* [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies
@ 2020-12-09 17:49 Florian Westphal
2020-12-09 17:49 ` [PATCH nft 01/10] exthdr: remove unused proto_key member from struct Florian Westphal
` (10 more replies)
0 siblings, 11 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
icmp and icmpv6 protocol header are special, they have overlapping
fields whose interpretation (or existence) depends on the icmp type.
This series allows nft to automatically add the dependency so that
the type-dependant field is not evaluated for any type.
Support for dependency removal is also added, but not for id/sequence.
Those need to check for both echo and echo reply, we'd have to extend
the delinearization step to also check relational expressions with
a non-constant RHS.
For now, the test cases are amended to expect the depenency, i.e.
'icmp id 42' will expect 'icmp type {echo-reply, echo-request} icmp id 42'
as the output.
Also add test cases to cover both id/sequence in same rule (payload
merging is used for those) and add a test with a rule that already
contains a type match.
Florian Westphal (10):
exthdr: remove unused proto_key member from struct
proto: reduce size of proto_desc structure
src: add auto-dependencies for ipv4 icmp
tests: fix exepcted payload of icmp expressions
src: add auto-dependencies for ipv6 icmp6
tests: fix exepcted payload of icmpv6 expressions
payload: auto-remove simple icmp/icmpv6 dependency expressions
tests: icmp, icmpv6: avoid remaining warnings
tests: ip: add one test case to cover both id and sequence
tests: icmp, icmpv6: check we don't add second dependency
include/exthdr.h | 1 -
include/payload.h | 7 +-
include/proto.h | 34 +++--
src/evaluate.c | 20 ++-
src/exthdr.c | 4 -
src/netlink_delinearize.c | 3 +
src/parser_bison.y | 1 -
src/payload.c | 210 +++++++++++++++++++++++++++++-
src/proto.c | 45 ++++---
tests/py/ip/icmp.t | 38 +++---
tests/py/ip/icmp.t.payload.ip | 155 +++++++++++++++++++++-
tests/py/ip6/icmpv6.t | 42 +++---
tests/py/ip6/icmpv6.t.payload.ip6 | 116 +++++++++++++++--
13 files changed, 588 insertions(+), 88 deletions(-)
--
2.26.2
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH nft 01/10] exthdr: remove unused proto_key member from struct
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 02/10] proto: reduce size of proto_desc structure Florian Westphal
` (9 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
also, no need for this struct to be in the parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/exthdr.h | 1 -
src/exthdr.c | 4 ----
src/parser_bison.y | 1 -
3 files changed, 6 deletions(-)
diff --git a/include/exthdr.h b/include/exthdr.h
index c9a3c211b8c4..1bc756f93649 100644
--- a/include/exthdr.h
+++ b/include/exthdr.h
@@ -30,7 +30,6 @@ struct exthdr_desc {
const char *name;
enum exthdr_desc_id id;
uint8_t type;
- int proto_key;
struct proto_hdr_template templates[10];
};
diff --git a/src/exthdr.c b/src/exthdr.c
index 5eb66529b5d7..b0243adad1da 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -409,7 +409,6 @@ const struct exthdr_desc exthdr_rt2 = {
.name = "rt2",
.id = EXTHDR_DESC_RT2,
.type = IPPROTO_ROUTING,
- .proto_key = 2,
.templates = {
[RT2HDR_RESERVED] = {},
[RT2HDR_ADDR] = {},
@@ -423,7 +422,6 @@ const struct exthdr_desc exthdr_rt0 = {
.name = "rt0",
.id = EXTHDR_DESC_RT0,
.type = IPPROTO_ROUTING,
- .proto_key = 0,
.templates = {
[RT0HDR_RESERVED] = RT0_FIELD("reserved", ip6r0_reserved, &integer_type),
[RT0HDR_ADDR_1] = RT0_FIELD("addr[1]", ip6r0_addr[0], &ip6addr_type),
@@ -439,7 +437,6 @@ const struct exthdr_desc exthdr_rt4 = {
.name = "srh",
.id = EXTHDR_DESC_SRH,
.type = IPPROTO_ROUTING,
- .proto_key = 4,
.templates = {
[RT4HDR_LASTENT] = RT4_FIELD("last-entry", ip6r4_last_entry, &integer_type),
[RT4HDR_FLAGS] = RT4_FIELD("flags", ip6r4_flags, &integer_type),
@@ -458,7 +455,6 @@ const struct exthdr_desc exthdr_rt = {
.name = "rt",
.id = EXTHDR_DESC_RT,
.type = IPPROTO_ROUTING,
- .proto_key = -1,
#if 0
.protocol_key = RTHDR_TYPE,
.protocols = {
diff --git a/src/parser_bison.y b/src/parser_bison.y
index e8aa5bb8eb3d..08aadaa32a86 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -184,7 +184,6 @@ int nft_lex(void *, void *, void *);
struct handle_spec handle_spec;
struct position_spec position_spec;
struct prio_spec prio_spec;
- const struct exthdr_desc *exthdr_desc;
}
%token TOKEN_EOF 0 "end of file"
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 02/10] proto: reduce size of proto_desc structure
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
2020-12-09 17:49 ` [PATCH nft 01/10] exthdr: remove unused proto_key member from struct Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 03/10] src: add auto-dependencies for ipv4 icmp Florian Westphal
` (8 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This will need an additional field. We can compress state
here to avoid further size increase.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/proto.h | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/include/proto.h b/include/proto.h
index 6ef332c3966f..667650d67c97 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -39,8 +39,8 @@ struct proto_hdr_template {
const struct datatype *dtype;
uint16_t offset;
uint16_t len;
- enum byteorder byteorder;
- enum nft_meta_keys meta_key;
+ enum byteorder byteorder:8;
+ enum nft_meta_keys meta_key:8;
};
#define PROTO_HDR_TEMPLATE(__token, __dtype, __byteorder, __offset, __len)\
@@ -101,11 +101,11 @@ enum proto_desc_id {
*/
struct proto_desc {
const char *name;
- enum proto_desc_id id;
- enum proto_bases base;
- enum nft_payload_csum_types checksum_type;
- unsigned int checksum_key;
- unsigned int protocol_key;
+ enum proto_desc_id id:8;
+ enum proto_bases base:8;
+ enum nft_payload_csum_types checksum_type:8;
+ uint16_t checksum_key;
+ uint16_t protocol_key;
unsigned int length;
struct {
unsigned int num;
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 03/10] src: add auto-dependencies for ipv4 icmp
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
2020-12-09 17:49 ` [PATCH nft 01/10] exthdr: remove unused proto_key member from struct Florian Westphal
2020-12-09 17:49 ` [PATCH nft 02/10] proto: reduce size of proto_desc structure Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 04/10] tests: fix exepcted payload of icmp expressions Florian Westphal
` (7 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
The ICMP header has field values that are only exist
for certain types.
Mark the icmp proto 'type' field as a nextheader field
and add a new th description to store the icmp type
dependency. This can later be re-used for other protocol
dependend definitions such as mptcp options -- which are all share the
same tcp option number and have a special 4 bit marker inside the
mptcp option space that tells how the remaining option looks like.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/payload.h | 3 ++
include/proto.h | 16 +++++-
src/evaluate.c | 20 ++++++-
src/payload.c | 129 +++++++++++++++++++++++++++++++++++++++++++++-
src/proto.c | 25 ++++++---
5 files changed, 182 insertions(+), 11 deletions(-)
diff --git a/include/payload.h b/include/payload.h
index a914d23930e9..7bbb19b936a9 100644
--- a/include/payload.h
+++ b/include/payload.h
@@ -15,6 +15,9 @@ struct eval_ctx;
struct stmt;
extern int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
struct stmt **res);
+extern int payload_gen_icmp_dependency(struct eval_ctx *ctx,
+ const struct expr *expr,
+ struct stmt **res);
extern int exthdr_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
const struct proto_desc *dependency,
enum proto_bases pb, struct stmt **res);
diff --git a/include/proto.h b/include/proto.h
index 667650d67c97..f383291b5a79 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -25,6 +25,13 @@ enum proto_bases {
extern const char *proto_base_names[];
extern const char *proto_base_tokens[];
+enum icmp_hdr_field_type {
+ PROTO_ICMP_ANY = 0,
+ PROTO_ICMP_ECHO, /* echo and reply */
+ PROTO_ICMP_MTU, /* destination unreachable */
+ PROTO_ICMP_ADDRESS, /* redirect */
+};
+
/**
* struct proto_hdr_template - protocol header field description
*
@@ -33,6 +40,7 @@ extern const char *proto_base_tokens[];
* @offset: offset of the header field from base
* @len: length of header field
* @meta_key: special case: meta expression key
+ * @icmp_dep: special case: icmp header dependency
*/
struct proto_hdr_template {
const char *token;
@@ -41,6 +49,7 @@ struct proto_hdr_template {
uint16_t len;
enum byteorder byteorder:8;
enum nft_meta_keys meta_key:8;
+ enum icmp_hdr_field_type icmp_dep:8;
};
#define PROTO_HDR_TEMPLATE(__token, __dtype, __byteorder, __offset, __len)\
@@ -170,7 +179,12 @@ extern const struct proto_desc *proto_dev_desc(uint16_t type);
*/
struct proto_ctx {
unsigned int debug_mask;
- unsigned int family;
+ uint8_t family;
+ union {
+ struct {
+ uint8_t type;
+ } icmp;
+ } th_dep;
struct {
struct location location;
const struct proto_desc *desc;
diff --git a/src/evaluate.c b/src/evaluate.c
index 76b25b408d55..3eb8e1bfc2c5 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -706,7 +706,8 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr)
return -1;
rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
- return 0;
+ desc = ctx->pctx.protocol[base].desc;
+ goto check_icmp;
}
if (payload->payload.base == desc->base &&
@@ -724,7 +725,24 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr)
* if needed.
*/
if (desc == payload->payload.desc) {
+ const struct proto_hdr_template *tmpl;
+
payload->payload.offset += ctx->pctx.protocol[base].offset;
+check_icmp:
+ if (desc != &proto_icmp)
+ return 0;
+
+ tmpl = expr->payload.tmpl;
+
+ if (!tmpl || !tmpl->icmp_dep)
+ return 0;
+
+ if (payload_gen_icmp_dependency(ctx, expr, &nstmt) < 0)
+ return -1;
+
+ if (nstmt)
+ rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
+
return 0;
}
/* If we already have context and this payload is on the same
diff --git a/src/payload.c b/src/payload.c
index e51c5797c589..54b08f051dc0 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -19,6 +19,7 @@
#include <arpa/inet.h>
#include <linux/netfilter.h>
#include <linux/if_ether.h>
+#include <netinet/ip_icmp.h>
#include <rule.h>
#include <expression.h>
@@ -95,8 +96,16 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
base = ctx->protocol[left->payload.base].desc;
desc = proto_find_upper(base, proto);
- if (!desc)
+ if (!desc) {
+ if (base == &proto_icmp) {
+ /* proto 0 is ECHOREPLY, just pretend its ECHO.
+ * Not doing this would need an additional marker
+ * bit to tell when icmp.type was set.
+ */
+ ctx->th_dep.icmp.type = proto ? proto : ICMP_ECHO;
+ }
return;
+ }
assert(desc->base <= PROTO_BASE_MAX);
if (desc->base == base->base) {
@@ -662,6 +671,19 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
}
}
+static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t)
+{
+ switch (t) {
+ case PROTO_ICMP_ANY:
+ BUG("Invalid map for simple dependency");
+ case PROTO_ICMP_ECHO: return ICMP_ECHO;
+ case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH;
+ case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT;
+ }
+
+ BUG("Missing icmp type mapping");
+}
+
/**
* payload_expr_complete - fill in type information of a raw payload expr
*
@@ -913,3 +935,108 @@ struct expr *payload_expr_join(const struct expr *e1, const struct expr *e2)
expr->len = e1->len + e2->len;
return expr;
}
+
+static struct stmt *
+__payload_gen_icmp_simple_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ const struct datatype *icmp_type,
+ const struct proto_desc *desc,
+ uint8_t type)
+{
+ struct expr *left, *right, *dep;
+
+ left = payload_expr_alloc(&expr->location, desc, desc->protocol_key);
+ right = constant_expr_alloc(&expr->location, icmp_type,
+ BYTEORDER_BIG_ENDIAN, BITS_PER_BYTE,
+ constant_data_ptr(type, BITS_PER_BYTE));
+
+ dep = relational_expr_alloc(&expr->location, OP_EQ, left, right);
+ return expr_stmt_alloc(&dep->location, dep);
+}
+
+static struct stmt *
+__payload_gen_icmp_echo_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ uint8_t echo, uint8_t reply,
+ const struct datatype *icmp_type,
+ const struct proto_desc *desc)
+{
+ struct expr *left, *right, *dep, *set;
+
+ left = payload_expr_alloc(&expr->location, desc, desc->protocol_key);
+
+ set = set_expr_alloc(&expr->location, NULL);
+
+ right = constant_expr_alloc(&expr->location, icmp_type,
+ BYTEORDER_BIG_ENDIAN, BITS_PER_BYTE,
+ constant_data_ptr(echo, BITS_PER_BYTE));
+ right = set_elem_expr_alloc(&expr->location, right);
+ compound_expr_add(set, right);
+
+ right = constant_expr_alloc(&expr->location, icmp_type,
+ BYTEORDER_BIG_ENDIAN, BITS_PER_BYTE,
+ constant_data_ptr(reply, BITS_PER_BYTE));
+ right = set_elem_expr_alloc(&expr->location, right);
+ compound_expr_add(set, right);
+
+ dep = relational_expr_alloc(&expr->location, OP_IMPLICIT, left, set);
+ return expr_stmt_alloc(&dep->location, dep);
+}
+
+int payload_gen_icmp_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ struct stmt **res)
+{
+ const struct proto_hdr_template *tmpl;
+ const struct proto_desc *desc;
+ struct stmt *stmt = NULL;
+ uint8_t type;
+
+ assert(expr->etype == EXPR_PAYLOAD);
+
+ tmpl = expr->payload.tmpl;
+ desc = expr->payload.desc;
+
+ switch (tmpl->icmp_dep) {
+ case PROTO_ICMP_ANY:
+ BUG("No dependency needed");
+ break;
+ case PROTO_ICMP_ECHO:
+ /* do not test ICMP_ECHOREPLY here: its 0 */
+ if (ctx->pctx.th_dep.icmp.type == ICMP_ECHO)
+ goto done;
+
+ type = ICMP_ECHO;
+ if (ctx->pctx.th_dep.icmp.type)
+ goto bad_proto;
+
+ stmt = __payload_gen_icmp_echo_dependency(ctx, expr,
+ ICMP_ECHO, ICMP_ECHOREPLY,
+ &icmp_type_type,
+ desc);
+ break;
+ case PROTO_ICMP_MTU:
+ case PROTO_ICMP_ADDRESS:
+ type = icmp_dep_to_type(tmpl->icmp_dep);
+ if (ctx->pctx.th_dep.icmp.type == type)
+ goto done;
+ if (ctx->pctx.th_dep.icmp.type)
+ goto bad_proto;
+ stmt = __payload_gen_icmp_simple_dependency(ctx, expr,
+ &icmp_type_type,
+ desc, type);
+ break;
+ default:
+ BUG("Unhandled icmp dependency code");
+ }
+
+ ctx->pctx.th_dep.icmp.type = type;
+
+ if (stmt_evaluate(ctx, stmt) < 0)
+ return expr_error(ctx->msgs, expr,
+ "icmp dependency statement is invalid");
+done:
+ *res = stmt;
+ return 0;
+
+bad_proto:
+ return expr_error(ctx->msgs, expr, "incompatible icmp match: rule has %d, need %u",
+ ctx->pctx.th_dep.icmp.type, type);
+}
diff --git a/src/proto.c b/src/proto.c
index c42e8f517bae..d3371ac65975 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -396,25 +396,34 @@ const struct datatype icmp_type_type = {
.sym_tbl = &icmp_type_tbl,
};
-#define ICMPHDR_FIELD(__name, __member) \
- HDR_FIELD(__name, struct icmphdr, __member)
+#define ICMPHDR_FIELD(__token, __member, __dep) \
+ { \
+ .token = (__token), \
+ .dtype = &integer_type, \
+ .byteorder = BYTEORDER_BIG_ENDIAN, \
+ .offset = offsetof(struct icmphdr, __member) * 8, \
+ .len = field_sizeof(struct icmphdr, __member) * 8, \
+ .icmp_dep = (__dep), \
+ }
+
#define ICMPHDR_TYPE(__name, __type, __member) \
- HDR_TYPE(__name, __type, struct icmphdr, __member)
+ HDR_TYPE(__name, __type, struct icmphdr, __member)
const struct proto_desc proto_icmp = {
.name = "icmp",
.id = PROTO_DESC_ICMP,
.base = PROTO_BASE_TRANSPORT_HDR,
+ .protocol_key = ICMPHDR_TYPE,
.checksum_key = ICMPHDR_CHECKSUM,
.checksum_type = NFT_PAYLOAD_CSUM_INET,
.templates = {
[ICMPHDR_TYPE] = ICMPHDR_TYPE("type", &icmp_type_type, type),
[ICMPHDR_CODE] = ICMPHDR_TYPE("code", &icmp_code_type, code),
- [ICMPHDR_CHECKSUM] = ICMPHDR_FIELD("checksum", checksum),
- [ICMPHDR_ID] = ICMPHDR_FIELD("id", un.echo.id),
- [ICMPHDR_SEQ] = ICMPHDR_FIELD("sequence", un.echo.sequence),
- [ICMPHDR_GATEWAY] = ICMPHDR_FIELD("gateway", un.gateway),
- [ICMPHDR_MTU] = ICMPHDR_FIELD("mtu", un.frag.mtu),
+ [ICMPHDR_CHECKSUM] = ICMPHDR_FIELD("checksum", checksum, PROTO_ICMP_ANY),
+ [ICMPHDR_ID] = ICMPHDR_FIELD("id", un.echo.id, PROTO_ICMP_ECHO),
+ [ICMPHDR_SEQ] = ICMPHDR_FIELD("sequence", un.echo.sequence, PROTO_ICMP_ECHO),
+ [ICMPHDR_GATEWAY] = ICMPHDR_FIELD("gateway", un.gateway, PROTO_ICMP_ADDRESS),
+ [ICMPHDR_MTU] = ICMPHDR_FIELD("mtu", un.frag.mtu, PROTO_ICMP_MTU),
},
};
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 04/10] tests: fix exepcted payload of icmp expressions
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (2 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 03/10] src: add auto-dependencies for ipv4 icmp Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 05/10] src: add auto-dependencies for ipv6 icmp6 Florian Westphal
` (6 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
after previous change nft will insert explicit icmp type match.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/ip/icmp.t.payload.ip | 131 +++++++++++++++++++++++++++++++++-
1 file changed, 130 insertions(+), 1 deletion(-)
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index 2185feb81021..6ed4dff86d10 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -272,148 +272,233 @@ ip test-ip4 input
[ immediate reg 0 accept ]
# icmp id 1245 log
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ cmp eq reg 1 0x0000dd04 ]
[ log ]
# icmp id 22
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
# icmp id != 233
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
# icmp id 33-45
+__set%d test-ip4 3
+__set%d test-ip4 input
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
[ cmp lte reg 1 0x00002d00 ]
# icmp id != 33-45
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
# icmp id { 33-55}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
__set%d test-ip4 7
__set%d test-ip4 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmp id != { 33-55}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
__set%d test-ip4 7
__set%d test-ip4 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# icmp id { 22, 34, 333}
__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
+__set%d test-ip4 3
__set%d test-ip4 0
element 00001600 : 0 [end] element 00002200 : 0 [end] element 00004d01 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmp id != { 22, 34, 333}
__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
+__set%d test-ip4 3
__set%d test-ip4 0
element 00001600 : 0 [end] element 00002200 : 0 [end] element 00004d01 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# icmp sequence 22
-ip test-ip4 input
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
+ip
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
# icmp sequence != 233
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
# icmp sequence 33-45
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
[ cmp lte reg 1 0x00002d00 ]
# icmp sequence != 33-45
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
# icmp sequence { 33, 55, 67, 88}
__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
+__set%d test-ip4 3
__set%d test-ip4 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmp sequence != { 33, 55, 67, 88}
__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
+__set%d test-ip4 3
__set%d test-ip4 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# icmp sequence { 33-55}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
__set%d test-ip4 7
__set%d test-ip4 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmp sequence != { 33-55}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
__set%d test-ip4 7
__set%d test-ip4 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -421,6 +506,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp eq reg 1 0x00002100 ]
@@ -428,6 +515,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp gte reg 1 0x00001600 ]
[ cmp lte reg 1 0x00002100 ]
@@ -439,6 +528,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -449,6 +540,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -456,6 +549,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
@@ -463,6 +558,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp neq reg 1 0x0000e900 ]
@@ -470,6 +567,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
[ cmp lte reg 1 0x00002d00 ]
@@ -478,6 +577,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
@@ -488,6 +589,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -498,6 +601,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -508,6 +613,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -518,6 +625,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000003 ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -525,6 +634,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp eq reg 1 0x16000000 ]
@@ -532,6 +643,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp neq reg 1 0xe9000000 ]
@@ -539,6 +652,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp gte reg 1 0x21000000 ]
[ cmp lte reg 1 0x2d000000 ]
@@ -547,6 +662,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ range neq reg 1 0x21000000 0x2d000000 ]
@@ -557,6 +674,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -567,6 +686,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -577,6 +698,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -587,6 +710,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -594,6 +719,8 @@ ip test-ip4 input
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp neq reg 1 0x22000000 ]
@@ -604,6 +731,8 @@ __set%d test-ip4 0
ip test-ip4 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 05/10] src: add auto-dependencies for ipv6 icmp6
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (3 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 04/10] tests: fix exepcted payload of icmp expressions Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 06/10] tests: fix exepcted payload of icmpv6 expressions Florian Westphal
` (5 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Extend the earlier commit to also cover icmpv6.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/proto.h | 4 ++++
src/evaluate.c | 2 +-
src/payload.c | 33 +++++++++++++++++++++++++++++++++
src/proto.c | 26 +++++++++++++++-----------
4 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/include/proto.h b/include/proto.h
index f383291b5a79..b9217588f3e3 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -30,6 +30,10 @@ enum icmp_hdr_field_type {
PROTO_ICMP_ECHO, /* echo and reply */
PROTO_ICMP_MTU, /* destination unreachable */
PROTO_ICMP_ADDRESS, /* redirect */
+ PROTO_ICMP6_MTU,
+ PROTO_ICMP6_PPTR,
+ PROTO_ICMP6_ECHO,
+ PROTO_ICMP6_MGMQ,
};
/**
diff --git a/src/evaluate.c b/src/evaluate.c
index 3eb8e1bfc2c5..e776cd018051 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -729,7 +729,7 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr)
payload->payload.offset += ctx->pctx.protocol[base].offset;
check_icmp:
- if (desc != &proto_icmp)
+ if (desc != &proto_icmp && desc != &proto_icmp6)
return 0;
tmpl = expr->payload.tmpl;
diff --git a/src/payload.c b/src/payload.c
index 54b08f051dc0..7cfa530c06c6 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -20,6 +20,7 @@
#include <linux/netfilter.h>
#include <linux/if_ether.h>
#include <netinet/ip_icmp.h>
+#include <netinet/icmp6.h>
#include <rule.h>
#include <expression.h>
@@ -677,8 +678,12 @@ static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t)
case PROTO_ICMP_ANY:
BUG("Invalid map for simple dependency");
case PROTO_ICMP_ECHO: return ICMP_ECHO;
+ case PROTO_ICMP6_ECHO: return ICMP6_ECHO_REQUEST;
case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH;
case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT;
+ case PROTO_ICMP6_MTU: return ICMP6_PACKET_TOO_BIG;
+ case PROTO_ICMP6_MGMQ: return MLD_LISTENER_QUERY;
+ case PROTO_ICMP6_PPTR: return ICMP6_PARAM_PROB;
}
BUG("Missing icmp type mapping");
@@ -1023,6 +1028,34 @@ int payload_gen_icmp_dependency(struct eval_ctx *ctx, const struct expr *expr,
&icmp_type_type,
desc, type);
break;
+ case PROTO_ICMP6_ECHO:
+ if (ctx->pctx.th_dep.icmp.type == ICMP6_ECHO_REQUEST ||
+ ctx->pctx.th_dep.icmp.type == ICMP6_ECHO_REPLY)
+ goto done;
+
+ type = ICMP6_ECHO_REQUEST;
+ if (ctx->pctx.th_dep.icmp.type)
+ goto bad_proto;
+
+ stmt = __payload_gen_icmp_echo_dependency(ctx, expr,
+ ICMP6_ECHO_REQUEST,
+ ICMP6_ECHO_REPLY,
+ &icmp6_type_type,
+ desc);
+ break;
+ case PROTO_ICMP6_MTU:
+ case PROTO_ICMP6_MGMQ:
+ case PROTO_ICMP6_PPTR:
+ type = icmp_dep_to_type(tmpl->icmp_dep);
+ if (ctx->pctx.th_dep.icmp.type == type)
+ goto done;
+ if (ctx->pctx.th_dep.icmp.type)
+ goto bad_proto;
+ stmt = __payload_gen_icmp_simple_dependency(ctx, expr,
+ &icmp6_type_type,
+ desc, type);
+ break;
+ break;
default:
BUG("Unhandled icmp dependency code");
}
diff --git a/src/proto.c b/src/proto.c
index d3371ac65975..b75626df2861 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -396,16 +396,19 @@ const struct datatype icmp_type_type = {
.sym_tbl = &icmp_type_tbl,
};
-#define ICMPHDR_FIELD(__token, __member, __dep) \
+#define ICMP46HDR_FIELD(__token, __struct, __member, __dep) \
{ \
.token = (__token), \
.dtype = &integer_type, \
.byteorder = BYTEORDER_BIG_ENDIAN, \
- .offset = offsetof(struct icmphdr, __member) * 8, \
- .len = field_sizeof(struct icmphdr, __member) * 8, \
+ .offset = offsetof(__struct, __member) * 8, \
+ .len = field_sizeof(__struct, __member) * 8, \
.icmp_dep = (__dep), \
}
+#define ICMPHDR_FIELD(__token, __member, __dep) \
+ ICMP46HDR_FIELD(__token, struct icmphdr, __member, __dep)
+
#define ICMPHDR_TYPE(__name, __type, __member) \
HDR_TYPE(__name, __type, struct icmphdr, __member)
@@ -822,8 +825,8 @@ const struct datatype icmp6_type_type = {
.sym_tbl = &icmp6_type_tbl,
};
-#define ICMP6HDR_FIELD(__name, __member) \
- HDR_FIELD(__name, struct icmp6_hdr, __member)
+#define ICMP6HDR_FIELD(__token, __member, __dep) \
+ ICMP46HDR_FIELD(__token, struct icmp6_hdr, __member, __dep)
#define ICMP6HDR_TYPE(__name, __type, __member) \
HDR_TYPE(__name, __type, struct icmp6_hdr, __member)
@@ -831,17 +834,18 @@ const struct proto_desc proto_icmp6 = {
.name = "icmpv6",
.id = PROTO_DESC_ICMPV6,
.base = PROTO_BASE_TRANSPORT_HDR,
+ .protocol_key = ICMP6HDR_TYPE,
.checksum_key = ICMP6HDR_CHECKSUM,
.checksum_type = NFT_PAYLOAD_CSUM_INET,
.templates = {
[ICMP6HDR_TYPE] = ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type),
[ICMP6HDR_CODE] = ICMP6HDR_TYPE("code", &icmpv6_code_type, icmp6_code),
- [ICMP6HDR_CHECKSUM] = ICMP6HDR_FIELD("checksum", icmp6_cksum),
- [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
- [ICMP6HDR_MTU] = ICMP6HDR_FIELD("mtu", icmp6_mtu),
- [ICMP6HDR_ID] = ICMP6HDR_FIELD("id", icmp6_id),
- [ICMP6HDR_SEQ] = ICMP6HDR_FIELD("sequence", icmp6_seq),
- [ICMP6HDR_MAXDELAY] = ICMP6HDR_FIELD("max-delay", icmp6_maxdelay),
+ [ICMP6HDR_CHECKSUM] = ICMP6HDR_FIELD("checksum", icmp6_cksum, PROTO_ICMP_ANY),
+ [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr, PROTO_ICMP6_PPTR),
+ [ICMP6HDR_MTU] = ICMP6HDR_FIELD("mtu", icmp6_mtu, PROTO_ICMP6_MTU),
+ [ICMP6HDR_ID] = ICMP6HDR_FIELD("id", icmp6_id, PROTO_ICMP6_ECHO),
+ [ICMP6HDR_SEQ] = ICMP6HDR_FIELD("sequence", icmp6_seq, PROTO_ICMP6_ECHO),
+ [ICMP6HDR_MAXDELAY] = ICMP6HDR_FIELD("max-delay", icmp6_maxdelay, PROTO_ICMP6_MGMQ),
},
};
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 06/10] tests: fix exepcted payload of icmpv6 expressions
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (4 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 05/10] src: add auto-dependencies for ipv6 icmp6 Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 07/10] payload: auto-remove simple icmp/icmpv6 dependency expressions Florian Westphal
` (4 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
nft will now auto-insert a icmpv6 type match.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/ip6/icmpv6.t.payload.ip6 | 107 +++++++++++++++++++++++++++---
1 file changed, 97 insertions(+), 10 deletions(-)
diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
index 51d71f4149b5..406bdd6dab93 100644
--- a/tests/py/ip6/icmpv6.t.payload.ip6
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -327,6 +327,8 @@ ip6 test-ip6 input
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp eq reg 1 0x16000000 ]
@@ -334,6 +336,8 @@ ip6 test-ip6 input
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp neq reg 1 0xe9000000 ]
@@ -341,6 +345,8 @@ ip6 test-ip6 input
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp gte reg 1 0x21000000 ]
[ cmp lte reg 1 0x2d000000 ]
@@ -349,6 +355,8 @@ ip6 test-ip6 input
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ range neq reg 1 0x21000000 0x2d000000 ]
@@ -359,6 +367,8 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -369,6 +379,8 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -379,6 +391,8 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -389,145 +403,206 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# icmpv6 id 33-45
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
[ cmp lte reg 1 0x00002d00 ]
# icmpv6 id != 33-45
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
# icmpv6 id {33, 55, 67, 88}
__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
+__set%d test-ip6 3
__set%d test-ip6 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmpv6 id != {33, 55, 67, 88}
__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
+__set%d test-ip6 3
__set%d test-ip6 0
element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# icmpv6 id {33-55}
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
__set%d test-ip6 7
__set%d test-ip6 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmpv6 id != {33-55}
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
__set%d test-ip6 7
__set%d test-ip6 0
element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# icmpv6 sequence 2
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp eq reg 1 0x00000200 ]
# icmpv6 sequence {3, 4, 5, 6, 7} accept
__set%d test-ip6 3
__set%d test-ip6 0
- element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 accept ]
-
-# icmpv6 sequence != {3, 4, 5, 6, 7} accept
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
__set%d test-ip6 3
__set%d test-ip6 0
element 00000300 : 0 [end] element 00000400 : 0 [end] element 00000500 : 0 [end] element 00000600 : 0 [end] element 00000700 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
+ [ lookup reg 1 set __set%d ]
[ immediate reg 0 accept ]
# icmpv6 sequence {2, 4}
__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
+__set%d test-ip6 3
__set%d test-ip6 0
element 00000200 : 0 [end] element 00000400 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmpv6 sequence != {2, 4}
__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
+__set%d test-ip6 3
__set%d test-ip6 0
element 00000200 : 0 [end] element 00000400 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
# icmpv6 sequence 2-4
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ cmp gte reg 1 0x00000200 ]
[ cmp lte reg 1 0x00000400 ]
# icmpv6 sequence != 2-4
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ range neq reg 1 0x00000200 0x00000400 ]
# icmpv6 sequence { 2-4}
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
__set%d test-ip6 7
__set%d test-ip6 0
element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d ]
# icmpv6 sequence != { 2-4}
+__set%d test-ip6 3
+__set%d test-ip6 0
+ element 00000080 : 0 [end] element 00000081 : 0 [end]
__set%d test-ip6 7
__set%d test-ip6 0
element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end]
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -535,6 +610,8 @@ ip6 test-ip6 input
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000082 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ cmp gte reg 1 0x00002100 ]
[ cmp lte reg 1 0x00002d00 ]
@@ -543,6 +620,8 @@ ip6 test-ip6 input
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000082 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
@@ -553,6 +632,8 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000082 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -563,6 +644,8 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000082 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
@@ -573,6 +656,8 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000082 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d ]
@@ -583,6 +668,8 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000082 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 07/10] payload: auto-remove simple icmp/icmpv6 dependency expressions
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (5 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 06/10] tests: fix exepcted payload of icmpv6 expressions Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 08/10] tests: icmp, icmpv6: avoid remaining warnings Florian Westphal
` (3 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Instead of:
icmpv6 type packet-too-big icmpv6 mtu 1280
display just
icmpv6 mtu 1280
The dependency added for id/sequence is still kept, its handled
by a anon set instead to cover both the echo 'request' and 'reply' cases.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/payload.h | 4 +++-
src/netlink_delinearize.c | 3 +++
src/payload.c | 50 ++++++++++++++++++++++++++++++++++++---
3 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/include/payload.h b/include/payload.h
index 7bbb19b936a9..8bc3fb9a8a54 100644
--- a/include/payload.h
+++ b/include/payload.h
@@ -26,11 +26,13 @@ extern int exthdr_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
* struct payload_dep_ctx - payload protocol dependency tracking
*
* @pbase: protocol base of last dependency match
+ * @icmp_type: extra info for icmp(6) decoding
* @pdep: last dependency match
* @prev: previous statement
*/
struct payload_dep_ctx {
- enum proto_bases pbase;
+ enum proto_bases pbase:8;
+ uint8_t icmp_type;
struct stmt *pdep;
struct stmt *prev;
};
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 9faddde63974..8b06c4c0985f 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1771,6 +1771,9 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
enum proto_bases base = left->payload.base;
bool stacked;
+ if (ctx->pdctx.icmp_type)
+ ctx->pctx.th_dep.icmp.type = ctx->pdctx.icmp_type;
+
payload_expr_expand(&list, left, &ctx->pctx);
list_for_each_entry(left, &list, list) {
diff --git a/src/payload.c b/src/payload.c
index 7cfa530c06c6..48529bcf5c51 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -98,7 +98,7 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
desc = proto_find_upper(base, proto);
if (!desc) {
- if (base == &proto_icmp) {
+ if (base == &proto_icmp || base == &proto_icmp6) {
/* proto 0 is ECHOREPLY, just pretend its ECHO.
* Not doing this would need an additional marker
* bit to tell when icmp.type was set.
@@ -554,6 +554,35 @@ void payload_dependency_reset(struct payload_dep_ctx *ctx)
memset(ctx, 0, sizeof(*ctx));
}
+static uint8_t icmp_get_type(const struct proto_desc *desc, uint8_t value)
+{
+ if (desc == &proto_icmp && value == 0)
+ return ICMP_ECHO;
+
+ return value;
+}
+
+static uint8_t icmp_get_dep_type(const struct proto_desc *desc, struct expr *right)
+{
+ if (right->etype == EXPR_VALUE && right->len == BITS_PER_BYTE)
+ return icmp_get_type(desc, mpz_get_uint8(right->value));
+
+ return 0;
+}
+
+static void payload_dependency_store_icmp_type(struct payload_dep_ctx *ctx)
+{
+ struct expr *dep = ctx->pdep->expr;
+ const struct proto_desc *desc;
+
+ if (dep->left->etype != EXPR_PAYLOAD)
+ return;
+
+ desc = dep->left->payload.desc;
+ if (desc == &proto_icmp || desc == &proto_icmp6)
+ ctx->icmp_type = icmp_get_dep_type(dep->left->payload.desc, dep->right);
+}
+
/**
* payload_dependency_store - store a possibly redundant protocol match
*
@@ -566,6 +595,8 @@ void payload_dependency_store(struct payload_dep_ctx *ctx,
{
ctx->pbase = base + 1;
ctx->pdep = stmt;
+
+ payload_dependency_store_icmp_type(ctx);
}
/**
@@ -581,8 +612,8 @@ bool payload_dependency_exists(const struct payload_dep_ctx *ctx,
enum proto_bases base)
{
return ctx->pbase != PROTO_BASE_INVALID &&
- ctx->pbase == base &&
- ctx->pdep != NULL;
+ ctx->pdep != NULL &&
+ (ctx->pbase == base || (base == PROTO_BASE_TRANSPORT_HDR && ctx->pbase == base + 1));
}
void payload_dependency_release(struct payload_dep_ctx *ctx)
@@ -649,6 +680,10 @@ void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
if (payload_dependency_exists(ctx, expr->payload.base) &&
payload_may_dependency_kill(ctx, family, expr))
payload_dependency_release(ctx);
+ else if (ctx->icmp_type && ctx->pdep) {
+ fprintf(stderr, "Did not kill \n");
+ payload_dependency_release(ctx);
+ }
}
void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
@@ -716,6 +751,11 @@ void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx)
if (tmpl->offset != expr->payload.offset ||
tmpl->len != expr->len)
continue;
+
+ if (tmpl->icmp_dep && ctx->th_dep.icmp.type &&
+ ctx->th_dep.icmp.type != icmp_dep_to_type(tmpl->icmp_dep))
+ continue;
+
expr->dtype = tmpl->dtype;
expr->payload.desc = desc;
expr->payload.tmpl = tmpl;
@@ -842,6 +882,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
if (tmpl->offset != expr->payload.offset)
continue;
+ if (tmpl->icmp_dep && ctx->th_dep.icmp.type &&
+ ctx->th_dep.icmp.type != icmp_dep_to_type(tmpl->icmp_dep))
+ continue;
+
if (tmpl->len <= expr->len) {
new = payload_expr_alloc(&expr->location, desc, i);
list_add_tail(&new->list, list);
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 08/10] tests: icmp, icmpv6: avoid remaining warnings
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (6 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 07/10] payload: auto-remove simple icmp/icmpv6 dependency expressions Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 09/10] tests: ip: add one test case to cover both id and sequence Florian Westphal
` (2 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
In case of id/sequence, both 'reply' and 'request' are valid types.
nft currently does not remove dependencies that don't have
a fixed rhs constant.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/ip/icmp.t | 35 ++++++++++++++++++-----------------
tests/py/ip6/icmpv6.t | 41 ++++++++++++++++-------------------------
2 files changed, 34 insertions(+), 42 deletions(-)
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index cb3b3e356964..e81aeca76088 100644
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -40,24 +40,25 @@ icmp checksum != { 11-343} accept;ok
icmp checksum { 1111, 222, 343} accept;ok
icmp checksum != { 1111, 222, 343} accept;ok
-icmp id 1245 log;ok
-icmp id 22;ok
-icmp id != 233;ok
-icmp id 33-45;ok
-icmp id != 33-45;ok
-icmp id { 33-55};ok
-icmp id != { 33-55};ok
-icmp id { 22, 34, 333};ok
-icmp id != { 22, 34, 333};ok
+icmp id 1245 log;ok;icmp type { echo-reply, echo-request} icmp id 1245 log
+icmp id 22;ok;icmp type { echo-reply, echo-request} icmp id 22
+icmp id != 233;ok;icmp type { echo-reply, echo-request} icmp id != 233
+icmp id 33-45;ok;icmp type { echo-reply, echo-request} icmp id 33-45
+icmp id != 33-45;ok;icmp type { echo-reply, echo-request} icmp id != 33-45
+icmp id { 33-55};ok;icmp type { echo-reply, echo-request} icmp id { 33-55}
+icmp id != { 33-55};ok;icmp type { echo-reply, echo-request} icmp id != { 33-55}
-icmp sequence 22;ok
-icmp sequence != 233;ok
-icmp sequence 33-45;ok
-icmp sequence != 33-45;ok
-icmp sequence { 33, 55, 67, 88};ok
-icmp sequence != { 33, 55, 67, 88};ok
-icmp sequence { 33-55};ok
-icmp sequence != { 33-55};ok
+icmp id { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id { 22, 34, 333}
+icmp id != { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id != { 22, 34, 333}
+
+icmp sequence 22;ok;icmp type { echo-reply, echo-request} icmp sequence 22
+icmp sequence != 233;ok;icmp type { echo-reply, echo-request} icmp sequence != 233
+icmp sequence 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence 33-45
+icmp sequence != 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence != 33-45
+icmp sequence { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence { 33, 55, 67, 88}
+icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33, 55, 67, 88}
+icmp sequence { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence { 33-55}
+icmp sequence != { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33-55}
icmp mtu 33;ok
icmp mtu 22-33;ok
diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t
index 8d794115d51e..67fa6ca8490f 100644
--- a/tests/py/ip6/icmpv6.t
+++ b/tests/py/ip6/icmpv6.t
@@ -44,9 +44,8 @@ icmpv6 checksum != { 222, 226};ok
icmpv6 checksum { 222-226};ok
icmpv6 checksum != { 222-226};ok
-# BUG: icmpv6 parameter-problem, pptr, mtu, packet-too-big
+# BUG: icmpv6 parameter-problem, pptr
# [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
-# [ICMP6HDR_MTU] = ICMP6HDR_FIELD("packet-too-big", icmp6_mtu),
# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 35
# <cmdline>:1:53-53: Error: syntax error, unexpected end of file
# add rule ip6 test6 input icmpv6 parameter-problem 35
@@ -59,11 +58,6 @@ icmpv6 checksum != { 222-226};ok
# <cmdline>:1:54-54: Error: syntax error, unexpected end of file
# add rule ip6 test6 input icmpv6 parameter-problem 2-4
-# BUG: packet-too-big
-# $ sudo nft add rule ip6 test6 input icmpv6 packet-too-big 34
-# <cmdline>:1:50-50: Error: syntax error, unexpected end of file
-# add rule ip6 test6 input icmpv6 packet-too-big 34
-
icmpv6 mtu 22;ok
icmpv6 mtu != 233;ok
icmpv6 mtu 33-45;ok
@@ -73,27 +67,24 @@ icmpv6 mtu != {33, 55, 67, 88};ok
icmpv6 mtu {33-55};ok
icmpv6 mtu != {33-55};ok
-- icmpv6 id 2;ok
-- icmpv6 id != 233;ok
-icmpv6 id 33-45;ok
-icmpv6 id != 33-45;ok
-icmpv6 id {33, 55, 67, 88};ok
-icmpv6 id != {33, 55, 67, 88};ok
-icmpv6 id {33-55};ok
-icmpv6 id != {33-55};ok
+icmpv6 id 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 33-45
+icmpv6 id != 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != 33-45
+icmpv6 id {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33, 55, 67, 88}
+icmpv6 id != {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33, 55, 67, 88}
+icmpv6 id {33-55};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33-55}
+icmpv6 id != {33-55};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33-55}
+
+icmpv6 sequence 2;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2
+icmpv6 sequence {3, 4, 5, 6, 7} accept;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 3, 4, 5, 6, 7} accept
-icmpv6 sequence 2;ok
-icmpv6 sequence {3, 4, 5, 6, 7} accept;ok
-icmpv6 sequence {2, 4};ok
-icmpv6 sequence != {2, 4};ok
-icmpv6 sequence 2-4;ok
-icmpv6 sequence != 2-4;ok
-icmpv6 sequence { 2-4};ok
-icmpv6 sequence != { 2-4};ok
+icmpv6 sequence {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 2, 4}
+icmpv6 sequence != {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2, 4}
+icmpv6 sequence 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2-4
+icmpv6 sequence != 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != 2-4
+icmpv6 sequence { 2-4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 2-4}
+icmpv6 sequence != { 2-4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2-4}
-- icmpv6 max-delay 22;ok
-- icmpv6 max-delay != 233;ok
icmpv6 max-delay 33-45;ok
icmpv6 max-delay != 33-45;ok
icmpv6 max-delay {33, 55, 67, 88};ok
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 09/10] tests: ip: add one test case to cover both id and sequence
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (7 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 08/10] tests: icmp, icmpv6: avoid remaining warnings Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-09 17:49 ` [PATCH nft 10/10] tests: icmp, icmpv6: check we don't add second dependency Florian Westphal
2020-12-11 14:30 ` [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Phil Sutter
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
These are two 2-byte matches, so nft will merge the accesses to
a single 4-byte load+compare.
Check this is properly demangled.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/ip/icmp.t | 2 ++
tests/py/ip/icmp.t.payload.ip | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index e81aeca76088..996e1fc321e4 100644
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -59,6 +59,7 @@ icmp sequence { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp se
icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33, 55, 67, 88}
icmp sequence { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence { 33-55}
icmp sequence != { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33-55}
+icmp id 1 icmp sequence 2;ok;icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
icmp mtu 33;ok
icmp mtu 22-33;ok
@@ -83,3 +84,4 @@ icmp gateway { 33-55};ok
icmp gateway != { 33-55};ok
icmp gateway != 34;ok
icmp gateway != { 333, 334};ok
+
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index 6ed4dff86d10..e238c4bb142c 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -502,6 +502,18 @@ ip test-ip4 input
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmp id 1 icmp sequence 2
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000008 : 0 [end] element 00000000 : 0 [end]
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x02000100 ]
+
# icmp mtu 33
ip test-ip4 input
[ meta load l4proto => reg 1 ]
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH nft 10/10] tests: icmp, icmpv6: check we don't add second dependency
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (8 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 09/10] tests: ip: add one test case to cover both id and sequence Florian Westphal
@ 2020-12-09 17:49 ` Florian Westphal
2020-12-11 14:30 ` [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Phil Sutter
10 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-12-09 17:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
If dependency is already fulfilled, do not add another one.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/ip/icmp.t | 1 +
tests/py/ip/icmp.t.payload.ip | 12 ++++++++++++
tests/py/ip6/icmpv6.t | 1 +
tests/py/ip6/icmpv6.t.payload.ip6 | 9 +++++++++
4 files changed, 23 insertions(+)
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index 996e1fc321e4..c22b55eb1e3f 100644
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -60,6 +60,7 @@ icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp
icmp sequence { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence { 33-55}
icmp sequence != { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33-55}
icmp id 1 icmp sequence 2;ok;icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
+icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2;ok
icmp mtu 33;ok
icmp mtu 22-33;ok
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index e238c4bb142c..d75d12a06125 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -514,6 +514,18 @@ ip
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp eq reg 1 0x02000100 ]
+# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000000 : 0 [end] element 00000008 : 0 [end]
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x02000100 ]
+
# icmp mtu 33
ip test-ip4 input
[ meta load l4proto => reg 1 ]
diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t
index 67fa6ca8490f..8b411a8bf439 100644
--- a/tests/py/ip6/icmpv6.t
+++ b/tests/py/ip6/icmpv6.t
@@ -66,6 +66,7 @@ icmpv6 mtu {33, 55, 67, 88};ok
icmpv6 mtu != {33, 55, 67, 88};ok
icmpv6 mtu {33-55};ok
icmpv6 mtu != {33-55};ok
+icmpv6 type packet-too-big icmpv6 mtu 1280;ok;icmpv6 mtu 1280
icmpv6 id 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 33-45
icmpv6 id != 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != 33-45
diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
index 406bdd6dab93..171b7eade6d3 100644
--- a/tests/py/ip6/icmpv6.t.payload.ip6
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -408,6 +408,15 @@ ip6 test-ip6 input
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmpv6 type packet-too-big icmpv6 mtu 1280
+ip6
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00050000 ]
+
# icmpv6 id 33-45
__set%d test-ip6 3
__set%d test-ip6 0
--
2.26.2
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
` (9 preceding siblings ...)
2020-12-09 17:49 ` [PATCH nft 10/10] tests: icmp, icmpv6: check we don't add second dependency Florian Westphal
@ 2020-12-11 14:30 ` Phil Sutter
10 siblings, 0 replies; 12+ messages in thread
From: Phil Sutter @ 2020-12-11 14:30 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Hi Florian,
On Wed, Dec 09, 2020 at 06:49:14PM +0100, Florian Westphal wrote:
> This series allows nft to automatically add the dependency so that
> the type-dependant field is not evaluated for any type.
Great work, thanks for taking care of this long-standing issue!
Thanks, Phil
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2020-12-11 14:58 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-09 17:49 [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Florian Westphal
2020-12-09 17:49 ` [PATCH nft 01/10] exthdr: remove unused proto_key member from struct Florian Westphal
2020-12-09 17:49 ` [PATCH nft 02/10] proto: reduce size of proto_desc structure Florian Westphal
2020-12-09 17:49 ` [PATCH nft 03/10] src: add auto-dependencies for ipv4 icmp Florian Westphal
2020-12-09 17:49 ` [PATCH nft 04/10] tests: fix exepcted payload of icmp expressions Florian Westphal
2020-12-09 17:49 ` [PATCH nft 05/10] src: add auto-dependencies for ipv6 icmp6 Florian Westphal
2020-12-09 17:49 ` [PATCH nft 06/10] tests: fix exepcted payload of icmpv6 expressions Florian Westphal
2020-12-09 17:49 ` [PATCH nft 07/10] payload: auto-remove simple icmp/icmpv6 dependency expressions Florian Westphal
2020-12-09 17:49 ` [PATCH nft 08/10] tests: icmp, icmpv6: avoid remaining warnings Florian Westphal
2020-12-09 17:49 ` [PATCH nft 09/10] tests: ip: add one test case to cover both id and sequence Florian Westphal
2020-12-09 17:49 ` [PATCH nft 10/10] tests: icmp, icmpv6: check we don't add second dependency Florian Westphal
2020-12-11 14:30 ` [PATCH nft 0/10] nft: add automatic icmp/icmpv6 dependencies Phil Sutter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.