Kernel support for passing mask and xor values for bitwise boolean
operations via registers allows us to support boolean binop's with
variable RHS operands: XOR expressions pass the xor value in a register;
AND expressions pass the mask value in a register; OR expressions pass
both mask and xor values in registers.
NB, OR expressions are converted to `(a & (b ^ 1)) ^ b` during
linearization (in patch 9), because it makes both linearization and
delinearization a lot simpler. However, it involves rearranging and
allocating expressions after the evaluation phase. Since nothing else
does this, AFAICS, I'm not sure whether it's the right thing to do.
The patch-set comprises four parts:
1 - 7: some tidying and bug-fixes;
8 - 10: support for variable RHS operands;
11 - 15: updates to linearization and delinearization of payload
expressions to work correctly with variable RHS operands;
16 - 18: some new shell and Python test-cases.
Changes since v1:
* patch 05 updated to treat short values as constant, rather than
doing nothing with them.
Jeremy Sowden (18):
evaluate: add separate variables for lshift and xor binops.
evaluate: simplify calculation of payload size.
evaluate: don't evaluate payloads twice.
evaluate: convert the byte-order of payload statement arguments.
evaluate: no need to swap byte-order for values of fewer than 16 bits.
netlink_delinearize: set shift RHS byte-order.
src: fix leaks.
include: update nf_tables.h.
src: support (de)linearization of bitwise op's with variable right
operands.
evaluate: allow boolean binop expressions with variable righthand
arguments.
netlink_linearize: round binop bitmask length up.
netlink_delinearize: fix typo.
netlink_delinearize: refactor stmt_payload_binop_postprocess.
netlink_delinearize: add support for processing variable payload
statement arguments.
netlink_delinearize: add postprocessing for payload binops.
tests: shell: remove stray debug flag.
tests: shell: add variable binop RHS tests.
tests: py: add variable binop RHS tests.
include/expression.h | 1 +
include/linux/netfilter/nf_tables.h | 4 +
src/evaluate.c | 75 ++--
src/netlink_delinearize.c | 370 +++++++++++++-----
src/netlink_linearize.c | 97 ++++-
tests/py/any/ct.t | 1 +
tests/py/any/ct.t.json | 37 ++
tests/py/any/ct.t.payload | 33 ++
tests/py/any/meta.t.payload | 4 -
tests/py/inet/tcp.t | 2 +
tests/py/inet/tcp.t.json | 46 ++-
tests/py/inet/tcp.t.payload | 68 ++++
tests/py/ip/ip.t | 3 +
tests/py/ip/ip.t.json | 66 ++++
tests/py/ip/ip.t.payload | 26 ++
tests/py/ip/ip.t.payload.bridge | 30 ++
tests/py/ip/ip.t.payload.inet | 30 ++
tests/py/ip/ip.t.payload.netdev | 30 ++
tests/shell/testcases/chains/0040mark_shift_0 | 2 +-
tests/shell/testcases/chains/0040mark_shift_2 | 11 +
.../testcases/chains/0041payload_variable_0 | 11 +
.../testcases/chains/0041payload_variable_1 | 11 +
.../testcases/chains/0041payload_variable_2 | 11 +
.../testcases/chains/0041payload_variable_3 | 11 +
.../chains/dumps/0040mark_shift_2.nft | 6 +
.../chains/dumps/0041payload_variable_0.nft | 6 +
.../chains/dumps/0041payload_variable_1.nft | 6 +
.../chains/dumps/0041payload_variable_2.nft | 6 +
.../chains/dumps/0041payload_variable_3.nft | 6 +
29 files changed, 873 insertions(+), 137 deletions(-)
create mode 100755 tests/shell/testcases/chains/0040mark_shift_2
create mode 100755 tests/shell/testcases/chains/0041payload_variable_0
create mode 100755 tests/shell/testcases/chains/0041payload_variable_1
create mode 100755 tests/shell/testcases/chains/0041payload_variable_2
create mode 100755 tests/shell/testcases/chains/0041payload_variable_3
create mode 100644 tests/shell/testcases/chains/dumps/0040mark_shift_2.nft
create mode 100644 tests/shell/testcases/chains/dumps/0041payload_variable_0.nft
create mode 100644 tests/shell/testcases/chains/dumps/0041payload_variable_1.nft
create mode 100644 tests/shell/testcases/chains/dumps/0041payload_variable_2.nft
create mode 100644 tests/shell/testcases/chains/dumps/0041payload_variable_3.nft
--
2.25.1
