git.ipfire.org Git - thirdparty/nftables.git/commit

author	Jeremy Sowden <jeremy@azazel.net>
	Mon, 18 Nov 2024 23:18:28 +0000 (00:18 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 4 Dec 2024 14:35:55 +0000 (15:35 +0100)
commit	54bfc38c522babe709e951f1fd128ff725b36704
tree	4432fccc08834428082c176fab42cbb3e880e819	tree \| snapshot
parent	bc0311378285d41850e3508df905d75959ba4239	commit \| diff

src: allow binop expressions with variable right-hand operands

Hitherto, the kernel has required constant values for the `xor` and
`mask` attributes of boolean bitwise expressions.  This has meant that
the right-hand operand of a boolean binop must be constant.  Now the
kernel has support for AND, OR and XOR operations with right-hand
operands passed via registers, we can relax this restriction.  Allow
non-constant right-hand operands if the left-hand operand is not
constant, e.g.:

  ct mark & 0xffff0000 | meta mark & 0xffff

The kernel now supports performing AND, OR and XOR operations directly,
on one register and an immediate value or on two registers, so we need
to be able to generate and parse bitwise boolean expressions of this
form.

If a boolean operation has a constant RHS, we continue to send a
mask-and-xor expression to the kernel.

Add tests for {ct,meta} mark with variable RHS operands.

JSON support is also included.

This requires Linux kernel >= 6.13-rc.

[ Originally posted as patch 1/8 and 6/8 which has been collapsed and
  simplified to focus on initial {ct,meta} mark support. Tests have
  been extracted from 8/8 including a tests/py fix to payload output
  due to incorrect output in original patchset. JSON support has been
  extracted from patch 7/8 --pablo]

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/linux/netfilter/nf_tables.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
src/netlink_linearize.c		diff \| blob \| blame \| history
src/parser_json.c		diff \| blob \| blame \| history
tests/py/any/ct.t		diff \| blob \| blame \| history
tests/py/any/ct.t.json		diff \| blob \| blame \| history
tests/py/any/ct.t.payload		diff \| blob \| blame \| history
tests/py/inet/meta.t		diff \| blob \| blame \| history
tests/py/inet/meta.t.json		diff \| blob \| blame \| history
tests/py/inet/meta.t.payload		diff \| blob \| blame \| history
tests/py/ip/ct.t		diff \| blob \| blame \| history
tests/py/ip/ct.t.json		diff \| blob \| blame \| history
tests/py/ip/ct.t.payload		diff \| blob \| blame \| history
tests/py/ip6/ct.t		diff \| blob \| blame \| history
tests/py/ip6/ct.t.json		diff \| blob \| blame \| history
tests/py/ip6/ct.t.payload		diff \| blob \| blame \| history
tests/shell/features/bitwise_multireg.nft	[new file with mode: 0644]	blob
tests/shell/testcases/bitwise/0040mark_binop_10	[new file with mode: 0755]	blob
tests/shell/testcases/bitwise/0040mark_binop_11	[new file with mode: 0755]	blob
tests/shell/testcases/bitwise/0040mark_binop_12	[new file with mode: 0755]	blob
tests/shell/testcases/bitwise/0040mark_binop_13	[new file with mode: 0755]	blob
tests/shell/testcases/bitwise/0044payload_binop_2	[new file with mode: 0755]	blob
tests/shell/testcases/bitwise/0044payload_binop_5	[new file with mode: 0755]	blob
tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft	[new file with mode: 0644]	blob
tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft	[new file with mode: 0644]	blob
tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft	[new file with mode: 0644]	blob
tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft	[new file with mode: 0644]	blob
tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft	[new file with mode: 0644]	blob
tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft	[new file with mode: 0644]	blob