From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies
Date: Wed, 9 Dec 2020 18:49:14 +0100 [thread overview]
Message-ID: <20201209174924.27720-1-fw@strlen.de> (raw)
icmp and icmpv6 protocol header are special, they have overlapping
fields whose interpretation (or existence) depends on the icmp type.
This series allows nft to automatically add the dependency so that
the type-dependant field is not evaluated for any type.
Support for dependency removal is also added, but not for id/sequence.
Those need to check for both echo and echo reply, we'd have to extend
the delinearization step to also check relational expressions with
a non-constant RHS.
For now, the test cases are amended to expect the depenency, i.e.
'icmp id 42' will expect 'icmp type {echo-reply, echo-request} icmp id 42'
as the output.
Also add test cases to cover both id/sequence in same rule (payload
merging is used for those) and add a test with a rule that already
contains a type match.
Florian Westphal (10):
exthdr: remove unused proto_key member from struct
proto: reduce size of proto_desc structure
src: add auto-dependencies for ipv4 icmp
tests: fix exepcted payload of icmp expressions
src: add auto-dependencies for ipv6 icmp6
tests: fix exepcted payload of icmpv6 expressions
payload: auto-remove simple icmp/icmpv6 dependency expressions
tests: icmp, icmpv6: avoid remaining warnings
tests: ip: add one test case to cover both id and sequence
tests: icmp, icmpv6: check we don't add second dependency
include/exthdr.h | 1 -
include/payload.h | 7 +-
include/proto.h | 34 +++--
src/evaluate.c | 20 ++-
src/exthdr.c | 4 -
src/netlink_delinearize.c | 3 +
src/parser_bison.y | 1 -
src/payload.c | 210 +++++++++++++++++++++++++++++-
src/proto.c | 45 ++++---
tests/py/ip/icmp.t | 38 +++---
tests/py/ip/icmp.t.payload.ip | 155 +++++++++++++++++++++-
tests/py/ip6/icmpv6.t | 42 +++---
tests/py/ip6/icmpv6.t.payload.ip6 | 116 +++++++++++++++--
13 files changed, 588 insertions(+), 88 deletions(-)
--
2.26.2
next reply other threads:[~2020-12-09 17:50 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-09 17:49 Florian Westphal [this message]
2020-12-09 17:49 ` [PATCH nft 01/10] exthdr: remove unused proto_key member from struct Florian Westphal
2020-12-09 17:49 ` [PATCH nft 02/10] proto: reduce size of proto_desc structure Florian Westphal
2020-12-09 17:49 ` [PATCH nft 03/10] src: add auto-dependencies for ipv4 icmp Florian Westphal
2020-12-09 17:49 ` [PATCH nft 04/10] tests: fix exepcted payload of icmp expressions Florian Westphal
2020-12-09 17:49 ` [PATCH nft 05/10] src: add auto-dependencies for ipv6 icmp6 Florian Westphal
2020-12-09 17:49 ` [PATCH nft 06/10] tests: fix exepcted payload of icmpv6 expressions Florian Westphal
2020-12-09 17:49 ` [PATCH nft 07/10] payload: auto-remove simple icmp/icmpv6 dependency expressions Florian Westphal
2020-12-09 17:49 ` [PATCH nft 08/10] tests: icmp, icmpv6: avoid remaining warnings Florian Westphal
2020-12-09 17:49 ` [PATCH nft 09/10] tests: ip: add one test case to cover both id and sequence Florian Westphal
2020-12-09 17:49 ` [PATCH nft 10/10] tests: icmp, icmpv6: check we don't add second dependency Florian Westphal
2020-12-11 14:30 ` [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201209174924.27720-1-fw@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).