From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [nft PATCH 6/7] netlink: make checksum fixup work with odd-sized header fields
Date: Wed, 27 Jul 2016 02:43:15 +0200
Message-ID: <1469580196-2100-7-git-send-email-fw@strlen.de>
In-Reply-To: <1469580196-2100-1-git-send-email-fw@strlen.de>

The kernel checksum functions want even-sized lengths except for
the last block at the end of the data.

This means that
  nft --debug=netlink add rule filter output ip ecn set 1
must generate a two byte read and a two byte write:

  [ payload load 2b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ]
  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 ]

Otherwise, while a one-byte write is enough, the kernel will
generate invalid checksums (unless checksum is offloaded).

Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/evaluate.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index e6d4642..eca46f7 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1606,14 +1606,24 @@ static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt)
return 0;
}
+static bool stmt_evaluate_payload_need_csum(const struct expr *payload)
+{
+ const struct proto_desc *desc;
+
+ desc = payload->payload.desc;
+
+ return desc && desc->checksum_key;
+}
+
static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt)
{
struct expr *binop, *mask, *and, *payload_bytes;
unsigned int masklen, extra_len = 0;
- unsigned int payload_byte_size;
+ unsigned int payload_byte_size, payload_byte_offset;
uint8_t shift_imm, data[16];
struct expr *payload;
mpz_t bitmask, ff;
+ bool need_csum;
if (__expr_evaluate_payload(ctx, stmt->payload.expr) < 0)
return -1;
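Review bot: stmt_evaluate_payload_need_csum() has no comment saying what a true result means for the caller. The name only suggests that a checksum exists, while stmt_evaluate_payload() uses it to decide whether the load and write must be widened to an even byte count. A one-line comment above the helper stating that, and that a NULL desc yields false, would save readers from inferring it from checksum_key.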
@@ -1623,10 +1633,18 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt)
&stmt->payload.val) < 0)
return -1;
+ need_csum = stmt_evaluate_payload_need_csum(payload);
+
/* Normal case: byte sized and byte aligned */
if (payload->payload.offset % BITS_PER_BYTE == 0 &&
- payload->len % BITS_PER_BYTE == 0)
- return 0;
+ payload->len % BITS_PER_BYTE == 0) {
+
+ if (!need_csum || ((payload->len / BITS_PER_BYTE) & 1) == 0)
+ return 0;
+ /* Can't deal with odd checksum fixup in kernel */
+ }
+
+ payload_byte_offset = payload->payload.offset / BITS_PER_BYTE;
shift_imm = expr_offset_shift(payload, payload->payload.offset, &extra_len);
if (shift_imm) {
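Review bot: in the "Normal case" branch the if body now ends in a bare comment and falls through into the sub-byte path, which is easy to misread as a missing return. "Can't deal with odd checksum fixup in kernel" gives the reason but not the consequence; say explicitly that byte-aligned fields with an odd byte count continue below so the access can be widened to an even size. The blank line after the opening brace can go as well.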
@@ -1647,6 +1665,16 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt)
payload_byte_size = round_up(payload->len, BITS_PER_BYTE) / BITS_PER_BYTE;
payload_byte_size += (extra_len / BITS_PER_BYTE);
+
+ if (need_csum && payload_byte_size & 1) {
+ payload_byte_size++;
+
+ if (payload_byte_offset & 1) { /* prefer 16bit aligned fetch */
+ payload_byte_offset--;
+ assert(payload->payload.offset >= BITS_PER_BYTE);
+ }
+ }
+
masklen = payload_byte_size * BITS_PER_BYTE;
mpz_init_bitmask(ff, masklen);
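Review bot: shift_imm is computed from the original field before this block grows payload_byte_size, and only the odd-offset branch adjusts anything (payload_byte_offset--). When payload_byte_offset is even the extra byte is appended after the field, so the field no longer sits at the low-order end of the loaded bytes, yet nothing visible here shifts the value or mask by a further BITS_PER_BYTE for that case. Please confirm it is handled or add an else branch, and cover a byte-aligned odd-sized field at an even offset in the tests. Separately, the assert() cannot fire: payload_byte_offset & 1 already implies payload->payload.offset >= BITS_PER_BYTE, and it sits after the decrement it is meant to guard.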
@@ -1664,7 +1692,7 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt)
payload_bytes = payload_expr_alloc(&payload->location, NULL, 0);
payload_init_raw(payload_bytes, payload->payload.base,
- (payload->payload.offset / BITS_PER_BYTE) * BITS_PER_BYTE,
+ payload_byte_offset * BITS_PER_BYTE,
payload_byte_size * BITS_PER_BYTE);
payload_bytes->payload.desc = payload->payload.desc;
--
2.7.3
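
A model of the failure the commit message describes, added here as an example; it is not code from nft or the kernel. It assumes the checksum fixup sums the old and new field bytes as standalone blocks, and the names ones_sum, ip_csum_full and fixup_matches and the sample header are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 sum of a standalone block: a trailing odd byte is the HIGH byte of its word. */
static uint32_t ones_sum(const uint8_t *p, size_t len)
{
	uint32_t sum = 0;
	size_t i;
	for (i = 0; i + 1 < len; i += 2)
		sum += (uint32_t)p[i] << 8 | p[i + 1];
	if (len & 1)
		sum += (uint32_t)p[len - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return sum;
}

/* Full IPv4 header checksum with the checksum field (bytes 10-11) zeroed. */
static uint16_t ip_csum_full(const uint8_t *hdr)
{
	uint8_t tmp[20];
	memcpy(tmp, hdr, sizeof(tmp));
	tmp[10] = tmp[11] = 0;
	return (uint16_t)~ones_sum(tmp, sizeof(tmp));
}

/* Set ECN (low two bits of byte 1) via a `width`-byte write at byte `off`, patch the
 * checksum as HC' = ~(~HC + ~m + m') (RFC 1624); return 1 if it equals a full recompute. */
static int fixup_matches(size_t off, size_t width, uint8_t ecn)
{
	/* Constructed header: 192.0.2.1 -> 192.0.2.2, TTL 64, ICMP, checksum unset. */
	uint8_t hdr[20] = { 0x45, 0x00, 0x00, 0x54, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x01,
			    0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02 };
	uint16_t hc = ip_csum_full(hdr);
	uint32_t m = ones_sum(hdr + off, width), m2, sum; /* m: old bytes, summed alone */
	hdr[1] = (uint8_t)((hdr[1] & 0xfc) | (ecn & 3));
	m2 = ones_sum(hdr + off, width);                  /* m2: new bytes, summed alone */
	sum = (uint32_t)(uint16_t)~hc + (uint16_t)~m + m2;
	sum = (sum & 0xffff) + (sum >> 16);
	sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum == ip_csum_full(hdr);
}

int main(void)
{
	printf("2b @ 0 ok=%d, 1b @ 1 ok=%d\n", fixup_matches(0, 2, 1), fixup_matches(1, 1, 1));
	return 0;
}
```

The one-byte write at offset 1 fails because the lone byte is summed as the high-order half of a word while it occupies the low-order half of word 0 in the header.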