From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nft 05/12] evaluate: handle payload matching split in two bytes
Date: Wed, 11 May 2016 23:05:09 +0200
Message-ID: <1463000716-11885-5-git-send-email-pablo@netfilter.org>
In-Reply-To: <1463000716-11885-1-git-send-email-pablo@netfilter.org>

When the bits are split between two bytes and the payload field is
smaller than one byte, we need to extend the expression length on both
sides (payload and constant) of the relational expression.

The existing trimming from the delinearization step handles the listing
for us, so no changes on that front.

This patch allows us to match the IPv6 DSCP field which falls into the
case that is described above.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index ab73261..fcd4ecd 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -362,7 +362,8 @@ conflict_resolution_gen_dependency(struct eval_ctx *ctx, int protocol,
return 0;
}
-static uint8_t expr_offset_shift(const struct expr *expr, unsigned int offset)
+static uint8_t expr_offset_shift(const struct expr *expr, unsigned int offset,
+ unsigned int *extra_len)
{
unsigned int new_offset, len;
int shift;
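Review bot: the new `extra_len` out-parameter on expr_offset_shift() is undocumented. Nothing at the declaration says that it is a length in bits, nor that the function adds to it rather than assigning it, so every caller has to pass a zero-initialised variable. A one-line comment above the function stating both would prevent a future caller from passing an uninitialised or reused counter.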
@@ -370,34 +371,38 @@ static uint8_t expr_offset_shift(const struct expr *expr, unsigned int offset)
new_offset = offset % BITS_PER_BYTE;
len = round_up(expr->len, BITS_PER_BYTE);
shift = len - (new_offset + expr->len);
- assert(shift >= 0);
-
+ while (shift < 0) {
+ shift += BITS_PER_BYTE;
+ *extra_len += BITS_PER_BYTE;
+ }
return shift;
}
static void expr_evaluate_bits(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *expr = *exprp, *and, *mask, *lshift, *off;
- unsigned masklen;
+ unsigned masklen, len = expr->len, extra_len = 0;
uint8_t shift;
mpz_t bitmask;
switch (expr->ops->type) {
case EXPR_PAYLOAD:
- shift = expr_offset_shift(expr, expr->payload.offset);
+ shift = expr_offset_shift(expr, expr->payload.offset,
+ &extra_len);
break;
case EXPR_EXTHDR:
- shift = expr_offset_shift(expr, expr->exthdr.tmpl->offset);
+ shift = expr_offset_shift(expr, expr->exthdr.tmpl->offset,
+ &extra_len);
break;
default:
BUG("Unknown expression %s\n", expr->ops->name);
}
- masklen = expr->len + shift;
+ masklen = len + shift;
assert(masklen <= NFT_REG_SIZE * BITS_PER_BYTE);
mpz_init2(bitmask, masklen);
- mpz_bitmask(bitmask, expr->len);
+ mpz_bitmask(bitmask, len);
mpz_lshift_ui(bitmask, shift);
mask = constant_expr_alloc(&expr->location, expr_basetype(expr),
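Review bot: the `while (shift < 0)` loop in expr_offset_shift() can run at most once, so an `if` would state the intent more honestly. `len` is `round_up(expr->len, BITS_PER_BYTE)` and `new_offset` is `offset % BITS_PER_BYTE`, which gives `shift >= -(BITS_PER_BYTE - 1)` before the loop. Since the old `assert(shift >= 0)` is dropped, consider keeping a sanity check after the adjustment (for example asserting that shift is below BITS_PER_BYTE) because the value is returned as a `uint8_t`. The `+=` on `*extra_len` is safe here only because expr_evaluate_bits() initialises `extra_len = 0`.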
@@ -423,6 +428,9 @@ static void expr_evaluate_bits(struct eval_ctx *ctx, struct expr **exprp)
*exprp = lshift;
} else
*exprp = and;
+
+ if (extra_len)
+ expr->len += extra_len;
}
static int __expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **exprp)
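Review bot: the `expr->len += extra_len;` at the end of expr_evaluate_bits() needs a comment, because by this point `*exprp` has already been replaced with the `and` or `lshift` expression, so the statement widens the nested payload/exthdr expression and not the expression the caller now holds. The commit message says the length is extended on both the payload and the constant side, but only the payload side is visible in this hunk; a short comment saying where the constant side picks up the new length would make that reviewable. The `if (extra_len)` guard is also redundant, since adding zero is a no-op.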
--
2.1.4
Thread overview: 12+ messages
2016-05-11 21:05 [PATCH nft 01/12] evaluate: transfer right shifts to constant side Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 02/12] evaluate: transfer right shifts to range side Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 03/12] evaluate: transfer right shifts to set reference side Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 04/12] src: move payload sub-byte matching to the evaluation step Pablo Neira Ayuso
2016-05-11 21:05 ` Pablo Neira Ayuso [this message]
2016-05-11 21:05 ` [PATCH nft 06/12] proto: update IPv6 flowlabel offset and length according to RFC2460 Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 07/12] proto: remove priority field definition from IPv6 header Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 08/12] src: add dscp support Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 09/12] src: add ecn support Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 10/12] tests/py: add missing netdev ip dscp payload tests Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 11/12] tests/py: fix fragment-offset field Pablo Neira Ayuso
2016-05-11 21:05 ` [PATCH nft 12/12] tests/py: fix payload of dccp type in set elements Pablo Neira Ayuso