Netfilter-Devel Archive on lore.kernel.org
* [nft PATCH] monitor: Fix output for ranges in anonymous sets
@ 2020-01-13 13:59 Phil Sutter
  2020-01-13 15:23 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Phil Sutter @ 2020-01-13 13:59 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Previous fix for named interval sets was simply wrong: Instead of
limiting decomposing to anonymous interval sets, it effectively disabled
it entirely.

Since code needs to check for both interval and anonymous bits
separately, introduce set_is_interval() helper to keep the code
readable.

Also extend test case to assert ranges in anonymous sets are correctly
printed by echo or monitor modes. Without this fix, range boundaries are
printed as individual set elements.

Fixes: 5d57fa3e99bb9 ("monitor: Do not decompose non-anonymous sets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/rule.h                         | 5 +++++
 src/monitor.c                          | 2 +-
 tests/monitor/testcases/set-interval.t | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/include/rule.h b/include/rule.h
index 6301fe35b591e..d5b31765612ec 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -363,6 +363,11 @@ static inline bool set_is_meter(uint32_t set_flags)
 	return set_is_anonymous(set_flags) && (set_flags & NFT_SET_EVAL);
 }
 
+static inline bool set_is_interval(uint32_t set_flags)
+{
+	return set_flags & NFT_SET_INTERVAL;
+}
+
 #include <statement.h>
 
 struct counter {
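
Review bot: set_is_interval() in this hunk returns the raw result of `set_flags & NFT_SET_INTERVAL` from a function declared bool. With stdbool's bool the value is normalised to 0 or 1, so the helper is correct, but an explicit `!!(set_flags & NFT_SET_INTERVAL)` or a `!= 0` comparison would make the intent obvious and stay safe if bool were ever a plain integer typedef. The neighbouring set_is_meter() already yields a logical value through `&&`, so this would also keep the helpers consistent.
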
diff --git a/src/monitor.c b/src/monitor.c
index 53a8bcd4641d1..142cc929664fa 100644
--- a/src/monitor.c
+++ b/src/monitor.c
@@ -501,7 +501,7 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
 
 static void rule_map_decompose_cb(struct set *s, void *data)
 {
-	if (s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS))
+	if (set_is_interval(s->flags) && set_is_anonymous(s->flags))
 		interval_map_decompose(s->init);
 }
 
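
Review bot: the removed line in rule_map_decompose_cb() masks s->flags with `(NFT_SET_INTERVAL & NFT_SET_ANONYMOUS)`, the bitwise AND of two different flag bits, which is a constant zero, so the branch could never be taken. The commit message would be easier to follow if it said that explicitly instead of only "effectively disabled it entirely". Since this pattern compiled without complaint, it is also worth grepping the tree for other places that AND two NFT_SET_* constants together inside a mask.
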
diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
index 59930c58243d8..1fbcfe222a2b0 100644
--- a/tests/monitor/testcases/set-interval.t
+++ b/tests/monitor/testcases/set-interval.t
@@ -18,3 +18,8 @@ J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set"
 I add rule ip t c tcp dport @s
 O -
 J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
+
+# test anonymous interval sets as well
+I add rule ip t c tcp dport { 20, 30-40 }
+O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}}
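
Review bot: the added case in set-interval.t exercises only a plain anonymous set in a match expression, while the callback fixed in src/monitor.c is named rule_map_decompose_cb() and calls interval_map_decompose(). Consider adding an anonymous verdict map that contains a range, for example `I add rule ip t c tcp dport vmap { 20 : accept, 30-40 : drop }` with its matching O and J lines, so that path gets regression coverage in echo and monitor modes as well.
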
-- 
2.24.1



* Re: [nft PATCH] monitor: Fix output for ranges in anonymous sets
  2020-01-13 13:59 [nft PATCH] monitor: Fix output for ranges in anonymous sets Phil Sutter
@ 2020-01-13 15:23 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-13 15:23 UTC
  To: Phil Sutter; +Cc: netfilter-devel

On Mon, Jan 13, 2020 at 02:59:11PM +0100, Phil Sutter wrote:
> Previous fix for named interval sets was simply wrong: Instead of
> limiting decomposing to anonymous interval sets, it effectively disabled
> it entirely.
> 
> Since code needs to check for both interval and anonymous bits
> separately, introduce set_is_interval() helper to keep the code
> readable.
> 
> Also extend test case to assert ranges in anonymous sets are correctly
> printed by echo or monitor modes. Without this fix, range boundaries are
> printed as individual set elements.
> 
> Fixes: 5d57fa3e99bb9 ("monitor: Do not decompose non-anonymous sets")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

