add support for inverted state and status bitwise value list required in the
> ct match.
>
> Before this patch, nft didn't support the rule:
>
> $ nft add rule ip filter INPUT ct state != new,related counter accept
> <cmdline>:1:41-41: Error: syntax error, unexpected comma, expecting end of file or newline or semicolon
> add rule ip filter INPUT ct state != new,related counter accept
>                                         ^
>
> This patch includes in the parser the ability to understand a list of
> bitwise values.
>
> nft --debug=netlink add rule ip filter INPUT ct state != new,related,established,untracked counter accept
> ip filter INPUT
> [ ct load state => reg 1 ]
> [ cmp neq reg 1 0x0000004e ]
> [ counter pkts 0 bytes 0 ]
> [ immediate reg 0 accept ]
This bytecode looks incorrect.
nft --debug=netlink add rule ip filter INPUT ct state new,related,established,untracked
ip filter INPUT
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
so I think the right bytecode should look like:
nft --debug=netlink add rule ip filter INPUT ct state new,related,established,untracked
ip filter INPUT
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
I guess something is missing from the expr_evaluate_relational(), I
can see:
        if (rel->op == OP_IMPLICIT) {
                switch (right->ops->type) {
                ...
                case EXPR_LIST:
                        rel->op = OP_FLAGCMP;
I guess rel->op is OP_NEQ for your case above, that's why it is
generating the wrong code.
Note that from netlink_linearize.c, it is netlink_gen_flagcmp() that
generates the bitwise + cmp when we see OP_FLAGCMP.
Instead of this, I would kill the OP_FLAGCMP and transform the left
hand side of the tree to get a bitwise from evaluate.c, so this looks
like:
            relational (OP_NEQ)
                 /        \
                /          \
               /            \
          bitwise          value
           /    \
          /      \
    ct state     mask
Then, we can kill netlink_gen_flagcmp() too since the
netlink_linearize.c will generate the right bytecode for us based on
that tree.
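The following is an added example, not nft's own code and not code from anyone in this thread: a minimal interpreter for the three netlink ops that appear in the --debug=netlink output above (ct load, bitwise, cmp), run over a few constructed ct state values. It makes concrete why "[ cmp neq reg 1 0x0000004e ]" on its own is the wrong bytecode for "ct state != new,related,established,untracked" and why the bitwise-then-cmp form is needed. The ct state bit values are the ones the kernel's nf_conntrack_common.h defines (they OR to the 0x0000004e mask seen in the output); the op struct, the three op arrays and the function names are this example's own, not nft's.

```c
/* Added example (not nft code): interpret the netlink ops from the thread
 * over a single register and compare the verdicts they produce. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ct state bits as defined in the kernel's nf_conntrack_common.h.
 * NEW | RELATED | ESTABLISHED | UNTRACKED == 0x4e, the mask on the page. */
#define CT_STATE_INVALID     0x01u
#define CT_STATE_ESTABLISHED 0x02u
#define CT_STATE_RELATED     0x04u
#define CT_STATE_NEW         0x08u
#define CT_STATE_UNTRACKED   0x40u
#define CT_MASK (CT_STATE_NEW | CT_STATE_RELATED | CT_STATE_ESTABLISHED | CT_STATE_UNTRACKED)

enum op_kind { OP_LOAD, OP_BITWISE, OP_CMP };
enum cmp_kind { CMP_EQ, CMP_NEQ };

/* One netlink op, modelled after the lines printed by --debug=netlink. */
struct op {
    enum op_kind kind;
    uint32_t mask;      /* bitwise: reg = (reg & mask) ^ xor_val */
    uint32_t xor_val;
    enum cmp_kind cmp;  /* cmp: compare reg against value */
    uint32_t value;
};

/* Run the ops over reg 1.  Returns true when every cmp holds, i.e. the
 * rule matches and the verdict (here "accept") would be applied. */
static bool run_rule(const struct op *ops, size_t n, uint32_t ct_state)
{
    uint32_t reg = 0;

    for (size_t i = 0; i < n; i++) {
        switch (ops[i].kind) {
        case OP_LOAD:
            reg = ct_state;
            break;
        case OP_BITWISE:
            reg = (reg & ops[i].mask) ^ ops[i].xor_val;
            break;
        case OP_CMP:
            if (ops[i].cmp == CMP_EQ ? reg != ops[i].value
                                     : reg == ops[i].value)
                return false; /* comparison fails: rule does not match */
            break;
        }
    }
    return true;
}

/* What the patch emitted for the inverted list:
 *   [ ct load state => reg 1 ]
 *   [ cmp neq reg 1 0x0000004e ] */
static const struct op patch_ops[] = {
    { .kind = OP_LOAD },
    { .kind = OP_CMP, .cmp = CMP_NEQ, .value = CT_MASK },
};

/* What nft emits for the positive list (the OP_FLAGCMP form):
 *   [ bitwise reg 1 = (reg=1 & 0x0000004e ) ^ 0x00000000 ]
 *   [ cmp neq reg 1 0x00000000 ] */
static const struct op positive_ops[] = {
    { .kind = OP_LOAD },
    { .kind = OP_BITWISE, .mask = CT_MASK, .xor_val = 0 },
    { .kind = OP_CMP, .cmp = CMP_NEQ, .value = 0 },
};

/* The bytecode proposed in the reply for the inverted list: same bitwise
 * op, but cmp eq 0, i.e. none of the listed flags is set. */
static const struct op inverted_ops[] = {
    { .kind = OP_LOAD },
    { .kind = OP_BITWISE, .mask = CT_MASK, .xor_val = 0 },
    { .kind = OP_CMP, .cmp = CMP_EQ, .value = 0 },
};

bool patch_matches(uint32_t ct_state)    { return run_rule(patch_ops, 2, ct_state); }
bool positive_matches(uint32_t ct_state) { return run_rule(positive_ops, 3, ct_state); }
bool inverted_matches(uint32_t ct_state) { return run_rule(inverted_ops, 3, ct_state); }

int main(void)
{
    /* Constructed sample states: a plain NEW packet, an INVALID one, and
     * one with every listed flag set at once. */
    const uint32_t samples[] = { CT_STATE_NEW, CT_STATE_INVALID, CT_MASK, 0 };

    printf("state  patch(cmp neq 0x4e)  positive  inverted(bitwise+cmp eq 0)\n");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("0x%02x   %d                    %d         %d\n", samples[i],
               patch_matches(samples[i]), positive_matches(samples[i]),
               inverted_matches(samples[i]));
    return 0;
}
```

The table makes the bug visible: for a packet whose ct state is just NEW (0x08), the patch's "cmp neq 0x4e" still matches, so the inverted rule would accept exactly the traffic it was written to exclude; only a state equal to the whole mask fails it. The bitwise-then-"cmp eq 0" sequence matches only when none of the four flags is set (INVALID, or no state at all), which is the complement of the positive flag compare.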
Thread overview: 5+ messages
2016-06-22 15:49 [PATCH] nft: Add support for inverted bitwise value list Laura Garcia Liebana
2016-06-22 16:14 ` Florian Westphal
2016-06-22 16:56 ` Jan Engelhardt
2016-06-22 17:13 ` Florian Westphal
2016-06-22 18:20 ` Pablo Neira Ayuso [this message]