From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nftables 5/9] src: add host byte order integer type
Date: Mon, 6 Feb 2017 19:17:27 +0100 [thread overview]
Message-ID: <20170206181727.GA19350@salvia> (raw)
In-Reply-To: <20170206173110.GA18703@salvia>
[-- Attachment #1: Type: text/plain, Size: 1056 bytes --]
On Mon, Feb 06, 2017 at 06:31:10PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote:
> > diff --git a/include/datatype.h b/include/datatype.h
> > index 9f127f2954e3..8c1c827253be 100644
> > --- a/include/datatype.h
> > +++ b/include/datatype.h
> > @@ -82,6 +82,7 @@ enum datatypes {
> > TYPE_DSCP,
> > TYPE_ECN,
> > TYPE_FIB_ADDR,
> > + TYPE_U32,
> > __TYPE_MAX
> > };
> > #define TYPE_MAX (__TYPE_MAX - 1)
>
> Right, this is a real problem with host byteorder integer, the
> bytecode that we generate is not correct.
>
> I have a patch to avoid this, it's still incomplete. I'm attaching it.
>
> Note this is still incomplete, since this doesn't solve the netlink
> delinearize path. We can use the NFT_SET_USERDATA area and the tlv
> infrastructure that Carlos made in summer to store this
> metainformation that is only useful to
>
> This shouldn't be a showstopper to get kernel patches in, we have a
> bit of time ahead to solve this userspace issue.
Forgot attachment, here it comes.
[-- Attachment #2: 0001-evaluate-store-byteorder-for-set-keys-patch --]
[-- Type: text/plain, Size: 4245 bytes --]
>From 52594fb4130560e2072524193296019d209e3bf8 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 6 Sep 2016 19:49:05 +0200
Subject: [PATCH] evaluate: store byteorder for set keys
Selectors that rely on the integer type and expect host endian
byteorder don't work properly.
We need to keep the byteorder around based on the left hand size
expression that provides the context, so store the byteorder when
evaluating the map.
Before this patch.
# nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 }
__map%d x b
__map%d x 0
element 00000000 : 00000001 0 [end] element 01000000 : 00000002 0 [end]
^^^^^^^^
This is expressed in network byteorder, because the invalid byteorder
defaults on this.
After this patch:
# nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 }
__map%d x b
__map%d x 0
element 00000000 : 00000001 0 [end] element 00000001 : 00000002 0 [end]
^^^^^^^^
This is in host byteorder, as the key selector in the map mandates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/rule.h | 3 +++
src/evaluate.c | 23 +++++++++++++++--------
2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index 99e92ee..ae9e462 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -209,6 +209,8 @@ enum set_flags {
SET_F_EVAL = 0x20,
};
+#include <datatype.h>
+
/**
* struct set - nftables set
*
@@ -237,6 +239,7 @@ struct set {
uint64_t timeout;
const struct datatype *keytype;
unsigned int keylen;
+ enum byteorder keybyteorder;
const struct datatype *datatype;
unsigned int datalen;
struct expr *init;
diff --git a/src/evaluate.c b/src/evaluate.c
index 45af329..b64dfc1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -63,6 +63,7 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx,
const char *name,
const struct datatype *keytype,
unsigned int keylen,
+ enum byteorder byteorder,
struct expr *expr)
{
struct cmd *cmd;
@@ -70,11 +71,12 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx,
struct handle h;
set = set_alloc(&expr->location);
- set->flags = SET_F_ANONYMOUS | expr->set_flags;
- set->handle.set = xstrdup(name),
- set->keytype = keytype;
- set->keylen = keylen;
- set->init = expr;
+ set->flags = SET_F_ANONYMOUS | expr->set_flags;
+ set->handle.set = xstrdup(name),
+ set->keytype = keytype;
+ set->keylen = keylen;
+ set->keybyteorder = byteorder;
+ set->init = expr;
if (ctx->table != NULL)
list_add_tail(&set->list, &ctx->table->sets);
@@ -1104,7 +1106,9 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
case EXPR_SET:
mappings = implicit_set_declaration(ctx, "__map%d",
ctx->ectx.dtype,
- ctx->ectx.len, mappings);
+ ctx->ectx.len,
+ ctx->ectx.byteorder,
+ mappings);
mappings->set->datatype = ectx.dtype;
mappings->set->datalen = ectx.len;
@@ -1159,7 +1163,8 @@ static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
if (!(set->flags & SET_F_MAP))
return set_error(ctx, set, "set is not a map");
- expr_set_context(&ctx->ectx, set->keytype, set->keylen);
+ __expr_set_context(&ctx->ectx, set->keytype, set->keybyteorder,
+ set->keylen, 0);
if (expr_evaluate(ctx, &mapping->left) < 0)
return -1;
if (!expr_is_constant(mapping->left))
@@ -1443,6 +1448,7 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
right = rel->right =
implicit_set_declaration(ctx, "__set%d",
left->dtype,
+ left->byteorder,
left->len, right);
break;
case EXPR_SET_REF:
@@ -1818,7 +1824,8 @@ static int stmt_evaluate_flow(struct eval_ctx *ctx, struct stmt *stmt)
set->set_flags |= SET_F_TIMEOUT;
setref = implicit_set_declaration(ctx, stmt->flow.table ?: "__ft%d",
- key->dtype, key->len, set);
+ key->dtype, key->dtype->byteorder,
+ key->len, set);
stmt->flow.set = setref;
--
2.1.4
next prev parent reply other threads:[~2017-02-06 18:17 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-03 12:35 [PATCH -next 0/9] nftables: add zone support to ct statement Florian Westphal
2017-02-03 12:35 ` [PATCH nf-next 1/9] netfilter: nft_ct: add zone id get support Florian Westphal
2017-02-08 9:28 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nf-next 2/9] netfilter: nft_ct: prepare for key-dependent error unwind Florian Westphal
2017-02-08 9:29 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nf-next 3/9] netfilter: nft_ct: add zone id set support Florian Westphal
2017-02-08 9:29 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH libnftnl 4/9] src: ct: add zone support Florian Westphal
2017-02-19 19:22 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nftables 5/9] src: add host byte order integer type Florian Westphal
2017-02-06 17:31 ` Pablo Neira Ayuso
2017-02-06 18:17 ` Pablo Neira Ayuso [this message]
2017-02-06 22:33 ` Florian Westphal
2017-02-07 11:58 ` Pablo Neira Ayuso
2017-02-07 12:29 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nftables 6/9] src: add conntrack zone support Florian Westphal
2017-02-03 12:35 ` [PATCH nftables 7/9] ct: refactor print function so it can be re-used for ct statement Florian Westphal
2017-02-03 12:35 ` [PATCH nftables 8/9] src: support zone set statement with optional direction Florian Westphal
2017-02-03 12:35 ` [PATCH nftables 9/9] tests: add test entries for conntrack zones Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170206181727.GA19350@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).