[nft PATCH 4/4] src: fix byteorder conversions in sets

Currently, we have wrong byteorder conversions if we want to use sets in
some nft rules, or in some cases errors. I have designed a solution for the
different kinds of rules with different byteorder:

* For rules with big endian value:

  nft add rule filter input tcp dport {22-25}

  set%d filter 7
  set%d filter 0
  element 00000000 : 1 [end] element 00001600 : 0 [end] element 00001901 : 1 [end]
  ip filter input
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ lookup reg 1 set set%d ]

  In that case, we are going to change the values inside of the set to big
  endian byteorder.

* For rules with invalid byteorder:

  nft add rule filter input tcp checksum {22-25}

  set%d filter 7
  set%d filter 0
  element 00000000 :1 [end] element 00000016 :0 [end] element 0000001a : 1 [end]
  ip filter input
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 2b @ transport header + 16 => reg 1 ]
  [ byteorder reg 1 = hton(reg 1, 2, 2) ]
  [ lookup reg 1 set set%d ]

  In that case, we are going to add a unary expression for changing the register
  before comparing it with the values inside of our set.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@xxxxxxxxx>
---
 src/evaluate.c            |   12 ++++++++----
 src/netlink_delinearize.c |   12 ++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index d09cb27..4521b92 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -934,11 +934,15 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 						 left->dtype->desc,
 						 right->dtype->desc);
 
-		/* Data for range lookups needs to be in big endian order */
+		/* Data for range with invalid byteorder, we must to add
+		 * a unary expression for changing the register for comparing it
+		 */
 		if (right->set->flags & SET_F_INTERVAL &&
-		    byteorder_conversion(ctx, &rel->left,
-					 BYTEORDER_BIG_ENDIAN) < 0)
-			return -1;
+		    rel->left->byteorder == BYTEORDER_INVALID) {
+			if (byteorder_conversion(ctx, &rel->left,
+						 BYTEORDER_HOST_ENDIAN) < 0)
+				return -1;
+		}
 		left = rel->left;
 		break;
 	case OP_EQ:
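Review bot: the replaced condition drops the unconditional conversion of `rel->left` to BYTEORDER_BIG_ENDIAN for interval sets and only converts when the left byteorder is BYTEORDER_INVALID, so a left expression that is already host-endian now reaches the lookup without any conversion here and relies on the set elements being stored in the matching order, which this hunk does not show; please state in the comment (or the commit message) where that ordering is guaranteed. The nested `if` can keep the original style as a single condition: `if (right->set->flags & SET_F_INTERVAL && rel->left->byteorder == BYTEORDER_INVALID && byteorder_conversion(ctx, &rel->left, BYTEORDER_HOST_ENDIAN) < 0) return -1;`. The comment text also needs a grammar fix: "we must to add" should read "we must add".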
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 015c211..1b2ffa6 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -629,11 +629,21 @@ static void payload_dependency_store(struct rule_pp_ctx *ctx,
 
 static void expr_payload_elem_postprocess(struct expr *expr)
 {
+	struct expr *i;
+
 	switch (expr->ops->type) {
 	case EXPR_VALUE:
 		if (expr->dtype->byteorder == BYTEORDER_BIG_ENDIAN)
 			mpz_switch_expr_byteorder(expr);
 		break;
+	case EXPR_SET_REF:
+		list_for_each_entry(i, &expr->set->init->expressions, list)
+			expr_payload_elem_postprocess(i);
+		break;
+	case EXPR_RANGE:
+		expr_payload_elem_postprocess(expr->right);
+		expr_payload_elem_postprocess(expr->left);
+		break;
 	default:
 		break;
 	}
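Review bot: the new EXPR_SET_REF case dereferences `expr->set->init->expressions` with no check that `expr->set->init` is non-NULL, so a set reference whose element list has not been populated would crash the listing; add an `if (expr->set->init)` guard before the `list_for_each_entry`. Since `set->init` is shared state rather than part of this rule's expression tree, also check that a set object referenced by more than one rule is not postprocessed once per rule, because `mpz_switch_expr_byteorder` toggles the value in place and a second pass would switch it back.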
@@ -891,6 +901,8 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
 		expr_postprocess(ctx, stmt, &expr->right);
 		break;
 	case EXPR_SET_REF:
+		expr_postprocess(ctx, stmt, &expr->set->init);
+		break;
 	case EXPR_EXTHDR:
 	case EXPR_META:
 	case EXPR_CT:
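Review bot: adding `break` after the new `expr_postprocess(ctx, stmt, &expr->set->init)` removes the previous fall-through from EXPR_SET_REF into the EXPR_EXTHDR/EXPR_META/EXPR_CT handling, so whatever that shared body did for set references no longer runs; please confirm in the commit message that this behaviour change is intended rather than a side effect. The same NULL concern applies here: `&expr->set->init` is passed down without checking that `init` exists, so guard it or make `expr_postprocess` tolerate a NULL target.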
-- 
1.7.10.4
