diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-03-17 10:16:46 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-03-28 10:26:34 +0200 |
| commit | 5d8e33ddb1125ccdc258c01d2d869be6eb9ed3a9 (patch) | |
| tree | 067ebcc2d13386f7cda2939a6f1043571e11408e /tests/py | |
| parent | 6bea6864b799905c8cc5f7a3f9488c88e219c481 (diff) | |
evaluate: relax type-checking for integer arguments in mark statements
In order to be able to set ct and meta marks to values derived from
payload expressions, we need to relax the requirement that the type of
the statement argument must match that of the statement key. Instead,
we require that the base-type of the argument is integer and that the
argument is small enough to fit.
Moreover, swap expression byteorder before to make it compatible with
the statement byteorder, to ensure rulesets are portable.
# nft --debug=netlink add rule ip t c 'meta mark set ip saddr'
ip t c
[ payload load 4b @ network header + 12 => reg 1 ]
[ byteorder reg 1 = ntoh(reg 1, 4, 4) ] <----------- byteorder swap
[ meta set mark with reg 1 ]
Based on original work from Jeremy Sowden.
The following patches are required for this to work:
evaluate: get length from statement instead of lhs expression
evaluate: don't eval unary arguments
evaluate: support shifts larger than the width of the left operand
netlink_delinearize: correct type and byte-order of shifts
evaluate: insert byte-order conversions for expressions between 9 and 15 bits
Add one testcase for tests/py.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/py')
| -rw-r--r-- | tests/py/ip/meta.t | 2 | ||||
| -rw-r--r-- | tests/py/ip/meta.t.json | 20 | ||||
| -rw-r--r-- | tests/py/ip/meta.t.payload | 8 |
3 files changed, 30 insertions, 0 deletions
diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t index 5a05923a..85eaf54c 100644 --- a/tests/py/ip/meta.t +++ b/tests/py/ip/meta.t @@ -15,3 +15,5 @@ meta obrname "br0";fail meta sdif "lo" accept;ok meta sdifname != "vrf1" accept;ok + +meta mark set ip dscp;ok diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json index 3df31ce3..a93d7e78 100644 --- a/tests/py/ip/meta.t.json +++ b/tests/py/ip/meta.t.json @@ -156,3 +156,23 @@ } } ] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload index afde5cc1..1aa8d003 100644 --- a/tests/py/ip/meta.t.payload +++ b/tests/py/ip/meta.t.payload @@ -51,3 +51,11 @@ ip test-ip4 input [ cmp eq reg 1 0x00000011 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00004300 ] + +# meta mark set ip dscp +ip test-ip4 input + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + |