From patchwork Fri Mar 17 09:58:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 1758180 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4PdKMp2wgKz247R for ; Fri, 17 Mar 2023 20:58:46 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229974AbjCQJ6p (ORCPT ); Fri, 17 Mar 2023 05:58:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229948AbjCQJ6n (ORCPT ); Fri, 17 Mar 2023 05:58:43 -0400 Received: from mail.netfilter.org (mail.netfilter.org [217.70.188.207]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9AD7219117 for ; Fri, 17 Mar 2023 02:58:41 -0700 (PDT) From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Subject: [PATCH nft 6/9] evaluate: relax type-checking for integer arguments in mark statements Date: Fri, 17 Mar 2023 10:58:30 +0100 Message-Id: <20230317095833.1225401-7-pablo@netfilter.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230317095833.1225401-1-pablo@netfilter.org> References: <20230317095833.1225401-1-pablo@netfilter.org> MIME-Version: 1.0 X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_00, RCVD_IN_VALIDITY_RPBL,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org In order to be able to set ct and meta marks to values derived from payload expressions, we need to relax the requirement that the type of the statement argument must match that of the statement key. Instead, we require that the base-type of the argument is integer and that the argument is small enough to fit. Moreover, swap expression byteorder before to make it compatible with the statement byteorder, to ensure rulesets are portable. # nft --debug=netlink add rule ip t c 'meta mark set ip saddr' ip t c [ payload load 4b @ network header + 12 => reg 1 ] [ byteorder reg 1 = ntoh(reg 1, 4, 4) ] <----------- byteorder swap [ meta set mark with reg 1 ] The following patches are required for this to work: evaluate: get length from statement instead of lhs expression evaluate: don't eval unary arguments evaluate: support shifts larger than the width of the left operand netlink_delinearize: correct type and byte-order of shifts evaluate: insert byte-order conversions for expressions between 9 and 15 bits Add one testcase for tests/py. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 13 +++++++++++-- tests/py/ip/meta.t | 2 ++ tests/py/ip/meta.t.json | 20 ++++++++++++++++++++ tests/py/ip/meta.t.payload | 8 ++++++++ 4 files changed, 41 insertions(+), 2 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 2a679c90a3ac..22f3f1e8160f 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2736,13 +2736,22 @@ static int __stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt, "expression has type %s with length %d", dtype->desc, (*expr)->dtype->desc, (*expr)->len); - else if ((*expr)->dtype->type != TYPE_INTEGER && - !datatype_equal((*expr)->dtype, dtype)) + + if ((dtype->type == TYPE_MARK && + !datatype_equal(datatype_basetype(dtype), datatype_basetype((*expr)->dtype))) || + (dtype->type != TYPE_MARK && + (*expr)->dtype->type != TYPE_INTEGER && + !datatype_equal((*expr)->dtype, dtype))) return stmt_binary_error(ctx, *expr, stmt, /* verdict vs invalid? */ "datatype mismatch: expected %s, " "expression has type %s", dtype->desc, (*expr)->dtype->desc); + if (dtype->type == TYPE_MARK && + datatype_equal(datatype_basetype(dtype), datatype_basetype((*expr)->dtype)) && + !expr_is_constant(*expr)) + return byteorder_conversion(ctx, expr, byteorder); + /* we are setting a value, we can't use a set */ switch ((*expr)->etype) { case EXPR_SET: diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t index 5a05923a1ce1..85eaf54ce723 100644 --- a/tests/py/ip/meta.t +++ b/tests/py/ip/meta.t @@ -15,3 +15,5 @@ meta obrname "br0";fail meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip dscp;ok diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json index 3df31ce381fc..a93d7e781ce1 100644 --- a/tests/py/ip/meta.t.json +++ b/tests/py/ip/meta.t.json @@ -156,3 +156,23 @@ } } ] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload index afde5cc13ac5..1aa8d003b1d4 100644 --- a/tests/py/ip/meta.t.payload +++ b/tests/py/ip/meta.t.payload @@ -51,3 +51,11 @@ ip test-ip4 input [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip dscp +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] +