On 2020-03-02, at 22:19:09 +0000, Jeremy Sowden wrote: > In this example: > > nft --debug=netlink add rule ip t c ip dscp set ip dscp > ip t c > [ payload load 2b @ network header + 0 => reg 1 ] > [ bitwise reg 1 = (reg=1 & 0x000003ff ) ^ 0x00000000 ] > [ payload load 1b @ network header + 1 => reg 2 ] > [ bitwise reg 2 = (reg=2 & 0x0000003c ) ^ 0x00000000 ] > [ bitwise reg 2 = ( reg 2 >> 0x00000002 ) ] > [ bitwise reg 2 = ( reg 2 << 0x00000002 ) ] > [ bitwise reg 1 = (reg=1 & 0x0000ffff ) ^ reg 2 ] > [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] > > The mask at line 4 should be 0xfc, not 0x3c. > > Evaluation of the payload expression munges it from `ip dscp` to > `(ip dscp & 0xfc) >> 2`. When this AND expression is evaluated, its > length is set to 6, the length of `ip dscp`. When the bitwise netlink > expression is generated, the length of the AND is used to generate the > mask, 0x3f, used in combining the binop's. The upshot of this is that > the original mask gets mangled to 0x3c. We can fix this by rounding > the length of the mask to the nearest byte. This is the wrong solution. J.
Attachment:
signature.asc
Description: PGP signature
