From: Jeremy Sowden <jeremy@azazel.net>
To: Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: [nft PATCH 00/11] Store multiple payload dependencies
Date: Tue, 21 Dec 2021 19:36:46 +0000
Message-ID: <20211221193657.430866-1-jeremy@azazel.net>

The first patch in this set fixes a cut-and-paste error in an inet
Python test payload which leads to test-failures. However, even with
this fix in place, the test-case still fails:

  inet/sets.t: WARNING: line 24: 'add rule inet test-inet input ip saddr . ip daddr . tcp dport @set3 accept': 'ip saddr . ip daddr . tcp dport @set3 accept' mismatches 'meta nfproto ipv4 ip saddr . ip daddr . tcp dport @set3 accept'
  inet/sets.t: WARNING: line 24: 'add rule bridge test-inet input ip saddr . ip daddr . tcp dport @set3 accept': 'ip saddr . ip daddr . tcp dport @set3 accept' mismatches 'meta protocol ip ip saddr . ip daddr . tcp dport @set3 accept'
  inet/sets.t: WARNING: line 24: 'add rule netdev test-netdev ingress ip saddr . ip daddr . tcp dport @set3 accept': 'ip saddr . ip daddr . tcp dport @set3 accept' mismatches 'meta protocol ip ip saddr . ip daddr . tcp dport @set3 accept'
  inet/sets.t: WARNING: line 24: 'add rule netdev test-netdev egress ip saddr . ip daddr . tcp dport @set3 accept': 'ip saddr . ip daddr . tcp dport @set3 accept' mismatches 'meta protocol ip ip saddr . ip daddr . tcp dport @set3 accept'

The expected output does not include the initial protocol matches.
Since the netdev and bridge families express these matches differently
from how inet does it, it is not possible simply to add the correct
output to the test-case, e.g.:

-ip saddr . ip daddr . tcp dport @set3 accept;ok
+ip saddr . ip daddr . tcp dport @set3 accept;ok;meta nfproto ipv4 ip saddr . ip daddr . tcp dport @set3 accept

and so my initial approach was to split the test-case, moving the netdev
and bridge tests into their respective directories.

However, the protocol matches are redundant and on further thought it
seemed like a better idea to improve the code that performs
payload-dependency elimination. That is the purpose of this patch-set.

Here's the netlink dump for the test:

  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x00000002 ]
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ payload load 4b @ network header + 16 => reg 9 ]
  [ payload load 2b @ transport header + 2 => reg 10 ]
  [ lookup reg 1 set set3 ]
  [ immediate reg 0 accept ]

The reason the `meta nfproto` match is not eliminated is that it is
overwritten in the dependency context by the `meta l4proto` match before
we get to the `ip saddr` and `ip daddr` expressions which would have
caused it to be eliminated. By contrast, the `meta l4proto` match _is_
eliminated because it is still present in the context when we get to the
`tcp dport` expression. Therefore, this patch-set extends the
payload-dependency context to store not just a single dependency, but one
per protocol layer.

Patches 1-3 fix mistakes in Python test-cases. Patches 4-8 do a bit of
tidying and make some preliminary changes. Patch 9 adds the extra
dependencies. Patches 10 & 11 remove redundant protocol matches which
are now eliminated from test-cases.

At the end of this series all tests pass.

Jeremy Sowden (11):
  tests: py: fix inet/sets.t netdev payload
  tests: py: fix inet/ip.t payloads
  tests: py: fix inet/ip_tcp.t test
  netlink_delinearize: fix typo
  src: remove arithmetic on booleans
  src: reduce indentation
  src: simplify logic governing storing payload dependencies
  src: add a helper that returns a payload dependency for a particular
    base
  src: store more than one payload dependency
  tests: py: remove redundant payload expressions
  tests: shell: remove redundant payload expressions

 include/payload.h                             | 15 ++--
 src/netlink.c                                 | 21 ++---
 src/netlink_delinearize.c                     | 53 +++++------
 src/payload.c                                 | 90 +++++++++++++------
 tests/py/inet/icmpX.t                         |  2 +-
 tests/py/inet/icmpX.t.json.output             |  9 --
 tests/py/inet/ip.t.payload.bridge             |  2 +-
 tests/py/inet/ip.t.payload.netdev             |  2 +-
 tests/py/inet/ip_tcp.t                        |  4 +-
 tests/py/inet/ip_tcp.t.json.output            | 12 +++
 tests/py/inet/sets.t.json                     | 11 ---
 tests/py/inet/sets.t.payload.netdev           |  6 +-
 .../testcases/maps/dumps/0010concat_map_0.nft |  2 +-
 .../testcases/maps/dumps/nat_addr_port.nft    |  8 +-
 14 files changed, 129 insertions(+), 108 deletions(-)

-- 
2.34.1
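
Added example, not part of the original message or of the nft source: a simplified C model of the dependency context the cover letter describes, run over the five expressions from the netlink dump. The names layer, stmt, rule and eliminate() are hypothetical; with a single shared slot only `meta l4proto` is removed, with one slot per layer both protocol matches are.

```c
#include <stdio.h>
enum layer { L_NONE = -1, L_NETWORK, L_TRANSPORT, L_MAX };
struct stmt {
    const char *text;
    enum layer implies; /* protocol match: layer whose protocol it pins */
    enum layer uses;    /* payload expression: layer it reads from */
};
/* Constructed from the netlink dump in the message above. */
static const struct stmt rule[] = {
    { "meta nfproto ipv4", L_NETWORK,   L_NONE },
    { "meta l4proto tcp",  L_TRANSPORT, L_NONE },
    { "ip saddr",          L_NONE,      L_NETWORK },
    { "ip daddr",          L_NONE,      L_NETWORK },
    { "tcp dport",         L_NONE,      L_TRANSPORT },
};
#define NSTMT ((int)(sizeof(rule) / sizeof(rule[0])))

/* Returns a bitmask of rule[] entries removed as redundant.
 * per_layer == 0: one shared slot; != 0: one slot per protocol layer. */
static unsigned eliminate(int per_layer)
{
    int dep[L_MAX] = { -1, -1 }; /* index into rule[] per slot, -1 = empty */
    unsigned killed = 0;
    for (int i = 0; i < NSTMT; i++) {
        if (rule[i].implies != L_NONE) {
            /* Store the dependency; a shared slot overwrites the old one. */
            dep[per_layer ? rule[i].implies : 0] = i;
            continue;
        }
        int slot = per_layer ? rule[i].uses : 0;
        if (dep[slot] >= 0 && rule[dep[slot]].implies == rule[i].uses) {
            killed |= 1u << dep[slot]; /* implied by this payload expression */
            dep[slot] = -1;
        }
    }
    return killed;
}

int main(void)
{
    for (int mode = 0; mode <= 1; mode++) {
        unsigned killed = eliminate(mode);
        printf("%s:", mode ? "per-layer  " : "single slot");
        for (int i = 0; i < NSTMT; i++)
            if (!(killed & (1u << i)))
                printf(" [%s]", rule[i].text);
        putchar('\n');
    }
    return 0;
}
```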