evaluate: place byteorder conversion before rshift in payload expressions

Use the key from the evaluation context to perform the byteorder conversion in case that this expression is used for lookups and updates on explicit sets. # nft --debug=netlink add rule ip6 t output ip6 dscp @mapv6 ip6 t output [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] <-------------- this was missing! [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] [ lookup reg 1 set mapv6 ] Also with set statements (updates from packet path): # nft --debug=netlink add rule ip6 t output update @mapv6 { ip6 dscp } ip6 t output [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] <------------- also here! [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] [ dynset update reg_key 1 set mapv6 ] Simple matches on values and implicit sets rely on the binary transfer mechanism to propagate the shift to the constant, no explicit byteorder is required in such case. Fixes: 668c18f67203 ("evaluate: place byteorder conversion before rshift in payload statement") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-11-05 21:54:25 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-11-06 12:29:22 +0100
commit: cb9b72a43c5684379c027908d9f332170bf8dd15 (patch)
tree: 56eb594412a9d0f5debfd08b89389a7504034dd9 /tests/py/ip6/ip6.t.payload.inet
parent: 57f092a87fc4bc61e29cff31dfff976e1f2005ab (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
index 214a0ed9..dbb430af 100644
--- a/tests/py/ip6/ip6.t.payload.inet
+++ b/tests/py/ip6/ip6.t.payload.inet
@@ -76,6 +76,27 @@ inet test-inet input
   [ lookup reg 1 set map2 dreg 1 ]
   [ meta set mark with reg 1 ]
 
+# ip6 dscp @map3
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ lookup reg 1 set map3 ]
+
+# ip6 dscp . ip6 daddr @map4
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ payload load 16b @ network header + 24 => reg 9 ]
+  [ lookup reg 1 set map4 ]
+
 # ip6 flowlabel 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-11-05 21:54:25 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2023-11-06 12:29:22 +0100
commit	cb9b72a43c5684379c027908d9f332170bf8dd15 (patch)
tree	56eb594412a9d0f5debfd08b89389a7504034dd9 /tests/py/ip6/ip6.t.payload.inet
parent	57f092a87fc4bc61e29cff31dfff976e1f2005ab (diff)