author | Florian Westphal <fw@strlen.de> | 2023-09-28 23:27:55 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-11-03 12:24:21 +0100 |
commit | dc36708b9b209823f3ee8912f1d72c272bbd36da (patch) | |
tree | adfb72a46bd3c3ab2036a210007ea87b0e1cc0a6 | |
parent | fba8fbeb18225f9d4952fa61fb5a263ae07a26ee (diff) |
rule: never merge across non-expression statements
commit 99ab1b8feb16741a83fb8b887bacae8fa07d29a2 upstream.
The existing logic can merge across non-expression statements,
if there is only one payload expression.
Example:
ether saddr 00:11:22:33:44:55 counter ether type 8021q
is turned into
counter ether saddr 00:11:22:33:44:55 ether type 8021q
which isn't the same thing: with the counter moved ahead of the saddr match, it counts packets the original rule would never have counted.
Fix this up and add test cases for adjacent vlan and ip header
fields. 'Counter' serves as a non-merge fence.
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | src/rule.c | 6 | ||||
-rw-r--r-- | tests/py/bridge/vlan.t | 2 | ||||
-rw-r--r-- | tests/py/bridge/vlan.t.payload | 8 | ||||
-rw-r--r-- | tests/py/bridge/vlan.t.payload.netdev | 10 | ||||
-rw-r--r-- | tests/py/ip/ip.t | 3 | ||||
-rw-r--r-- | tests/py/ip/ip.t.payload | 15 |
6 files changed, 40 insertions, 4 deletions
@@ -2893,10 +2893,8 @@ static void stmt_reduce(const struct rule *rule)
 		/* Must not merge across other statements */
 		if (stmt->ops->type != STMT_EXPRESSION) {
-			if (idx < 2)
-				continue;
-
-			payload_do_merge(sa, idx);
+			if (idx >= 2)
+				payload_do_merge(sa, idx);
 			idx = 0;
 			continue;
 		}
diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
index 95bdff4f..8fa90dac 100644
--- a/tests/py/bridge/vlan.t
+++ b/tests/py/bridge/vlan.t
@@ -52,3 +52,5 @@ ether saddr 00:01:02:03:04:05 vlan id 1;ok
 vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2
 ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok
+
+ether saddr 00:11:22:33:44:55 counter ether type 8021q;ok
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
index 62e4b89b..2592bb96 100644
--- a/tests/py/bridge/vlan.t.payload
+++ b/tests/py/bridge/vlan.t.payload
@@ -304,3 +304,11 @@ bridge test-bridge input
   [ payload load 2b @ link header + 14 => reg 10 ]
   [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+bridge test-bridge input
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x33221100 0x00005544 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
index 1018d4c6..f3341947 100644
--- a/tests/py/bridge/vlan.t.payload.netdev
+++ b/tests/py/bridge/vlan.t.payload.netdev
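Review bot: The comment `/* Must not merge across other statements */` above the rewritten branch still only hints at the flush, while the actual fix is that `idx` is now reset to 0 even when fewer than two payload matches are pending; the removed `if (idx < 2) continue;` left a single pending match in `sa[]`, so it could later be merged with a match on the far side of a side-effecting statement such as `counter`, which is exactly the reordering the commit message describes. Nothing in the code says why the shortcut is wrong, so a future cleanup could reintroduce it. I would extend the comment to `/* Must not merge across other statements: flush what is pending and restart, and drop a lone pending match from the merge window too, or it would be merged across this statement. */`. Since any non-STMT_EXPRESSION statement (log, limit, set updates, verdicts) acts as the fence here but only `counter` is exercised by the new tests, a second fence case would pin the behaviour beyond counters. stmt_reduce begins and ends outside this hunk.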
@@ -356,3 +356,13 @@ netdev test-netdev ingress
   [ payload load 2b @ link header + 14 => reg 10 ]
   [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+bridge test-bridge input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x33221100 0x00005544 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
index d5a4d8a5..1338a909 100644
--- a/tests/py/ip/ip.t
+++ b/tests/py/ip/ip.t
@@ -127,3 +127,6 @@ iif "lo" ip dscp set cs0;ok
 ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok
 ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept };ok
+
+ip saddr 1.2.3.4 ip daddr 3.4.5.6;ok
+ip saddr 1.2.3.4 counter ip daddr 3.4.5.6;ok
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
index b9fcb515..4d34f989 100644
--- a/tests/py/ip/ip.t.payload
+++ b/tests/py/ip/ip.t.payload
@@ -523,3 +523,18 @@ ip
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ payload load 4b @ network header + 16 => reg 9 ]
   [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr 1.2.3.4 ip daddr 3.4.5.6
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
+
+# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
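Review bot: The new expectation added to tests/py/bridge/vlan.t.payload.netdev is headed `bridge test-bridge input`, although the file is the netdev variant and the entry it follows is headed `netdev test-netdev ingress` (visible in the hunk header context); the block looks copied from vlan.t.payload with the header left unchanged. If nft-test.py compares that header line literally the new case fails for the netdev family, and if it skips the header the mismatch still misleads whoever reads the expected bytecode next. I would change the added line to `netdev test-netdev ingress`. The rest of the entry (the `iiftype` dependency followed by the saddr match, counter and ethertype match) matches the bridge expectation apart from that header.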