* [PATCH nft,v2 1/3] tests: py: idempotent tcp flags & syn != 0 to tcp flag syn
@ 2021-07-27 22:39 Pablo Neira Ayuso
2021-07-27 22:39 ` [PATCH nft,v2 2/3] netlink_delinearize: skip flags / mask notation for singleton bitmask Pablo Neira Ayuso
2021-07-27 22:39 ` [PATCH nft,v2 3/3] tests: py: tcp flags & (fin | syn | rst | ack) == syn Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-27 22:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: tom.ty89
Add a test to cover this case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: no changes
tests/py/inet/tcp.t | 1 +
tests/py/inet/tcp.t.json | 16 ++++++++++++++++
tests/py/inet/tcp.t.payload | 8 ++++++++
3 files changed, 25 insertions(+)
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index 13b84215bd86..5e2830b679a8 100644
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -69,6 +69,7 @@ tcp flags != cwr;ok
tcp flags == syn;ok
tcp flags fin,syn / fin,syn;ok
tcp flags != syn / fin,syn;ok
+tcp flags & syn != 0;ok;tcp flags syn
tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack
tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack
tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
index 033a4f22e0fd..6155c81f6150 100644
--- a/tests/py/inet/tcp.t.json
+++ b/tests/py/inet/tcp.t.json
@@ -1521,6 +1521,22 @@
}
]
+# tcp flags & syn != 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "in",
+ "right": "syn"
+ }
+ }
+]
+
# tcp flags & (fin | syn | rst | ack) syn
[
{
diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload
index eaa7cd099bd6..6b8b4ecdb4ac 100644
--- a/tests/py/inet/tcp.t.payload
+++ b/tests/py/inet/tcp.t.payload
@@ -370,6 +370,14 @@ inet test-inet input
[ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000002 ]
+# tcp flags & syn != 0
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000000 ]
+
# tcp flags & (fin | syn | rst | ack) syn
inet test-inet input
[ meta load l4proto => reg 1 ]
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH nft,v2 2/3] netlink_delinearize: skip flags / mask notation for singleton bitmask
2021-07-27 22:39 [PATCH nft,v2 1/3] tests: py: idempotent tcp flags & syn != 0 to tcp flag syn Pablo Neira Ayuso
@ 2021-07-27 22:39 ` Pablo Neira Ayuso
2021-07-27 22:39 ` [PATCH nft,v2 3/3] tests: py: tcp flags & (fin | syn | rst | ack) == syn Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-27 22:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: tom.ty89
Do not transform 'tcp flags & flag == flag' to 'flag / flag'.
The parser does not accept this notation yet.
Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: skip transformation to flag / flag from delinearize path.
src/netlink_delinearize.c | 8 ++++++++
tests/py/inet/tcp.t | 2 ++
tests/py/inet/tcp.t.json | 21 +++++++++++++++++++++
tests/py/inet/tcp.t.payload | 8 ++++++++
4 files changed, 39 insertions(+)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index c7dae26684cd..49870eeadd57 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2285,6 +2285,14 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx,
BUG("unknown operation type %d\n", expr->op);
}
expr_free(binop);
+ } else if (binop->right->etype == EXPR_VALUE &&
+ value->etype == EXPR_VALUE &&
+ expr->op == OP_EQ &&
+ !mpz_cmp(value->value, binop->right->value)) {
+ /* Skip flag / flag representation for:
+ * data & flag == flag
+ */
+ ;
} else {
*exprp = flagcmp_expr_alloc(&expr->location, expr->op,
expr_get(binop->left),
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index 5e2830b679a8..17e0d9b6df9f 100644
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -70,6 +70,8 @@ tcp flags == syn;ok
tcp flags fin,syn / fin,syn;ok
tcp flags != syn / fin,syn;ok
tcp flags & syn != 0;ok;tcp flags syn
+# it should be possible to transform this to: tcp flags syn
+tcp flags & syn == syn;ok
tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack
tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack
tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
index 6155c81f6150..c1e4fb35a87c 100644
--- a/tests/py/inet/tcp.t.json
+++ b/tests/py/inet/tcp.t.json
@@ -1537,6 +1537,27 @@
}
]
+# tcp flags & syn == syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "syn"
+ ]
+ },
+ "op": "==",
+ "right": "syn"
+ }
+ }
+]
+
# tcp flags & (fin | syn | rst | ack) syn
[
{
diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload
index 6b8b4ecdb4ac..77b301883a15 100644
--- a/tests/py/inet/tcp.t.payload
+++ b/tests/py/inet/tcp.t.payload
@@ -378,6 +378,14 @@ inet test-inet input
[ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
+# tcp flags & syn == syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000002 ]
+
# tcp flags & (fin | syn | rst | ack) syn
inet test-inet input
[ meta load l4proto => reg 1 ]
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH nft,v2 3/3] tests: py: tcp flags & (fin | syn | rst | ack) == syn
2021-07-27 22:39 [PATCH nft,v2 1/3] tests: py: idempotent tcp flags & syn != 0 to tcp flag syn Pablo Neira Ayuso
2021-07-27 22:39 ` [PATCH nft,v2 2/3] netlink_delinearize: skip flags / mask notation for singleton bitmask Pablo Neira Ayuso
@ 2021-07-27 22:39 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-27 22:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: tom.ty89
Add a test case to cover translation to tcp flags syn / fin,syn,rst,ack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: new in this series.
tests/py/inet/tcp.t | 1 +
tests/py/inet/tcp.t.json | 27 +++++++++++++++++++++++++++
tests/py/inet/tcp.t.payload | 8 ++++++++
3 files changed, 36 insertions(+)
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index 17e0d9b6df9f..dece9eaa89f8 100644
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -73,6 +73,7 @@ tcp flags & syn != 0;ok;tcp flags syn
# it should be possible to transform this to: tcp flags syn
tcp flags & syn == syn;ok
tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) == syn;ok;tcp flags syn / fin,syn,rst,ack
tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack
tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
tcp flags { syn, syn | ack };ok
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
index c1e4fb35a87c..23244eaa2339 100644
--- a/tests/py/inet/tcp.t.json
+++ b/tests/py/inet/tcp.t.json
@@ -1584,6 +1584,33 @@
}
]
+# tcp flags & (fin | syn | rst | ack) == syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn",
+ "rst",
+ "ack"
+ ]
+ ]
+ },
+ "op": "==",
+ "right": "syn"
+ }
+ }
+]
+
+
# tcp flags & (fin | syn | rst | ack) != syn
[
{
diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload
index 77b301883a15..4e795aa931ac 100644
--- a/tests/py/inet/tcp.t.payload
+++ b/tests/py/inet/tcp.t.payload
@@ -394,6 +394,14 @@ inet test-inet input
[ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000002 ]
+# tcp flags & (fin | syn | rst | ack) == syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000002 ]
+
# tcp flags & (fin | syn | rst | ack) != syn
inet test-inet input
[ meta load l4proto => reg 1 ]
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-07-27 22:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-07-27 22:39 [PATCH nft,v2 1/3] tests: py: idempotent tcp flags & syn != 0 to tcp flag syn Pablo Neira Ayuso
2021-07-27 22:39 ` [PATCH nft,v2 2/3] netlink_delinearize: skip flags / mask notation for singleton bitmask Pablo Neira Ayuso
2021-07-27 22:39 ` [PATCH nft,v2 3/3] tests: py: tcp flags & (fin | syn | rst | ack) == syn Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).