From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 5/8] payload: add basic infrastructure to keep some dependencies
Date: Fri, 27 Oct 2017 01:06:08 +0200
Message-ID: <20171026230611.14269-6-fw@strlen.de>
In-Reply-To: <20171026230611.14269-1-fw@strlen.de>

All the errors highlighted by the new test cases are because our current
dependency removal scheme is too trigger-happy.

Add infrastructure to do extra checks to see if the dependency can really
be removed.

This change has no effect because the new pdep_is_redundant() function
always returns true.

The next patch changes the default to false (keep dependency).

The split is to clarify infrastructure vs. conditions that need to be met
for a dependency to be okay.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/payload.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

diff --git a/src/payload.c b/src/payload.c
index 12d359fd1738..9cb8c6144d70 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -468,6 +468,63 @@ static enum proto_bases expr_to_base(const struct expr *expr)
 	return PROTO_BASE_INVALID;
 }
 
+static bool get_relop_base(const struct stmt *stmt,
+			   enum proto_bases *base)
+{
+	const struct expr *lhs, *rel;
+
+	if (stmt->ops->type != STMT_EXPRESSION)
+		return false;
+
+	rel = stmt->expr;
+	if (rel->ops->type != EXPR_RELATIONAL)
+		return false;
+
+	lhs = rel->left;
+	if ((lhs->flags & EXPR_F_PROTOCOL) == 0)
+		return false;
+
+	*base = expr_to_base(lhs);
+	return *base != PROTO_BASE_INVALID;
+}
+
+/*
+ * For INET/BRIDGE/NETDEV families extra care needs to be taken before
+ * removing a dependency, it might restrict the l3 protocol.  Examples:
+ *
+ * ip protocol tcp tcp dport 22
+ *
+ * In bridge/inet/netdev case, this rule only matches tcp/ipv4 so the
+ * l3 dependency cannot be removed.
+ *
+ * ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
+ *
+ * This only matches ipv6-icmp in ipv4, so 'ip protocol' must not be
+ * removed either.
+ */
+static bool pdep_is_redundant(struct payload_dep_ctx *pdctx,
+			      const struct proto_ctx *pctx,
+			      enum proto_bases base)
+{
+	const struct proto_desc *proto, *proto_upper;
+	const struct stmt *stmt = pdctx->pdep;
+	unsigned int family = pctx->family;
+	enum proto_bases depbase;
+
+	if (family == NFPROTO_IPV4 || family == NFPROTO_IPV6)
+		return true;
+
+	if (!get_relop_base(stmt, &depbase))
+		return true;
+
+	proto = pctx->protocol[depbase].desc;
+	proto_upper = pctx->protocol[base].desc;
+	if (proto == proto_upper)
+		return true;
+
+	return true;
+}
+
 /**
  * __payload_dependency_kill - kill a redundant payload depedency
  *
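Review bot: in pdep_is_redundant() the `if (proto == proto_upper) return true;` branch is dead, because the function unconditionally returns true right after it; the commit message says the always-true default is deliberate and that 6/8 flips it, but a short comment at the final `return true;` (e.g. `/* placeholder, next patch keeps the dependency by default */`) would stop a reader of this intermediate state from mistaking the comparison for the finished check. Two smaller points on the same hunk: get_relop_base() dereferences stmt->ops->type without a NULL check, so it relies on the caller having already verified pdctx->pdep != NULL, which the second hunk does via short-circuit ordering; and the existing kernel-doc header above __payload_dependency_kill has a typo ("depedency") that could be fixed while this area is being touched.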
@@ -484,7 +541,8 @@ void __payload_dependency_kill(struct payload_dep_ctx *pdctx,
 {
 	if (pdctx->pbase != PROTO_BASE_INVALID &&
 	    pdctx->pbase == base &&
-	    pdctx->pdep != NULL) {
+	    pdctx->pdep != NULL &&
+	    pdep_is_redundant(pdctx, pctx, base)) {
 		list_del(&pdctx->pdep->list);
 		stmt_free(pdctx->pdep);
 
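Review bot: the kernel-doc comment for __payload_dependency_kill() should be updated to say that the dependency statement is now only removed when pdep_is_redundant() agrees, since the function's contract changes here; the ordering of the new condition is correct, as `pdctx->pdep != NULL` is evaluated before pdep_is_redundant() reads pdctx->pdep. This hunk also depends on pctx being available in this function, which the series introduces in 4/8 ("pass proto_ctx to payload_dependency_kill"), so the patch order must be preserved when applying.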
-- 
2.13.6


Thread overview: 16+ messages
2017-10-26 23:06 [PATCH nft 0/8] rework dependency removal Florian Westphal
2017-10-26 23:06 ` [PATCH nft 1/8] tests: adjust output to silence warnings Florian Westphal
2017-10-27 10:29   ` Pablo Neira Ayuso
2017-10-27 12:41     ` Florian Westphal
2017-10-27 12:52     ` Florian Westphal
2017-10-27 14:07       ` Pablo Neira Ayuso
2017-10-27 18:03         ` Florian Westphal
2017-10-26 23:06 ` [PATCH nft 2/8] src: remove exthdr_dependency_kill Florian Westphal
2017-10-26 23:06 ` [PATCH nft 3/8] src: add and use payload_dependency_update helper Florian Westphal
2017-10-26 23:06 ` [PATCH nft 4/8] src: pass proto_ctx to payload_dependency_kill Florian Westphal
2017-10-26 23:06 ` Florian Westphal [this message]
2017-10-26 23:06 ` [PATCH nft 6/8] payload: keep dependencies that enforce a specific l3 protocol Florian Westphal
2017-10-26 23:06 ` [PATCH nft 7/8] payload: consider expression type during dependency removal Florian Westphal
2017-10-26 23:06 ` [PATCH nft 8/8] tests: silence test case Florian Westphal
2017-10-27 10:39 ` [PATCH nft 0/8] rework dependency removal Pablo Neira Ayuso
2017-10-27 12:46   ` Florian Westphal
