Re: [PATCH nf-next v4 00/10] netfilter: nft_bitwise: shift support

Jeremy Sowden <jeremy@xxxxxxxxxx> · Thu, 16 Jan 2020 08:51:33 +0000

On 2020-01-15, at 21:32:06 +0000, Jeremy Sowden wrote:
> The connmark xtables extension supports bit-shifts.  Add support for
> shifts to nft_bitwise in order to allow nftables to do likewise, e.g.:
>
>   nft add rule t c oif lo ct mark set meta mark << 8 | 0xab
>   nft add rule t c iif lo meta mark & 0xff 0xab ct mark set meta mark >> 8
>
> Changes since v3:
>
>   * the length of shift values sent by nft may be less than sizeof(u32).

Actually, having thought about this some more, I believe I had it right
in v3.  The difference between v3 and v4 is this:

  @@ -146,7 +146,7 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv,
                              tb[NFTA_BITWISE_DATA]);
          if (err < 0)
                  return err;
  -       if (d.type != NFT_DATA_VALUE || d.len != sizeof(u32) ||
  +       if (d.type != NFT_DATA_VALUE || d.len > sizeof(u32) ||
              priv->data.data[0] >= BITS_PER_TYPE(u32)) {
                  nft_data_release(&priv->data, d.type);
                  return -EINVAL;

However, I now think the problem is in userspace and nft should always
send four bytes.  If it sends fewer, it makes it more complicated to get
the endianness right.

Unless you think there are other changes needed that will required a v5,
shall we just ignore v4 and stick with v3?

> Changes since v2:
>
>   * convert NFTA_BITWISE_DATA from u32 to nft_data;
>   * add check that shift value is not too large;
>   * use BITS_PER_TYPE to get the size of u32, rather than hard-coding it
>     when evaluating shifts.
>
> Changes since v1:
>
>   * more white-space fixes;
>   * move bitwise op enum to UAPI;
>   * add NFTA_BITWISE_OP and NFTA_BITWISE_DATA;
>   * remove NFTA_BITWISE_LSHIFT and NFTA_BITWISE_RSHIFT;
>   * add helpers for initializaing, evaluating and dumping different
>     types of operation.
>
> Jeremy Sowden (10):
>   netfilter: nf_tables: white-space fixes.
>   netfilter: bitwise: remove NULL comparisons from attribute checks.
>   netfilter: bitwise: replace gotos with returns.
>   netfilter: bitwise: add NFTA_BITWISE_OP attribute.
>   netfilter: bitwise: add helper for initializing boolean operations.
>   netfilter: bitwise: add helper for evaluating boolean operations.
>   netfilter: bitwise: add helper for dumping boolean operations.
>   netfilter: bitwise: only offload boolean operations.
>   netfilter: bitwise: add NFTA_BITWISE_DATA attribute.
>   netfilter: bitwise: add support for shifts.
>
>  include/uapi/linux/netfilter/nf_tables.h |  24 ++-
>  net/netfilter/nft_bitwise.c              | 217 ++++++++++++++++++-----
>  net/netfilter/nft_set_bitmap.c           |   4 +-
>  net/netfilter/nft_set_hash.c             |   2 +-
>  4 files changed, 200 insertions(+), 47 deletions(-)
>
> --
> 2.24.1

J.
Attachment:
signature.asc

Description: PGP signature