From 5bedf4a11e2118841598623ad4bedb6cbb23994f Mon Sep 17 00:00:00 2001 From: Jorge Ortiz Date: Mon, 28 Aug 2023 21:09:10 +0200 Subject: evaluate: place byteorder conversion after numgen for IP address datatypes The numgen extension generates numbers in little-endian. This can be very tricky when trying to combine it with IP addresses, which use big endian. This change adds a new byteorder operation to convert data type endianness. Before this patch: $ sudo nft -d netlink add rule nat snat_chain snat to numgen inc mod 7 offset 0x0a000001 ip nat snat_chain [ numgen reg 1 = inc mod 7 offset 167772161 ] [ nat snat ip addr_min reg 1 ] After this patch: $ sudo nft -d netlink add rule nat snat_chain snat to numgen inc mod 7 offset 0x0a000001 ip nat snat_chain [ numgen reg 1 = inc mod 7 offset 167772161 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ nat snat ip addr_min reg 1 ] Regression tests have been modified to include these new cases. Signed-off-by: Jorge Ortiz Escribano Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 4 ++++ tests/py/ip/numgen.t | 2 ++ tests/py/ip/numgen.t.json | 30 ++++++++++++++++++++++++++++++ tests/py/ip/numgen.t.json.output | 30 ++++++++++++++++++++++++++++++ tests/py/ip/numgen.t.payload | 11 +++++++++++ 5 files changed, 77 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 4c23bba3..a7725f4e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2832,6 +2832,10 @@ static int __stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
 return byteorder_conversion(ctx, expr, byteorder);
 case EXPR_PREFIX:
 return stmt_prefix_conversion(ctx, expr, byteorder);
+ case EXPR_NUMGEN:
+ if (dtype->type == TYPE_IPADDR)
+ return byteorder_conversion(ctx, expr, byteorder);
+ break;
 default:
 break;
 }
diff --git a/tests/py/ip/numgen.t b/tests/py/ip/numgen.t
index 29a6a105..2a881460 100644
--- a/tests/py/ip/numgen.t
+++ b/tests/py/ip/numgen.t
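Review bot: The new `case EXPR_NUMGEN:` converts only when `dtype->type == TYPE_IPADDR`, and nothing in the hunk says why the check is that narrow; as far as the visible lines show, a numgen result used as any other network-order statement argument would still skip the conversion, which is worth confirming. A comment above the check would record the intent, e.g. `/* numgen yields a host-endian 32-bit value; IPv4 NAT addresses are network order */`. Because this changes the address that an existing `snat`/`dnat to numgen ... offset N` rule resolves to, operators who byte-swapped the offset as a workaround would see traffic translated to different hosts after upgrading, so the change deserves a line in the release notes. The body of `__stmt_evaluate_arg` starts and ends outside the hunk.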
@@ -5,3 +5,5 @@ ct mark set numgen inc mod 2;ok
 ct mark set numgen inc mod 2 offset 100;ok
 dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 };ok
 dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200};ok
+dnat to numgen inc mod 7 offset 167772161;ok
+dnat to numgen inc mod 255 offset 167772161;ok
diff --git a/tests/py/ip/numgen.t.json b/tests/py/ip/numgen.t.json
index 9902c2cf..6cf66041 100644
--- a/tests/py/ip/numgen.t.json
+++ b/tests/py/ip/numgen.t.json
@@ -97,3 +97,33 @@
 }
 ]
+# dnat to numgen inc mod 7 offset 167772161
+[
+ {
+ "dnat": {
+ "addr": {
+ "numgen": {
+ "mod": 7,
+ "mode": "inc",
+ "offset": 167772161
+ }
+ }
+ }
+ }
+]
+
+# dnat to numgen inc mod 255 offset 167772161
+[
+ {
+ "dnat": {
+ "addr": {
+ "numgen": {
+ "mod": 255,
+ "mode": "inc",
+ "offset": 167772161
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/ip/numgen.t.json.output b/tests/py/ip/numgen.t.json.output
index b54121ca..06ad1ecc 100644
--- a/tests/py/ip/numgen.t.json.output
+++ b/tests/py/ip/numgen.t.json.output
@@ -80,3 +80,33 @@
 }
 ]
+# dnat to numgen inc mod 7 offset 167772161
+[
+ {
+ "dnat": {
+ "addr": {
+ "numgen": {
+ "mod": 7,
+ "mode": "inc",
+ "offset": 167772161
+ }
+ }
+ }
+ }
+]
+
+# dnat to numgen inc mod 255 offset 167772161
+[
+ {
+ "dnat": {
+ "addr": {
+ "numgen": {
+ "mod": 255,
+ "mode": "inc",
+ "offset": 167772161
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/ip/numgen.t.payload b/tests/py/ip/numgen.t.payload
index 3349c68b..b4eadf85 100644
--- a/tests/py/ip/numgen.t.payload
+++ b/tests/py/ip/numgen.t.payload
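Review bot: The offset `167772161` in the two added `dnat` cases is 10.0.0.1 written as a decimal integer (the commit message gives it as 0x0a000001), and the test file does not say so; if the .t format accepts a comment line there, `# 167772161 == 0x0a000001 == 10.0.0.1` above them would make the expected address range readable. Both added cases use `inc`, while the new branch in evaluate.c does not look at the numgen mode, so a `dnat to numgen random mod 7 offset 167772161;ok` case with its matching payload entry would pin the conversion for the other mode as well.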
@@ -27,3 +27,14 @@ ip test-ip4 pre
 [ numgen reg 1 = inc mod 2 offset 100 ]
 [ ct set mark with reg 1 ]
+# dnat to numgen inc mod 7 offset 167772161
+ip test-ip4 pre
+ [ numgen reg 1 = inc mod 7 offset 167772161 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ nat dnat ip addr_min reg 1 ]
+
+# dnat to numgen inc mod 255 offset 167772161
+ip test-ip4 pre
+ [ numgen reg 1 = inc mod 255 offset 167772161 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ nat dnat ip addr_min reg 1 ]
-- cgit v1.2.3