netfilter-devel.vger.kernel.org archive mirror
* [PATCH nft 1/2] tests: py: missing json for different byteorder selector with interval concatenation
@ 2022-12-07 21:27 Pablo Neira Ayuso
  2022-12-07 21:27 ` [PATCH nft 2/2] netlink: swap byteorder of value component in interval set with concatenation Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2022-12-07 21:27 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric

Add missing json output, otherwise -j reports an error.

Fixes: 1017d323cafa ("src: support for selectors with different byteorder with interval concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/py/inet/meta.t.json | 61 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
index 723a36f74946..bc268a2ef2ae 100644
--- a/tests/py/inet/meta.t.json
+++ b/tests/py/inet/meta.t.json
@@ -289,3 +289,64 @@
         }
     }
 ]
+
+# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "meta": {
+                            "key": "mark"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "dport",
+                            "protocol": "tcp"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            {
+                                "range": [
+                                    10,
+                                    20
+                                ]
+                            },
+                            {
+                                "range": [
+                                    80,
+                                    90
+                                ]
+                            }
+                        ]
+                    },
+                    {
+                        "concat": [
+                            {
+                                "range": [
+                                    1048576,
+                                    1048867
+                                ]
+                            },
+                            {
+                                "range": [
+                                    100,
+                                    120
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
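Review bot: the hunk ends with an added empty line after the closing `]`, which leaves a blank line at the end of tests/py/inet/meta.t.json; drop it unless the test runner needs the separator. The values themselves check out: 1048576 and 1048867 are 0x00100000 and 0x00100123 from the rule comment.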
-- 
2.30.2



* [PATCH nft 2/2] netlink: swap byteorder of value component in interval set with concatenation
  2022-12-07 21:27 [PATCH nft 1/2] tests: py: missing json for different byteorder selector with interval concatenation Pablo Neira Ayuso
@ 2022-12-07 21:27 ` Pablo Neira Ayuso
  2022-12-07 21:32   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2022-12-07 21:27 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric

Store the meta mark value component of the element tuple in the set in
big endian as it is required for the comparisons. This singleton value
is actually represented as a range in the kernel.

Reported-by: Eric Garver <eric@garver.life>
Fixes: 1017d323cafa ("src: support for selectors with different byteorder with interval concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink.c                                 |  7 +++
 tests/py/inet/meta.t                          |  1 +
 tests/py/inet/meta.t.json                     | 51 +++++++++++++++++++
 tests/py/inet/meta.t.payload                  | 13 +++++
 tests/shell/testcases/sets/concat_interval_0  |  6 +++
 .../sets/dumps/concat_interval_0.nft          |  7 +++
 6 files changed, 85 insertions(+)

diff --git a/src/netlink.c b/src/netlink.c
index db5e79f235d0..ce19af3b4db6 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -281,6 +281,13 @@ static int netlink_gen_concat_data_expr(int end, const struct expr *i,
 		}
 		return netlink_export_pad(data, i->prefix->value, i);
 	case EXPR_VALUE:
+		if (end)
+			break;
+
+		expr = (struct expr *)i;
+		if (expr_basetype(expr)->type == TYPE_INTEGER &&
+		    expr->byteorder == BYTEORDER_HOST_ENDIAN)
+			mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
 		break;
 	default:
 		BUG("invalid expression type '%s' in set", expr_ops(i)->name);
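Review bot: in the new EXPR_VALUE branch, `expr = (struct expr *)i;` casts away the const on `i` and `mpz_switch_byteorder()` then rewrites `expr->value` in place, so the caller's expression stays byte-swapped after this function returns. The `if (end) break;` early exit also appears to rely on the start key always being generated before the end key for the same element, since the end pass reuses the value swapped in the start pass. Export from a temporary copy of the value instead of mutating the input, and add a comment stating why the `end` pass must not swap again.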
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
index 0d7d5f255c00..5b8f4f42a28f 100644
--- a/tests/py/inet/meta.t
+++ b/tests/py/inet/meta.t
@@ -23,3 +23,4 @@ meta obrname "br0";fail
 meta mark set ct mark >> 8;ok
 
 meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
+ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
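Review bot: the added rule only exercises `meta mark` as the last component of the concatenation, and the existing `meta mark . tcp dport` rule in the context line above uses ranges only, so a singleton mark in the first position is still untested. Since the fix is in the EXPR_VALUE path, add a rule with a singleton mark as the leading component as well.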
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
index bc268a2ef2ae..e99db14a20aa 100644
--- a/tests/py/inet/meta.t.json
+++ b/tests/py/inet/meta.t.json
@@ -350,3 +350,54 @@
     }
 ]
 
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "meta": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.2.3.4",
+                            256
+                        ]
+                    },
+                    {
+                        "concat": [
+                            {
+                                "range": [
+                                    "1.2.3.6",
+                                    "1.2.3.8"
+                                ]
+                            },
+                            {
+                                "range": [
+                                    512,
+                                    768
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
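Review bot: the hunk opens with an added empty line directly after an existing blank context line, so the file ends up with two consecutive blank lines before the `# ip saddr . meta mark ...` comment. Drop the leading blank `+` line so the entry is separated by a single blank line, as the previous entry is.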
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
index 2b4e6c2d180d..94fb00bda955 100644
--- a/tests/py/inet/meta.t.payload
+++ b/tests/py/inet/meta.t.payload
@@ -109,3 +109,16 @@ ip test-inet input
   [ byteorder reg 1 = hton(reg 1, 4, 4) ]
   [ payload load 2b @ transport header + 2 => reg 9 ]
   [ lookup reg 1 set __set%d ]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
+__set%d test-inet 87 size 2
+__set%d test-inet 0
+        element 04030201 00010000  - 04030201 00010000  : 0 [end]       element 06030201 00020000  - 08030201 00030000  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ meta load mark => reg 9 ]
+  [ byteorder reg 9 = hton(reg 9, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0
index 3812a94d18c8..4d90af9a6557 100755
--- a/tests/shell/testcases/sets/concat_interval_0
+++ b/tests/shell/testcases/sets/concat_interval_0
@@ -9,6 +9,12 @@ RULESET="table ip t {
 		counter
 		elements = { 1.0.0.1 . udp . 53 }
 	}
+	set s2 {
+		type ipv4_addr . mark
+		flags interval
+		elements = { 10.10.10.10 . 0x00000100,
+			     20.20.20.20 . 0x00000200 }
+	}
 }"
 
 $NFT -f - <<< $RULESET
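Review bot: set `s2` declares `flags interval`, but both added elements pair a single address with a single mark (`10.10.10.10 . 0x00000100`, `20.20.20.20 . 0x00000200`), so this test never loads an actual range on the mark component. Add one element with a mark range so that both the start and the end key of an interval go through the byteorder handling.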
diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
index 875ec1d5c6a0..61547c5e75f9 100644
--- a/tests/shell/testcases/sets/dumps/concat_interval_0.nft
+++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
@@ -4,4 +4,11 @@ table ip t {
 		flags interval
 		counter
 	}
+
+	set s2 {
+		type ipv4_addr . mark
+		flags interval
+		elements = { 10.10.10.10 . 0x00000100,
+			     20.20.20.20 . 0x00000200 }
+	}
 }
-- 
2.30.2
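Why the mark component has to be stored big endian for interval comparisons, as an added illustration that is not part of the patch or of nftables. It assumes a set backend that orders keys by raw byte comparison (memcmp-style); `encode_le`, `encode_be` and `in_range` are hypothetical helpers and the sample marks are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MARK_LEN 4

/* Encode a 32-bit mark least-significant byte first (little-endian host layout). */
static void encode_le(uint32_t v, uint8_t out[MARK_LEN])
{
	for (int i = 0; i < MARK_LEN; i++)
		out[i] = (uint8_t)(v >> (8 * i));
}

/* Encode a 32-bit mark most-significant byte first (big endian). */
static void encode_be(uint32_t v, uint8_t out[MARK_LEN])
{
	for (int i = 0; i < MARK_LEN; i++)
		out[i] = (uint8_t)(v >> (8 * (MARK_LEN - 1 - i)));
}

typedef void (*encode_fn)(uint32_t, uint8_t[MARK_LEN]);

/* Bytewise interval test: start <= key <= end, compared as raw key bytes. */
static int in_range(encode_fn enc, uint32_t key, uint32_t start, uint32_t end)
{
	uint8_t k[MARK_LEN], s[MARK_LEN], e[MARK_LEN];

	enc(key, k);
	enc(start, s);
	enc(end, e);
	return memcmp(s, k, MARK_LEN) <= 0 && memcmp(k, e, MARK_LEN) <= 0;
}

int main(void)
{
	/* Range taken from the test rule: 0x00000200-0x00000300. */
	const uint32_t start = 0x00000200, end = 0x00000300;
	/* Constructed sample marks: one inside the range, one outside it. */
	const uint32_t marks[] = { 0x00000250, 0x00010200 };

	for (size_t i = 0; i < sizeof(marks) / sizeof(marks[0]); i++)
		printf("mark 0x%08x: little-endian key %s, big-endian key %s\n",
		       (unsigned)marks[i],
		       in_range(encode_le, marks[i], start, end) ? "match" : "miss",
		       in_range(encode_be, marks[i], start, end) ? "match" : "miss");
	return 0;
}
```

With little-endian keys the mark inside the range is missed and the mark outside it matches, which for a firewall set means a rule silently applying to the wrong packets.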



* Re: [PATCH nft 2/2] netlink: swap byteorder of value component in interval set with concatenation
  2022-12-07 21:27 ` [PATCH nft 2/2] netlink: swap byteorder of value component in interval set with concatenation Pablo Neira Ayuso
@ 2022-12-07 21:32   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2022-12-07 21:32 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric

On Wed, Dec 07, 2022 at 10:27:31PM +0100, Pablo Neira Ayuso wrote:
> Store the meta mark value component of the element tuple in the set in
> big endian as it is required for the comparisons. This singleton value
> is actually represented as a range in the kernel.

Scratch this, it breaks otherwise, I'll send v2.

> Reported-by: Eric Garver <eric@garver.life>
> Fixes: 1017d323cafa ("src: support for selectors with different byteorder with interval concatenations")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  src/netlink.c                                 |  7 +++
>  tests/py/inet/meta.t                          |  1 +
>  tests/py/inet/meta.t.json                     | 51 +++++++++++++++++++
>  tests/py/inet/meta.t.payload                  | 13 +++++
>  tests/shell/testcases/sets/concat_interval_0  |  6 +++
>  .../sets/dumps/concat_interval_0.nft          |  7 +++
>  6 files changed, 85 insertions(+)
> 
> diff --git a/src/netlink.c b/src/netlink.c
> index db5e79f235d0..ce19af3b4db6 100644
> --- a/src/netlink.c
> +++ b/src/netlink.c
> @@ -281,6 +281,13 @@ static int netlink_gen_concat_data_expr(int end, const struct expr *i,
>  		}
>  		return netlink_export_pad(data, i->prefix->value, i);
>  	case EXPR_VALUE:
> +		if (end)
> +			break;
> +
> +		expr = (struct expr *)i;
> +		if (expr_basetype(expr)->type == TYPE_INTEGER &&
> +		    expr->byteorder == BYTEORDER_HOST_ENDIAN)
> +			mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
>  		break;
>  	default:
>  		BUG("invalid expression type '%s' in set", expr_ops(i)->name);
> diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
> index 0d7d5f255c00..5b8f4f42a28f 100644
> --- a/tests/py/inet/meta.t
> +++ b/tests/py/inet/meta.t
> @@ -23,3 +23,4 @@ meta obrname "br0";fail
>  meta mark set ct mark >> 8;ok
>  
>  meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
> +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
> diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
> index bc268a2ef2ae..e99db14a20aa 100644
> --- a/tests/py/inet/meta.t.json
> +++ b/tests/py/inet/meta.t.json
> @@ -350,3 +350,54 @@
>      }
>  ]
>  
> +
> +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
> +[
> +    {
> +        "match": {
> +            "left": {
> +                "concat": [
> +                    {
> +                        "payload": {
> +                            "field": "saddr",
> +                            "protocol": "ip"
> +                        }
> +                    },
> +                    {
> +                        "meta": {
> +                            "key": "mark"
> +                        }
> +                    }
> +                ]
> +            },
> +            "op": "==",
> +            "right": {
> +                "set": [
> +                    {
> +                        "concat": [
> +                            "1.2.3.4",
> +                            256
> +                        ]
> +                    },
> +                    {
> +                        "concat": [
> +                            {
> +                                "range": [
> +                                    "1.2.3.6",
> +                                    "1.2.3.8"
> +                                ]
> +                            },
> +                            {
> +                                "range": [
> +                                    512,
> +                                    768
> +                                ]
> +                            }
> +                        ]
> +                    }
> +                ]
> +            }
> +        }
> +    }
> +]
> +
> diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
> index 2b4e6c2d180d..94fb00bda955 100644
> --- a/tests/py/inet/meta.t.payload
> +++ b/tests/py/inet/meta.t.payload
> @@ -109,3 +109,16 @@ ip test-inet input
>    [ byteorder reg 1 = hton(reg 1, 4, 4) ]
>    [ payload load 2b @ transport header + 2 => reg 9 ]
>    [ lookup reg 1 set __set%d ]
> +
> +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
> +__set%d test-inet 87 size 2
> +__set%d test-inet 0
> +        element 04030201 00010000  - 04030201 00010000  : 0 [end]       element 06030201 00020000  - 08030201 00030000  : 0 [end]
> +inet test-inet input
> +  [ meta load nfproto => reg 1 ]
> +  [ cmp eq reg 1 0x00000002 ]
> +  [ payload load 4b @ network header + 12 => reg 1 ]
> +  [ meta load mark => reg 9 ]
> +  [ byteorder reg 9 = hton(reg 9, 4, 4) ]
> +  [ lookup reg 1 set __set%d ]
> +
> diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0
> index 3812a94d18c8..4d90af9a6557 100755
> --- a/tests/shell/testcases/sets/concat_interval_0
> +++ b/tests/shell/testcases/sets/concat_interval_0
> @@ -9,6 +9,12 @@ RULESET="table ip t {
>  		counter
>  		elements = { 1.0.0.1 . udp . 53 }
>  	}
> +	set s2 {
> +		type ipv4_addr . mark
> +		flags interval
> +		elements = { 10.10.10.10 . 0x00000100,
> +			     20.20.20.20 . 0x00000200 }
> +	}
>  }"
>  
>  $NFT -f - <<< $RULESET
> diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
> index 875ec1d5c6a0..61547c5e75f9 100644
> --- a/tests/shell/testcases/sets/dumps/concat_interval_0.nft
> +++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
> @@ -4,4 +4,11 @@ table ip t {
>  		flags interval
>  		counter
>  	}
> +
> +	set s2 {
> +		type ipv4_addr . mark
> +		flags interval
> +		elements = { 10.10.10.10 . 0x00000100,
> +			     20.20.20.20 . 0x00000200 }
> +	}
>  }
> -- 
> 2.30.2
> 
