From patchwork Mon Feb 26 14:42:43 2018
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 877921
From: Florian Westphal
Subject: [PATCH nft 1/5] payload: use integer_type when initializing a raw expression
Date: Mon, 26 Feb 2018 15:42:43 +0100
Message-Id: <20180226144247.12257-2-fw@strlen.de>
In-Reply-To: <20180226144247.12257-1-fw@strlen.de>
X-Mailing-List: netfilter-devel@vger.kernel.org

The invalid type prints prominent "[invalid]", so prefer integer type in raw expressions.

Signed-off-by: Florian Westphal
---
 src/payload.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/payload.c b/src/payload.c index 7ca170edbb6d..a1e7e77ed5c5 100644 --- a/src/payload.c +++ b/src/payload.c @@ -172,6 +172,7 @@ void payload_init_raw(struct expr *expr, enum proto_bases base, expr->payload.base = base; expr->payload.offset = offset; expr->len = len; + expr->dtype = &integer_type; } unsigned int payload_hdr_field(const struct expr *expr) From patchwork Mon Feb 26 14:42:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 877917 X-Patchwork-Delegate: fw@strlen.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=strlen.de Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zql9n1YX4z9s19 for ; Tue, 27 Feb 2018 01:50:21 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754074AbeBZOuS (ORCPT ); Mon, 26 Feb 2018 09:50:18 -0500 Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:58768 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753988AbeBZOuQ (ORCPT ); Mon, 26 Feb 2018 09:50:16 -0500 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.84_2) (envelope-from ) id 1eqK37-0002dK-3R; Mon, 26 Feb 2018 15:46:41 +0100 
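Review bot: the hunk in payload_init_raw() sets expr->dtype but leaves expr->byteorder untouched, while the payload_raw_expr action in 3/5 initialises the same kind of expression with both `$$->dtype = &integer_type;` and `$$->byteorder = BYTEORDER_BIG_ENDIAN;`. If payload_init_raw() is the path used when a raw expression is rebuilt from netlink, please set the byteorder (and the is_raw flag introduced in 3/5) here too, so that both construction paths yield an identical expression; otherwise a ruleset listed back from the kernel can print differently from the one that was loaded.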
From: Florian Westphal To: Cc: Florian Westphal Subject: [PATCH nft 2/5] payload: don't resolve expressions using the inet pseudoheader Date: Mon, 26 Feb 2018 15:42:44 +0100 Message-Id: <20180226144247.12257-3-fw@strlen.de> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180226144247.12257-1-fw@strlen.de> References: <20180226144247.12257-1-fw@strlen.de> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Else, '@ll,0,8' will be mapped to 'inet nfproto', but thats not correct (inet is a pseudo header). Signed-off-by: Florian Westphal --- src/payload.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/payload.c b/src/payload.c index a1e7e77ed5c5..ef437b440b28 100644 --- a/src/payload.c +++ b/src/payload.c 
@@ -535,7 +535,7 @@ void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx) assert(expr->ops->type == EXPR_PAYLOAD); desc = ctx->protocol[expr->payload.base].desc; - if (desc == NULL) + if (desc == NULL || desc == &proto_inet) return; assert(desc->base == expr->payload.base); From patchwork Mon Feb 26 14:42:45 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 877918 X-Patchwork-Delegate: fw@strlen.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=strlen.de Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zql9q4v3cz9s19 for ; Tue, 27 Feb 2018 01:50:23 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754013AbeBZOuW (ORCPT ); Mon, 26 Feb 2018 09:50:22 -0500 Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:58772 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753978AbeBZOuT (ORCPT ); Mon, 26 Feb 2018 09:50:19 -0500 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.84_2) (envelope-from ) id 1eqK3A-0002db-F9; Mon, 26 Feb 2018 15:46:44 +0100 
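Review bot: `if (desc == NULL || desc == &proto_inet)` special-cases a single descriptor by pointer comparison. If other pseudo-header descriptors exist or get added, each will need the same exclusion in payload_expr_complete(); a property on the descriptor itself (a flag meaning "not a real header on the wire") tested here would be more general than comparing against &proto_inet. The commit message could also spell out the symptom: a rule written as `@ll,0,8` listing back as `inet nfproto` misrepresents what the rule matches. The inet-family `@ll,0,8` cases added in 5/5 exercise this path, which is good.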
From: Florian Westphal To: Cc: Florian Westphal Subject: [PATCH nft 3/5] src: make raw payloads work Date: Mon, 26 Feb 2018 15:42:45 +0100 Message-Id: <20180226144247.12257-4-fw@strlen.de> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180226144247.12257-1-fw@strlen.de> References: <20180226144247.12257-1-fw@strlen.de> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org make syntax consistent between print and parse. No dependency handling -- once you use raw expression, you need to make sure the raw expression only sees the packets that you'd want it to see. based on an earlier patch from Laurent Fasnacht . Laurents patch added a different syntax: @,,,, data_type is useful to make nftables not err when asking for "@payload,32,32 192.168.0.1", this patch still requires conversion to big-endian hex notation. data_type should probably be added later by adding an explicit cast expression, independent of the raw payload syntax. Signed-off-by: Florian Westphal --- include/expression.h | 1 + src/evaluate.c | 3 +++ src/parser_bison.y | 3 +++ src/payload.c | 2 +- 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/expression.h b/include/expression.h index 0a0e178fe468..26182120f63d 100644 --- a/include/expression.h +++ b/include/expression.h @@ -279,6 +279,7 @@ struct expr { const struct proto_hdr_template *tmpl; enum proto_bases base; unsigned int offset; + bool is_raw; } payload; struct { /* EXPR_EXTHDR */ diff --git a/src/evaluate.c b/src/evaluate.c index c98749d92a21..6be3bf031f58 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -609,6 +609,9 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr) struct stmt *nstmt; int err; + if (expr->ops->type == EXPR_PAYLOAD && expr->payload.is_raw) + return 0; + desc = ctx->pctx.protocol[base].desc; if (desc == NULL) { if (payload_gen_dependency(ctx, payload, &nstmt) < 0) 
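Review bot: the early `return 0` for `expr->payload.is_raw` leaves the whole of __expr_evaluate_payload(), not just the dependency generation, so any other validation that function performs further down (against the protocol context, for instance) is bypassed for raw expressions. If that is intended, a comment at the return saying so would help; if only dependency generation is to be skipped, the check belongs on the `desc == NULL` branch instead. Note also that is_raw is only set by the parser action in this series; payload_init_raw() from 1/5 does not set it, so a raw expression constructed through that path will not take this early return.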
diff --git a/src/parser_bison.y b/src/parser_bison.y index 563411155bf4..ec8b0dd894fe 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -3465,6 +3465,9 @@ payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM $$->payload.offset = $4; $$->len = $6; $$->dtype = &integer_type; + $$->byteorder = BYTEORDER_BIG_ENDIAN; + $$->payload.is_raw = true; + $$->flags = 0; } ; diff --git a/src/payload.c b/src/payload.c index ef437b440b28..09665a0e8156 100644 --- a/src/payload.c +++ b/src/payload.c 
@@ -48,7 +48,7 @@ static void payload_expr_print(const struct expr *expr, struct output_ctx *octx) if (payload_is_known(expr)) nft_print(octx, "%s %s", desc->name, tmpl->token); else - nft_print(octx, "payload @%s,%u,%u", + nft_print(octx, "@%s,%u,%u", proto_base_tokens[expr->payload.base], expr->payload.offset, expr->len); } From patchwork Mon Feb 26 14:42:46 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 877919 X-Patchwork-Delegate: fw@strlen.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=strlen.de Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zql9s14JTz9s19 for ; Tue, 27 Feb 2018 01:50:25 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753991AbeBZOuY (ORCPT ); Mon, 26 Feb 2018 09:50:24 -0500 Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:58774 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753978AbeBZOuW (ORCPT ); Mon, 26 Feb 2018 09:50:22 -0500 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.84_2) (envelope-from ) id 1eqK3D-0002dj-P6; Mon, 26 Feb 2018 15:46:47 +0100 
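Review bot: `$$->flags = 0;` in the payload_raw_expr action clears every flag unconditionally without saying which flag it is meant to remove; please either clear only the intended flag or add a comment naming it, so a flag introduced later is not silently dropped here. The print change to `@%s,%u,%u` matches the `AT payload_base_spec COMMA NUM COMMA NUM` grammar, so a listed raw expression can now be fed back to the parser as-is; the round-trip cases in 5/5 cover that. In the commit message, "Laurents patch" should read "Laurent's patch".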
From: Florian Westphal To: Cc: Florian Westphal Subject: [PATCH nft 4/5] doc: document raw protocol expression Date: Mon, 26 Feb 2018 15:42:46 +0100 Message-Id: <20180226144247.12257-5-fw@strlen.de> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180226144247.12257-1-fw@strlen.de> References: <20180226144247.12257-1-fw@strlen.de> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-off-by: Florian Westphal --- doc/nft.xml | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 6748265c8ae8..bddc527f19a7 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -3757,6 +3757,65 @@ inet filter output rt ip6 nexthop fd00::1 + + Raw payload expression + + + @ + base,offset,length + + + + The raw payload expression instructs to load lengthbits starting at offsetbits. + Bit 0 refers the the very first bit -- in the C programming language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet. + They are useful to match headers that do not have a human-readable template expression yet. + Note that nft will not add dependencies for Raw payload expressions. + If you e.g. want to match protocol fields of a transport header with protocol number 5, you need to manually + exclude packets that have a different transport header, for instance my using meta l4proto 5 before + the raw expression. + + + Supported payload protocol bases + + + + + + Base + Description + + + + + ll + Link layer, for example the ethernet header + + + nh + Network header, for example IPv4 or IPv6 + + + th + Transport Header, for example TCP + + + +
+ + + Matching destination port of both UDP and TCP + +inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http } + + + + Rewrite arp packet target hardware address if target protocol address matches a given address + +input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept + + + +
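Review bot: the first example, `@th,16,16 { dns, http }`, uses symbolic service names, but 3/5 gives raw expressions the plain integer data type and says a cast would be needed for typed values, and the tests in 5/5 only use numeric ports (`{ 22, 23, 80 }`). Please confirm that `dns`/`http` resolve here, or use numeric ports in the example. Typos in the paragraph: "refers the the very first bit" and "for instance my using meta l4proto 5" (should be "by using"). It would also help to say that the value is compared in network byte order (the arp example's `0xc0a88f10` is 192.168.143.16 written big-endian), since the 3/5 message notes that users must do that conversion themselves; and the "no dependencies" warning deserves its own sentence, because a raw `th` match on a packet without the expected transport header compares whatever bytes sit at that offset.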
Extension header expressions From patchwork Mon Feb 26 14:42:47 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 877920 X-Patchwork-Delegate: fw@strlen.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=strlen.de Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zql9y5WJGz9s19 for ; Tue, 27 Feb 2018 01:50:30 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753978AbeBZOua (ORCPT ); Mon, 26 Feb 2018 09:50:30 -0500 Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:58778 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753961AbeBZOu0 (ORCPT ); Mon, 26 Feb 2018 09:50:26 -0500 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.84_2) (envelope-from ) id 1eqK3H-0002dv-1u; Mon, 26 Feb 2018 15:46:51 +0100 From: Florian Westphal To: Cc: Florian Westphal Subject: [PATCH nft 5/5] tests: add raw payload test cases. Date: Mon, 26 Feb 2018 15:42:47 +0100 Message-Id: <20180226144247.12257-6-fw@strlen.de> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180226144247.12257-1-fw@strlen.de> References: <20180226144247.12257-1-fw@strlen.de> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org 
Signed-off-by: Florian Westphal --- tests/py/any/rawpayload.t | 19 +++++++++++++++ tests/py/any/rawpayload.t.payload | 49 +++++++++++++++++++++++++++++++++++++++ tests/py/arp/arp.t | 2 ++ tests/py/arp/arp.t.payload | 10 ++++++++ tests/py/arp/arp.t.payload.netdev | 13 +++++++++++ 5 files changed, 93 insertions(+) create mode 100644 tests/py/any/rawpayload.t create mode 100644 tests/py/any/rawpayload.t.payload diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t new file mode 100644 index 000000000000..9a3402f1a406 --- /dev/null +++ b/tests/py/any/rawpayload.t @@ -0,0 +1,19 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*inet;test-inet;input +*netdev;test-netdev;ingress + +meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 };ok;meta l4proto { 6, 17, 132} @th,16,16 { 22, 23, 80} +meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80} +@nh,8,8 255;ok +@nh,8,16 0;ok + +# out of range (0-1) +@th,16,1 2;fail + +@ll,0,0 2;fail +@ll,0,1;fail +@ll,0,1 1;ok;@ll,0,8 & 128 == 128 +@ll,0,8 and 0x80 eq 0x80;ok;@ll,0,8 & 128 == 128 +@ll,0,128 0xfedcba987654321001234567890abcde;ok;@ll,0,128 338770000845734292516042252062074518750 diff --git a/tests/py/any/rawpayload.t.payload b/tests/py/any/rawpayload.t.payload new file mode 100644 index 000000000000..a2cc663568e0 --- /dev/null +++ b/tests/py/any/rawpayload.t.payload 
@@ -0,0 +1,49 @@ +# meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 } +__set%d test-inet 3 size 3 +__set%d test-inet 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] element 00000084 : 0 [end] +__set%d test-inet 3 size 3 +__set%d test-inet 0 + element 00001600 : 0 [end] element 00001700 : 0 [end] element 00005000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# meta l4proto tcp @th,16,16 { 22, 23, 80} +__set%d test-inet 3 size 3 +__set%d test-inet 0 + element 00001600 : 0 [end] element 00001700 : 0 [end] element 00005000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# @nh,8,8 255 +inet test-inet input + [ payload load 1b @ network header + 1 => reg 1 ] + [ cmp eq reg 1 0x000000ff ] + +# @nh,8,16 0 +inet test-inet input + [ payload load 2b @ network header + 1 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# @ll,0,1 1 +inet test-inet input + [ payload load 1b @ link header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x00000080 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000080 ] + +# @ll,0,8 and 0x80 eq 0x80 +inet test-inet input + [ payload load 1b @ link header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x00000080 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000080 ] + +# @ll,0,128 0xfedcba987654321001234567890abcde +inet test-inet input + [ payload load 16b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0x98badcfe 0x10325476 0x67452301 0xdebc0a89 ] diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t index 94ab4a50d0b8..36c7f1964841 100644 --- a/tests/py/arp/arp.t +++ b/tests/py/arp/arp.t 
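Review bot: the `@ll,0,128 0xfedcba98...` case expects the listing to print the value as the 39-digit decimal 338770000845734292516042252062074518750, which is what the integer type produces but is unreadable for anything larger than a port or protocol number; consider printing raw payload values in hex when the length exceeds 32 bits (or always) and adjusting the expected output here. The `@ll,0,1 1` → `@ll,0,8 & 128 == 128` rewrite and the `bitwise ... & 0x00000080` in the .payload file agree with the documentation's "bit 0 is the topmost bit" rule, good. The `# out of range (0-1)` case covers a value too large for a 1-bit field; a `fail` case for a length larger than the 128 bits used here would pin down the upper bound as well.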
@@ -54,3 +54,5 @@ arp operation != inrequest;ok arp operation != inreply;ok arp operation != nak;ok arp operation != reply;ok + +meta iifname \"invalid\" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 @nh,192,32 3232272144 @nh,144,48 set 18838586676582 diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload index ea778b2d0296..34ae24144806 100644 --- a/tests/py/arp/arp.t.payload +++ b/tests/py/arp/arp.t.payload @@ -268,3 +268,13 @@ arp test-arp input [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000200 ] +# meta iifname \"invalid\" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 +arp test-arp input + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x61766e69 0x0064696c 0x00000000 0x00000000 ] + [ payload load 6b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00080100 0x00000406 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x108fa8c0 ] + [ immediate reg 1 0x44332211 0x00006655 ] + [ payload write reg 1 => 6b @ network header + 18 csum_type 0 csum_off 0 csum_flags 0x0 ] diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev index acf9eb1ca5ff..21818ba2f2db 100644 --- a/tests/py/arp/arp.t.payload.netdev +++ b/tests/py/arp/arp.t.payload.netdev 
@@ -358,3 +358,16 @@ netdev test-netdev ingress [ payload load 2b @ network header + 6 => reg 1 ] [ cmp neq reg 1 0x00000200 ] +# meta iifname \"invalid\" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 +netdev test-netdev ingress + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x61766e69 0x0064696c 0x00000000 0x00000000 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000608 ] + [ payload load 6b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00080100 0x00000406 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x108fa8c0 ] + [ immediate reg 1 0x44332211 0x00006655 ] + [ payload write reg 1 => 6b @ network header + 18 csum_type 0 csum_off 0 csum_flags 0x0 ] +
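Review bot: the expected listing turns `@nh,144,48 set 0x112233445566` into `... set 18838586676582`, the same decimal-printing issue as in rawpayload.t, and for a MAC-sized field hex is what a reader would expect. The netdev variant adds a `meta load protocol` / `cmp eq reg 1 0x00000608` (ethertype 0x0806 in register byte order) that the arp-family variant lacks, which is right since an ingress hook sees every ethertype; a one-line comment in the .payload.netdev file saying this dependency is intentional would stop the two expectations from looking inconsistent. The `payload write ... csum_type 0` is fine as ARP carries no checksum.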