367 lines
12 KiB
Diff
367 lines
12 KiB
Diff
|
From 6aef90100bebe2b00d4edffe59fb9c43643816de Mon Sep 17 00:00:00 2001
|
||
|
From: Phil Sutter <phil@nwl.cc>
|
||
|
Date: Tue, 10 Nov 2020 14:50:46 +0100
|
||
|
Subject: [PATCH] tests/shell: Add test for bitwise avoidance fixes
|
||
|
|
||
|
Masked address matching was recently improved to avoid bitwise
|
||
|
expression if the given mask covers full bytes. Make use of nft netlink
|
||
|
debug output to assert iptables-nft generates the right bytecode for
|
||
|
each situation.
|
||
|
|
||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||
|
(cherry picked from commit 81a2e128512837b53e5b9ea501b6c8dc64eeca78)
|
||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||
|
---
|
||
|
.../nft-only/0009-needless-bitwise_0 | 339 ++++++++++++++++++
|
||
|
1 file changed, 339 insertions(+)
|
||
|
create mode 100755 iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
|
||
|
|
||
|
diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
|
||
|
new file mode 100755
|
||
|
index 0000000000000..c5c6e706a1029
|
||
|
--- /dev/null
|
||
|
+++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
|
||
|
@@ -0,0 +1,339 @@
|
||
|
+#!/bin/bash -x
|
||
|
+
|
||
|
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
|
||
|
+set -e
|
||
|
+
|
||
|
+nft flush ruleset
|
||
|
+
|
||
|
+(
|
||
|
+ echo "*filter"
|
||
|
+ for plen in "" 32 30 24 16 8 0; do
|
||
|
+ addr="10.1.2.3${plen:+/}$plen"
|
||
|
+ echo "-A OUTPUT -d $addr"
|
||
|
+ done
|
||
|
+ echo "COMMIT"
|
||
|
+) | $XT_MULTI iptables-restore
|
||
|
+
|
||
|
+(
|
||
|
+ echo "*filter"
|
||
|
+ for plen in "" 128 124 120 112 88 80 64 48 16 8 0; do
|
||
|
+ addr="feed:c0ff:ee00:0102:0304:0506:0708:090A${plen:+/}$plen"
|
||
|
+ echo "-A OUTPUT -d $addr"
|
||
|
+ done
|
||
|
+ echo "COMMIT"
|
||
|
+) | $XT_MULTI ip6tables-restore
|
||
|
+
|
||
|
+masks="
|
||
|
+ff:ff:ff:ff:ff:ff
|
||
|
+ff:ff:ff:ff:ff:f0
|
||
|
+ff:ff:ff:ff:ff:00
|
||
|
+ff:ff:ff:ff:00:00
|
||
|
+ff:ff:ff:00:00:00
|
||
|
+ff:ff:00:00:00:00
|
||
|
+ff:00:00:00:00:00
|
||
|
+"
|
||
|
+(
|
||
|
+ echo "*filter"
|
||
|
+ for plen in "" 32 30 24 16 8 0; do
|
||
|
+ addr="10.1.2.3${plen:+/}$plen"
|
||
|
+ echo "-A OUTPUT -d $addr"
|
||
|
+ done
|
||
|
+ for mask in $masks; do
|
||
|
+ echo "-A OUTPUT --destination-mac fe:ed:00:c0:ff:ee/$mask"
|
||
|
+ done
|
||
|
+ echo "COMMIT"
|
||
|
+) | $XT_MULTI arptables-restore
|
||
|
+
|
||
|
+(
|
||
|
+ echo "*filter"
|
||
|
+ for mask in $masks; do
|
||
|
+ echo "-A OUTPUT -d fe:ed:00:c0:ff:ee/$mask"
|
||
|
+ done
|
||
|
+ echo "COMMIT"
|
||
|
+) | $XT_MULTI ebtables-restore
|
||
|
+
|
||
|
+EXPECT="ip filter OUTPUT 4
|
||
|
+ [ payload load 4b @ network header + 16 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0302010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip filter OUTPUT 5 4
|
||
|
+ [ payload load 4b @ network header + 16 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0302010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip filter OUTPUT 6 5
|
||
|
+ [ payload load 4b @ network header + 16 => reg 1 ]
|
||
|
+ [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ]
|
||
|
+ [ cmp eq reg 1 0x0002010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip filter OUTPUT 7 6
|
||
|
+ [ payload load 3b @ network header + 16 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0002010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip filter OUTPUT 8 7
|
||
|
+ [ payload load 2b @ network header + 16 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip filter OUTPUT 9 8
|
||
|
+ [ payload load 1b @ network header + 16 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000000a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip filter OUTPUT 10 9
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 4
|
||
|
+ [ payload load 16b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 5 4
|
||
|
+ [ payload load 16b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 6 5
|
||
|
+ [ payload load 16b @ network header + 24 => reg 1 ]
|
||
|
+ [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 7 6
|
||
|
+ [ payload load 15b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 8 7
|
||
|
+ [ payload load 14b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 9 8
|
||
|
+ [ payload load 11b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 10 9
|
||
|
+ [ payload load 10b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 11 10
|
||
|
+ [ payload load 8b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x020100ee ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 12 11
|
||
|
+ [ payload load 6b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xffc0edfe 0x000000ee ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 13 12
|
||
|
+ [ payload load 2b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000edfe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 14 13
|
||
|
+ [ payload load 1b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x000000fe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+ip6 filter OUTPUT 15 14
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 3
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 4b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0302010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 4 3
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 4b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0302010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 5 4
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 4b @ network header + 24 => reg 1 ]
|
||
|
+ [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ]
|
||
|
+ [ cmp eq reg 1 0x0002010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 6 5
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 3b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0002010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 7 6
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 2b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000010a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 8 7
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 1b @ network header + 24 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000000a ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 9 8
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 10 9
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 6b @ network header + 18 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 11 10
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 6b @ network header + 18 => reg 1 ]
|
||
|
+ [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 12 11
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 5b @ network header + 18 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe 0x000000ff ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 13 12
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 4b @ network header + 18 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 14 13
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 3b @ network header + 18 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000edfe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 15 14
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 2b @ network header + 18 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000edfe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+arp filter OUTPUT 16 15
|
||
|
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000100 ]
|
||
|
+ [ payload load 1b @ network header + 4 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000006 ]
|
||
|
+ [ payload load 1b @ network header + 5 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x00000004 ]
|
||
|
+ [ payload load 1b @ network header + 18 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x000000fe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+bridge filter OUTPUT 4
|
||
|
+ [ payload load 6b @ link header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+bridge filter OUTPUT 5 4
|
||
|
+ [ payload load 6b @ link header + 0 => reg 1 ]
|
||
|
+ [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+bridge filter OUTPUT 6 5
|
||
|
+ [ payload load 5b @ link header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe 0x000000ff ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+bridge filter OUTPUT 7 6
|
||
|
+ [ payload load 4b @ link header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0xc000edfe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+bridge filter OUTPUT 8 7
|
||
|
+ [ payload load 3b @ link header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000edfe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+bridge filter OUTPUT 9 8
|
||
|
+ [ payload load 2b @ link header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x0000edfe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+
|
||
|
+bridge filter OUTPUT 10 9
|
||
|
+ [ payload load 1b @ link header + 0 => reg 1 ]
|
||
|
+ [ cmp eq reg 1 0x000000fe ]
|
||
|
+ [ counter pkts 0 bytes 0 ]
|
||
|
+"
|
||
|
+
|
||
|
+diff -u -Z <(echo "$EXPECT") <(nft --debug=netlink list ruleset | awk '/^table/{exit} {print}')
|
||
|
--
|
||
|
2.28.0
|
||
|
|