[nft PATCH 0/2] A bit of non-constant binop follow-up

[nft PATCH 0/2] A bit of non-constant binop follow-up

[Phil Sutter]

When asked about how to translate ebtables' --arp-gratuitous match, I
noticed that basically everything is there already but the parser
rejects it.

While we can't do a simple 'arp saddr ip == arp daddr ip' because cmp
expression requires for one side of the equation to be constant, using
XOR on LHS we can work around this limitation:

arp saddr ip ^ arp daddr ip == 0.0.0.0

Thanks to Jeremy's work on bitwise expression (which one might want to
repeat for cmp), the above is possible in VM code:

[ payload load 4b @ network header + 14 => reg 1 ]
[ payload load 4b @ network header + 24 => reg 2 ]
[ bitwise reg 1 = ( reg 1 ^ reg 2 ) ]
[ cmp eq reg 1 0x00000000 ]

Patch 2 of this series relaxes the parser so it accepts the input.
Basically it undoes an old workaround needed before we introduced start
conditions.

Patch 1 removes a similar restriction in JSON parser. It is needed at
least to accept the JSON equivalent of above match (conversion to JSON
on output was already correct).

Phil Sutter (2):
  parser_json: Accept non-RHS expressions in binop RHS
  parser_bison: Accept non-constant binop on LHS of relationals

 doc/payload-expression.txt        |  6 ++++
 src/parser_bison.y                | 16 +++++-----
 src/parser_json.c                 |  2 +-
 src/scanner.l                     |  2 +-
 tests/py/arp/arp.t                |  4 +++
 tests/py/arp/arp.t.json           | 51 +++++++++++++++++++++++++++++++
 tests/py/arp/arp.t.payload        | 14 +++++++++
 tests/py/arp/arp.t.payload.netdev | 18 +++++++++++
 8 files changed, 104 insertions(+), 9 deletions(-)

-- 
2.51.0

[nft PATCH 1/2] parser_json: Accept non-RHS expressions in binop RHS

[Phil Sutter]

No need to restrict this anymore, binop expressions may contain
non-constant expressions in all places nowadays.

Fixes: 54bfc38c522ba ("src: allow binop expressions with variable right-hand operands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/parser_json.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/parser_json.c b/src/parser_json.c
index 2f70b9877c6ed..b8b623ce05722 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1296,7 +1296,7 @@ static struct expr *json_parse_binop_expr(struct json_ctx *ctx,
 		json_error(ctx, "Failed to parse LHS of binop expression.");
 		return NULL;
 	}
-	right = json_parse_rhs_expr(ctx, jright);
+	right = json_parse_primary_expr(ctx, jright);
 	if (!right) {
 		json_error(ctx, "Failed to parse RHS of binop expression.");
 		expr_free(left);
-- 
2.51.0

[nft PATCH 2/2] parser_bison: Accept non-constant binop on LHS of relationals

[Phil Sutter]

This reverts commit 14a9968a56f8b35138bab172aa7ce796f5d98e03.

Thanks to start conditions, stray "ecn" is no longer recognized by flex
and returned as keyword, so the workaround is not needed anymore. All it
takes is to move it into the block for SCANSTATE_IP and SCANSTATE_IP6 in
scanner.l.

Likewise, keyword_expr no longer has to cover for ECN keyword.

Undoing the commit's workarounds in binop expression parser cases lifts
their restriction which is no longer needed since commit 54bfc38c522ba
("src: allow binop expressions with variable right-hand operands").

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 doc/payload-expression.txt        |  6 ++++
 src/parser_bison.y                | 16 +++++-----
 src/scanner.l                     |  2 +-
 tests/py/arp/arp.t                |  4 +++
 tests/py/arp/arp.t.json           | 51 +++++++++++++++++++++++++++++++
 tests/py/arp/arp.t.payload        | 14 +++++++++
 tests/py/arp/arp.t.payload.netdev | 18 +++++++++++
 7 files changed, 103 insertions(+), 8 deletions(-)

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 8b538968c84b5..59be68be5e21b 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -87,6 +87,12 @@ IPv4 target address|
 ipv4_addr
 |======================
 
+.Using arp header expression
+----------------------------
+# matching on gratuitous ARP packets
+arp saddr ip ^ arp daddr ip == 0.0.0.0
+----------------------------
+
 IPV4 HEADER EXPRESSION
 ~~~~~~~~~~~~~~~~~~~~~~
 [verse]
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 5a334bf0c4997..368d1004c0ec4 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4466,32 +4466,32 @@ osf_ttl			:	/* empty */	{ $$ = NF_OSF_TTL_TRUE; }
 			;
 
 shift_expr		:	primary_expr
-			|	shift_expr		LSHIFT		primary_rhs_expr
+			|	shift_expr		LSHIFT		primary_expr
 			{
 				$$ = binop_expr_alloc(&@$, OP_LSHIFT, $1, $3);
 			}
-			|	shift_expr		RSHIFT		primary_rhs_expr
+			|	shift_expr		RSHIFT		primary_expr
 			{
 				$$ = binop_expr_alloc(&@$, OP_RSHIFT, $1, $3);
 			}
 			;
 
 and_expr		:	shift_expr
-			|	and_expr		AMPERSAND	shift_rhs_expr
+			|	and_expr		AMPERSAND	shift_expr
 			{
 				$$ = binop_expr_alloc(&@$, OP_AND, $1, $3);
 			}
 			;
 
 exclusive_or_expr	:	and_expr
-			|	exclusive_or_expr	CARET		and_rhs_expr
+			|	exclusive_or_expr	CARET		and_expr
 			{
 				$$ = binop_expr_alloc(&@$, OP_XOR, $1, $3);
 			}
 			;
 
 inclusive_or_expr	:	exclusive_or_expr
-			|	inclusive_or_expr	'|'		exclusive_or_rhs_expr
+			|	inclusive_or_expr	'|'		exclusive_or_expr
 			{
 				$$ = binop_expr_alloc(&@$, OP_OR, $1, $3);
 			}
@@ -5186,6 +5186,10 @@ relational_expr		:	expr	/* implicit */	rhs_expr
 			{
 				$$ = relational_expr_alloc(&@2, $2, $1, $3);
 			}
+			|	expr	relational_op	'(' rhs_expr ')'
+			{
+				$$ = relational_expr_alloc(&@2, $2, $1, $4);
+			}
 			|	expr	relational_op	list_rhs_expr
 			{
 				$$ = relational_expr_alloc(&@2, $2, $1, $3);
@@ -5287,7 +5291,6 @@ keyword_expr		:	ETHER   close_scope_eth { $$ = symbol_value(&@$, "ether"); }
 			|	ARP	close_scope_arp { $$ = symbol_value(&@$, "arp"); }
 			|	DNAT	close_scope_nat	{ $$ = symbol_value(&@$, "dnat"); }
 			|	SNAT	close_scope_nat	{ $$ = symbol_value(&@$, "snat"); }
-			|	ECN			{ $$ = symbol_value(&@$, "ecn"); }
 			|	RESET	close_scope_reset	{ $$ = symbol_value(&@$, "reset"); }
 			|	DESTROY	close_scope_destroy	{ $$ = symbol_value(&@$, "destroy"); }
 			|	ORIGINAL		{ $$ = symbol_value(&@$, "original"); }
@@ -5391,7 +5394,6 @@ primary_rhs_expr	:	symbol_expr		{ $$ = $1; }
 							 BYTEORDER_HOST_ENDIAN,
 							 sizeof(data) * BITS_PER_BYTE, &data);
 			}
-			|	'('	basic_rhs_expr	')'	{ $$ = $2; }
 			;
 
 relational_op		:	EQ		{ $$ = OP_EQ; }
diff --git a/src/scanner.l b/src/scanner.l
index 1b4eb1cf13a47..912788ee0e55b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -536,8 +536,8 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 }
 <SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_TYPE>{
 	"dscp"			{ return DSCP; }
+	"ecn"			{ return ECN; }
 }
-"ecn"			{ return ECN; }
 <SCANSTATE_EXPR_UDP,SCANSTATE_IP,SCANSTATE_IP6,SCANSTATE_META,SCANSTATE_TCP,SCANSTATE_SCTP,SCANSTATE_EXPR_SCTP_CHUNK>"length"		{ return LENGTH; }
 <SCANSTATE_EXPR_FRAG,SCANSTATE_IP>{
 	"frag-off"		{ return FRAG_OFF; }
diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t
index 222b91cf08457..2c850315c662a 100644
--- a/tests/py/arp/arp.t
+++ b/tests/py/arp/arp.t
@@ -58,3 +58,7 @@ arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee;ok
 arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1;ok;arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee
 
 meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 arp daddr ip 192.168.143.16 arp daddr ether set 11:22:33:44:55:66
+
+# gratuitous ARP or not?
+arp saddr ip ^ arp daddr ip == 0.0.0.0;ok
+arp saddr ip ^ arp daddr ip != 0.0.0.0;ok
diff --git a/tests/py/arp/arp.t.json b/tests/py/arp/arp.t.json
index 7ce7609539ba4..ac7ef28d94a2b 100644
--- a/tests/py/arp/arp.t.json
+++ b/tests/py/arp/arp.t.json
@@ -891,3 +891,54 @@
     }
 ]
 
+# arp saddr ip ^ arp daddr ip == 0.0.0.0
+[
+    {
+        "match": {
+            "left": {
+                "^": [
+                    {
+                        "payload": {
+                            "field": "saddr ip",
+                            "protocol": "arp"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr ip",
+                            "protocol": "arp"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": "0.0.0.0"
+        }
+    }
+]
+
+# arp saddr ip ^ arp daddr ip != 0.0.0.0
+[
+    {
+        "match": {
+            "left": {
+                "^": [
+                    {
+                        "payload": {
+                            "field": "saddr ip",
+                            "protocol": "arp"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr ip",
+                            "protocol": "arp"
+                        }
+                    }
+                ]
+            },
+            "op": "!=",
+            "right": "0.0.0.0"
+        }
+    }
+]
diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload
index e23c540ca8bc1..649bda9739431 100644
--- a/tests/py/arp/arp.t.payload
+++ b/tests/py/arp/arp.t.payload
@@ -254,3 +254,17 @@ arp
 arp 
   [ payload load 10b @ network header + 14 => reg 1 ]
   [ cmp eq reg 1 0xc0a80101 0xfeed00c0 0xffee ]
+
+# arp saddr ip ^ arp daddr ip == 0.0.0.0
+arp test-arp input
+  [ payload load 4b @ network header + 14 => reg 1 ]
+  [ payload load 4b @ network header + 24 => reg 2 ]
+  [ bitwise reg 1 = ( reg 1 ^ reg 2 ) ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# arp saddr ip ^ arp daddr ip != 0.0.0.0
+arp test-arp input
+  [ payload load 4b @ network header + 14 => reg 1 ]
+  [ payload load 4b @ network header + 24 => reg 2 ]
+  [ bitwise reg 1 = ( reg 1 ^ reg 2 ) ]
+  [ cmp neq reg 1 0x00000000 ]
diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev
index ea238978fa73b..044f2712fd827 100644
--- a/tests/py/arp/arp.t.payload.netdev
+++ b/tests/py/arp/arp.t.payload.netdev
@@ -344,3 +344,21 @@ netdev
   [ cmp eq reg 1 0x0806 ]
   [ payload load 10b @ network header + 14 => reg 1 ]
   [ cmp eq reg 1 0xc0a80101 0xfeed00c0 0xffee ]
+
+# arp saddr ip ^ arp daddr ip == 0.0.0.0
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0806 ]
+  [ payload load 4b @ network header + 14 => reg 1 ]
+  [ payload load 4b @ network header + 24 => reg 2 ]
+  [ bitwise reg 1 = ( reg 1 ^ reg 2 ) ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# arp saddr ip ^ arp daddr ip != 0.0.0.0
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0806 ]
+  [ payload load 4b @ network header + 14 => reg 1 ]
+  [ payload load 4b @ network header + 24 => reg 2 ]
+  [ bitwise reg 1 = ( reg 1 ^ reg 2 ) ]
+  [ cmp neq reg 1 0x00000000 ]
-- 
2.51.0

Re: [nft PATCH 0/2] A bit of non-constant binop follow-up

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 1820 bytes --]

On 2026-04-02, at 20:43:18 +0200, Phil Sutter wrote:
> When asked about how to translate ebtables' --arp-gratuitous match, I
> noticed that basically everything is there already but the parser
> rejects it.
> 
> While we can't do a simple 'arp saddr ip == arp daddr ip' because cmp
> expression requires for one side of the equation to be constant, using
> XOR on LHS we can work around this limitation:
> 
> arp saddr ip ^ arp daddr ip == 0.0.0.0
> 
> Thanks to Jeremy's work on bitwise expression (which one might want to
> repeat for cmp),

I'll take a look. :)

J.

> the above is possible in VM code:
> 
> [ payload load 4b @ network header + 14 => reg 1 ]
> [ payload load 4b @ network header + 24 => reg 2 ]
> [ bitwise reg 1 = ( reg 1 ^ reg 2 ) ]
> [ cmp eq reg 1 0x00000000 ]
> 
> Patch 2 of this series relaxes the parser so it accepts the input.
> Basically it undoes an old workaround needed before we introduced start
> conditions.
> 
> Patch 1 removes a similar restriction in JSON parser. It is needed at
> least to accept the JSON equivalent of above match (conversion to JSON
> on output was already correct).
> 
> Phil Sutter (2):
>   parser_json: Accept non-RHS expressions in binop RHS
>   parser_bison: Accept non-constant binop on LHS of relationals
> 
>  doc/payload-expression.txt        |  6 ++++
>  src/parser_bison.y                | 16 +++++-----
>  src/parser_json.c                 |  2 +-
>  src/scanner.l                     |  2 +-
>  tests/py/arp/arp.t                |  4 +++
>  tests/py/arp/arp.t.json           | 51 +++++++++++++++++++++++++++++++
>  tests/py/arp/arp.t.payload        | 14 +++++++++
>  tests/py/arp/arp.t.payload.netdev | 18 +++++++++++
>  8 files changed, 104 insertions(+), 9 deletions(-)
> 
> -- 
> 2.51.0
> 
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 931 bytes --]

Re: [nft PATCH 0/2] A bit of non-constant binop follow-up

[Phil Sutter]

On Fri, Apr 03, 2026 at 04:53:14PM +0100, Jeremy Sowden wrote:
> On 2026-04-02, at 20:43:18 +0200, Phil Sutter wrote:
> > When asked about how to translate ebtables' --arp-gratuitous match, I
> > noticed that basically everything is there already but the parser
> > rejects it.
> > 
> > While we can't do a simple 'arp saddr ip == arp daddr ip' because cmp
> > expression requires for one side of the equation to be constant, using
> > XOR on LHS we can work around this limitation:
> > 
> > arp saddr ip ^ arp daddr ip == 0.0.0.0
> > 
> > Thanks to Jeremy's work on bitwise expression (which one might want to
> > repeat for cmp),
> 
> I'll take a look. :)

Cool, thanks! The ability for cmp to operate on two registers instead of
one register and payload ("data reg") would allow user space to
implement the above as 'arp saddr ip == arp daddr ip' (without the need
for an internal conversion into XOR). It is not a short-term solution
though due to the needed kernel support.

Cheers, Phil