git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 30 Jan 2025 17:47:13 +0000 (18:47 +0100)
committer	Florian Westphal <fw@strlen.de>
	Fri, 7 Feb 2025 10:44:20 +0000 (11:44 +0100)
commit	4f046ae450cbe2567022575c11dd65a9d9ea272d
tree	9cd9ec0a542b32af97b937fd2fd5d084e409d05e	tree
parent	44c803015a1e0bca54fb7b92fdc154d162f9dbfd	commit \| diff

src: add and use payload_expr_trim_force

Previous commit fixed erroneous handling of raw expressions when RHS sets
a zero value.

Input: @ih,58,6 set 0 @ih,86,6 set 0 @ih,170,22 set 0
Output:@ih,48,16 set @ih,48,16 & 0xffc0 @ih,80,16 set \
@ih,80,16 & 0xfc0f @ih,160,32 set @ih,160,32 & 0xffc00000

After this patch, this will instead display:

@ih,58,6 set 0x0 @ih,86,6 set 0x0 @ih,170,22 set 0x0

payload_expr_trim_force() only works when the payload has no known
protocol (template) attached, i.e. will be printed as raw payload syntax.

It performs sanity checks on @mask and then adjusts the payload expression
length and offset according to the mask.

Also add this check in __binop_postprocess() so we can also discard masks
when matching, e.g.

'@ih,7,5 2' becomes '@ih,7,5 0x2', not '@ih,0,16 & 0xffc0 == 0x20'.

binop_postprocess now returns if it performed an action or not; if this
returns true then arguments might have been freed so callers must no longer
refer to any of the expressions attached to the binop.

Next patch adds test cases for this.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/payload.h		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
src/payload.c		diff \| blob \| blame \| history