[nft PATCH 1/3] meta: Reject zero ifindex values

[nft PATCH 1/3] meta: Reject zero ifindex values

[Phil Sutter]

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/meta.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/meta.c b/src/meta.c
index 1e8964eb48c4d..b12340991f35a 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -155,7 +155,7 @@ static struct error_record *ifindex_type_parse(const struct expr *sym,
 		errno = 0;
 		res = strtol(sym->identifier, &end, 10);
 
-		if (res < 0 || res > INT_MAX || *end || errno)
+		if (res <= 0 || res > INT_MAX || *end || errno)
 			return error(&sym->location, "Interface does not exist");
 
 		ifindex = (int)res;
-- 
2.22.0

[nft PATCH 2/3] meta: Reject nfproto value 0xffff

[Phil Sutter]

Since parsing of arphrd_type happens via sym_tbl, there is no dedicated
parser function to perform the check in. So instead make use of maxval
in expr_ctx to reject the value.

While being at it, introduce a switch() to check for meta.key value in a
single place.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/evaluate.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 55cd9d00d274c..ff52aefc669e0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -23,6 +23,7 @@
 #include <netinet/icmp6.h>
 #include <net/ethernet.h>
 #include <net/if.h>
+#include <net/if_arp.h>
 #include <errno.h>
 
 #include <expression.h>
@@ -1795,14 +1796,25 @@ static int expr_evaluate_fib(struct eval_ctx *ctx, struct expr **exprp)
 static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp)
 {
 	struct expr *meta = *exprp;
+	unsigned int maxval = 0;
 
-	if (ctx->pctx.family != NFPROTO_INET &&
-	    meta->flags & EXPR_F_PROTOCOL &&
-	    meta->meta.key == NFT_META_NFPROTO)
+	switch (meta->meta.key) {
+	case NFT_META_NFPROTO:
+		if (ctx->pctx.family == NFPROTO_INET ||
+		    !(meta->flags & EXPR_F_PROTOCOL))
+			break;
 		return expr_error(ctx->msgs, meta,
-					  "meta nfproto is only useful in the inet family");
-
-	return expr_evaluate_primary(ctx, exprp);
+				  "meta nfproto is only useful in the inet family");
+	case NFT_META_IIFTYPE:
+	case NFT_META_OIFTYPE:
+		maxval = ARPHRD_VOID - 1;
+		break;
+	default:
+		break;
+	}
+	__expr_set_context(&ctx->ectx, (*exprp)->dtype, (*exprp)->byteorder,
+			   (*exprp)->len, maxval);
+	return 0;
 }
 
 static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
-- 
2.22.0

[nft PATCH 3/3] tests/py: Add missing meta tests

[Phil Sutter]

Ensure invalid values are rejected. Also add basic positive tests for
{i,o}ifkind.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 tests/py/any/meta.t         | 10 ++++++++++
 tests/py/any/meta.t.json    | 30 ++++++++++++++++++++++++++++++
 tests/py/any/meta.t.payload | 10 ++++++++++
 3 files changed, 50 insertions(+)

diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 4b3c604de110d..9771d9dd585a3 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -63,6 +63,7 @@ meta mark xor 0x03 != 0x01;ok;meta mark != 0x00000002
 
 meta iif "lo" accept;ok;iif "lo" accept
 meta iif != "lo" accept;ok;iif != "lo" accept
+meta iif 0;fail
 
 meta iifname "dummy0";ok;iifname "dummy0"
 meta iifname != "dummy0";ok;iifname != "dummy0"
@@ -78,9 +79,14 @@ meta iiftype != ether;ok
 meta iiftype ether;ok
 meta iiftype != ppp;ok
 meta iiftype ppp;ok
+meta iiftype 0xffff;fail
+
+meta iifkind "bond";ok
+meta iifkind "";fail
 
 meta oif "lo" accept;ok;oif "lo" accept
 meta oif != "lo" accept;ok;oif != "lo" accept
+meta oif 0;fail
 
 meta oifname "dummy0";ok;oifname "dummy0"
 meta oifname != "dummy0";ok;oifname != "dummy0"
@@ -93,6 +99,10 @@ meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
 meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
 meta oiftype != ether;ok
 meta oiftype ether;ok
+meta oiftype 0xffff;fail
+
+meta oifkind "bond";ok
+meta oifkind "";fail
 
 meta skuid {"bin", "root", "daemon"} accept;ok;meta skuid { 0, 1, 2} accept
 meta skuid != {"bin", "root", "daemon"} accept;ok;meta skuid != { 1, 0, 2} accept
diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json
index 447e553f8ba78..cff557f48a3ab 100644
--- a/tests/py/any/meta.t.json
+++ b/tests/py/any/meta.t.json
@@ -952,6 +952,21 @@
     }
 ]
 
+# meta iifkind "bond"
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifkind"
+                }
+            },
+            "op": "==",
+            "right": "bond"
+        }
+    }
+]
+
 # meta oif "lo" accept
 [
     {
@@ -1113,6 +1128,21 @@
     }
 ]
 
+# meta oifkind "bond"
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "oifkind"
+                }
+            },
+            "op": "==",
+            "right": "bond"
+        }
+    }
+]
+
 # meta oiftype ether
 [
     {
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index 1d8426de9632d..915101b3f70c4 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -263,6 +263,11 @@ ip test-ip4 input
   [ meta load iiftype => reg 1 ]
   [ cmp eq reg 1 0x00000200 ]
 
+# meta iifkind "bond"
+ip test-ip4 input 
+  [ meta load iifkind => reg 1 ]
+  [ cmp eq reg 1 0x646e6f62 0x00000000 0x00000000 0x00000000 ]
+
 # meta oif "lo" accept
 ip test-ip4 input
   [ meta load oif => reg 1 ]
@@ -329,6 +334,11 @@ ip test-ip4 input
   [ meta load oiftype => reg 1 ]
   [ cmp eq reg 1 0x00000001 ]
 
+# meta oifkind "bond"
+ip test-ip4 input 
+  [ meta load oifkind => reg 1 ]
+  [ cmp eq reg 1 0x646e6f62 0x00000000 0x00000000 0x00000000 ]
+
 # meta skuid {"bin", "root", "daemon"} accept
 __set%d test-ip4 3
 __set%d test-ip4 0
-- 
2.22.0