From: Alvaro Neira Ayuso <alvaroneay@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [nft PATCH 5/5 v2] src: fix byteorder conversions in sets
Date: Mon, 4 Aug 2014 18:00:11 +0200 [thread overview]
Message-ID: <1407168011-6424-6-git-send-email-alvaroneay@gmail.com> (raw)
In-Reply-To: <1407168011-6424-1-git-send-email-alvaroneay@gmail.com>
In some rules, if we use sets, we don't convert the values inside the set.
Usually, rules where the datatype is integer_type. For example:
nft add rule filter input tcp checksum {22-55}
set%d filter 7
set%d filter 0
element 00000000:1 [end] element 00000016: 0 [end] element 00000038 : 1 [end]
ip filter input
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 16 => reg 1 ]
[ lookup reg 1 set set%d ]
Currently, we are going to do the byteorder conversion of the values inside the set,
like:
set%d filter 7
set%d filter 0
element 00000000 : 1 [end] element 00001600 : 0 [end] element 00003701: 1 [end]
ip filter input
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 16 => reg 1 ]
[ lookup reg 1 set set%d ]
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
[changes in v2]
* Changed the solution for big endian and host endian cases.
src/evaluate.c | 32 +++++++++++++++++++++++++++-----
src/netlink_delinearize.c | 12 ++++++++++++
2 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 8aaf1bf..d973cb8 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -670,6 +670,29 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr)
return 0;
}
+static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr *expr)
+{
+ switch (expr->ops->type) {
+ case EXPR_VALUE:
+ if (byteorder_conversion(ctx, &expr,
+ BYTEORDER_BIG_ENDIAN) < 0)
+ return -1;
+ break;
+ case EXPR_RANGE:
+ if (byteorder_conversion(ctx, &expr->right,
+ BYTEORDER_BIG_ENDIAN) < 0)
+ return -1;
+ if (byteorder_conversion(ctx, &expr->left,
+ BYTEORDER_BIG_ENDIAN) < 0)
+ return -1;
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
{
struct expr *set = *expr, *i, *next;
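Review bot: expr_evaluate_set_elem takes `struct expr *expr` by value and then passes `&expr` to byteorder_conversion in the EXPR_VALUE case, so if byteorder_conversion replaces the expression (its `struct expr **` parameter exists for exactly that, cf. the `&rel->left` call removed further down), the replacement lands only in the local copy and the element sitting in the set's list keeps the old pointer. Take `struct expr **expr` here and have expr_evaluate_set pass the slot it iterates over, as the other *_evaluate functions do. Minor: the EXPR_RANGE case converts `right` before `left`; left then right reads more naturally and reports a mismatch on the lower bound first.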
@@ -691,6 +714,10 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
expr_free(i);
} else if (!expr_is_singleton(i))
set->set_flags |= SET_F_INTERVAL;
+
+ /* Byteorder conversion of the set elements */
+ if (i->ops->type != EXPR_SET)
+ expr_evaluate_set_elem(ctx, i);
}
set->dtype = ctx->ectx.dtype;
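Review bot: the new block at the end of the loop body dereferences `i` after the EXPR_SET branch above it has already called `expr_free(i)` (the branch that merges nested sets), so for a rule with a nested set `i->ops->type` reads freed memory. Move the conversion into the `else` branch next to the SET_F_INTERVAL check, or `continue` right after expr_free(i). The return value of expr_evaluate_set_elem is also ignored, so an error from byteorder_conversion is dropped and evaluation carries on with a partially converted set; make it `if (expr_evaluate_set_elem(ctx, i) < 0) return -1;`.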
@@ -927,11 +954,6 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
left->dtype->desc,
right->dtype->desc);
- /* Data for range lookups needs to be in big endian order */
- if (right->set->flags & SET_F_INTERVAL &&
- byteorder_conversion(ctx, &rel->left,
- BYTEORDER_BIG_ENDIAN) < 0)
- return -1;
left = rel->left;
break;
case OP_EQ:
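Review bot: this removes the conversion of `rel->left` (the lookup key) to big endian for SET_F_INTERVAL sets without an equivalent anywhere in this patch; the set elements are now converted unconditionally in expr_evaluate_set, but the key they are compared against keeps whatever byteorder the left-hand expression has, so a host-byteorder key against big-endian elements would mismatch. If the key is now converted by an earlier patch in this series, the commit message should say so. Two further points: the removed code only converted for interval sets, whereas the new code converts every set, so please confirm that is intended for non-interval sets too; and the removed comment ("Data for range lookups needs to be in big endian order") is worth keeping next to the new conversion in expr_evaluate_set, since it records the reason for it.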
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index af18dcc..f7961ad 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -629,10 +629,20 @@ static void payload_dependency_store(struct rule_pp_ctx *ctx,
static void payload_elem_postprocess(struct expr *expr)
{
+ struct expr *i;
+
switch (expr->ops->type) {
case EXPR_VALUE:
expr_switch_byteorder(expr);
break;
+ case EXPR_SET_REF:
+ list_for_each_entry(i, &expr->set->init->expressions, list)
+ payload_elem_postprocess(i);
+ break;
+ case EXPR_RANGE:
+ payload_elem_postprocess(expr->right);
+ payload_elem_postprocess(expr->left);
+ break;
default:
break;
}
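Review bot: the EXPR_SET_REF case walks `expr->set->init->expressions` and switches the byteorder of each element, but payload_elem_postprocess runs once per rule while a named set's init list is shared by every rule that references it; two rules referencing the same set would switch the elements twice and restore the original byteorder. Either restrict this to anonymous sets or mark the set as already processed. `expr->set->init` should also be checked for NULL before it is dereferenced unless every set reference that reaches this function is guaranteed to carry one. Anything that is neither EXPR_VALUE nor EXPR_RANGE falls into `default` and stays unswitched; if that is intended, a short comment saying so would help the next reader.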
@@ -889,6 +899,8 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
expr_postprocess(ctx, stmt, &expr->right);
break;
case EXPR_SET_REF:
+ expr_postprocess(ctx, stmt, &expr->set->init);
+ break;
case EXPR_EXTHDR:
case EXPR_META:
case EXPR_CT:
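Review bot: EXPR_SET_REF used to fall through to the EXPR_EXTHDR/EXPR_META/EXPR_CT group; now it postprocesses the referenced set's entire `init` expression from every rule that references the set, which raises the same two questions as the payload_elem_postprocess change above: `expr->set->init` may be NULL, and a named set referenced by several rules gets its init postprocessed once per referencing rule. Please also confirm that postprocessing init here does not overlap with the byteorder switch payload_elem_postprocess now applies to the same elements, otherwise they would be switched twice.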
--
1.7.10.4
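The following C program is an added illustration of the point behind the removed comment "Data for range lookups needs to be in big endian order"; it is not part of the patch and not nft code. It takes the figures from the commit message (the 2-byte tcp checksum field, the range 22-55, the fixed dump's 00000016 and the unfixed dump's 00001600) and models an interval lookup as a lexicographic comparison of raw bytes, the way a byte-string interval set orders its keys. The closed [from, to] element layout, the function names and the packet values are constructed for this example.

```c
/*
 * Added example, not part of the patch or of nft itself: a model of why
 * the elements of an interval set must be stored in the byteorder of the
 * data they are matched against. 22, 55 and the 2-byte "tcp checksum"
 * field come from the commit message; the [from, to] element layout and
 * the function names are constructed for this example.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 2  /* tcp checksum: "payload load 2b @ transport header + 16" */

/* Simplified interval element: a closed range [from, to] kept as raw
 * bytes, the same representation the packet register holds. */
struct elem {
	uint8_t from[KEY_LEN];
	uint8_t to[KEY_LEN];
};

/* Big-endian (network) encoding: what the set should contain,
 * matching "element 00000016" for 22 in the fixed dump. */
static void put_be16(uint8_t out[KEY_LEN], uint16_t v)
{
	out[0] = (uint8_t)(v >> 8);
	out[1] = (uint8_t)(v & 0xff);
}

/* Byte-swapped encoding: what a little-endian host writes when the
 * value is not converted, matching "element 00001600" for 22. */
static void put_le16(uint8_t out[KEY_LEN], uint16_t v)
{
	out[0] = (uint8_t)(v & 0xff);
	out[1] = (uint8_t)(v >> 8);
}

/* Interval membership decided by lexicographic byte comparison, which
 * orders keys numerically only when they are big-endian. */
static int elem_contains(const struct elem *e, const uint8_t key[KEY_LEN])
{
	return memcmp(key, e->from, KEY_LEN) >= 0 &&
	       memcmp(key, e->to, KEY_LEN) <= 0;
}

static struct elem make_range(uint16_t from, uint16_t to, int big_endian)
{
	struct elem e;

	if (big_endian) {
		put_be16(e.from, from);
		put_be16(e.to, to);
	} else {
		put_le16(e.from, from);
		put_le16(e.to, to);
	}
	return e;
}

/* Does a packet whose TCP checksum field holds `csum` match
 * "tcp checksum {22-55}"? The packet field is always big-endian;
 * `elements_big_endian` selects how the set elements were stored. */
int checksum_in_set(uint16_t csum, int elements_big_endian)
{
	struct elem range = make_range(22, 55, elements_big_endian);
	uint8_t reg[KEY_LEN];

	put_be16(reg, csum);	/* the 2 bytes loaded into reg 1 */
	return elem_contains(&range, reg);
}

/* How many of the 65536 possible checksum values the rule matches. */
int count_set_matches(int elements_big_endian)
{
	int n = 0;
	uint32_t v;

	for (v = 0; v <= 0xffff; v++)
		n += checksum_in_set((uint16_t)v, elements_big_endian);
	return n;
}

int main(void)
{
	printf("big-endian elements: checksum 32 matches=%d, values matched=%d\n",
	       checksum_in_set(32, 1), count_set_matches(1));
	printf("unconverted elements: checksum 32 matches=%d, values matched=%d\n",
	       checksum_in_set(32, 0), count_set_matches(0));
	return 0;
}
```

With big-endian elements the rule matches exactly the 34 values 22..55. With the unconverted elements the bytes 16 00 .. 37 00 sort as 0x1600..0x3700, so none of 22..55 match while 8449 unrelated checksum values do: a firewall rule that silently selects the wrong packets, which is why the element byteorder has to follow the key's byteorder rather than the host's.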
Thread overview:
2014-08-04 16:00 [nft PATCH 0/5] Changes in nft byteorder conversions Alvaro Neira Ayuso
2014-08-04 16:00 ` [nft PATCH 1/5] payload: fix update context with wrong byteorder Alvaro Neira Ayuso
2014-08-16 14:17 ` Patrick McHardy
2014-08-04 16:00 ` [nft PATCH 2/5] payload: generate dependency in the correct byteorder Alvaro Neira Ayuso
2014-08-16 14:19 ` Patrick McHardy
2014-08-04 16:00 ` [nft PATCH 3/5 v3] src: fix byteorder conversions in constant values Alvaro Neira Ayuso
2014-08-16 14:45 ` Patrick McHardy
2014-08-04 16:00 ` [nft PATCH 4/5 v2] src: fix byteorder conversions in range values Alvaro Neira Ayuso
2014-08-04 16:00 ` Alvaro Neira Ayuso [this message]
2014-08-04 16:15 ` [nft PATCH 5/5 v2] src: fix byteorder conversions in sets Patrick McHardy