* Possible nftables U32 equivalent to read packet's data contents
@ 2017-08-30 21:59 Raul Martinez
2017-09-01 10:30 ` Pablo Neira Ayuso
2017-10-03 13:34 ` Pablo Neira Ayuso
0 siblings, 2 replies; 6+ messages in thread
From: Raul Martinez @ 2017-08-30 21:59 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Hi all,
Looking for a way to implement an expression that can read the first few bytes of a packet's data contents.
It seems this is only possible using raw expressions such as @ll and @nh with an offset that goes past the header length and into the packet's data.
Is there another keyword that supports u32 behavior that I am missing? Will this approach fail because of some internal check to prevent out of bounds reads?
Another question is if raw expressions have been fixed or is there a kernel change required to enable raw expressions?
I still get the below error when I try to use 2017 nftables.
Re: nftables: Example involving payload_raw_expr
On Mon, Nov 30, 2015 at 02:28:38PM +0100, Stefan Berghofer wrote:
> > Hi all,
> >
> > I just tried out the example file tests/payload-ll distributed with nftables,
> > which makes use of payload raw expressions of the form "@..,..,..". While the first
> > two declarations in the file, i.e.
> >
> > nft add table ip filter
> > nft add chain ip filter input \{ type filter hook input priority 0\; \}
> >
> > work as expected, the third declaration
> >
> > nft add rule ip filter input @ll,48,48 00:15:e9:f0:10:f8 counter
> >
> > is rejected with the error message
> >
> > Error: protocol specification is invalid for this family
> It seems this got broken at some stage of the development, so it would
> be good to get this back working and add tests to our regression test
> infrastructure so we make sure this doesn't break again.
Thanks,
Raul
* Re: Possible nftables U32 equivalent to read packet's data contents
2017-08-30 21:59 Possible nftables U32 equivalent to read packet's data contents Raul Martinez
@ 2017-09-01 10:30 ` Pablo Neira Ayuso
2017-09-01 16:39 ` Raul Martinez
2017-10-03 13:34 ` Pablo Neira Ayuso
1 sibling, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-09-01 10:30 UTC (permalink / raw)
To: Raul Martinez; +Cc: netfilter@vger.kernel.org
Hi Raul,
On Wed, Aug 30, 2017 at 09:59:26PM +0000, Raul Martinez wrote:
> Hi all,
>
> Looking for a way to implement an expression that can read the first
> few bytes of a packet's data contents. It seems this is only
> possible using raw expressions such as @ll and @nh with an offset
> that goes past the header length and into the packet's data. Is
> there another keyword that supports u32 behavior that I am missing?
> Will this approach fail because of some internal check to prevent
> out of bounds reads?
>
> Another question is if raw expressions have been fixed or is there a
> kernel change required to enable raw expressions? I still get the
> below error when I try to use 2017 nftables.
If it's not too much to ask, what application layer patterns would you like to
match?
* RE: Possible nftables U32 equivalent to read packet's data contents
2017-09-01 10:30 ` Pablo Neira Ayuso
@ 2017-09-01 16:39 ` Raul Martinez
2017-09-04 20:55 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Raul Martinez @ 2017-09-01 16:39 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org
Hi Pablo,
Ultimately my use would be to read the first byte of an ESP IP
packet's data payload. So the IP layer is where I would want the
expression to work.
The packets I am working with are identical and need to be
routed to one of two interfaces based on if the first byte of
the data contents is non-zero.
Regards,
Raul
-----Original Message-----
From: Pablo Neira Ayuso [mailto:pablo@netfilter.org]
Sent: Friday, September 1, 2017 3:30 AM
To: Raul Martinez <mraul@qti.qualcomm.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Possible nftables U32 equivalent to read packet's data contents
Hi Raul,
On Wed, Aug 30, 2017 at 09:59:26PM +0000, Raul Martinez wrote:
> Hi all,
>
> Looking for a way to implement an expression that can read the first
> few bytes of a packet's data contents. It seems this is only
> possible using raw expressions such as @ll and @nh with an offset
> that goes past the header length and into the packet's data. Is there
> another keyword that supports u32 behavior that I am missing?
> Will this approach fail because of some internal check to prevent out
> of bounds reads?
>
> Another question is if raw expressions have been fixed or is there a
> kernel change required to enable raw expressions? I still get the
> below error when I try to use 2017 nftables.
If it's not too much to ask, what application layer patterns would you like to match?
* Re: Possible nftables U32 equivalent to read packet's data contents
2017-09-01 16:39 ` Raul Martinez
@ 2017-09-04 20:55 ` Pablo Neira Ayuso
2017-09-05 17:04 ` Raul Martinez
0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-09-04 20:55 UTC (permalink / raw)
To: Raul Martinez; +Cc: netfilter@vger.kernel.org
Hi Raul,
On Fri, Sep 01, 2017 at 04:39:35PM +0000, Raul Martinez wrote:
> Hi Pablo,
>
> Ultimately my use would be to read the first byte of an ESP IP
> packet's data payload. So the IP layer is where I would want the
> expression to work.
>
> The packets I am working with are identical and need to be
> routed to one of two interfaces based on if the first byte of
> the data contents is non-zero.
OK, so it's just an arbitrary byte. Not anything in a standard header
that needs to be matched.
I'm asking because we could add the protocol definition for what you
need, so we don't need to use raw expressions.
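As an added example (not code from this thread or from the nftables project), the script below works through the raw-payload approach discussed above for Raul's ESP case: it constructs a minimal IPv4+ESP packet, locates the first byte after the 8-byte ESP header (SPI plus sequence number, RFC 4303), and emits both the `@nh` and the `@th` raw payload expressions that would read that byte. The `@nh` offset shifts when IP options are present, while the `@th` offset is relative to the ESP header and does not. The packet bytes, the mark values and the mark-based policy routing are constructed assumptions; the verdict on a packet that is too short for the requested bytes (the rule does not match, rather than reading out of bounds) reflects how the kernel's payload expression behaves.

```python
import struct

# Constructed example, not from the thread: find where the first byte of an
# ESP packet's data sits and which nft raw payload expression reads it.

ESP_PROTO = 50          # IPv4 protocol number for ESP
ESP_HEADER_LEN = 8      # SPI (4 bytes) + sequence number (4 bytes), RFC 4303


def ipv4_header_len(pkt: bytes) -> int:
    """Return the IPv4 header length in bytes, taken from the IHL field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl_bytes = (pkt[0] & 0x0F) * 4
    if ihl_bytes < 20 or len(pkt) < ihl_bytes:
        raise ValueError("invalid IHL")
    return ihl_bytes


def raw_payload_expr(base: str, offset_bytes: int, length_bytes: int = 1) -> str:
    """Build an nft raw payload expression '@base,offset,length' (bits, not bytes)."""
    if base not in ("ll", "nh", "th"):
        raise ValueError("base must be ll, nh or th")
    return f"@{base},{offset_bytes * 8},{length_bytes * 8}"


def first_esp_data_byte(pkt: bytes):
    """Locate the first byte after the ESP header.

    Returns (value, nh_expr, th_expr), or None if the packet is too short.
    Too short is the out-of-bounds case from the thread: the kernel's payload
    expression cannot copy the requested bytes, so the rule does not match.
    """
    ihl_bytes = ipv4_header_len(pkt)
    if pkt[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    offset = ihl_bytes + ESP_HEADER_LEN
    if len(pkt) <= offset:
        return None
    # @nh counts from the start of the IP header, so its offset depends on IHL;
    # @th counts from the start of the ESP header, so it does not.
    return (pkt[offset],
            raw_payload_expr("nh", offset),
            raw_payload_expr("th", ESP_HEADER_LEN))


def make_esp_packet(first_data_byte: int, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4+ESP packet (sample input, not a real capture)."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 4-byte multiple")
    ihl = (20 + len(options)) // 4
    total_len = 20 + len(options) + ESP_HEADER_LEN + 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, ESP_PROTO, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    esp_hdr = struct.pack("!II", 0x12345678, 1)     # SPI, sequence number
    return ip_hdr + esp_hdr + bytes([first_data_byte]) + b"\x00\x00\x00"


def nft_ruleset(th_expr: str) -> str:
    """Ruleset (assumed layout) that marks ESP packets by that byte; steering the
    two marks to two interfaces via policy routing (ip rule add fwmark ...) is
    left to the routing table."""
    return "\n".join([
        "table ip filter {",
        "    chain prerouting {",
        "        type filter hook prerouting priority -150;",
        f"        ip protocol esp {th_expr} != 0 meta mark set 1",
        f"        ip protocol esp {th_expr} == 0 meta mark set 2",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    for opts in (b"", b"\x01\x01\x01\x01"):      # no options / four NOP options
        value, nh_expr, th_expr = first_esp_data_byte(make_esp_packet(0x7F, opts))
        print(f"options={len(opts)}B value={value:#04x} nh={nh_expr} th={th_expr}")
    print(nft_ruleset(first_esp_data_byte(make_esp_packet(1))[2]))
    print(first_esp_data_byte(make_esp_packet(1)[:28]))  # None: too short
```

Run stand-alone, it prints `@nh,224,8` for a packet without IP options and `@nh,256,8` once four option bytes are present, while `@th,64,8` stays the same in both cases, which is why anchoring on the transport header is the safer choice for Raul's rule. `raw_payload_expr("ll", 6, 6)` reproduces the `@ll,48,48` expression from the test file quoted earlier in the thread (source MAC at byte offset 6).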
* Re: Possible nftables U32 equivalent to read packet's data contents
2017-08-30 21:59 Possible nftables U32 equivalent to read packet's data contents Raul Martinez
2017-09-01 10:30 ` Pablo Neira Ayuso
@ 2017-10-03 13:34 ` Pablo Neira Ayuso
1 sibling, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-10-03 13:34 UTC (permalink / raw)
To: Raul Martinez; +Cc: netfilter@vger.kernel.org
Hi Raul,
On Wed, Aug 30, 2017 at 09:59:26PM +0000, Raul Martinez wrote:
> Hi all,
>
> Looking for a way to implement an expression that can read the first few bytes of a packet's data contents.
> It seems this is only possible using raw expressions such as @ll and @nh with an offset that goes past the header length and into the packet's data.
> Is there another keyword that supports u32 behavior that I am missing? Will this approach fail because of some internal check to prevent out of bounds reads?
>
> Another question is if raw expressions have been fixed or is there a kernel change required to enable raw expressions?
> I still get the below error when I try to use 2017 nftables.
Would you follow up on this patch to address my comments?
http://patchwork.ozlabs.org/patch/778719/
And send a new version?
Thanks.