From 54bfc38c522babe709e951f1fd128ff725b36704 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <jeremy@azazel.net>
Date: Tue, 19 Nov 2024 00:18:28 +0100
Subject: src: allow binop expressions with variable right-hand operands

Hitherto, the kernel has required constant values for the `xor` and
`mask` attributes of boolean bitwise expressions.  This has meant that
the right-hand operand of a boolean binop must be constant.  Now the
kernel has support for AND, OR and XOR operations with right-hand
operands passed via registers, we can relax this restriction.  Allow
non-constant right-hand operands if the left-hand operand is not
constant, e.g.:

  ct mark & 0xffff0000 | meta mark & 0xffff

The kernel now supports performing AND, OR and XOR operations directly,
on one register and an immediate value or on two registers, so we need
to be able to generate and parse bitwise boolean expressions of this
form.

If a boolean operation has a constant RHS, we continue to send a
mask-and-xor expression to the kernel.

Add tests for {ct,meta} mark with variable RHS operands.

JSON support is also included.

This requires Linux kernel >= 6.13-rc.

[ Originally posted as patch 1/8 and 6/8 which has been collapsed and
  simplified to focus on initial {ct,meta} mark support. Tests have
  been extracted from 8/8 including a tests/py fix to payload output
  due to incorrect output in original patchset. JSON support has been
  extracted from patch 7/8 --pablo]

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/py/ip6/ct.t.payload | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'tests/py/ip6/ct.t.payload')

diff --git a/tests/py/ip6/ct.t.payload b/tests/py/ip6/ct.t.payload
index 944208f2..a7a56d4b 100644
--- a/tests/py/ip6/ct.t.payload
+++ b/tests/py/ip6/ct.t.payload
@@ -44,3 +44,15 @@ ip6 test-ip6 output
   [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
   [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ]
   [ ct set mark with reg 1 ]
+
+# ct mark set ct mark | ip6 dscp | 0x200 counter
+ip6 test-ip6 output
+  [ ct load mark => reg 1 ]
+  [ payload load 2b @ network header + 0 => reg 2 ]
+  [ bitwise reg 2 = ( reg 2 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 2 = ntoh(reg 2, 2, 2) ]
+  [ bitwise reg 2 = ( reg 2 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 | reg 2 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffdff ) ^ 0x00000200 ]
+  [ ct set mark with reg 1 ]
+  [ counter pkts 0 bytes 0 ]
-- 
cgit v1.2.3