[nf-next PATCH v2 1/5] netfilter: bitwise: keep track of bit-length of expressions

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jeremy Sowden <jeremy@azazel.net>
To: Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: [nf-next PATCH v2 1/5] netfilter: bitwise: keep track of bit-length of expressions
Date: Mon,  4 Apr 2022 13:04:13 +0100	[thread overview]
Message-ID: <20220404120417.188410-2-jeremy@azazel.net> (raw)
In-Reply-To: <20220404120417.188410-1-jeremy@azazel.net>

Some bitwise operations are generated in user space when munging paylod
expressions.  During delinearization, user space attempts to eliminate
these operations.  However, it does this before deducing the byte-order
or the correct length in bits of the operands, which means that it
doesn't always handle multi-byte host-endian operations correctly.
Therefore, add support for storing the bit-length of the expression,
even though the kernel doesn't use it, in order to be able to pass it
back to user space.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/uapi/linux/netfilter/nf_tables.h | 2 ++
 net/netfilter/nft_bitwise.c              | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 466fd3f4447c..f3dcc4a34ff1 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -561,6 +561,7 @@ enum nft_bitwise_ops {
  * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
  * @NFTA_BITWISE_DATA: argument for non-boolean operations
  *                     (NLA_NESTED: nft_data_attributes)
+ * @NFTA_BITWISE_NBITS: length of operation in bits (NLA_U32)
  *
  * The bitwise expression supports boolean and shift operations.  It implements
  * the boolean operations by performing the following operation:
@@ -584,6 +585,7 @@ enum nft_bitwise_attributes {
 	NFTA_BITWISE_XOR,
 	NFTA_BITWISE_OP,
 	NFTA_BITWISE_DATA,
+	NFTA_BITWISE_NBITS,
 	__NFTA_BITWISE_MAX
 };
 #define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)
diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index f590ee1c8a1b..cdace40c6ba0 100644
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -23,6 +23,7 @@ struct nft_bitwise {
 	struct nft_data		mask;
 	struct nft_data		xor;
 	struct nft_data		data;
+	u8                      nbits;
 };
 
 static void nft_bitwise_eval_bool(u32 *dst, const u32 *src,
@@ -88,6 +89,7 @@ static const struct nla_policy nft_bitwise_policy[NFTA_BITWISE_MAX + 1] = {
 	[NFTA_BITWISE_XOR]	= { .type = NLA_NESTED },
 	[NFTA_BITWISE_OP]	= { .type = NLA_U32 },
 	[NFTA_BITWISE_DATA]	= { .type = NLA_NESTED },
+	[NFTA_BITWISE_NBITS]	= { .type = NLA_U32 },
 };
 
 static int nft_bitwise_init_bool(struct nft_bitwise *priv,
@@ -193,6 +195,8 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
 	} else {
 		priv->op = NFT_BITWISE_BOOL;
 	}
+	if (tb[NFTA_BITWISE_NBITS])
+		priv->nbits = ntohl(nla_get_be32(tb[NFTA_BITWISE_NBITS]));
 
 	switch(priv->op) {
 	case NFT_BITWISE_BOOL:
@@ -243,6 +247,8 @@ static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr)
 		return -1;
 	if (nla_put_be32(skb, NFTA_BITWISE_OP, htonl(priv->op)))
 		return -1;
+	if (nla_put_be32(skb, NFTA_BITWISE_NBITS, htonl(priv->nbits)))
+		return -1;
 
 	switch (priv->op) {
 	case NFT_BITWISE_BOOL:
-- 
2.35.1

next prev parent reply	other threads:[~2022-04-04 12:04 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-04 12:04 [nf-next PATCH v2 0/5] netfilter: bitwise: support boolean operations with variable RHS operands Jeremy Sowden
2022-04-04 12:04 ` Jeremy Sowden [this message]
2022-04-05 11:28   ` [nf-next PATCH v2 1/5] netfilter: bitwise: keep track of bit-length of expressions Florian Westphal
2022-04-05 20:47     ` Jeremy Sowden
2022-04-06  3:12       ` Florian Westphal
2022-05-05 19:54         ` Jeremy Sowden
2022-04-08 23:27   ` Florian Westphal
2022-04-09  9:38     ` Jeremy Sowden
2022-04-09  9:58       ` Florian Westphal
2022-04-04 12:04 ` [nf-next PATCH v2 2/5] netfilter: bitwise: replace hard-coded size with `sizeof` expression Jeremy Sowden
2022-04-09 10:07   ` Florian Westphal
2022-04-04 12:04 ` [nf-next PATCH v2 3/5] netfilter: bitwise: improve error goto labels Jeremy Sowden
2022-04-09 10:07   ` Florian Westphal
2022-04-04 12:04 ` [nf-next PATCH v2 4/5] netfilter: bitwise: rename some boolean operation functions Jeremy Sowden
2022-04-04 12:04 ` [nf-next PATCH v2 5/5] netfilter: bitwise: add support for doing AND, OR and XOR directly Jeremy Sowden

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:466fd3f4447 dfblob:f3dcc4a34ff dfblob:f590ee1c8a1
dfblob:cdace40c6ba )
 OR (
bs:"[nf-next PATCH v2 1/5] netfilter: bitwise: keep track of bit-length of expressions" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220404120417.188410-2-jeremy@azazel.net \
    --to=jeremy@azazel.net \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).