git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 17 Mar 2023 09:16:46 +0000 (10:16 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 28 Mar 2023 08:26:34 +0000 (10:26 +0200)
commit	5d8e33ddb1125ccdc258c01d2d869be6eb9ed3a9
tree	067ebcc2d13386f7cda2939a6f1043571e11408e	tree
parent	6bea6864b799905c8cc5f7a3f9488c88e219c481	commit \| diff

evaluate: relax type-checking for integer arguments in mark statements

In order to be able to set ct and meta marks to values derived from
payload expressions, we need to relax the requirement that the type of
the statement argument must match that of the statement key.  Instead,
we require that the base-type of the argument is integer and that the
argument is small enough to fit.

Moreover, swap expression byteorder before to make it compatible with
the statement byteorder, to ensure rulesets are portable.

# nft --debug=netlink add rule ip t c 'meta mark set ip saddr'
ip t c
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ byteorder reg 1 = ntoh(reg 1, 4, 4) ] <----------- byteorder swap
  [ meta set mark with reg 1 ]

Based on original work from Jeremy Sowden.

The following patches are required for this to work:

evaluate: get length from statement instead of lhs expression
evaluate: don't eval unary arguments
evaluate: support shifts larger than the width of the left operand
netlink_delinearize: correct type and byte-order of shifts
evaluate: insert byte-order conversions for expressions between 9 and 15 bits

Add one testcase for tests/py.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/evaluate.c		diff \| blob \| blame \| history
tests/py/ip/meta.t		diff \| blob \| blame \| history
tests/py/ip/meta.t.json		diff \| blob \| blame \| history
tests/py/ip/meta.t.payload		diff \| blob \| blame \| history