[libnftnl PATCH v2 0/9] bitwise: support for boolean operations with variable RHS operands

[libnftnl PATCH v2 0/9] bitwise: support for boolean operations with variable RHS operands

[Jeremy Sowden]

Hitherto, the kernel has required that AND, OR and XOR operations be
converted in user space to mask-and-xor operations on one register and
two immediate values.  Now, however, it has support for performing these
operations directly on one register and an immediate value, or on two
registers.  Support has also been added for keeping track of the
bit-length of boolean expressions since this can be useful to user space
during delinearization.  This patch-set makes this new functionality
available to user space.

* Patch 1 updates kernel UAPI header to 5.17-rc7.
* Patches 2 & 3 add support for keeping track of the bit-length of
  boolean expressions.
* Patches 4-7 implement the new operations.
* Patches 8 & 9 refactor the existing bitwise tests and add new ones.

Changes since v1

  * Patches 1-3 are new.
  * In v1, boolean operations were still converted to mask-and-xor form,
    but the mask and xor values were allowed to be passed in registers.

Jeremy Sowden (9):
  include: update nf_tables.h
  include: add new bitwise bit-length attribute to nf_tables.h
  expr: bitwise: pass bit-length to and from the kernel
  include: add new bitwise boolean attributes to nf_tables.h
  expr: bitwise: fix a couple of white-space mistakes
  expr: bitwise: rename some boolean operation functions
  expr: bitwise: add support for kernel space AND, OR and XOR operations
  tests: bitwise: refactor shift tests
  tests: bitwise: add tests for new boolean operations

 include/libnftnl/expr.h             |   2 +
 include/linux/netfilter/nf_tables.h |  27 +++-
 src/expr/bitwise.c                  |  86 ++++++++++-
 tests/nft-expr_bitwise-test.c       | 230 +++++++++++++++++-----------
 4 files changed, 244 insertions(+), 101 deletions(-)

-- 
2.35.1

[libnftnl PATCH v2 1/9] include: update nf_tables.h

[Jeremy Sowden]

Bump it to 5.17-rc7.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter/nf_tables.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 0ae912054cf1..466fd3f4447c 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -753,7 +753,7 @@ enum nft_dynset_attributes {
  * @NFT_PAYLOAD_LL_HEADER: link layer header
  * @NFT_PAYLOAD_NETWORK_HEADER: network header
  * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
- * @NFT_PAYLOAD_INNER_HEADER: inner header
+ * @NFT_PAYLOAD_INNER_HEADER: inner header / payload
  */
 enum nft_payload_bases {
 	NFT_PAYLOAD_LL_HEADER,
@@ -898,7 +898,8 @@ enum nft_meta_keys {
 	NFT_META_OIF,
 	NFT_META_IIFNAME,
 	NFT_META_OIFNAME,
-	NFT_META_IIFTYPE,
+	NFT_META_IFTYPE,
+#define NFT_META_IIFTYPE	NFT_META_IFTYPE
 	NFT_META_OIFTYPE,
 	NFT_META_SKUID,
 	NFT_META_SKGID,
@@ -925,6 +926,7 @@ enum nft_meta_keys {
 	NFT_META_TIME_HOUR,
 	NFT_META_SDIF,
 	NFT_META_SDIFNAME,
+	__NFT_META_IIFTYPE,
 };
 
 /**
-- 
2.35.1

[libnftnl PATCH v2 2/9] include: add new bitwise bit-length attribute to nf_tables.h

[Jeremy Sowden]

The kernel can now keep track of the bit-length of boolean expressions.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter/nf_tables.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 466fd3f4447c..f3dcc4a34ff1 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -561,6 +561,7 @@ enum nft_bitwise_ops {
  * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
  * @NFTA_BITWISE_DATA: argument for non-boolean operations
  *                     (NLA_NESTED: nft_data_attributes)
+ * @NFTA_BITWISE_NBITS: length of operation in bits (NLA_U32)
  *
  * The bitwise expression supports boolean and shift operations.  It implements
  * the boolean operations by performing the following operation:
@@ -584,6 +585,7 @@ enum nft_bitwise_attributes {
 	NFTA_BITWISE_XOR,
 	NFTA_BITWISE_OP,
 	NFTA_BITWISE_DATA,
+	NFTA_BITWISE_NBITS,
 	__NFTA_BITWISE_MAX
 };
 #define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)
-- 
2.35.1

[libnftnl PATCH v2 3/9] expr: bitwise: pass bit-length to and from the kernel

[Jeremy Sowden]

The kernel can now keep track of the bit-length of bitwise operations in
order to help user space eliminate generated operations during
delinearization.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/libnftnl/expr.h       |  1 +
 src/expr/bitwise.c            | 15 +++++++++++++++
 tests/nft-expr_bitwise-test.c | 12 ++++++++++++
 3 files changed, 28 insertions(+)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 00c63ab9d19b..6adad4c222a6 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -128,6 +128,7 @@ enum {
 	NFTNL_EXPR_BITWISE_XOR,
 	NFTNL_EXPR_BITWISE_OP,
 	NFTNL_EXPR_BITWISE_DATA,
+	NFTNL_EXPR_BITWISE_NBITS,
 };
 
 enum {
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index d0c7827eacec..3fa627d7905d 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -29,6 +29,7 @@ struct nftnl_expr_bitwise {
 	union nftnl_data_reg	mask;
 	union nftnl_data_reg	xor;
 	union nftnl_data_reg	data;
+	unsigned int		nbits;
 };
 
 static int
@@ -62,6 +63,9 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
 		memcpy(&bitwise->data.val, data, data_len);
 		bitwise->data.len = data_len;
 		break;
+	case NFTNL_EXPR_BITWISE_NBITS:
+		memcpy(&bitwise->nbits, data, sizeof(bitwise->nbits));
+		break;
 	default:
 		return -1;
 	}
@@ -96,6 +100,9 @@ nftnl_expr_bitwise_get(const struct nftnl_expr *e, uint16_t type,
 	case NFTNL_EXPR_BITWISE_DATA:
 		*data_len = bitwise->data.len;
 		return &bitwise->data.val;
+	case NFTNL_EXPR_BITWISE_NBITS:
+		*data_len = sizeof(bitwise->nbits);
+		return &bitwise->nbits;
 	}
 	return NULL;
 }
@@ -113,6 +120,7 @@ static int nftnl_expr_bitwise_cb(const struct nlattr *attr, void *data)
 	case NFTA_BITWISE_DREG:
 	case NFTA_BITWISE_OP:
 	case NFTA_BITWISE_LEN:
+	case NFTA_BITWISE_NBITS:
 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
 			abi_breakage();
 		break;
@@ -141,6 +149,9 @@ nftnl_expr_bitwise_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
 		mnl_attr_put_u32(nlh, NFTA_BITWISE_OP, htonl(bitwise->op));
 	if (e->flags & (1 << NFTNL_EXPR_BITWISE_LEN))
 		mnl_attr_put_u32(nlh, NFTA_BITWISE_LEN, htonl(bitwise->len));
+	if (e->flags & (1 << NFTNL_EXPR_BITWISE_NBITS))
+		mnl_attr_put_u32(nlh, NFTA_BITWISE_NBITS,
+				 htonl(bitwise->nbits));
 	if (e->flags & (1 << NFTNL_EXPR_BITWISE_MASK)) {
 		struct nlattr *nest;
 
@@ -205,6 +216,10 @@ nftnl_expr_bitwise_parse(struct nftnl_expr *e, struct nlattr *attr)
 		ret = nftnl_parse_data(&bitwise->data, tb[NFTA_BITWISE_DATA], NULL);
 		e->flags |= (1 << NFTNL_EXPR_BITWISE_DATA);
 	}
+	if (tb[NFTA_BITWISE_NBITS]) {
+		bitwise->nbits = ntohl(mnl_attr_get_u32(tb[NFTA_BITWISE_NBITS]));
+		e->flags |= (1 << NFTNL_EXPR_BITWISE_NBITS);
+	}
 
 	return ret;
 }
diff --git a/tests/nft-expr_bitwise-test.c b/tests/nft-expr_bitwise-test.c
index f134728fdd86..9d01376a69bd 100644
--- a/tests/nft-expr_bitwise-test.c
+++ b/tests/nft-expr_bitwise-test.c
@@ -45,6 +45,9 @@ static void cmp_nftnl_expr_bool(struct nftnl_expr *rule_a,
 	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
 	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
 		print_err("bool", "Expr BITWISE_LEN mismatches");
+	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
+	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
+		print_err("bool", "Expr BITWISE_NBITS mismatches");
 	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_MASK, &maska);
 	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_MASK, &maskb);
 	if (maska != maskb)
@@ -72,6 +75,9 @@ static void cmp_nftnl_expr_lshift(struct nftnl_expr *rule_a,
 	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
 	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
 		print_err("lshift", "Expr BITWISE_LEN mismatches");
+	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
+	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
+		print_err("lshift", "Expr BITWISE_NBITS mismatches");
 	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
 	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
 	if (data_a != data_b)
@@ -95,6 +101,9 @@ static void cmp_nftnl_expr_rshift(struct nftnl_expr *rule_a,
 	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
 	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
 		print_err("rshift", "Expr BITWISE_LEN mismatches");
+	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
+	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
+		print_err("rshift", "Expr BITWISE_NBITS mismatches");
 	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
 	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
 	if (data_a != data_b)
@@ -124,6 +133,7 @@ static void test_bool(void)
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_BOOL);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_NBITS, 0x11223344);
 	nftnl_expr_set(ex, NFTNL_EXPR_BITWISE_MASK, &mask, sizeof(mask));
 	nftnl_expr_set(ex, NFTNL_EXPR_BITWISE_XOR, &xor, sizeof(xor));
 
@@ -179,6 +189,7 @@ static void test_lshift(void)
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_LSHIFT);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_NBITS, 0x11223344);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DATA, 13);
 
 	nftnl_rule_add_expr(a, ex);
@@ -233,6 +244,7 @@ static void test_rshift(void)
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_RSHIFT);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_NBITS, 0x11223344);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DATA, 17);
 
 	nftnl_rule_add_expr(a, ex);
-- 
2.35.1

[libnftnl PATCH v2 4/9] include: add new bitwise boolean attributes to nf_tables.h

[Jeremy Sowden]

The kernel now has native support for AND, OR and XOR bitwise
operations.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/linux/netfilter/nf_tables.h | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index f3dcc4a34ff1..cd3e9e4ac646 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -539,16 +539,27 @@ enum nft_immediate_attributes {
 /**
  * enum nft_bitwise_ops - nf_tables bitwise operations
  *
- * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
- *                    XOR boolean operations
+ * @NFT_BITWISE_MASK_XOR: mask-and-xor operation used to implement NOT, AND, OR
+ *                        and XOR boolean operations
  * @NFT_BITWISE_LSHIFT: left-shift operation
  * @NFT_BITWISE_RSHIFT: right-shift operation
+ * @NFT_BITWISE_AND: and operation
+ * @NFT_BITWISE_OR: or operation
+ * @NFT_BITWISE_XOR: xor operation
  */
 enum nft_bitwise_ops {
-	NFT_BITWISE_BOOL,
+	NFT_BITWISE_MASK_XOR,
 	NFT_BITWISE_LSHIFT,
 	NFT_BITWISE_RSHIFT,
+	NFT_BITWISE_AND,
+	NFT_BITWISE_OR,
+	NFT_BITWISE_XOR,
 };
+/*
+ * Old name for NFT_BITWISE_MASK_XOR, predating the addition of NFT_BITWISE_AND,
+ * NFT_BITWISE_OR and NFT_BITWISE_XOR.  Retained for backwards-compatibility.
+ */
+#define NFT_BITWISE_BOOL NFT_BITWISE_MASK_XOR
 
 /**
  * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
@@ -562,6 +573,7 @@ enum nft_bitwise_ops {
  * @NFTA_BITWISE_DATA: argument for non-boolean operations
  *                     (NLA_NESTED: nft_data_attributes)
  * @NFTA_BITWISE_NBITS: length of operation in bits (NLA_U32)
+ * @NFTA_BITWISE_SREG2: second source register (NLA_U32: nft_registers)
  *
  * The bitwise expression supports boolean and shift operations.  It implements
  * the boolean operations by performing the following operation:
@@ -586,6 +598,7 @@ enum nft_bitwise_attributes {
 	NFTA_BITWISE_OP,
 	NFTA_BITWISE_DATA,
 	NFTA_BITWISE_NBITS,
+	NFTA_BITWISE_SREG2,
 	__NFTA_BITWISE_MAX
 };
 #define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)
-- 
2.35.1

[libnftnl PATCH v2 5/9] expr: bitwise: fix a couple of white-space mistakes

[Jeremy Sowden]

Add spaces round an operator, and break a couple of long lines.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 src/expr/bitwise.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index 3fa627d7905d..d695cb1cc3a9 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -182,7 +182,7 @@ static int
 nftnl_expr_bitwise_parse(struct nftnl_expr *e, struct nlattr *attr)
 {
 	struct nftnl_expr_bitwise *bitwise = nftnl_expr_data(e);
-	struct nlattr *tb[NFTA_BITWISE_MAX+1] = {};
+	struct nlattr *tb[NFTA_BITWISE_MAX + 1] = {};
 	int ret = 0;
 
 	if (mnl_attr_parse_nested(attr, nftnl_expr_bitwise_cb, tb) < 0)
@@ -279,10 +279,12 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
 		err = nftnl_expr_bitwise_snprintf_bool(buf, size, bitwise);
 		break;
 	case NFT_BITWISE_LSHIFT:
-		err = nftnl_expr_bitwise_snprintf_shift(buf, size, "<<", bitwise);
+		err = nftnl_expr_bitwise_snprintf_shift(buf, size, "<<",
+							bitwise);
 		break;
 	case NFT_BITWISE_RSHIFT:
-		err = nftnl_expr_bitwise_snprintf_shift(buf, size, ">>", bitwise);
+		err = nftnl_expr_bitwise_snprintf_shift(buf, size, ">>",
+							bitwise);
 		break;
 	}
 
-- 
2.35.1

[libnftnl PATCH v2 6/9] expr: bitwise: rename some boolean operation functions

[Jeremy Sowden]

In the next patch we add support for doing AND, OR and XOR operations
directly in the kernel, so rename some functions and an enum constant
related to mask-and-xor boolean operations.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 src/expr/bitwise.c            |  8 ++++----
 tests/nft-expr_bitwise-test.c | 36 +++++++++++++++++------------------
 2 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index d695cb1cc3a9..c7428af6adf8 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -225,8 +225,8 @@ nftnl_expr_bitwise_parse(struct nftnl_expr *e, struct nlattr *attr)
 }
 
 static int
-nftnl_expr_bitwise_snprintf_bool(char *buf, size_t remain,
-				 const struct nftnl_expr_bitwise *bitwise)
+nftnl_expr_bitwise_snprintf_mask_xor(char *buf, size_t remain,
+				     const struct nftnl_expr_bitwise *bitwise)
 {
 	int offset = 0, ret;
 
@@ -275,8 +275,8 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
 	int err = -1;
 
 	switch (bitwise->op) {
-	case NFT_BITWISE_BOOL:
-		err = nftnl_expr_bitwise_snprintf_bool(buf, size, bitwise);
+	case NFT_BITWISE_MASK_XOR:
+		err = nftnl_expr_bitwise_snprintf_mask_xor(buf, size, bitwise);
 		break;
 	case NFT_BITWISE_LSHIFT:
 		err = nftnl_expr_bitwise_snprintf_shift(buf, size, "<<",
diff --git a/tests/nft-expr_bitwise-test.c b/tests/nft-expr_bitwise-test.c
index 9d01376a69bd..96298a4a97d2 100644
--- a/tests/nft-expr_bitwise-test.c
+++ b/tests/nft-expr_bitwise-test.c
@@ -27,35 +27,35 @@ static void print_err(const char *test, const char *msg)
 	printf("\033[31mERROR:\e[0m [%s] %s\n", test, msg);
 }
 
-static void cmp_nftnl_expr_bool(struct nftnl_expr *rule_a,
-				struct nftnl_expr *rule_b)
+static void cmp_nftnl_expr_mask_xor(struct nftnl_expr *rule_a,
+				    struct nftnl_expr *rule_b)
 {
 	uint32_t maska, maskb;
 	uint32_t xora, xorb;
 
 	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
 	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
-		print_err("bool", "Expr BITWISE_DREG mismatches");
+		print_err("mask & xor", "Expr BITWISE_DREG mismatches");
 	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
 	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
-		print_err("bool", "Expr BITWISE_SREG mismatches");
+		print_err("mask & xor", "Expr BITWISE_SREG mismatches");
 	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
 	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
-		print_err("bool", "Expr BITWISE_OP mismatches");
+		print_err("mask & xor", "Expr BITWISE_OP mismatches");
 	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
 	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
-		print_err("bool", "Expr BITWISE_LEN mismatches");
+		print_err("mask & xor", "Expr BITWISE_LEN mismatches");
 	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
 	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
-		print_err("bool", "Expr BITWISE_NBITS mismatches");
+		print_err("mask & xor", "Expr BITWISE_NBITS mismatches");
 	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_MASK, &maska);
 	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_MASK, &maskb);
 	if (maska != maskb)
-		print_err("bool", "Size of BITWISE_MASK mismatches");
+		print_err("mask & xor", "Size of BITWISE_MASK mismatches");
 	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_XOR, &xora);
 	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_XOR, &xorb);
 	if (xora != xorb)
-		print_err("bool", "Size of BITWISE_XOR mismatches");
+		print_err("mask & xor", "Size of BITWISE_XOR mismatches");
 }
 
 static void cmp_nftnl_expr_lshift(struct nftnl_expr *rule_a,
@@ -110,7 +110,7 @@ static void cmp_nftnl_expr_rshift(struct nftnl_expr *rule_a,
 		print_err("rshift", "Expr BITWISE_DATA mismatches");
 }
 
-static void test_bool(void)
+static void test_mask_xor(void)
 {
 	struct nftnl_rule *a, *b = NULL;
 	struct nftnl_expr *ex = NULL;
@@ -124,10 +124,10 @@ static void test_bool(void)
 	a = nftnl_rule_alloc();
 	b = nftnl_rule_alloc();
 	if (a == NULL || b == NULL)
-		print_err("bool", "OOM");
+		print_err("mask & xor", "OOM");
 	ex = nftnl_expr_alloc("bitwise");
 	if (ex == NULL)
-		print_err("bool", "OOM");
+		print_err("mask & xor", "OOM");
 
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG, 0x12345678);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
@@ -143,26 +143,26 @@ static void test_bool(void)
 	nftnl_rule_nlmsg_build_payload(nlh, a);
 
 	if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
-		print_err("bool", "parsing problems");
+		print_err("mask & xor", "parsing problems");
 
 	iter_a = nftnl_expr_iter_create(a);
 	iter_b = nftnl_expr_iter_create(b);
 	if (iter_a == NULL || iter_b == NULL)
-		print_err("bool", "OOM");
+		print_err("mask & xor", "OOM");
 
 	rule_a = nftnl_expr_iter_next(iter_a);
 	rule_b = nftnl_expr_iter_next(iter_b);
 	if (rule_a == NULL || rule_b == NULL)
-		print_err("bool", "OOM");
+		print_err("mask & xor", "OOM");
 
 	if (nftnl_expr_iter_next(iter_a) != NULL ||
 	    nftnl_expr_iter_next(iter_b) != NULL)
-		print_err("bool", "More 1 expr.");
+		print_err("mask & xor", "More 1 expr.");
 
 	nftnl_expr_iter_destroy(iter_a);
 	nftnl_expr_iter_destroy(iter_b);
 
-	cmp_nftnl_expr_bool(rule_a,rule_b);
+	cmp_nftnl_expr_mask_xor(rule_a,rule_b);
 
 	nftnl_rule_free(a);
 	nftnl_rule_free(b);
@@ -280,7 +280,7 @@ static void test_rshift(void)
 
 int main(int argc, char *argv[])
 {
-	test_bool();
+	test_mask_xor();
 	if (!test_ok)
 		exit(EXIT_FAILURE);
 
-- 
2.35.1

[libnftnl PATCH v2 7/9] expr: bitwise: add support for kernel space AND, OR and XOR operations

[Jeremy Sowden]

Hitherto, the kernel has only supported boolean operations of the form:

  dst = (src & mask) ^ xor

where `src` is held in a register, and `mask` and `xor` are immediate
values.  User space has converted AND, OR and XOR operations to this
form, and so one operand has had to be immediate.  The kernel now
supports performing AND, OR and XOR operations directly, on one register
and an immediate value or on two registers, so we make that support
available to user space.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 include/libnftnl/expr.h |  1 +
 src/expr/bitwise.c      | 55 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 6adad4c222a6..be91e2dc58ca 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -129,6 +129,7 @@ enum {
 	NFTNL_EXPR_BITWISE_OP,
 	NFTNL_EXPR_BITWISE_DATA,
 	NFTNL_EXPR_BITWISE_NBITS,
+	NFTNL_EXPR_BITWISE_SREG2,
 };
 
 enum {
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index c7428af6adf8..e2ebd83fee0e 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -23,6 +23,7 @@
 
 struct nftnl_expr_bitwise {
 	enum nft_registers	sreg;
+	enum nft_registers	sreg2;
 	enum nft_registers	dreg;
 	enum nft_bitwise_ops	op;
 	unsigned int		len;
@@ -42,6 +43,11 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
 	case NFTNL_EXPR_BITWISE_SREG:
 		memcpy(&bitwise->sreg, data, sizeof(bitwise->sreg));
 		break;
+	case NFTNL_EXPR_BITWISE_SREG2:
+		if (e->flags & (1 << NFTNL_EXPR_BITWISE_DATA))
+			return -1;
+		memcpy(&bitwise->sreg2, data, sizeof(bitwise->sreg2));
+		break;
 	case NFTNL_EXPR_BITWISE_DREG:
 		memcpy(&bitwise->dreg, data, sizeof(bitwise->dreg));
 		break;
@@ -60,6 +66,8 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
 		bitwise->xor.len = data_len;
 		break;
 	case NFTNL_EXPR_BITWISE_DATA:
+		if (e->flags & (1 << NFTNL_EXPR_BITWISE_SREG2))
+			return -1;
 		memcpy(&bitwise->data.val, data, data_len);
 		bitwise->data.len = data_len;
 		break;
@@ -82,6 +90,9 @@ nftnl_expr_bitwise_get(const struct nftnl_expr *e, uint16_t type,
 	case NFTNL_EXPR_BITWISE_SREG:
 		*data_len = sizeof(bitwise->sreg);
 		return &bitwise->sreg;
+	case NFTNL_EXPR_BITWISE_SREG2:
+		*data_len = sizeof(bitwise->sreg2);
+		return &bitwise->sreg2;
 	case NFTNL_EXPR_BITWISE_DREG:
 		*data_len = sizeof(bitwise->dreg);
 		return &bitwise->dreg;
@@ -117,6 +128,7 @@ static int nftnl_expr_bitwise_cb(const struct nlattr *attr, void *data)
 
 	switch(type) {
 	case NFTA_BITWISE_SREG:
+	case NFTA_BITWISE_SREG2:
 	case NFTA_BITWISE_DREG:
 	case NFTA_BITWISE_OP:
 	case NFTA_BITWISE_LEN:
@@ -143,6 +155,8 @@ nftnl_expr_bitwise_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
 
 	if (e->flags & (1 << NFTNL_EXPR_BITWISE_SREG))
 		mnl_attr_put_u32(nlh, NFTA_BITWISE_SREG, htonl(bitwise->sreg));
+	if (e->flags & (1 << NFTNL_EXPR_BITWISE_SREG2))
+		mnl_attr_put_u32(nlh, NFTA_BITWISE_SREG2, htonl(bitwise->sreg2));
 	if (e->flags & (1 << NFTNL_EXPR_BITWISE_DREG))
 		mnl_attr_put_u32(nlh, NFTA_BITWISE_DREG, htonl(bitwise->dreg));
 	if (e->flags & (1 << NFTNL_EXPR_BITWISE_OP))
@@ -192,6 +206,10 @@ nftnl_expr_bitwise_parse(struct nftnl_expr *e, struct nlattr *attr)
 		bitwise->sreg = ntohl(mnl_attr_get_u32(tb[NFTA_BITWISE_SREG]));
 		e->flags |= (1 << NFTNL_EXPR_BITWISE_SREG);
 	}
+	if (tb[NFTA_BITWISE_SREG2]) {
+		bitwise->sreg2 = ntohl(mnl_attr_get_u32(tb[NFTA_BITWISE_SREG2]));
+		e->flags |= (1 << NFTNL_EXPR_BITWISE_SREG2);
+	}
 	if (tb[NFTA_BITWISE_DREG]) {
 		bitwise->dreg = ntohl(mnl_attr_get_u32(tb[NFTA_BITWISE_DREG]));
 		e->flags |= (1 << NFTNL_EXPR_BITWISE_DREG);
@@ -267,6 +285,31 @@ nftnl_expr_bitwise_snprintf_shift(char *buf, size_t remain, const char *op,
 	return offset;
 }
 
+static int
+nftnl_expr_bitwise_snprintf_bool(char *buf, size_t remain, const char *op,
+				 const struct nftnl_expr *e,
+				 const struct nftnl_expr_bitwise *bitwise)
+{
+	int offset = 0, ret;
+
+	ret = snprintf(buf, remain, "reg %u = ( reg %u %s ",
+		       bitwise->dreg, bitwise->sreg, op);
+	SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+	if (e->flags & (1 << NFTNL_EXPR_BITWISE_SREG2))
+		ret = snprintf(buf + offset, remain, "reg %u ", bitwise->sreg2);
+	else
+		ret = nftnl_data_reg_snprintf(buf + offset, remain,
+					      &bitwise->data,
+					      0, DATA_VALUE);
+	SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+	ret = snprintf(buf + offset, remain, ") ");
+	SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+	return offset;
+}
+
 static int
 nftnl_expr_bitwise_snprintf(char *buf, size_t size,
 			    uint32_t flags, const struct nftnl_expr *e)
@@ -286,6 +329,18 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
 		err = nftnl_expr_bitwise_snprintf_shift(buf, size, ">>",
 							bitwise);
 		break;
+	case NFT_BITWISE_AND:
+		err = nftnl_expr_bitwise_snprintf_bool(buf, size, "&", e,
+						       bitwise);
+		break;
+	case NFT_BITWISE_OR:
+		err = nftnl_expr_bitwise_snprintf_bool(buf, size, "|", e,
+						       bitwise);
+		break;
+	case NFT_BITWISE_XOR:
+		err = nftnl_expr_bitwise_snprintf_bool(buf, size, "^", e,
+						       bitwise);
+		break;
 	}
 
 	return err;
-- 
2.35.1

[libnftnl PATCH v2 8/9] tests: bitwise: refactor shift tests

[Jeremy Sowden]

Deduplicate shift tests: instead of having separate implementations
for left- and right-shifts, have one and pass the operation to it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 tests/nft-expr_bitwise-test.c | 163 ++++++++++------------------------
 1 file changed, 47 insertions(+), 116 deletions(-)

diff --git a/tests/nft-expr_bitwise-test.c b/tests/nft-expr_bitwise-test.c
index 96298a4a97d2..5e7e277a5081 100644
--- a/tests/nft-expr_bitwise-test.c
+++ b/tests/nft-expr_bitwise-test.c
@@ -58,58 +58,6 @@ static void cmp_nftnl_expr_mask_xor(struct nftnl_expr *rule_a,
 		print_err("mask & xor", "Size of BITWISE_XOR mismatches");
 }
 
-static void cmp_nftnl_expr_lshift(struct nftnl_expr *rule_a,
-				  struct nftnl_expr *rule_b)
-{
-	uint32_t data_a, data_b;
-
-	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
-	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
-		print_err("lshift", "Expr BITWISE_DREG mismatches");
-	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
-	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
-		print_err("lshift", "Expr BITWISE_SREG mismatches");
-	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
-	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
-		print_err("lshift", "Expr BITWISE_OP mismatches");
-	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
-	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
-		print_err("lshift", "Expr BITWISE_LEN mismatches");
-	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
-	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
-		print_err("lshift", "Expr BITWISE_NBITS mismatches");
-	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
-	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
-	if (data_a != data_b)
-		print_err("lshift", "Expr BITWISE_DATA mismatches");
-}
-
-static void cmp_nftnl_expr_rshift(struct nftnl_expr *rule_a,
-				  struct nftnl_expr *rule_b)
-{
-	uint32_t data_a, data_b;
-
-	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
-	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
-		print_err("rshift", "Expr BITWISE_DREG mismatches");
-	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
-	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
-		print_err("rshift", "Expr BITWISE_SREG mismatches");
-	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
-	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
-		print_err("rshift", "Expr BITWISE_OP mismatches");
-	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
-	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
-		print_err("rshift", "Expr BITWISE_LEN mismatches");
-	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
-	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
-		print_err("rshift", "Expr BITWISE_NBITS mismatches");
-	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
-	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
-	if (data_a != data_b)
-		print_err("rshift", "Expr BITWISE_DATA mismatches");
-}
-
 static void test_mask_xor(void)
 {
 	struct nftnl_rule *a, *b = NULL;
@@ -168,26 +116,54 @@ static void test_mask_xor(void)
 	nftnl_rule_free(b);
 }
 
-static void test_lshift(void)
+static void cmp_nftnl_expr_shift(const char *opname,
+				 const struct nftnl_expr *rule_a,
+				 const struct nftnl_expr *rule_b)
 {
-	struct nftnl_rule *a, *b = NULL;
-	struct nftnl_expr *ex = NULL;
+	uint32_t data_a, data_b;
+
+	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
+	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
+		print_err(opname, "Expr BITWISE_DREG mismatches");
+	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
+	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
+		print_err(opname, "Expr BITWISE_SREG mismatches");
+	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
+	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
+		print_err(opname, "Expr BITWISE_OP mismatches");
+	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
+	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
+		print_err(opname, "Expr BITWISE_LEN mismatches");
+	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
+	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
+		print_err(opname, "Expr BITWISE_NBITS mismatches");
+	nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
+	nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
+	if (data_a != data_b)
+		print_err(opname, "Expr BITWISE_DATA mismatches");
+}
+
+static void test_shift(enum nft_bitwise_ops op)
+{
+	struct nftnl_rule *a, *b;
+	struct nftnl_expr *ex;
 	struct nlmsghdr *nlh;
 	char buf[4096];
-	struct nftnl_expr_iter *iter_a, *iter_b = NULL;
-	struct nftnl_expr *rule_a, *rule_b = NULL;
+	struct nftnl_expr_iter *iter_a, *iter_b;
+	struct nftnl_expr *rule_a, *rule_b;
+	const char *opname = op == NFT_BITWISE_LSHIFT ? "lshift" : "rshift";
 
 	a = nftnl_rule_alloc();
 	b = nftnl_rule_alloc();
 	if (a == NULL || b == NULL)
-		print_err("lshift", "OOM");
+		print_err(opname, "OOM");
 	ex = nftnl_expr_alloc("bitwise");
 	if (ex == NULL)
-		print_err("lshift", "OOM");
+		print_err(opname, "OOM");
 
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG, 0x12345678);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
-	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_LSHIFT);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, op);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_NBITS, 0x11223344);
 	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DATA, 13);
@@ -198,84 +174,39 @@ static void test_lshift(void)
 	nftnl_rule_nlmsg_build_payload(nlh, a);
 
 	if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
-		print_err("lshift", "parsing problems");
+		print_err(opname, "parsing problems");
 
 	iter_a = nftnl_expr_iter_create(a);
 	iter_b = nftnl_expr_iter_create(b);
 	if (iter_a == NULL || iter_b == NULL)
-		print_err("lshift", "OOM");
+		print_err(opname, "OOM");
 
 	rule_a = nftnl_expr_iter_next(iter_a);
 	rule_b = nftnl_expr_iter_next(iter_b);
 	if (rule_a == NULL || rule_b == NULL)
-		print_err("lshift", "OOM");
+		print_err(opname, "OOM");
 
 	if (nftnl_expr_iter_next(iter_a) != NULL ||
 	    nftnl_expr_iter_next(iter_b) != NULL)
-		print_err("lshift", "More 1 expr.");
+		print_err(opname, "More 1 expr.");
 
 	nftnl_expr_iter_destroy(iter_a);
 	nftnl_expr_iter_destroy(iter_b);
 
-	cmp_nftnl_expr_lshift(rule_a,rule_b);
+	cmp_nftnl_expr_shift(opname, rule_a, rule_b);
 
 	nftnl_rule_free(a);
 	nftnl_rule_free(b);
 }
 
-static void test_rshift(void)
+static void test_lshift(void)
 {
-	struct nftnl_rule *a, *b = NULL;
-	struct nftnl_expr *ex = NULL;
-	struct nlmsghdr *nlh;
-	char buf[4096];
-	struct nftnl_expr_iter *iter_a, *iter_b = NULL;
-	struct nftnl_expr *rule_a, *rule_b = NULL;
-
-	a = nftnl_rule_alloc();
-	b = nftnl_rule_alloc();
-	if (a == NULL || b == NULL)
-		print_err("rshift", "OOM");
-	ex = nftnl_expr_alloc("bitwise");
-	if (ex == NULL)
-		print_err("rshift", "OOM");
-
-	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG, 0x12345678);
-	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
-	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_RSHIFT);
-	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
-	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_NBITS, 0x11223344);
-	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DATA, 17);
-
-	nftnl_rule_add_expr(a, ex);
-
-	nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
-	nftnl_rule_nlmsg_build_payload(nlh, a);
-
-	if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
-		print_err("rshift", "parsing problems");
-
-	iter_a = nftnl_expr_iter_create(a);
-	iter_b = nftnl_expr_iter_create(b);
-	if (iter_a == NULL || iter_b == NULL)
-		print_err("rshift", "OOM");
-
-	rule_a = nftnl_expr_iter_next(iter_a);
-	rule_b = nftnl_expr_iter_next(iter_b);
-	if (rule_a == NULL || rule_b == NULL)
-		print_err("rshift", "OOM");
-
-	if (nftnl_expr_iter_next(iter_a) != NULL ||
-	    nftnl_expr_iter_next(iter_b) != NULL)
-		print_err("rshift", "More 1 expr.");
-
-	nftnl_expr_iter_destroy(iter_a);
-	nftnl_expr_iter_destroy(iter_b);
-
-	cmp_nftnl_expr_rshift(rule_a,rule_b);
+	test_shift(NFT_BITWISE_LSHIFT);
+}
 
-	nftnl_rule_free(a);
-	nftnl_rule_free(b);
+static void test_rshift(void)
+{
+	test_shift(NFT_BITWISE_RSHIFT);
 }
 
 int main(int argc, char *argv[])
-- 
2.35.1

[libnftnl PATCH v2 9/9] tests: bitwise: add tests for new boolean operations

[Jeremy Sowden]

We already have tests for mask-and-xor operations with constant RHS
operands.  Add tests for new operations with variable RHS operands.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 tests/nft-expr_bitwise-test.c | 109 ++++++++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)

diff --git a/tests/nft-expr_bitwise-test.c b/tests/nft-expr_bitwise-test.c
index 5e7e277a5081..b613d7d70d49 100644
--- a/tests/nft-expr_bitwise-test.c
+++ b/tests/nft-expr_bitwise-test.c
@@ -209,6 +209,103 @@ static void test_rshift(void)
 	test_shift(NFT_BITWISE_RSHIFT);
 }
 
+static void cmp_nftnl_expr_bool(const char *opname,
+				const struct nftnl_expr *rule_a,
+				const struct nftnl_expr *rule_b)
+{
+	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
+	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
+		print_err(opname, "Expr BITWISE_DREG mismatches");
+	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
+	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
+		print_err(opname, "Expr BITWISE_SREG mismatches");
+	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG2) !=
+	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG2))
+		print_err(opname, "Expr BITWISE_SREG2 mismatches");
+	if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
+	    nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
+		print_err(opname, "Expr BITWISE_OP mismatches");
+	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
+	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
+		print_err(opname, "Expr BITWISE_LEN mismatches");
+	if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_NBITS) !=
+	    nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_NBITS))
+		print_err(opname, "Expr BITWISE_NBITS mismatches");
+}
+
+static void test_bool(enum nft_bitwise_ops op)
+{
+	struct nftnl_rule *a, *b;
+	struct nftnl_expr *ex;
+	struct nlmsghdr *nlh;
+	char buf[4096];
+	struct nftnl_expr_iter *iter_a, *iter_b;
+	struct nftnl_expr *rule_a, *rule_b;
+	const char *opname =
+		op == NFT_BITWISE_AND ? "and" :
+		op == NFT_BITWISE_OR  ? "or"  : "xor";
+
+	a = nftnl_rule_alloc();
+	b = nftnl_rule_alloc();
+	if (a == NULL || b == NULL)
+		print_err(opname, "OOM");
+	ex = nftnl_expr_alloc("bitwise");
+	if (ex == NULL)
+		print_err(opname, "OOM");
+
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG, 0x12345678);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG2, 0x90abcdef);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, op);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
+	nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_NBITS, 0x11223344);
+
+	nftnl_rule_add_expr(a, ex);
+
+	nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+	nftnl_rule_nlmsg_build_payload(nlh, a);
+
+	if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
+		print_err(opname, "parsing problems");
+
+	iter_a = nftnl_expr_iter_create(a);
+	iter_b = nftnl_expr_iter_create(b);
+	if (iter_a == NULL || iter_b == NULL)
+		print_err(opname, "OOM");
+
+	rule_a = nftnl_expr_iter_next(iter_a);
+	rule_b = nftnl_expr_iter_next(iter_b);
+	if (rule_a == NULL || rule_b == NULL)
+		print_err(opname, "OOM");
+
+	if (nftnl_expr_iter_next(iter_a) != NULL ||
+	    nftnl_expr_iter_next(iter_b) != NULL)
+		print_err(opname, "More 1 expr.");
+
+	nftnl_expr_iter_destroy(iter_a);
+	nftnl_expr_iter_destroy(iter_b);
+
+	cmp_nftnl_expr_bool(opname, rule_a, rule_b);
+
+	nftnl_rule_free(a);
+	nftnl_rule_free(b);
+}
+
+static void test_and(void)
+{
+	test_bool(NFT_BITWISE_AND);
+}
+
+static void test_or(void)
+{
+	test_bool(NFT_BITWISE_OR);
+}
+
+static void test_xor(void)
+{
+	test_bool(NFT_BITWISE_XOR);
+}
+
 int main(int argc, char *argv[])
 {
 	test_mask_xor();
@@ -223,6 +320,18 @@ int main(int argc, char *argv[])
 	if (!test_ok)
 		exit(EXIT_FAILURE);
 
+	test_and();
+	if (!test_ok)
+		exit(EXIT_FAILURE);
+
+	test_or();
+	if (!test_ok)
+		exit(EXIT_FAILURE);
+
+	test_xor();
+	if (!test_ok)
+		exit(EXIT_FAILURE);
+
 	printf("%s: \033[32mOK\e[0m\n", argv[0]);
 	return EXIT_SUCCESS;
 }
-- 
2.35.1