| author | Jeremy Sowden <jeremy@azazel.net> | 2024-11-19 00:18:28 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-12-04 15:35:55 +0100 |
| commit | 54bfc38c522babe709e951f1fd128ff725b36704 (patch) | |
| tree | 4432fccc08834428082c176fab42cbb3e880e819 /tests/shell | |
| parent | bc0311378285d41850e3508df905d75959ba4239 (diff) | |
src: allow binop expressions with variable right-hand operands
Hitherto, the kernel has required constant values for the `xor` and
`mask` attributes of boolean bitwise expressions. This has meant that
the right-hand operand of a boolean binop must be constant. Now that the
kernel has support for AND, OR and XOR operations with right-hand
operands passed via registers, we can relax this restriction. Allow
non-constant right-hand operands if the left-hand operand is not
constant, e.g.:
ct mark & 0xffff0000 | meta mark & 0xffff
The kernel now supports performing AND, OR and XOR operations directly,
on one register and an immediate value or on two registers, so we need
to be able to generate and parse bitwise boolean expressions of this
form.
If a boolean operation has a constant RHS, we continue to send a
mask-and-xor expression to the kernel.
Add tests for {ct,meta} mark with variable RHS operands.
JSON support is also included.
This requires Linux kernel >= 6.13-rc.
[ Originally posted as patch 1/8 and 6/8 which has been collapsed and
simplified to focus on initial {ct,meta} mark support. Tests have
been extracted from 8/8 including a tests/py fix to payload output
due to incorrect output in original patchset. JSON support has been
extracted from patch 7/8 --pablo]
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
13 files changed, 119 insertions, 0 deletions
diff --git a/tests/shell/features/bitwise_multireg.nft b/tests/shell/features/bitwise_multireg.nft
new file mode 100644
index 00000000..cfce5a39
--- /dev/null
+++ b/tests/shell/features/bitwise_multireg.nft
@@ -0,0 +1,5 @@
+table inet test {
+ chain y {
+ ct mark set ct mark | meta mark
+ }
+}
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_10 b/tests/shell/testcases/bitwise/0040mark_binop_10
new file mode 100755
index 00000000..f523bd73
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_10
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook output priority filter; }
+ add rule t c ct mark set ct mark and 0xffff0000 or meta mark and 0xffff
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_11 b/tests/shell/testcases/bitwise/0040mark_binop_11
new file mode 100755
index 00000000..d6dfb3b8
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_11
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook input priority filter; }
+ add rule t c meta mark set ct mark and 0xffff0000 or meta mark and 0xffff
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_12 b/tests/shell/testcases/bitwise/0040mark_binop_12
new file mode 100755
index 00000000..bbddb55b
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_12
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg)
+
+set -e
+
+RULESET="
+ add table ip6 t
+ add chain ip6 t c { type filter hook output priority filter; }
+ add rule ip6 t c ct mark set ct mark and 0xffff0000 or meta mark and 0xffff
+"
+
+$NFT -f - <<< "$RULESET"
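Review bot: None of the shell cases added here exercises XOR with a register right-hand operand, although the commit message lists AND, OR and XOR; 0040mark_binop_10 through _13 use only `and`/`or`, and 0044payload_binop_2 and _5 use only `|`. These scripts also only load the ruleset and compare the listing, so they show that the rule round-trips through the parser and printer, not that the kernel evaluates it as `(ct mark & 0xffff0000) | (meta mark & 0xffff)`; marks commonly drive filtering and routing policy, so a silent mis-evaluation would matter. Consider one more case such as `add rule t c ct mark set ct mark xor meta mark` (assuming the grammar accepts it after this change), unless tests/py, which this tests/shell-limited view does not show, already covers it.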
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_13 b/tests/shell/testcases/bitwise/0040mark_binop_13
new file mode 100755
index 00000000..769acb63
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_13
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg)
+
+set -e
+
+RULESET="
+ add table ip6 t
+ add chain ip6 t c { type filter hook input priority filter; }
+ add rule ip6 t c meta mark set ct mark and 0xffff0000 or meta mark and 0xffff
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0044payload_binop_2 b/tests/shell/testcases/bitwise/0044payload_binop_2
new file mode 100755
index 00000000..13c4acef
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0044payload_binop_2
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg)
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook output priority filter; }
+ add rule t c ct mark set ct mark | ip dscp | 0x200 counter
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0044payload_binop_5 b/tests/shell/testcases/bitwise/0044payload_binop_5
new file mode 100755
index 00000000..7e8095c8
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0044payload_binop_5
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitwise_multireg)
+
+set -e
+
+RULESET="
+ add table ip6 t
+ add chain ip6 t c { type filter hook output priority filter; }
+ add rule ip6 t c ct mark set ct mark | ip6 dscp | 0x200 counter
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft
new file mode 100644
index 00000000..5566f729
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff
+ }
+}
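Review bot: The 0044payload_binop_2 script, and its ip6 twin 0044payload_binop_5, carries no comment saying what distinguishes it from the 0040mark cases: here a packet header field narrower than the 32-bit mark, `ip dscp`, is ORed into `ct mark` together with a constant. A one-line comment above `RULESET` would make the intent reviewable, for example `# OR a sub-byte payload field and a constant into ct mark (needs register right-hand operands)`. Since that operand comes from the packet, the comment could also state that the test checks load and listing only, not the resulting mark value.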
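Review bot: The dump added for 0040mark_binop_10 has no JSON counterpart among the 13 files in this tests/shell view (one feature probe, six scripts, six `.nft` dumps), although the commit message says JSON support is included. If the suite's JSON listing comparison is meant to cover these cases, a `.json-nft` dump next to this file and next to the five dumps that follow (0040mark_binop_11, _12, _13, 0044payload_binop_2, _5) would exercise the JSON output for register right-hand operands. Without one, a regression in that path would presumably go unnoticed by the shell tests.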
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft
new file mode 100644
index 00000000..719980d5
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ meta mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft
new file mode 100644
index 00000000..bd589fe5
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft
new file mode 100644
index 00000000..2b046b12
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+ chain c {
+ type filter hook input priority filter; policy accept;
+ meta mark set ct mark & 0xffff0000 | meta mark & 0x0000ffff
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft b/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft
new file mode 100644
index 00000000..ed347bb2
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ct mark | ip dscp | 0x00000200 counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft b/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft
new file mode 100644
index 00000000..ccdb93d7
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ct mark set ct mark | ip6 dscp | 0x00000200 counter packets 0 bytes 0
+ }
+} |
