* [PATCH nft 1/2] netlink_delinearize: complete payload expression in payload statement
@ 2022-10-31 11:16 Pablo Neira Ayuso
  2022-10-31 11:16 ` [PATCH nft 2/2] payload: do not kill dependency for proto_unknown Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2022-10-31 11:16 UTC
  To: netfilter-devel

Call payload_expr_complete() to complete payload expression in payload
statement, otherwise expr->payload.desc is set to proto_unknown.

Call stmt_payload_binop_postprocess() introduced by 50ca788ca4d0
("netlink: decode payload statment") if payload_expr_complete() fails to
provide a protocol description (e.g. ip dscp).

Follow-up patch does not allow removing the redundant payload dependency if
proto_unknown is set, to deal with the raw payload expression case.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 828ad12d7536..0b6cf1072294 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2995,15 +2995,16 @@ static void stmt_payload_postprocess(struct rule_pp_ctx *ctx)
 {
 	struct stmt *stmt = ctx->stmt;
 
+	payload_expr_complete(stmt->payload.expr, &ctx->pctx);
+	if (!payload_is_known(stmt->payload.expr))
+		stmt_payload_binop_postprocess(ctx);
+
 	expr_postprocess(ctx, &stmt->payload.expr);
 
 	expr_set_type(stmt->payload.val,
 		      stmt->payload.expr->dtype,
 		      stmt->payload.expr->byteorder);
 
-	if (!payload_is_known(stmt->payload.expr))
-		stmt_payload_binop_postprocess(ctx);
-
 	expr_postprocess(ctx, &stmt->payload.val);
 }
 
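Review bot: The move of the `if (!payload_is_known(stmt->payload.expr))` block to the top of stmt_payload_postprocess() changes an ordering that the commit message does not explain: expr_postprocess() on stmt->payload.expr and expr_set_type() on stmt->payload.val now run after stmt_payload_binop_postprocess() instead of before it, so the value's dtype and byteorder are taken from whatever expression that step leaves in place. A one-line comment above the new block saying why completion and the binop fallback must come before expr_postprocess() would help. The diffstat touches only src/netlink_delinearize.c; a tests/py case for a payload statement (the message names ip dscp) would pin the behaviour.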
-- 
2.30.2



* [PATCH nft 2/2] payload: do not kill dependency for proto_unknown
  2022-10-31 11:16 [PATCH nft 1/2] netlink_delinearize: complete payload expression in payload statement Pablo Neira Ayuso
@ 2022-10-31 11:16 ` Pablo Neira Ayuso
  2022-10-31 11:33   ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2022-10-31 11:16 UTC
  To: netfilter-devel

Unsupported meta match on layer 4 protocol sets protocol context to
proto_unknown, handle anything coming after it as a raw expression in
payload_expr_expand().

Moreover, payload_dependency_kill() skips dependency removal if protocol
is unknown, so raw payload expression leaves meta layer 4 protocol
in place.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1641
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/payload.c                     |  6 ++++--
 tests/py/any/rawpayload.t         |  2 ++
 tests/py/any/rawpayload.t.json    | 31 +++++++++++++++++++++++++++++++
 tests/py/any/rawpayload.t.payload |  8 ++++++++
 4 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/src/payload.c b/src/payload.c
index 2c0d0ac9e8ae..101bfbda5878 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -848,7 +848,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
 void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
 			     unsigned int family)
 {
-	if (payload_dependency_exists(ctx, expr->payload.base) &&
+	if (expr->payload.desc != &proto_unknown &&
+	    payload_dependency_exists(ctx, expr->payload.base) &&
 	    payload_may_dependency_kill(ctx, family, expr))
 		payload_dependency_release(ctx, expr->payload.base);
 }
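Review bot: The new first condition in payload_dependency_kill(), `expr->payload.desc != &proto_unknown`, open-codes a test that patch 1/2 writes as payload_is_known(stmt->payload.expr); if that helper answers the same question, using it here would keep the two checks from drifting apart. The guard also lets a NULL expr->payload.desc through to payload_may_dependency_kill(), while the next hunk treats a NULL and a proto_unknown context descriptor alike, so it is worth confirming that a raw expression cannot reach this point with desc unset. A short comment stating that raw payload expressions must keep their dependency would record the intent in the code.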
@@ -1058,8 +1059,9 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
 	assert(expr->etype == EXPR_PAYLOAD);
 
 	desc = ctx->protocol[expr->payload.base].desc;
-	if (desc == NULL)
+	if (desc == NULL || desc == &proto_unknown)
 		goto raw;
+
 	assert(desc->base == expr->payload.base);
 
 	desc = get_stacked_desc(ctx, desc, expr, &total);
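Review bot: The widened test in payload_expr_expand(), `if (desc == NULL || desc == &proto_unknown)`, carries no comment saying why an unknown protocol context takes the raw path; the reason (an unsupported meta l4proto match leaves proto_unknown in ctx->protocol[]) is only in the commit message. A one-line comment above the `goto raw;` would do. The blank line added after `goto raw;` is a whitespace-only change unrelated to the fix.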
diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t
index 128e8088c4e5..5bc9d35f7465 100644
--- a/tests/py/any/rawpayload.t
+++ b/tests/py/any/rawpayload.t
@@ -19,4 +19,6 @@ meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80}
 @ll,0,8 & 0x80 == 0x80;ok
 @ll,0,128 0xfedcba987654321001234567890abcde;ok
 
+meta l4proto 91 @th,400,16 0x0 accept;ok
+
 @ih,32,32 0x14000000;ok
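Review bot: The single added case, `meta l4proto 91 @th,400,16 0x0 accept;ok`, uses an offset far from anything the neighbouring tests decode, so on its own it does not show that the proto_unknown guard is what keeps the expression raw. A second line with the same unknown protocol number at an offset and length that a known transport protocol does map, such as the `@th,16,16` of the `meta l4proto tcp` case visible in the hunk header, would cover that.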
diff --git a/tests/py/any/rawpayload.t.json b/tests/py/any/rawpayload.t.json
index b5115e0ddacf..4cae4d493da3 100644
--- a/tests/py/any/rawpayload.t.json
+++ b/tests/py/any/rawpayload.t.json
@@ -156,6 +156,37 @@
     }
 ]
 
+# meta l4proto 91 @th,400,16 0x0 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 91
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "th",
+                    "len": 16,
+                    "offset": 400
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
 # @ih,32,32 0x14000000
 [
     {
diff --git a/tests/py/any/rawpayload.t.payload b/tests/py/any/rawpayload.t.payload
index 61c41cb976d6..fe2377e65a77 100644
--- a/tests/py/any/rawpayload.t.payload
+++ b/tests/py/any/rawpayload.t.payload
@@ -48,6 +48,14 @@ inet test-inet input
   [ payload load 16b @ link header + 0 => reg 1 ]
   [ cmp eq reg 1 0x98badcfe 0x10325476 0x67452301 0xdebc0a89 ]
 
+# meta l4proto 91 @th,400,16 0x0 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000005b ]
+  [ payload load 2b @ transport header + 50 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 accept ]
+
 # @ih,32,32 0x14000000
 inet test-inet input
   [ payload load 4b @ inner header + 4 => reg 1 ]
-- 
2.30.2



* Re: [PATCH nft 2/2] payload: do not kill dependency for proto_unknown
  2022-10-31 11:16 ` [PATCH nft 2/2] payload: do not kill dependency for proto_unknown Pablo Neira Ayuso
@ 2022-10-31 11:33   ` Florian Westphal
  0 siblings, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2022-10-31 11:33 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Unsupported meta match on layer 4 protocol sets protocol context to
> proto_unknown, handle anything coming after it as a raw expression in
> payload_expr_expand().
> 
> Moreover, payload_dependency_kill() skips dependency removal if protocol
> is unknown, so raw payload expression leaves meta layer 4 protocol
> in place.
> 
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1641
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  src/payload.c                     |  6 ++++--
>  tests/py/any/rawpayload.t         |  2 ++
>  tests/py/any/rawpayload.t.json    | 31 +++++++++++++++++++++++++++++++
>  tests/py/any/rawpayload.t.payload |  8 ++++++++

LGTM, thanks for including testcases!

