diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-11-23 17:59:21 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-11-30 12:50:00 +0100 |
| commit | 1017d323cafa6d4df34b9a2d0bea505e5253bc2b (patch) | |
| tree | 56215f9c59d06c8e27691f6a3a015c32ad442b73 /tests/shell/testcases/maps | |
| parent | c327e9331e50d7b4d6cfd0a82fb38bec73703bfb (diff) | |
src: support for selectors with different byteorder with interval concatenations
Assuming the following interval set with concatenation:
set test {
typeof ip saddr . meta mark
flags interval
}
then, the following rule:
ip saddr . meta mark @test
requires bytecode that swaps the byteorder for the meta mark selector in
case the set contains intervals and concatenations.
inet x y
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ meta load mark => reg 9 ]
[ byteorder reg 9 = hton(reg 9, 4, 4) ] <----- this is required !
[ lookup reg 1 set test dreg 0 ]
This patch updates byteorder_conversion() to add the unary expression
that introduces the byteorder expression.
Moreover, store the meta mark range component of the element tuple in
the set in big endian as it is required for the range comparisons. Undo
the byteorder swap in the netlink delinearize path to listing the meta
mark values accordingly.
Update tests/py to validate that byteorder expression is emitted in the
bytecode. Update tests/shell to validate insertion and listing of a
named map declaration.
A similar commit 806ab081dc9a ("netlink: swap byteorder for
host-endian concat data") already exists in the tree to handle this for
strings with prefix (e.g. eth*).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/maps')
| -rwxr-xr-x | tests/shell/testcases/maps/0012map_0 | 19 | ||||
| -rw-r--r-- | tests/shell/testcases/maps/dumps/0012map_0.nft | 13 |
2 files changed, 32 insertions, 0 deletions
diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0 index dd93c482..49e51b75 100755 --- a/tests/shell/testcases/maps/0012map_0 +++ b/tests/shell/testcases/maps/0012map_0 @@ -15,3 +15,22 @@ table ip x { }" $NFT -f - <<< "$EXPECTED" + +EXPECTED="table ip x { + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { + 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept, + } + } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x123434 + ip saddr . meta mark vmap @w + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft index e734fc1c..895490cf 100644 --- a/tests/shell/testcases/maps/dumps/0012map_0.nft +++ b/tests/shell/testcases/maps/dumps/0012map_0.nft @@ -6,7 +6,20 @@ table ip x { "eth1" : drop } } + map w { + typeof ip saddr . meta mark : verdict + flags interval + counter + elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 counter packets 0 bytes 0 : accept } + } + chain y { iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop } } + + chain k { + type filter hook input priority filter + 1; policy accept; + meta mark set 0x00123434 + ip saddr . meta mark vmap @w + } } |