From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH 05/12] src: netlink_linearize: handle sub-byte lengths
Date: Sun, 16 Aug 2015 21:05:48 +0200
Message-ID: <1439751955-31190-6-git-send-email-fw@strlen.de>
In-Reply-To: <1439751955-31190-1-git-send-email-fw@strlen.de>

Currently length is expr->len / BITS_PER_BYTE, i.e. expr->len
has to be a multiple of 8.

When core asks for e.g. '9 bits', we truncate this to 8.
Round up to 16 and inject a 9-bit mask to zero out the parts we're not
interested in.

This will also need a change to the delinearization step to
remove the extra op when dumping rules from kernel.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/netlink_linearize.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index bf1e56b..0467872 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -99,6 +99,44 @@ static void netlink_gen_concat(struct netlink_linearize_ctx *ctx,
 	}
 }
 
+static void netlink_gen_payload_mask(struct netlink_linearize_ctx *ctx,
+				     const struct expr *expr,
+				     enum nft_registers dreg)
+{
+	struct nft_data_linearize nld, zero = {};
+	struct nft_rule_expr *nle;
+	unsigned int offset, len, masklen;
+	mpz_t mask;
+
+	offset = expr->payload.offset % BITS_PER_BYTE;
+	masklen = expr->len + offset;
+
+	if (masklen > 128)
+		BUG("expr mask length is %u (len %u, offset %u)\n",
+				masklen, expr->len, offset);
+
+	mpz_init2(mask, masklen);
+	mpz_bitmask(mask, expr->len);
+
+	if (offset)
+		mpz_lshift_ui(mask, offset);
+
+	nle = alloc_nft_expr("bitwise");
+
+	len = div_round_up(expr->len, BITS_PER_BYTE);
+
+	nft_rule_expr_set_u32(nle, NFT_EXPR_BITWISE_SREG, dreg);
+	nft_rule_expr_set_u32(nle, NFT_EXPR_BITWISE_DREG, dreg);
+	nft_rule_expr_set_u32(nle, NFT_EXPR_BITWISE_LEN, len);
+
+	netlink_gen_raw_data(mask, expr->byteorder, len, &nld);
+	nft_rule_expr_set(nle, NFT_EXPR_BITWISE_MASK, nld.value, nld.len);
+	nft_rule_expr_set(nle, NFT_EXPR_BITWISE_XOR, &zero.value, nld.len);
+
+	mpz_clear(mask);
+	nft_rule_add_expr(ctx->nlr, nle);
+}
+
 static void netlink_gen_payload(struct netlink_linearize_ctx *ctx,
 				const struct expr *expr,
 				enum nft_registers dreg)
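Review bot: in netlink_gen_payload_mask(), `len = div_round_up(expr->len, BITS_PER_BYTE)` ignores `offset`, although the mask is sized for `masklen = expr->len + offset` bits and then shifted left by `offset`. For a field of 6 bits at bit offset 4 the shifted mask occupies 10 bits while len is 1 byte, so both NFT_EXPR_BITWISE_LEN and the length handed to netlink_gen_raw_data() are too short for the mask. Suggest deriving len from masklen, i.e. `div_round_up(masklen, BITS_PER_BYTE)`. Minor: `&zero.value` could be `zero.value` to match how `nld.value` is passed on the line above, and a short comment above the function stating that it clears the bits outside the requested field would help readers of the generated bitwise expression.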
@@ -111,9 +149,14 @@ static void netlink_gen_payload(struct netlink_linearize_ctx *ctx,
 			      expr->payload.base - 1);
 	nft_rule_expr_set_u32(nle, NFT_EXPR_PAYLOAD_OFFSET,
 			      expr->payload.offset / BITS_PER_BYTE);
+
 	nft_rule_expr_set_u32(nle, NFT_EXPR_PAYLOAD_LEN,
-			      expr->len / BITS_PER_BYTE);
+			      div_round_up(expr->len, BITS_PER_BYTE));
+
 	nft_rule_add_expr(ctx->nlr, nle);
+
+	if (expr->len % BITS_PER_BYTE)
+		netlink_gen_payload_mask(ctx, expr, dreg);
 }
 
 static void netlink_gen_exthdr(struct netlink_linearize_ctx *ctx,
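Review bot: the new `if (expr->len % BITS_PER_BYTE)` test and the NFT_EXPR_PAYLOAD_LEN computation both look only at expr->len, while NFT_EXPR_PAYLOAD_OFFSET is still truncated with `expr->payload.offset / BITS_PER_BYTE`. A field whose length is a multiple of 8 but which starts at a non-zero bit offset gets no mask, and a field that straddles a byte boundary because of its offset is loaded with too few bytes. Suggest computing the load length from `(expr->payload.offset % BITS_PER_BYTE) + expr->len` and testing the offset remainder as well before skipping the mask, or saying in the commit message where unaligned offsets are handled. The two blank lines added around the PAYLOAD_LEN call are unrelated whitespace changes and could be dropped.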
-- 
2.0.5

