* [PATCH,v2 nft 1/2] evaluate: skip byteorder conversion for selector smaller than 2 bytes
@ 2024-02-08 12:54 Pablo Neira Ayuso
2024-02-08 12:54 ` [PATCH nft 2/2] netlink_linearize: add assertion to catch for buggy byteorder Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-08 12:54 UTC (permalink / raw)
To: netfilter-devel
Add a unary expression to trigger byteorder conversion for host byteorder
selectors only if the selector length is larger than or equal to 2 bytes.

 # cat test.nft
 table ip x {
        set test {
                type ipv4_addr . ether_addr . inet_proto
                flags interval
        }

        chain y {
                ip saddr . ether saddr . meta l4proto @test counter
        }
 }

 # nft -f test.nft
 ip x y
  [ meta load iiftype => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ payload load 6b @ link header + 6 => reg 9 ]
  [ meta load l4proto => reg 11 ]
  [ byteorder reg 11 = hton(reg 11, 2, 1) ] <--- should not be here
  [ lookup reg 1 set test ]
  [ counter pkts 0 bytes 0 ]

Fixes: 1017d323cafa ("src: support for selectors with different byteorder with interval concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 12 ++++++----
tests/py/inet/meta.t | 1 +
tests/py/inet/meta.t.json | 41 ++++++++++++++++++++++++++++++++
tests/py/inet/meta.t.json.output | 41 ++++++++++++++++++++++++++++++++
tests/py/inet/meta.t.payload | 14 +++++++++++
5 files changed, 104 insertions(+), 5 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 1b430b72de20..92e009efd4b1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -199,12 +199,14 @@ static int byteorder_conversion(struct eval_ctx *ctx, struct expr **expr,
assert(basetype == TYPE_INTEGER);
- op = byteorder_conversion_op(i, byteorder);
- unary = unary_expr_alloc(&i->location, op, i);
- if (expr_evaluate(ctx, &unary) < 0)
- return -1;
+ if (div_round_up(i->len, BITS_PER_BYTE) >= 2) {
+ op = byteorder_conversion_op(i, byteorder);
+ unary = unary_expr_alloc(&i->location, op, i);
+ if (expr_evaluate(ctx, &unary) < 0)
+ return -1;
- list_replace(&i->list, &unary->list);
+ list_replace(&i->list, &unary->list);
+ }
}
return 0;
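Review bot: the new guard `if (div_round_up(i->len, BITS_PER_BYTE) >= 2)` has no comment saying why selectors shorter than 2 bytes are exempt, and the same length computation is repeated in the assertion added by 2/2. A one-line comment (a single byte has no byte order to convert) or a small shared helper for the length test would keep the two sites from drifting apart.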
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
index 5c062b39b8a9..7d2515c97f47 100644
--- a/tests/py/inet/meta.t
+++ b/tests/py/inet/meta.t
@@ -25,6 +25,7 @@ meta mark set ct mark >> 8;ok
meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
+ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 };ok
meta mark set ip dscp;ok
meta mark set ip dscp | 0x40;ok
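Review bot: the added case uses an anonymous set with a single non-range element, while the reproducer in the commit message is a named set with `flags interval` and the Fixes: tag points at interval concatenations. Consider adding a second line with a range in one of the fields, in the style of the `1.2.3.6-1.2.3.8 . 0x00000200-0x00000300` case just above, so the interval path is covered as well.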
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
index 3ba0fd1dee2a..0fee165ff18a 100644
--- a/tests/py/inet/meta.t.json
+++ b/tests/py/inet/meta.t.json
@@ -526,3 +526,44 @@
}
]
+# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ {
+ "meta": {
+ "key": "l4proto"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ "aa:bb:cc:dd:ee:ff",
+ "tcp"
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
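Review bot: the set element in this JSON input spells the protocol as "tcp", while the rule in the comment line and the expected meta.t.json.output use 6. If the symbolic form is there on purpose to exercise name parsing, a word in the commit message would help; otherwise using 6 here keeps the comment, input and output consistent.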
diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output
index 3e7dd2145e67..8697d5a2b9e2 100644
--- a/tests/py/inet/meta.t.json.output
+++ b/tests/py/inet/meta.t.json.output
@@ -51,3 +51,44 @@
}
]
+# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ {
+ "meta": {
+ "key": "l4proto"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ "aa:bb:cc:dd:ee:ff",
+ 6
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
index c53b5077f9a6..7184fa0c0c9d 100644
--- a/tests/py/inet/meta.t.payload
+++ b/tests/py/inet/meta.t.payload
@@ -173,3 +173,17 @@ inet test-inet input
[ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
[ meta set mark with reg 1 ]
+# ip saddr . ether saddr . meta l4proto { 1.2.3.4 . aa:bb:cc:dd:ee:ff . 6 }
+__set%d test-inet 3 size 1
+__set%d test-inet 0
+ element 04030201 ddccbbaa 0000ffee 00000006 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 6b @ link header + 6 => reg 9 ]
+ [ meta load l4proto => reg 11 ]
+ [ lookup reg 1 set __set%d ]
+
--
2.30.2
* [PATCH nft 2/2] netlink_linearize: add assertion to catch for buggy byteorder
2024-02-08 12:54 [PATCH,v2 nft 1/2] evaluate: skip byteorder conversion for selector smaller than 2 bytes Pablo Neira Ayuso
@ 2024-02-08 12:54 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-08 12:54 UTC (permalink / raw)
To: netfilter-devel
Add assertion to catch buggy bytecode where unary expression is present
with 1-byte, where no byteorder conversion is required.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink_linearize.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 50dbd36c1b8e..6204d8fd2668 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -797,6 +797,8 @@ static void netlink_gen_unary(struct netlink_linearize_ctx *ctx,
struct nftnl_expr *nle;
int byte_size;
+ assert(div_round_up(expr->arg->len, BITS_PER_BYTE) != 1);
+
if ((expr->arg->len % 64) == 0)
byte_size = 8;
else if ((expr->arg->len % 32) == 0)
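Review bot: the assertion tests `!= 1`, whereas the guard added to byteorder_conversion() in 1/2 tests `>= 2`, so the two conditions disagree for a zero-length argument: evaluation would skip the conversion there, yet this check would still pass if such a unary expression reached netlink_gen_unary() some other way. Using the same `>= 2` form in both places states the invariant once. A short comment above the assert() saying that a 1-byte value needs no byteorder conversion would also help, since assert() aborts without any message tied to the offending rule.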
--
2.30.2