git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Mon, 1 Aug 2016 15:11:41 +0000 (17:11 +0200)
committer	Florian Westphal <fw@strlen.de>
	Mon, 1 Aug 2016 15:11:41 +0000 (17:11 +0200)
commit	78936d50f306c826b0c31d93743c4daec7104858
tree	7196a7b2da222d438338344b96b67bff423e867c	tree
parent	fc2f5c4418283dbfc2e008bc4268e9d3b6f313ba	commit \| diff

evaluate: add support to set IPv6 non-byte header fields

'ip6 ecn set 1' will generate a zero-sized write operation.
Just like when matching on bit-sized header fields we need to
round up to a byte-sized quantity and add a mask to retain those
bits outside of the header bits that we want to change.

Example:

ip6 ecn set ce
  [ payload load 1b @ network header + 1 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x000000cf ) ^ 0x00000030 ]
  [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 ]

1. Load the full byte containing the ecn bits
2. Mask out everything *BUT* the ecn bits
3. Set the CE mark

This patch only works if the protocol doesn't need a checksum fixup.
Will address this in a followup patch.

This also doesn't yet include the needed reverse translation.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>