netfilter-devel.vger.kernel.org archive mirror
From: Alvaro Neira Ayuso <alvaroneay@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [nft PATCH 1/4] payload: fix update context with wrong byteorder
Date: Mon, 28 Jul 2014 13:51:48 +0200
Message-ID: <1406548311-31354-2-git-send-email-alvaroneay@gmail.com>
In-Reply-To: <1406548311-31354-1-git-send-email-alvaroneay@gmail.com>

In the evaluation step and delinearize step, we update the protocol
context. When we update the context, we expect that the expressions
are in host endian but the expressions are in big endian from these
two steps.

To fix this, we do the correct byteorder conversion for finding the
protocol number for updating the context. Example:

nft add rule bridge filter input ether type ip

We have an expression like this:

[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]

The byteorder of these expressions is big endian and it's in
host endian, for that when we try to update the context, we
don't find the protocol with this number. This is an example
output:

update network layer protocol context:
 link layer          : ether
 network layer       : none <-
 transport layer     : none

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
[Tested with the rules]
 * nft add rule filter input ip protocol tcp counter
 * nft add rule filter input ip protocol udp counter
 * nft add rule filter input tcp dport 22 counter
 * nft add rule filter bridge input ether type ip

 src/payload.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/payload.c b/src/payload.c
index a1785a5..be3d610 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -69,13 +69,18 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
 {
 	const struct expr *left = expr->left, *right = expr->right;
 	const struct proto_desc *base, *desc;
+	const struct proto_hdr_template *tmpl;
+	uint32_t value = 0;
 
 	if (!(left->flags & EXPR_F_PROTOCOL))
 		return;
 
 	assert(expr->op == OP_EQ);
 	base = ctx->protocol[left->payload.base].desc;
-	desc = proto_find_upper(base, mpz_get_uint32(right->value));
+	tmpl = left->payload.tmpl;
+	mpz_export_data(&value, right->value, tmpl->dtype->byteorder,
+			div_round_up(tmpl->len, BITS_PER_BYTE));
+	desc = proto_find_upper(base, value);
 
 	proto_ctx_update(ctx, left->payload.base + 1, &expr->location, desc);
 }
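Review bot: the byte count passed to mpz_export_data(), div_round_up(tmpl->len, BITS_PER_BYTE), is never checked against sizeof(value), so a protocol field template longer than 32 bits would write past the 4-byte stack variable. Please add an assert (or an early return) that the computed length is at most sizeof(value) before the export. Second point on the same call: for fields shorter than 32 bits (the 2-byte ether type in the commit message's example) only part of value is filled, and, assuming mpz_export_data() writes that many bytes starting at &value, which part of the integer those bytes land in depends on the host's endianness. A short comment stating what representation proto_find_upper() expects, and a test run on a big-endian host, would make it clear that the lookup value is the same on both.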
-- 
1.7.10.4

