meta: stash context statement length when generating payload/meta dependency

... meta mark set ip dscp generates an implicit dependency from the inet family to match on meta nfproto ip. The length of this implicit expression is incorrectly adjusted to the statement length, ie. relational to compare meta nfproto takes 4 bytes instead of 1 byte. The evaluation of 'ip dscp' under the meta mark statement triggers this implicit dependency which should not consider the context statement length since it is added before the statement itself. This problem shows when listing the ruleset, since netlink_parse_cmp() where left->len < right->len, hence handling the implicit dependency as a concatenation, but it is actually a bug in the evaluation step that leads to incorrect bytecode. Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation") Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand") Tested-by: Brian Davidson <davidson.brian@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-07-18 23:10:01 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-07-19 20:06:34 +0200
commit: 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 (patch)
tree: 35af0d12e861771e2f30107f1c79ed78c6dd9ce3 /tests/py/inet/meta.t.json
parent: ae1f506b5b0925dfe07215876f010dd087785ca9 (diff)
1 files changed, 86 insertions, 0 deletions
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
index 92a1f9bf..3ba0fd1d 100644
--- a/tests/py/inet/meta.t.json
+++ b/tests/py/inet/meta.t.json
@@ -440,3 +440,89 @@
     }
 ]
 
+# meta mark set ip dscp
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip dscp | 0x40
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip"
+                        }
+                    },
+                    64
+                ]
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp | 0x40
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    64
+                ]
+            }
+        }
+    }
+]
+
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-07-18 23:10:01 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2023-07-19 20:06:34 +0200
commit	5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 (patch)
tree	35af0d12e861771e2f30107f1c79ed78c6dd9ce3 /tests/py/inet/meta.t.json
parent	ae1f506b5b0925dfe07215876f010dd087785ca9 (diff)