From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 07/10] payload: auto-remove simple icmp/icmpv6 dependency expressions
Date: Wed, 9 Dec 2020 18:49:21 +0100 [thread overview]
Message-ID: <20201209174924.27720-8-fw@strlen.de> (raw)
In-Reply-To: <20201209174924.27720-1-fw@strlen.de>
Instead of:
icmpv6 type packet-too-big icmpv6 mtu 1280
display just
icmpv6 mtu 1280
The dependency added for id/sequence is still kept; it is handled
by an anon set instead, to cover both the echo 'request' and 'reply' cases.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/payload.h | 4 +++-
src/netlink_delinearize.c | 3 +++
src/payload.c | 50 ++++++++++++++++++++++++++++++++++++---
3 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/include/payload.h b/include/payload.h
index 7bbb19b936a9..8bc3fb9a8a54 100644
--- a/include/payload.h
+++ b/include/payload.h
@@ -26,11 +26,13 @@ extern int exthdr_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
* struct payload_dep_ctx - payload protocol dependency tracking
*
* @pbase: protocol base of last dependency match
+ * @icmp_type: extra info for icmp(6) decoding
* @pdep: last dependency match
* @prev: previous statement
*/
struct payload_dep_ctx {
- enum proto_bases pbase;
+ enum proto_bases pbase:8;
+ uint8_t icmp_type;
struct stmt *pdep;
struct stmt *prev;
};
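Review bot: The kernel-doc line added for `icmp_type` does not say that 0 means "no icmp(6) type dependency recorded", yet that is how payload_dependency_kill tests it (`else if (ctx->icmp_type && ctx->pdep)`) and why icmp_get_type maps an ICMPv4 type 0 to ICMP_ECHO; suggest ` * @icmp_type: icmp(6) type of last dependency match, 0 if none`. Narrowing `pbase` to an 8-bit field of enum type is implementation-defined in C11 (6.7.2.1p5); it compiles on GCC and keeps the struct compact, but a one-line comment that the PROTO_BASE_* values must stay below 256 would make that assumption visible to the next person who adds a base.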
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 9faddde63974..8b06c4c0985f 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1771,6 +1771,9 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
enum proto_bases base = left->payload.base;
bool stacked;
+ if (ctx->pdctx.icmp_type)
+ ctx->pctx.th_dep.icmp.type = ctx->pdctx.icmp_type;
+
payload_expr_expand(&list, left, &ctx->pctx);
list_for_each_entry(left, &list, list) {
diff --git a/src/payload.c b/src/payload.c
index 7cfa530c06c6..48529bcf5c51 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -98,7 +98,7 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
desc = proto_find_upper(base, proto);
if (!desc) {
- if (base == &proto_icmp) {
+ if (base == &proto_icmp || base == &proto_icmp6) {
/* proto 0 is ECHOREPLY, just pretend its ECHO.
* Not doing this would need an additional marker
* bit to tell when icmp.type was set.
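Review bot: The comment under the widened condition still reads `proto 0 is ECHOREPLY, just pretend its ECHO`, which describes ICMPv4 only; for proto_icmp6 type 0 is a reserved value, so the rationale for the icmp6 half of the test is undocumented. Suggest extending it with `For icmpv6, type 0 is reserved, so 0 can double as the "type not set" marker there as well.`, adjusted to whatever the (unseen) body actually does for icmp6. The body of payload_expr_pctx_update continues outside the hunk.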
@@ -554,6 +554,35 @@ void payload_dependency_reset(struct payload_dep_ctx *ctx)
memset(ctx, 0, sizeof(*ctx));
}
+static uint8_t icmp_get_type(const struct proto_desc *desc, uint8_t value)
+{
+ if (desc == &proto_icmp && value == 0)
+ return ICMP_ECHO;
+
+ return value;
+}
+
+static uint8_t icmp_get_dep_type(const struct proto_desc *desc, struct expr *right)
+{
+ if (right->etype == EXPR_VALUE && right->len == BITS_PER_BYTE)
+ return icmp_get_type(desc, mpz_get_uint8(right->value));
+
+ return 0;
+}
+
+static void payload_dependency_store_icmp_type(struct payload_dep_ctx *ctx)
+{
+ struct expr *dep = ctx->pdep->expr;
+ const struct proto_desc *desc;
+
+ if (dep->left->etype != EXPR_PAYLOAD)
+ return;
+
+ desc = dep->left->payload.desc;
+ if (desc == &proto_icmp || desc == &proto_icmp6)
+ ctx->icmp_type = icmp_get_dep_type(dep->left->payload.desc, dep->right);
+}
+
/**
* payload_dependency_store - store a possibly redundant protocol match
*
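Review bot: payload_dependency_store_icmp_type never clears `ctx->icmp_type`, so when a non-icmp dependency is stored after an icmp one the old type survives unless payload_dependency_release (body outside this view) resets it; an unconditional `ctx->icmp_type = 0;` before the EXPR_PAYLOAD check removes that dependence on another function. In the same function `desc` already holds the left payload's desc, so the call can pass `desc` instead of re-reading `dep->left->payload.desc`, and icmp_get_dep_type only reads `right`, so it can take `const struct expr *right`. The function also dereferences `ctx->pdep->expr->left` without checking the statement or expression kind; if payload_dependency_store can be handed anything other than a relational expression statement this needs a guard, otherwise a short comment stating that precondition would do. The three new helpers lack the file's `/** ... */` headers; a one-line purpose each (for icmp_get_dep_type, that 0 is returned when the right-hand side is not a single 8-bit constant) would help readers.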
@@ -566,6 +595,8 @@ void payload_dependency_store(struct payload_dep_ctx *ctx,
{
ctx->pbase = base + 1;
ctx->pdep = stmt;
+
+ payload_dependency_store_icmp_type(ctx);
}
/**
@@ -581,8 +612,8 @@ bool payload_dependency_exists(const struct payload_dep_ctx *ctx,
enum proto_bases base)
{
return ctx->pbase != PROTO_BASE_INVALID &&
- ctx->pbase == base &&
- ctx->pdep != NULL;
+ ctx->pdep != NULL &&
+ (ctx->pbase == base || (base == PROTO_BASE_TRANSPORT_HDR && ctx->pbase == base + 1));
}
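Review bot: The new clause on the last line has no comment explaining why a transport-header expression may claim a dependency that was stored from another transport-header match (`ctx->pbase == base + 1`), and the line runs well past 80 columns; split it and prefix it with e.g. `/* icmp(6): a transport payload match may depend on an earlier type match in the same header */`. As written the clause is not limited to icmp, so whether a `tcp dport` match could now be treated as a removable dependency of a later tcp expression rests entirely on payload_may_dependency_kill, which is outside this hunk and worth covering in the tests added later in the series.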
void payload_dependency_release(struct payload_dep_ctx *ctx)
@@ -649,6 +680,10 @@ void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
if (payload_dependency_exists(ctx, expr->payload.base) &&
payload_may_dependency_kill(ctx, family, expr))
payload_dependency_release(ctx);
+ else if (ctx->icmp_type && ctx->pdep) {
+ fprintf(stderr, "Did not kill \n");
+ payload_dependency_release(ctx);
+ }
}
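Review bot: `fprintf(stderr, "Did not kill \n");` is leftover debug output in a library path and should be dropped before merge. The branch it sits in also releases the dependency whenever `ctx->icmp_type && ctx->pdep`, bypassing payload_dependency_exists and payload_may_dependency_kill entirely, so any statement reaching payload_dependency_kill after an icmp type match would have that match removed regardless of whether the current expression actually depends on it. If the intent is only the icmp-on-icmp case, fold that into payload_dependency_exists (which this patch already extends) rather than adding an unconditional else branch. payload_dependency_kill begins outside the hunk.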
void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
@@ -716,6 +751,11 @@ void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx)
if (tmpl->offset != expr->payload.offset ||
tmpl->len != expr->len)
continue;
+
+ if (tmpl->icmp_dep && ctx->th_dep.icmp.type &&
+ ctx->th_dep.icmp.type != icmp_dep_to_type(tmpl->icmp_dep))
+ continue;
+
expr->dtype = tmpl->dtype;
expr->payload.desc = desc;
expr->payload.tmpl = tmpl;
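Review bot: The icmp_dep filter added before `expr->dtype = tmpl->dtype;` is repeated verbatim in payload_expr_expand (the following hunk); a small static predicate keeps the two call sites in step and documents the rule once. Both sites would then read `if (!payload_tmpl_icmp_ok(tmpl, ctx)) continue;`. payload_expr_complete begins outside the hunk.
```c
/* A template tied to an icmp(6) type is usable only when no type
 * dependency has been recorded, or the recorded type matches it. */
static bool payload_tmpl_icmp_ok(const struct proto_hdr_template *tmpl,
				 const struct proto_ctx *ctx)
{
	return !tmpl->icmp_dep || !ctx->th_dep.icmp.type ||
	       ctx->th_dep.icmp.type == icmp_dep_to_type(tmpl->icmp_dep);
}

/* … unchanged: payload_expr_complete up to the offset/len check … */
		if (!payload_tmpl_icmp_ok(tmpl, ctx))
			continue;

		expr->dtype = tmpl->dtype;
/* … unchanged: remainder of payload_expr_complete … */
```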
@@ -842,6 +882,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
if (tmpl->offset != expr->payload.offset)
continue;
+ if (tmpl->icmp_dep && ctx->th_dep.icmp.type &&
+ ctx->th_dep.icmp.type != icmp_dep_to_type(tmpl->icmp_dep))
+ continue;
+
if (tmpl->len <= expr->len) {
new = payload_expr_alloc(&expr->location, desc, i);
list_add_tail(&new->list, list);
--
2.26.2