netfilter-devel.vger.kernel.org archive mirror
* [nftables] vmap and bit-sized headers
@ 2018-01-11 15:30 Florian Westphal
  2018-01-11 15:30 ` [PATCH nft] netlink_linearize: exthdr op must be u32 Florian Westphal
                   ` (5 more replies)
  0 siblings, 6 replies; 8+ messages in thread
From: Florian Westphal @ 2018-01-11 15:30 UTC (permalink / raw)
  To: netfilter-devel

nftables doesn't support vmap with bit-sized headers, such as flow label or dscp:

nft add rule ip filter input ip dscp vmap \{ 4 : accept, 63 : continue \}
BUG: invalid binary operation 5

Unlike plain 'ip dscp { ..' we do not have a relational operation,
so binop_transfer() is never invoked to fix up the shifts.

I tried to fix this without success, this is the best I could come up with.
Please consider this a bug report only, although I am reasonably sure the
first 2 patches are correct.



^ permalink raw reply	[flat|nested] 8+ messages in thread
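The shift fixup that the cover letter says is skipped for vmap, as an added example (not code from nft or from this series): the right shift is moved from the payload side onto each map key, and the results are compared with the element words in the 5/5 test payloads. `struct bitfield`, `transfer_key`, `transfer_range`, `dump_word` and `mismatches` are hypothetical names, and the dump byte order is modelled as the network-order bytes read as a little-endian 32-bit word.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a bit-sized header field; not nft's struct expr. */
struct bitfield {
	unsigned int nbytes;	/* bytes loaded from the packet */
	uint32_t mask;		/* field bits within the loaded network-order value */
	unsigned int shift;	/* right shift that aligns the field to bit 0 */
};

/* Masks correspond to the "bitwise" lines in the test payloads of this thread. */
static const struct bitfield IP_DSCP  = { 1, 0xfc, 2 };
static const struct bitfield IP6_DSCP = { 2, 0x0fc0, 6 };
static const struct bitfield IP6_FLOW = { 3, 0x0fffff, 0 };

/* Move the shift from the payload side onto a constant key.
 * Returns 1 and stores the shifted key, or 0 when the key has bits
 * that do not fit in the field (such a key could never match). */
static int transfer_key(const struct bitfield *f, uint32_t key, uint32_t *out)
{
	uint32_t shifted = key << f->shift;

	if ((shifted >> f->shift) != key || (shifted & ~f->mask))
		return 0;
	*out = shifted;
	return 1;
}

/* A range key is transferred by shifting both ends. */
static int transfer_range(const struct bitfield *f, uint32_t lo, uint32_t hi,
			  uint32_t *olo, uint32_t *ohi)
{
	return lo <= hi && transfer_key(f, lo, olo) && transfer_key(f, hi, ohi);
}

/* Hex word as it appears in the payload dumps: the nbytes network-order
 * bytes of v, read back as a little-endian 32-bit word (assumption). */
static uint32_t dump_word(const struct bitfield *f, uint32_t v)
{
	uint32_t w = 0;
	unsigned int i;

	for (i = 0; i < f->nbytes; i++)
		w |= ((v >> (8 * (f->nbytes - 1 - i))) & 0xff) << (8 * i);
	return w;
}

/* Count loaded values for which "(load & mask) >> shift == key" and
 * "(load & mask) == transferred key" disagree; 0 means equivalent. */
static unsigned int mismatches(const struct bitfield *f, uint32_t key)
{
	uint32_t load, tkey, limit = 1u << (8 * f->nbytes);
	unsigned int bad = 0;

	if (!transfer_key(f, key, &tkey))
		return ~0u;
	for (load = 0; load < limit; load++) {
		int on_payload = ((load & f->mask) >> f->shift) == key;
		int on_key = (load & f->mask) == tkey;

		bad += (on_payload != on_key);
	}
	return bad;
}

int main(void)
{
	uint32_t k;

	if (transfer_key(&IP_DSCP, 0x08, &k))	/* cs1 */
		printf("ip dscp cs1   -> element %08x\n",
		       (unsigned int)dump_word(&IP_DSCP, k));
	if (transfer_key(&IP6_DSCP, 0x3f, &k))
		printf("ip6 dscp 0x3f -> element %08x\n",
		       (unsigned int)dump_word(&IP6_DSCP, k));
	printf("ip6 dscp mask -> %08x\n",
	       (unsigned int)dump_word(&IP6_DSCP, IP6_DSCP.mask));
	return 0;
}
```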

* [PATCH nft] netlink_linearize: exthdr op must be u32
  2018-01-11 15:30 [nftables] vmap and bit-sized headers Florian Westphal
@ 2018-01-11 15:30 ` Florian Westphal
  2018-01-15 11:00   ` Pablo Neira Ayuso
  2018-01-11 15:30 ` [PATCH nft 1/5] src: segtree: use value expression length Florian Westphal
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 8+ messages in thread
From: Florian Westphal @ 2018-01-11 15:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

libnftnl casts this to u32. Broke exthdr expressions on bigendian.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/netlink_linearize.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index cf6ffdb05ebf..99a4dde22adb 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -178,7 +178,7 @@ static void netlink_gen_exthdr(struct netlink_linearize_ctx *ctx,
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE);
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN,
 			   div_round_up(expr->len, BITS_PER_BYTE));
-	nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
+	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_FLAGS, expr->exthdr.flags);
 	nftnl_rule_add_expr(ctx->nlr, nle);
 }
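Review bot: the NFTNL_EXPR_EXTHDR_OP line fixes a setter width that the commit message says broke big-endian hosts, but there is no Fixes: tag naming the commit that introduced the nftnl_expr_set_u8() call. Add one so the change can be backported, and check the other nftnl_expr_set_u8() callers in this file for attributes that the library handles as u32.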
@@ -839,7 +839,7 @@ static void netlink_gen_exthdr_stmt(struct netlink_linearize_ctx *ctx,
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE);
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN,
 			   div_round_up(expr->len, BITS_PER_BYTE));
-	nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
+	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
 	nftnl_rule_add_expr(ctx->nlr, nle);
 }
 
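Review bot: netlink_gen_exthdr_stmt() sets OFFSET, LEN and OP but, unlike netlink_gen_exthdr() in the previous hunk, never sets NFTNL_EXPR_EXTHDR_FLAGS before nftnl_rule_add_expr(). If the statement form is meant to ignore expr->exthdr.flags, a one-line comment here would say so; otherwise the same "nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_FLAGS, expr->exthdr.flags);" line belongs in this function too.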
-- 
2.13.6



* [PATCH nft 1/5] src: segtree: use value expression length
  2018-01-11 15:30 [nftables] vmap and bit-sized headers Florian Westphal
  2018-01-11 15:30 ` [PATCH nft] netlink_linearize: exthdr op must be u32 Florian Westphal
@ 2018-01-11 15:30 ` Florian Westphal
  2018-01-11 15:30 ` [PATCH nft 2/5] src: netlink_delinearize: don't assume element contains a value Florian Westphal
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2018-01-11 15:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

In case of EXPR_MAPPING, expr->len is 0, we need to use
the length of the key instead.

Without this we can get assertion failure later on:
nft: netlink_delinearize.c:1484: binop_adjust_one: Assertion `value->len >= binop->right->len' failed.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/segtree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/segtree.c b/src/segtree.c
index 8d36cc9b0d65..1f0d1a4ba7ae 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -697,7 +697,7 @@ void interval_map_decompose(struct expr *set)
 			struct expr *tmp;
 
 			tmp = constant_expr_alloc(&low->location, low->dtype,
-						  low->byteorder, low->len,
+						  low->byteorder, expr_value(low)->len,
 						  NULL);
 
 			mpz_add(range, range, expr_value(low)->value);
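Review bot: in the constant_expr_alloc() call only the length now comes from expr_value(low), while low->dtype and low->byteorder are still taken from the outer expression, which per the commit message can be an EXPR_MAPPING whose len is 0. Confirm that dtype and byteorder are valid on a mapping, or take all three from expr_value(low). Since expr_value(low) is used again in the mpz_add() two lines further down, a local variable for it would make the intent clearer.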
-- 
2.13.6



* [PATCH nft 2/5] src: netlink_delinearize: don't assume element contains a value
  2018-01-11 15:30 [nftables] vmap and bit-sized headers Florian Westphal
  2018-01-11 15:30 ` [PATCH nft] netlink_linearize: exthdr op must be u32 Florian Westphal
  2018-01-11 15:30 ` [PATCH nft 1/5] src: segtree: use value expression length Florian Westphal
@ 2018-01-11 15:30 ` Florian Westphal
  2018-01-11 15:30 ` [PATCH nft 3/5] evaluate: handle binop adjustment recursively Florian Westphal
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2018-01-11 15:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

We cannot assume i->key->key is EXPR_VALUE, we could look e.g.  at a range,
which will trigger an assertion failure in binop_adjust_one().

We should call __binop_adjust recursively again in the EXPR_SET_ELEM case,
using key as new input.

Fixes: b8b8e7b6ae10 ("evaluate: transfer right shifts to set reference side")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/netlink_delinearize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 2637f4baaec4..655de9e252b8 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1515,7 +1515,7 @@ static void __binop_adjust(const struct expr *binop, struct expr *right,
 				binop_adjust_one(binop, i->key->right, shift);
 				break;
 			case EXPR_SET_ELEM:
-				binop_adjust_one(binop, i->key->key, shift);
+				__binop_adjust(binop, i->key->key, shift);
 				break;
 			default:
 				BUG("unknown expression type %s\n", i->key->ops->name);
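Review bot: the EXPR_SET_ELEM case now recurses with i->key->key as the new right-hand side, so it is only correct if the part of __binop_adjust() outside this hunk accepts a bare value or range and not just a set to iterate over. Because this patch carries a Fixes: tag and may be picked up without the rest of the series, add a test with a ranged set element to this patch rather than relying on 5/5.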
-- 
2.13.6



* [PATCH nft 3/5] evaluate: handle binop adjustment recursively
  2018-01-11 15:30 [nftables] vmap and bit-sized headers Florian Westphal
                   ` (2 preceding siblings ...)
  2018-01-11 15:30 ` [PATCH nft 2/5] src: netlink_delinearize: don't assume element contains a value Florian Westphal
@ 2018-01-11 15:30 ` Florian Westphal
  2018-01-11 15:30 ` [PATCH nft 4/5] src: evaluate: add binop transfer support for vmaps Florian Westphal
  2018-01-11 15:30 ` [PATCH nft 5/5] tests: add test cases for vmap binop transfer Florian Westphal
  5 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2018-01-11 15:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Currently this is fine, but a followup commit will add
EXPR_SET_ELEM handling.

And unlike RANGE we cannot assume the key is a value.
Therefore make binop_can_transfer and binop_transfer_one handle
right hand recursively if needed.  For RANGE, call it again with
from/to.

For future SET_ELEM, we can then just call the function recursively
again with right->key as new RHS.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/evaluate.c | 55 ++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 34 insertions(+), 21 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 7fe738d8d590..cc32f74bd95e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1408,6 +1408,21 @@ static int expr_evaluate_hash(struct eval_ctx *ctx, struct expr **exprp)
 static int binop_can_transfer(struct eval_ctx *ctx,
 			      struct expr *left, struct expr *right)
 {
+	int err;
+
+	switch (right->ops->type) {
+	case EXPR_VALUE:
+		break;
+	case EXPR_RANGE:
+		err = binop_can_transfer(ctx, left, right->left);
+		if (err <= 0)
+			return err;
+		return binop_can_transfer(ctx, left, right->right);
+	default:
+		fprintf(stderr, "ERR: UNHANDLED %s\n", right->ops->name);
+		return 0;
+	}
+
 	switch (left->op) {
 	case OP_LSHIFT:
 		if (mpz_scan1(right->value, 0) < mpz_get_uint32(left->right->value))
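Review bot: the default branch of the new switch in binop_can_transfer() prints a debug string with fprintf(stderr, "ERR: UNHANDLED ...") and returns 0, which callers read as "cannot transfer" and silently continue. Use BUG() as the delinearize code in 2/5 does for unknown expression types, or report the problem through ctx, and drop the debug text before this is applied.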
@@ -1428,6 +1443,21 @@ static int binop_can_transfer(struct eval_ctx *ctx,
 static int binop_transfer_one(struct eval_ctx *ctx,
 			      const struct expr *left, struct expr **right)
 {
+	int err;
+
+	switch ((*right)->ops->type) {
+	case EXPR_VALUE:
+		break;
+	case EXPR_RANGE:
+		err = binop_transfer_one(ctx, left, &(*right)->left);
+		if (err < 0)
+			return err;
+		return binop_transfer_one(ctx, left, &(*right)->right);
+	default:
+		fprintf(stderr, "ERR2: UNHANDLED %s\n", (*right)->ops->name);
+		return 0;
+	}
+
 	expr_get(*right);
 
 	switch (left->op) {
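Review bot: the default branch in binop_transfer_one() returns 0, and the callers in binop_transfer() only treat a negative value as failure ("if (binop_transfer_one(...) < 0) return -1;"), so an unhandled expression type would be reported as transferred while *right is left unshifted. binop_can_transfer() rejects the same types first, so this branch should be unreachable, which is a reason to make it BUG() rather than an fprintf() with a success return.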
@@ -1468,15 +1498,10 @@ static int binop_transfer(struct eval_ctx *ctx, struct expr **expr)
 			return -1;
 		break;
 	case EXPR_RANGE:
-		err = binop_can_transfer(ctx, left, (*expr)->right->left);
-		if (err <= 0)
-			return err;
-		err = binop_can_transfer(ctx, left, (*expr)->right->right);
+		err = binop_can_transfer(ctx, left, (*expr)->right);
 		if (err <= 0)
 			return err;
-		if (binop_transfer_one(ctx, left, &(*expr)->right->left) < 0)
-			return -1;
-		if (binop_transfer_one(ctx, left, &(*expr)->right->right) < 0)
+		if (binop_transfer_one(ctx, left, &(*expr)->right) < 0)
 			return -1;
 		break;
 	case EXPR_SET:
@@ -1497,15 +1522,8 @@ static int binop_transfer(struct eval_ctx *ctx, struct expr **expr)
 		list_for_each_entry(i, &(*expr)->right->set->init->expressions, list) {
 			switch (i->key->ops->type) {
 			case EXPR_VALUE:
-				err = binop_can_transfer(ctx, left, i->key);
-				if (err <= 0)
-					return err;
-				break;
 			case EXPR_RANGE:
-				err = binop_can_transfer(ctx, left, i->key->left);
-				if (err <= 0)
-					return err;
-				err = binop_can_transfer(ctx, left, i->key->right);
+				err = binop_can_transfer(ctx, left, i->key);
 				if (err <= 0)
 					return err;
 				break;
@@ -1518,13 +1536,8 @@ static int binop_transfer(struct eval_ctx *ctx, struct expr **expr)
 			list_del(&i->list);
 			switch (i->key->ops->type) {
 			case EXPR_VALUE:
-				if (binop_transfer_one(ctx, left, &i->key) < 0)
-					return -1;
-				break;
 			case EXPR_RANGE:
-				if (binop_transfer_one(ctx, left, &i->key->left) < 0)
-					return -1;
-				if (binop_transfer_one(ctx, left, &i->key->right) < 0)
+				if (binop_transfer_one(ctx, left, &i->key) < 0)
 					return -1;
 				break;
 			default:
-- 
2.13.6



* [PATCH nft 4/5] src: evaluate: add binop transfer support for vmaps
  2018-01-11 15:30 [nftables] vmap and bit-sized headers Florian Westphal
                   ` (3 preceding siblings ...)
  2018-01-11 15:30 ` [PATCH nft 3/5] evaluate: handle binop adjustment recursively Florian Westphal
@ 2018-01-11 15:30 ` Florian Westphal
  2018-01-11 15:30 ` [PATCH nft 5/5] tests: add test cases for vmap binop transfer Florian Westphal
  5 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2018-01-11 15:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

nft add rule ip filter input ip dscp vmap \{ 4 : accept, 63 : continue \}
BUG: invalid binary operation 5

Unlike plain "ip dscp { 4, 63 }", we don't have a relational op in case
of vmap, we need to do the binop fixups when evaluating the map
statement.

NB: This patch is incorrect or incomplete:

  nft add rule --debug=netlink ip6 test-ip6 input ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter

doesn't work, even though the generated expressions look sane.
It looks like there is disagreement between the key size and the sizes
of the individual elements in the set, but I don't know why this occurs
(and not e.g. with ip dscp).

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/evaluate.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index cc32f74bd95e..f62f727ffd34 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1247,6 +1247,7 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
 	return 0;
 }
 
+static int binop_transfer(struct eval_ctx *ctx, struct expr **expr);
 static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 {
 	struct expr_ctx ectx = ctx->ectx;
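Review bot: the forward declaration of binop_transfer() sits directly against the definition of expr_evaluate_map() with no blank line between them. Separate the two, or move expr_evaluate_map() below binop_transfer() so that no forward declaration is needed.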
@@ -1282,8 +1283,12 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 		ctx->set = mappings->set;
 		if (expr_evaluate(ctx, &map->mappings->set->init) < 0)
 			return -1;
-		ctx->set = NULL;
+		expr_set_context(&ctx->ectx, ctx->set->key->dtype, ctx->set->key->len);
+		if (binop_transfer(ctx, expr) < 0)
+			return -1;
 
+		map = *expr;
+		ctx->set = NULL;
 		map->mappings->set->flags |= map->mappings->set->init->set_flags;
 		break;
 	case EXPR_SYMBOL:
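Review bot: binop_transfer() is handed the map expression itself here, yet the function as shown in 3/5 walks (*expr)->right and (*expr)->right->set->init, while this function reaches the same data through map->mappings. If the call works only because those members overlap in struct expr, state that in a comment or pass the operands explicitly. For the key-size mismatch described in the commit message, note that expr_set_context() is called with ctx->set->key->len only after the set's init list has already been evaluated, so it is worth checking which length the elements were given at that point.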
@@ -1413,6 +1418,8 @@ static int binop_can_transfer(struct eval_ctx *ctx,
 	switch (right->ops->type) {
 	case EXPR_VALUE:
 		break;
+	case EXPR_SET_ELEM:
+		return binop_can_transfer(ctx, left, right->key);
 	case EXPR_RANGE:
 		err = binop_can_transfer(ctx, left, right->left);
 		if (err <= 0)
@@ -1448,6 +1455,8 @@ static int binop_transfer_one(struct eval_ctx *ctx,
 	switch ((*right)->ops->type) {
 	case EXPR_VALUE:
 		break;
+	case EXPR_SET_ELEM:
+		return binop_transfer_one(ctx, left, &(*right)->key);
 	case EXPR_RANGE:
 		err = binop_transfer_one(ctx, left, &(*right)->left);
 		if (err < 0)
@@ -1523,6 +1532,7 @@ static int binop_transfer(struct eval_ctx *ctx, struct expr **expr)
 			switch (i->key->ops->type) {
 			case EXPR_VALUE:
 			case EXPR_RANGE:
+			case EXPR_SET_ELEM:
 				err = binop_can_transfer(ctx, left, i->key);
 				if (err <= 0)
 					return err;
@@ -1537,6 +1547,7 @@ static int binop_transfer(struct eval_ctx *ctx, struct expr **expr)
 			switch (i->key->ops->type) {
 			case EXPR_VALUE:
 			case EXPR_RANGE:
+			case EXPR_SET_ELEM:
 				if (binop_transfer_one(ctx, left, &i->key) < 0)
 					return -1;
 				break;
-- 
2.13.6



* [PATCH nft 5/5] tests: add test cases for vmap binop transfer
  2018-01-11 15:30 [nftables] vmap and bit-sized headers Florian Westphal
                   ` (4 preceding siblings ...)
  2018-01-11 15:30 ` [PATCH nft 4/5] src: evaluate: add binop transfer support for vmaps Florian Westphal
@ 2018-01-11 15:30 ` Florian Westphal
  5 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2018-01-11 15:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/py/ip/ip.t                |  2 ++
 tests/py/ip/ip.t.payload        | 20 ++++++++++++++++++++
 tests/py/ip/ip.t.payload.bridge | 24 ++++++++++++++++++++++++
 tests/py/ip/ip.t.payload.inet   | 24 ++++++++++++++++++++++++
 tests/py/ip/ip.t.payload.netdev | 24 ++++++++++++++++++++++++
 tests/py/ip6/ip6.t              |  2 ++
 tests/py/ip6/ip6.t.payload.inet | 23 +++++++++++++++++++++++
 tests/py/ip6/ip6.t.payload.ip6  | 19 +++++++++++++++++++
 8 files changed, 138 insertions(+)

diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
index 35ea36e00061..d773042afe02 100644
--- a/tests/py/ip/ip.t
+++ b/tests/py/ip/ip.t
@@ -31,6 +31,7 @@ ip dscp != 0x20;ok;ip dscp != cs4
 ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
 - ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
 ip dscp != {cs0, cs3};ok
+ip dscp vmap { cs1 : continue , cs4 : accept } counter;ok
 
 ip length 232;ok
 ip length != 233;ok
@@ -120,6 +121,7 @@ ip saddr \& 0xffff0000 == 0xffff0000;ok;ip saddr 255.255.0.0/16
 ip version 4 ip hdrlength 5;ok
 ip hdrlength 0;ok
 ip hdrlength 15;ok
+ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter;ok
 ip hdrlength 16;fail
 
 # limit impact to lo
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
index f14f33bc5c1b..e9de690d8f70 100644
--- a/tests/py/ip/ip.t.payload
+++ b/tests/py/ip/ip.t.payload
@@ -40,6 +40,16 @@ ip test-ip4 input
   [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d 0x1 ]
 
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-ip4 b size 2
+__map%d test-ip4 0
+	element 00000020  : 0 [end]	element 00000080  : 0 [end]
+ip test-ip4 input 
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # ip length 232
 ip test-ip4 input
   [ payload load 2b @ network header + 2 => reg 1 ]
@@ -523,6 +533,16 @@ ip test-ip4 input
   [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x0000000f ]
 
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-ip4 f size 4
+__map%d test-ip4 0
+	element 00000000  : 0 [end]	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 1 [end]
+ip test-ip4 input 
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # iif "lo" ip daddr set 127.0.0.1
 ip test-ip4 input
   [ meta load iif => reg 1 ]
diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge
index 5d5f7d22db92..d1c57a01db73 100644
--- a/tests/py/ip/ip.t.payload.bridge
+++ b/tests/py/ip/ip.t.payload.bridge
@@ -52,6 +52,18 @@ bridge test-bridge input
   [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d 0x1 ]
 
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-bridge b size 2
+__map%d test-bridge 0
+	element 00000020  : 0 [end]	element 00000080  : 0 [end]
+bridge test-bridge input 
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # ip length 232
 bridge test-bridge input 
   [ payload load 2b @ link header + 12 => reg 1 ]
@@ -671,6 +683,18 @@ bridge test-bridge input
   [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x0000000f ]
 
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-bridge f size 4
+__map%d test-bridge 0
+	element 00000000  : 0 [end]	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 1 [end]
+bridge test-bridge input 
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # iif "lo" ip daddr set 127.0.0.1
 bridge test-bridge input 
   [ meta load iif => reg 1 ]
diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
index ef6725ebf42a..e6cb700f0db3 100644
--- a/tests/py/ip/ip.t.payload.inet
+++ b/tests/py/ip/ip.t.payload.inet
@@ -52,6 +52,18 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d 0x1 ]
 
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-inet b size 2
+__map%d test-inet 0
+	element 00000020  : 0 [end]	element 00000080  : 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # ip length 232
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -683,6 +695,18 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x0000000f ]
 
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-inet f size 4
+__map%d test-inet 0
+	element 00000000  : 0 [end]	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 1 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # iif "lo" ip daddr set 127.0.0.1
 inet test-inet input
   [ meta load iif => reg 1 ]
diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev
index e33ce4a15d5e..0f15247fa0f3 100644
--- a/tests/py/ip/ip.t.payload.netdev
+++ b/tests/py/ip/ip.t.payload.netdev
@@ -582,6 +582,18 @@ netdev test-netdev ingress
   [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
   [ cmp eq reg 1 0x0000000f ]
 
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-netdev f size 4
+__map%d test-netdev 0
+	element 00000000  : 0 [end]	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # ip ttl 233
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -783,6 +795,18 @@ netdev test-netdev ingress
   [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d 0x1 ]
 
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-netdev b size 2
+__map%d test-netdev 0
+	element 00000020  : 0 [end]	element 00000080  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # iif "lo" ip daddr set 127.0.0.1
 netdev test-netdev ingress
   [ meta load iif => reg 1 ]
diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t
index 438b94db79e4..8210d22be3d5 100644
--- a/tests/py/ip6/ip6.t
+++ b/tests/py/ip6/ip6.t
@@ -15,6 +15,7 @@ ip6 dscp != cs1;ok
 ip6 dscp 0x38;ok;ip6 dscp cs7
 ip6 dscp != 0x20;ok;ip6 dscp != cs4
 ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
+ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter;ok
 
 ip6 flowlabel 22;ok
 ip6 flowlabel != 233;ok
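Review bot: the added line "ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter;ok" expects success for the same rule that the 4/5 commit message says "doesn't work". Until that is resolved, hold this test case back or state in the commit message that it is expected to fail, so the suite result matches the known state of the series.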
@@ -25,6 +26,7 @@ ip6 flowlabel { 33, 55, 67, 88};ok
 ip6 flowlabel != { 33, 55, 67, 88};ok
 ip6 flowlabel { 33-55};ok
 ip6 flowlabel != { 33-55};ok
+ip6 flowlabel vmap { 0 : accept, 2 : continue } ;ok
 
 ip6 length 22;ok
 ip6 length != 233;ok
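Review bot: the added flowlabel test has a stray space before ";ok" ("continue } ;ok"), which is carried as trailing whitespace into the "# ip6 flowlabel vmap ..." comment lines of both payload files. Remove the space, and consider appending "counter" as the other three vmap tests in this patch do, so the statement after the lookup is covered here as well.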
diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
index c9cb999dcdcd..d015c8efaa25 100644
--- a/tests/py/ip6/ip6.t.payload.inet
+++ b/tests/py/ip6/ip6.t.payload.inet
@@ -41,6 +41,18 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter
+__map%d test-inet b size 2
+__map%d test-inet 0
+	element 00000001  : 0 [end]	element 0000c00f  : 0 [end]
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # ip6 flowlabel 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
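Review bot: the rule header of the added entry reads "ip6 test-ip6 input" although this is the inet payload file, the map lines directly above it say test-inet, and the neighbouring entries use "inet test-inet input". It looks copied from ip6.t.payload.ip6 and should read "inet test-inet input".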
@@ -101,6 +113,17 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d 0x1 ]
 
+# ip6 flowlabel vmap { 0 : accept, 2 : continue } 
+__map%d test-inet b size 2
+__map%d test-inet 0
+	element 00000000  : 0 [end]	element 00020000  : 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
 # ip6 length 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6
index d8afe60671b6..b2e8363c01e1 100644
--- a/tests/py/ip6/ip6.t.payload.ip6
+++ b/tests/py/ip6/ip6.t.payload.ip6
@@ -31,6 +31,16 @@ ip6 test-ip6 input
   [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter
+__map%d test-ip6 b size 2
+__map%d test-ip6 0
+	element 00000001  : 0 [end]	element 0000c00f  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
 # ip6 flowlabel 22
 ip6 test-ip6 input
   [ payload load 3b @ network header + 1 => reg 1 ]
@@ -79,6 +89,15 @@ ip6 test-ip6 input
   [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d 0x1 ]
 
+# ip6 flowlabel vmap { 0 : accept, 2 : continue } 
+__map%d test-ip6 b size 2
+__map%d test-ip6 0
+	element 00000000  : 0 [end]	element 00020000  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
 # ip6 length 22
 ip6 test-ip6 input
   [ payload load 2b @ network header + 4 => reg 1 ]
-- 
2.13.6



* Re: [PATCH nft] netlink_linearize: exthdr op must be u32
  2018-01-11 15:30 ` [PATCH nft] netlink_linearize: exthdr op must be u32 Florian Westphal
@ 2018-01-15 11:00   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2018-01-15 11:00 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Thu, Jan 11, 2018 at 04:30:19PM +0100, Florian Westphal wrote:
> libnftnl casts this to u32. Broke exthdr expressions on bigendian.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
