[nft] src: perform sub-byte length matching from the evaluation step

On 28.11, Pablo Neira Ayuso wrote:
> This patch reworks c3f0501 ("src: netlink_linearize: handle sub-byte lengths")
> to perform the required sub-byte transformations from the evaluation step.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> @Patrick, @Florian: It seems we're falling into subbyte handling
> problems from different fronts, I just hit this while further testing of
> my dscp patch.
> 
> I'm sending this because I think it's sort of ready so we avoid overlap.
> 
> I'm working on a follow up patch (almost done here) to cover another
> corner case that we don't handle correctly, which is basically this:
> 
>     4 bits    6 bits
>    +-+-+-+-+-+-+-+-+-+-+
>    | vers  |   dscp    |
>    +-+-+-+-+-+-+-+-+-+-+
>                    ^
>                    |
>                    byte boundary
> 
> To match dscp in IPv6, we have to fetch 2 bytes from offset 0 via
> payload expression and the bitmask must be 00ffc000.
> 
> I got the code generation correctly, but I'm adjusting the
> payload_expr_trim() function now.
> 
> So I'm basically working on the netlink code generation part.

Some comments below.

> I'm not working on the protocol definition problem:
> http://marc.info/?l=netfilter-devel&m=144862242521205&w=2, but I also
> need this gets fixed. Let me know if you will be looking into this, just
> to avoid overlap.

It kinds of depends on the sub-byte handling, so we should get this done
first. 

> -static int expr_evaluate_payload(struct eval_ctx *ctx, struct expr **expr)
> +static void expr_evaluate_payload_subbyte(struct eval_ctx *ctx,
> +					  struct expr **exprp)
>  {
> -	if (__expr_evaluate_payload(ctx, *expr) < 0)
> +	struct expr *expr = *exprp, *and, *mask;
> +	unsigned int shift, masklen;
> +	mpz_t bitmask;
> +
> +	shift = expr->payload.offset % BITS_PER_BYTE;
> +	masklen = expr->len + shift;
> +
> +	if (masklen > 128)
> +		BUG("expr mask length is %u (len %u, shift %u)\n",
> +		    masklen, expr->len, shift);
> +
> +	mpz_init2(bitmask, masklen);
> +	mpz_bitmask(bitmask, expr->len);
> +	if (shift)
> +		mpz_lshift_ui(bitmask, shift);
> +
> +	mask = constant_expr_alloc(&expr->location, expr_basetype(expr),
> +				   BYTEORDER_HOST_ENDIAN, masklen, NULL);
> +	mpz_set(mask->value, bitmask);
> +
> +	and = binop_expr_alloc(&expr->location, OP_AND, expr, mask);
> +	and->dtype	= expr->dtype;
> +	and->byteorder	= expr->byteorder;
> +	and->len	= masklen;
> +
> +	*exprp = and;
> +
> +	ctx->ectx.shift = shift;
> +}
> +
> +static int expr_evaluate_payload(struct eval_ctx *ctx, struct expr **exprp)
> +{
> +	struct expr *expr = *exprp;
> +
> +	if (__expr_evaluate_payload(ctx, expr) < 0)
>  		return -1;
>  
> -	return expr_evaluate_primary(ctx, expr);
> +	if (expr->len % BITS_PER_BYTE)
> +		expr_evaluate_payload_subbyte(ctx, exprp);
> +
> +	return expr_evaluate_primary(ctx, &expr);
>  }

From my previous work on this I still have this patch, which allows you to
generate an rshift to get the payload to offset 0, then transfers it to the
LHS during binop simplification if its used in a relational expression.

The upside is that is generic and reuses what we already have.

The load masking should IMO not be done in eval but netlink_linearize. We
don't even know yet if the payload expression is actually used in a relational
expression or f.i. in a statement, where handling needs to be different.
commit 6f2b9db5d2f2e48e80cdb31a9d792871b75a7f94
Author: Patrick McHardy <kaber@trash.net>
Date:   Sat Jun 13 14:51:20 2015 +0200

    evaluate: transfer right shifts to constant side
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

On Sat, Nov 28, 2015 at 01:20:23PM +0000, Patrick McHardy wrote:
> On 28.11, Pablo Neira Ayuso wrote:
> > I'm not working on the protocol definition problem:
> > http://marc.info/?l=netfilter-devel&m=144862242521205&w=2, but I also
> > need this gets fixed. Let me know if you will be looking into this, just
> > to avoid overlap.
> 
> It kinds of depends on the sub-byte handling, so we should get this done
> first.

Looking into this.

> From my previous work on this I still have this patch, which allows you to
> generate an rshift to get the payload to offset 0, then transfers it to the
> LHS during binop simplification if its used in a relational expression.
> 
> The upside is that is generic and reuses what we already have.

I like the shift approach based on binop transfer.

But I think this will not to cover this case, on IPv6 the DSCP field
is split between two bytes.

     4 bits    6 bits
    +-+-+-+-+-+-+-+-+-+-+
    | vers  |   dscp    |
    +-+-+-+-+-+-+-+-+-+-+
                    |
       1st bytes    | 2nd byte

So 4 bit are on the 1st byte and 2 bit are placed on the second byte.

I think this needs a binary-and to get rid of the bits that we dont
need from the 1st and 2nd byte, in this case I'm not sure we can use
your transfer trick.

> The load masking should IMO not be done in eval but netlink_linearize.

I think we can't handle the following case with this approach, eg.

        ip dscp & 0xf == 0xf

then we get two bitwise in the code generation:

        payload
        bitwise
        bitwise
        cmp

If we perform that transformation from the evaluation step, we can
merge those two bitwise into one.

> We don't even know yet if the payload expression is actually used in
> a relational expression or f.i. in a statement, where handling needs
> to be different.

But these two cases, payload expression and statement, I think they
need different handling both for evaluation and code generation.

For payload statements, the bitwise will need to be retain the bits
that we don't want to mangle, then inclusive-OR them with the value
that we want to set, ie.

r1 = payload(offset, base, len)
r1 = bitwise(r1, AND, mask)
r1 = bitwise(r1, OR, r2)
payload_set(r1, ...)

Cheers,
Pablo
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html