git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 15 Apr 2016 13:09:39 +0000 (15:09 +0200)
committer	Florian Westphal <fw@strlen.de>
	Tue, 19 Apr 2016 13:23:20 +0000 (15:23 +0200)
commit	e20eac092725c982387181f3df557877b02eb345
tree	bad4c5ba92918e470ea775692260fe772db5057e	tree \| snapshot
parent	c30fc3d731b711847fce7910e95d1c217886cb09	commit \| diff

payload: only merge if adjacent and combined size fits into a register

add rule ip6 filter input ip6 saddr ::1/128 ip6 daddr ::1/128 fails,
we ask to compare a 32byte immediate which is not supported:

  [ payload load 32b @ network header + 8 => reg 1 ]
  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 0x00000000 0x00000000 0x00000000 0x02000000 ]

We would need to use two cmps in this case, i.e.:

  [ payload load 32b @ network header + 8 => reg 1 ]
  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
  [ cmp eq reg 2 0x00000000 0x00000000 0x00000000 0x02000000 ]

Seems however that this requires a bit more changes to how nft
handles register allocations, we'd also need to undo the constant merge.

Lets disable merging for now so that we generate

  [ payload load 16b @ network header + 8 => reg 1 ]
  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
  [ payload load 16b @ network header + 24 => reg 1 ]
  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ]

... if merge would bring us over the 128 bit register size.

Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=1032
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/payload.h		diff \| blob \| blame \| history
src/payload.c		diff \| blob \| blame \| history
src/rule.c		diff \| blob \| blame \| history
tests/py/ip6/ip6.t		diff \| blob \| blame \| history
tests/py/ip6/ip6.t.payload.inet		diff \| blob \| blame \| history
tests/py/ip6/ip6.t.payload.ip6		diff \| blob \| blame \| history