Currently, we have wrong byteorder conversions if we want to use
set some nft rules or in some case errors. I have designed a solution for the
different kind of rules with different byteorder:
* For rules with big endian value:
nft add rule filter input tcp dport {22-25}
set%d filter 7
set%d filter 0
element 00000000 : 1 [end] element 00001600 : 0 [end] element 00001901 : 1 [end]
ip filter input
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set set%d ]
In that case, we are going to change it the values inside of the set to big
endian byteorder.
* For rules with invalid byteorder:
nft add rule filter input tcp checksum {22-25}
set%d filter 7
set%d filter 0
element 00000000 :1 [end] element 00000016 :0 [end] element 0000001a : 1 [end]
ip filter input
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 16 => reg 1 ]
[ byteorder reg 1 = hton(reg 1, 2, 2) ]
[ lookup reg 1 set set%d ]
In that case, we are going to add a unary expression for changing the register
previously to comparing it with the values inside of our set.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@xxxxxxxxx>
---
src/evaluate.c | 12 ++++++++----
src/netlink_delinearize.c | 12 ++++++++++++
2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index d09cb27..4521b92 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -934,11 +934,15 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
left->dtype->desc,
right->dtype->desc);
- /* Data for range lookups needs to be in big endian order */
+ /* Data for range with invalid byteorder, we must to add
+ * a unary expression for changing the register for comparing it
+ */
if (right->set->flags & SET_F_INTERVAL &&
- byteorder_conversion(ctx, &rel->left,
- BYTEORDER_BIG_ENDIAN) < 0)
- return -1;
+ rel->left->byteorder == BYTEORDER_INVALID) {
+ if (byteorder_conversion(ctx, &rel->left,
+ BYTEORDER_HOST_ENDIAN) < 0)
+ return -1;
+ }
left = rel->left;
break;
case OP_EQ:
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 015c211..1b2ffa6 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -629,11 +629,21 @@ static void payload_dependency_store(struct rule_pp_ctx *ctx,
static void expr_payload_elem_postprocess(struct expr *expr)
{
+ struct expr *i;
+
switch (expr->ops->type) {
case EXPR_VALUE:
if (expr->dtype->byteorder == BYTEORDER_BIG_ENDIAN)
mpz_switch_expr_byteorder(expr);
break;
+ case EXPR_SET_REF:
+ list_for_each_entry(i, &expr->set->init->expressions, list)
+ expr_payload_elem_postprocess(i);
+ break;
+ case EXPR_RANGE:
+ expr_payload_elem_postprocess(expr->right);
+ expr_payload_elem_postprocess(expr->left);
+ break;
default:
break;
}
@@ -891,6 +901,8 @@ static void expr_postprocess(struct rule_pp_ctx *ctx,
expr_postprocess(ctx, stmt, &expr->right);
break;
case EXPR_SET_REF:
+ expr_postprocess(ctx, stmt, &expr->set->init);
+ break;
case EXPR_EXTHDR:
case EXPR_META:
case EXPR_CT:
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
