This patch-set adds support for new bitwise boolean operations to
nftables, and uses this to extend the types of value which can be
assigned to packet marks and payload fields. The original motivation
for these changes was Kevin Darbyshire-Bryant's wish to be able to set
the conntrack mark to a bitwise expression derived from a DSCP value:

  https://lore.kernel.org/netfilter-devel/20191203160652.44396-1-ldir@xxxxxxxxxxxxxxxxxxxxxxx/#r

For example:

  nft add rule t c ct mark set ip dscp lshift 26 or 0x10

Examples like this could be implemented solely by changes to user space.
However, other examples came up in later discussion, such as:

  nft add rule t c ct mark set ct mark and 0xffff0000 or meta mark and 0xffff

and most recently:

  nft add rule t c ct mark set ct mark or ip dscp or 0x200

which require boolean bitwise operations with two variable operands.

Hitherto, the kernel has required that AND, OR and XOR operations be
converted in user space to mask-and-xor operations on one register and
two immediate values. The related kernel space patch-set, however, adds
support for performing these operations directly on one register and an
immediate value, or on two registers. This patch-set extends nftables to
make use of this functionality.

The previous version of this series also included a few small changes to
make it easier to add debug output and changes to support the
assignments which did not require binops on two registers. The former
have been dropped and the latter were reworked and applied by Pablo. The
following remain.

  * Patch 1 adds support for linearizing and delinearizing the new
    operations.
  * Patches 2-7 add support for using them in payload and mark
    assignments.
  * Patch 8 adds tests for the new assignments.

Jeremy Sowden (8):
  netlink: support (de)linearization of new bitwise boolean operations
  netlink_delinearize: refactor stmt_payload_binop_postprocess
  netlink_delinearize: add support for processing variable payload
    statement arguments
  evaluate: prevent nested byte-order conversions
  evaluate: preserve existing binop properties
  evaluate: allow binop expressions with variable right-hand operands
  parser_json: allow RHS mark and payload expressions
  tests: add tests for binops with variable RHS operands

 include/linux/netfilter/nf_tables.h                |  19 +-
 src/evaluate.c                                     |  67 ++--
 src/netlink_delinearize.c                          | 335 ++++++++++++------
 src/netlink_linearize.c                            |  62 +++-
 src/parser_json.c                                  |   8 +-
 tests/py/any/ct.t                                  |   1 +
 tests/py/any/ct.t.json                             |  37 ++
 tests/py/any/ct.t.payload                          |   9 +
 tests/py/inet/meta.t                               |   2 +
 tests/py/inet/meta.t.json                          |  37 ++
 tests/py/inet/meta.t.payload                       |   9 +
 tests/py/ip/ct.t                                   |   1 +
 tests/py/ip/ct.t.json                              |  36 ++
 tests/py/ip/ct.t.payload                           |  11 +
 tests/py/ip/ip.t                                   |   2 +
 tests/py/ip/ip.t.json                              |  77 +++-
 tests/py/ip/ip.t.payload                           |  28 ++
 tests/py/ip/ip.t.payload.bridge                    |  32 ++
 tests/py/ip/ip.t.payload.inet                      |  32 ++
 tests/py/ip/ip.t.payload.netdev                    |  32 ++
 tests/py/ip6/ct.t                                  |   1 +
 tests/py/ip6/ct.t.json                             |  36 ++
 tests/py/ip6/ct.t.payload                          |  12 +
 tests/py/ip6/ip6.t                                 |   2 +
 tests/py/ip6/ip6.t.json                            |  76 ++++
 tests/py/ip6/ip6.t.payload.inet                    |  36 ++
 tests/py/ip6/ip6.t.payload.ip6                     |  32 ++
 .../shell/testcases/bitwise/0040mark_binop_10      |  11 +
 .../shell/testcases/bitwise/0040mark_binop_11      |  11 +
 .../shell/testcases/bitwise/0040mark_binop_12      |  11 +
 .../shell/testcases/bitwise/0040mark_binop_13      |  11 +
 .../testcases/bitwise/0044payload_binop_0          |  11 +
 .../testcases/bitwise/0044payload_binop_1          |  11 +
 .../testcases/bitwise/0044payload_binop_2          |  11 +
 .../testcases/bitwise/0044payload_binop_3          |  11 +
 .../testcases/bitwise/0044payload_binop_4          |  11 +
 .../testcases/bitwise/0044payload_binop_5          |  11 +
 .../bitwise/dumps/0040mark_binop_10.nft            |   6 +
 .../bitwise/dumps/0040mark_binop_11.nft            |   6 +
 .../bitwise/dumps/0040mark_binop_12.nft            |   6 +
 .../bitwise/dumps/0040mark_binop_13.nft            |   6 +
 .../bitwise/dumps/0044payload_binop_0.nft          |   6 +
 .../bitwise/dumps/0044payload_binop_1.nft          |   6 +
 .../bitwise/dumps/0044payload_binop_2.nft          |   6 +
 .../bitwise/dumps/0044payload_binop_3.nft          |   6 +
 .../bitwise/dumps/0044payload_binop_4.nft          |   6 +
 .../bitwise/dumps/0044payload_binop_5.nft          |   6 +
 47 files changed, 1062 insertions(+), 140 deletions(-)
 create mode 100755 tests/shell/testcases/bitwise/0040mark_binop_10
 create mode 100755 tests/shell/testcases/bitwise/0040mark_binop_11
 create mode 100755 tests/shell/testcases/bitwise/0040mark_binop_12
 create mode 100755 tests/shell/testcases/bitwise/0040mark_binop_13
 create mode 100755 tests/shell/testcases/bitwise/0044payload_binop_0
 create mode 100755 tests/shell/testcases/bitwise/0044payload_binop_1
 create mode 100755 tests/shell/testcases/bitwise/0044payload_binop_2
 create mode 100755 tests/shell/testcases/bitwise/0044payload_binop_3
 create mode 100755 tests/shell/testcases/bitwise/0044payload_binop_4
 create mode 100755 tests/shell/testcases/bitwise/0044payload_binop_5
 create mode 100644 tests/shell/testcases/bitwise/dumps/0040mark_binop_10.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0040mark_binop_11.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0040mark_binop_12.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0040mark_binop_13.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0044payload_binop_0.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0044payload_binop_1.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0044payload_binop_2.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0044payload_binop_3.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0044payload_binop_4.nft
 create mode 100644 tests/shell/testcases/bitwise/dumps/0044payload_binop_5.nft

-- 
2.39.2
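
The mask-and-xor conversion described in the cover letter, as an added example that is not code from this patch series or from nftables: a chain of AND/OR/XOR steps with immediate operands folds into one (mask, xor) pair, while a register operand on the right-hand side cannot be folded. The type and function names (step, mask_xor, fold, apply) and the sample chains are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bool_op { OP_AND, OP_OR, OP_XOR };

/* One step of a chain; rhs_is_reg marks an operand only known per packet. */
struct step { enum bool_op op; bool rhs_is_reg; uint32_t imm; };

/* Legacy form: dreg = (sreg & mask) ^ xor_val, with two immediates. */
struct mask_xor { bool ok; uint32_t mask, xor_val; };

/* Fold a chain into one mask-and-xor pair; ok is false if it cannot be. */
static struct mask_xor fold(const struct step *s, size_t n)
{
	struct mask_xor mx = { true, 0xffffffffu, 0 };

	for (size_t i = 0; i < n; i++) {
		uint32_t c = s[i].imm;

		if (s[i].rhs_is_reg) { mx.ok = false; return mx; }
		switch (s[i].op) {
		case OP_AND: mx.mask &= c;  mx.xor_val &= c; break;
		case OP_OR:  mx.mask &= ~c; mx.xor_val |= c; break; /* x|c == (x&~c)^c */
		case OP_XOR: mx.xor_val ^= c; break;
		}
	}
	return mx;
}

static uint32_t apply(struct mask_xor mx, uint32_t reg)
{
	return (reg & mx.mask) ^ mx.xor_val;
}

/* Constructed chains modelled on the rules quoted in the cover letter. */
static const struct step or_0x10[] = { { OP_OR, false, 0x10 } };
static const struct step imm_chain[] = {
	{ OP_AND, false, 0xffff0000u }, { OP_OR, false, 0x200 }, { OP_XOR, false, 0x1 } };
static const struct step two_regs[] = {	/* "... and 0xffff0000 or <register>" */
	{ OP_AND, false, 0xffff0000u }, { OP_OR, true, 0 } };

int main(void)
{
	struct mask_xor mx = fold(or_0x10, 1);
	printf("or 0x10   -> mask 0x%08x xor 0x%08x\n", (unsigned)mx.mask, (unsigned)mx.xor_val);
	printf("imm chain -> 0x%08x\n", (unsigned)apply(fold(imm_chain, 3), 0x12345678u));
	printf("two regs foldable: %d\n", fold(two_regs, 2).ok);
	return 0;
}
```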