From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Brian Davidson <davidson.brian@gmail.com>, netfilter@vger.kernel.org
Subject: Re: ip6 dscp fails map lookup
Date: Sun, 5 Nov 2023 22:33:45 +0100 [thread overview]
Message-ID: <ZUgKOVCr06AtdVPu@calendula> (raw)
In-Reply-To: <20231105174139.GA3861@breakpoint.cc>
On Sun, Nov 05, 2023 at 06:41:39PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > if (shift) {
> > > > - if (ctx->stmt_len > 0 && div_round_up(masklen, BITS_PER_BYTE) > 1) {
> > > > + if (masklen > BITS_PER_BYTE) {
> > >
> > > I think this is right but binop xfer
> > > won't remove the inserted byteorder conversion
> > > in case the shift is to be removed by adjusting
> > > a constant right hand side value.
> >
> > ctx->stmt_len > 0 is also set from stmt_evaluate_{ct,meta}() so this
> > transformation is restricted to statements.
> >
> > I was conservative edecd58755a8 with ("evaluate: support shifts larger than
> > the width of the left operand") to restrict this transformation to
> > statements only.
> >
> > Do you think think this applies to other cases too?
> >
> > BTW, whatever the final fix is, Fixes: tag for this should be:
> >
> > Fixes: 668c18f67203 ("evaluate: place byteorder conversion before rshift in payload statement")
>
> I don't think this is a regression, I do not think it has worked before.
>
> table ip6 t {
> map mapv6 {
> typeof ip6 dscp : meta mark
> elements = { cs1 : 0x0000002a }
> }
>
> chain output {
> type filter hook output priority filter; policy accept;
> meta mark set ip6 dscp map @mapv6
> meta mark 0x0000002a counter
> ip6 dscp @mapv6 counter
> ip6 dscp cs1 counter
> }
> }
>
> A "ping6 -q -Q 0x20 ::1 -c1" should cause all counters
> in above ruleset to increment, but that is not the case.
Thanks for your simple test, it is passing with these two patches:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231105174148.160390-1-pablo@netfilter.org/
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231105212846.311755-1-pablo@netfilter.org/
I have extended it to also cover for dynamic sets:
table ip6 t {
map mapv6 {
typeof ip6 dscp : meta mark
elements = { cs1 : 0x0000002a }
}
map mapv62 {
typeof ip6 dscp : meta mark
size 65535
flags dynamic
}
chain output {
type filter hook output priority filter; policy accept;
meta mark set ip6 dscp map @mapv6
meta mark 0x0000002a counter
ip6 dscp @mapv6 counter
ip6 dscp cs1 counter
update @mapv62 { ip6 dscp : meta mark }
}
}
I just quickly checked for concatenations with ip6 dscp, it seems the
byteorder conversion is also missing there, so v2 will follow up.
prev parent reply other threads:[~2023-11-05 21:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-03 16:18 ip6 dscp fails map lookup Brian Davidson
2023-11-03 19:37 ` Florian Westphal
2023-11-03 21:59 ` Florian Westphal
2023-11-05 17:15 ` Pablo Neira Ayuso
2023-11-05 17:41 ` Florian Westphal
2023-11-05 17:58 ` Pablo Neira Ayuso
2023-11-05 21:33 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZUgKOVCr06AtdVPu@calendula \
--to=pablo@netfilter.org \
--cc=davidson.brian@gmail.com \
--cc=fw@strlen.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox