On 4. August 2014 17:00:11 GMT+01:00, Alvaro Neira Ayuso <alvaroneay@xxxxxxxxx> wrote:
>In some rules if we use sets, we don't convert the values inside the
>set.
>Usually, rule like the datatype is integer_type. For example:
>
>nft add rule filter input tcp checksum {22-55}
>
>set%d filter 7
>set%d filter 0
>element 00000000:1 [end] element 00000016: 0 [end] element 00000038 :
>1 [end]
>ip filter input
>[ payload load 1b @ network header + 9 => reg 1 ]
>[ cmp eq reg 1 0x00000006 ]
>[ payload load 2b @ transport header + 16 => reg 1 ]
>[ lookup reg 1 set set%d ]
>
>Currently, we are going to do the byteorder conversion the values
>inside the set
>like:
>
>set%d filter 7
>set%d filter 0
>element 00000000 : 1 [end] element 00001600 : 0 [end] element 00003701:
>1 [end]
>ip filter input
>[ payload load 1b @ network header + 9 => reg 1 ]
>[ cmp eq reg 1 0x00000006 ]
>[ payload load 2b @ transport header + 16 => reg 1 ]
>[ lookup reg 1 set set%d ]
>
>Signed-off-by: Alvaro Neira Ayuso <alvaroneay@xxxxxxxxx>
>---
>[changes in v2]
>* Changed the solution for big endian and host endian cases.
I don't unterstand the problem, you seem to be converting values independently of wether we have a range lookup or not.
Could you please specify a case where we are currently not converting values when necessary?
> src/evaluate.c | 32 +++++++++++++++++++++++++++-----
> src/netlink_delinearize.c | 12 ++++++++++++
> 2 files changed, 39 insertions(+), 5 deletions(-)
>
>diff --git a/src/evaluate.c b/src/evaluate.c
>index 8aaf1bf..d973cb8 100644
>--- a/src/evaluate.c
>+++ b/src/evaluate.c
>@@ -670,6 +670,29 @@ static int expr_evaluate_list(struct eval_ctx
>*ctx, struct expr **expr)
> return 0;
> }
>
>+static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr
>*expr)
>+{
>+ switch (expr->ops->type) {
>+ case EXPR_VALUE:
>+ if (byteorder_conversion(ctx, &expr,
>+ BYTEORDER_BIG_ENDIAN) < 0)
>+ return -1;
>+ break;
>+ case EXPR_RANGE:
>+ if (byteorder_conversion(ctx, &expr->right,
>+ BYTEORDER_BIG_ENDIAN) < 0)
>+ return -1;
>+ if (byteorder_conversion(ctx, &expr->left,
>+ BYTEORDER_BIG_ENDIAN) < 0)
>+ return -1;
>+ break;
>+ default:
>+ break;
>+ }
>+
>+ return 0;
>+}
>+
> static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
> {
> struct expr *set = *expr, *i, *next;
>@@ -691,6 +714,10 @@ static int expr_evaluate_set(struct eval_ctx *ctx,
>struct expr **expr)
> expr_free(i);
> } else if (!expr_is_singleton(i))
> set->set_flags |= SET_F_INTERVAL;
>+
>+ /* Byteorder conversion of the set elements */
>+ if (i->ops->type != EXPR_SET)
>+ expr_evaluate_set_elem(ctx, i);
> }
>
> set->dtype = ctx->ectx.dtype;
>@@ -927,11 +954,6 @@ static int expr_evaluate_relational(struct
>eval_ctx *ctx, struct expr **expr)
> left->dtype->desc,
> right->dtype->desc);
>
>- /* Data for range lookups needs to be in big endian order */
>- if (right->set->flags & SET_F_INTERVAL &&
>- byteorder_conversion(ctx, &rel->left,
>- BYTEORDER_BIG_ENDIAN) < 0)
>- return -1;
> left = rel->left;
> break;
> case OP_EQ:
>diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
>index af18dcc..f7961ad 100644
>--- a/src/netlink_delinearize.c
>+++ b/src/netlink_delinearize.c
>@@ -629,10 +629,20 @@ static void payload_dependency_store(struct
>rule_pp_ctx *ctx,
>
> static void payload_elem_postprocess(struct expr *expr)
> {
>+ struct expr *i;
>+
> switch (expr->ops->type) {
> case EXPR_VALUE:
> expr_switch_byteorder(expr);
> break;
>+ case EXPR_SET_REF:
>+ list_for_each_entry(i, &expr->set->init->expressions, list)
>+ payload_elem_postprocess(i);
>+ break;
>+ case EXPR_RANGE:
>+ payload_elem_postprocess(expr->right);
>+ payload_elem_postprocess(expr->left);
>+ break;
> default:
> break;
> }
>@@ -889,6 +899,8 @@ static void expr_postprocess(struct rule_pp_ctx
>*ctx,
> expr_postprocess(ctx, stmt, &expr->right);
> break;
> case EXPR_SET_REF:
>+ expr_postprocess(ctx, stmt, &expr->set->init);
>+ break;
> case EXPR_EXTHDR:
> case EXPR_META:
> case EXPR_CT:
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
