From 6aef90100bebe2b00d4edffe59fb9c43643816de Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 10 Nov 2020 14:50:46 +0100 Subject: [PATCH] tests/shell: Add test for bitwise avoidance fixes Masked address matching was recently improved to avoid bitwise expression if the given mask covers full bytes. Make use of nft netlink debug output to assert iptables-nft generates the right bytecode for each situation. Signed-off-by: Phil Sutter (cherry picked from commit 81a2e128512837b53e5b9ea501b6c8dc64eeca78) Signed-off-by: Phil Sutter --- .../nft-only/0009-needless-bitwise_0 | 339 ++++++++++++++++++ 1 file changed, 339 insertions(+) create mode 100755 iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 new file mode 100755 index 0000000000000..c5c6e706a1029 --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 @@ -0,0 +1,339 @@ +#!/bin/bash -x + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } +set -e + +nft flush ruleset + +( + echo "*filter" + for plen in "" 32 30 24 16 8 0; do + addr="10.1.2.3${plen:+/}$plen" + echo "-A OUTPUT -d $addr" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore + +( + echo "*filter" + for plen in "" 128 124 120 112 88 80 64 48 16 8 0; do + addr="feed:c0ff:ee00:0102:0304:0506:0708:090A${plen:+/}$plen" + echo "-A OUTPUT -d $addr" + done + echo "COMMIT" +) | $XT_MULTI ip6tables-restore + +masks=" +ff:ff:ff:ff:ff:ff +ff:ff:ff:ff:ff:f0 +ff:ff:ff:ff:ff:00 +ff:ff:ff:ff:00:00 +ff:ff:ff:00:00:00 +ff:ff:00:00:00:00 +ff:00:00:00:00:00 +" +( + echo "*filter" + for plen in "" 32 30 24 16 8 0; do + addr="10.1.2.3${plen:+/}$plen" + echo "-A OUTPUT -d $addr" + done + for mask in $masks; do + echo "-A OUTPUT --destination-mac fe:ed:00:c0:ff:ee/$mask" + done + echo "COMMIT" +) | $XT_MULTI arptables-restore + +( + echo "*filter" + for mask in $masks; do + echo "-A OUTPUT -d fe:ed:00:c0:ff:ee/$mask" + done + echo "COMMIT" +) | $XT_MULTI ebtables-restore + +EXPECT="ip filter OUTPUT 4 + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 5 4 + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 6 5 + [ payload load 4b @ network header + 16 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 7 6 + [ payload load 3b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 8 7 + [ payload load 2b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0000010a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 9 8 + [ payload load 1b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ counter pkts 0 bytes 0 ] + +ip filter OUTPUT 10 9 + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 4 + [ payload load 16b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 5 4 + [ payload load 16b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 6 5 + [ payload load 16b @ network header + 24 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 7 6 + [ payload load 15b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 8 7 + [ payload load 14b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 9 8 + [ payload load 11b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 10 9 + [ payload load 10b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 11 10 + [ payload load 8b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x020100ee ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 12 11 + [ payload load 6b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0xffc0edfe 0x000000ee ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 13 12 + [ payload load 2b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 14 13 + [ payload load 1b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x000000fe ] + [ counter pkts 0 bytes 0 ] + +ip6 filter OUTPUT 15 14 + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 3 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 4 3 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0302010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 5 4 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 24 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 6 5 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 3b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0002010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 7 6 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 2b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0000010a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 8 7 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 1b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 9 8 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 10 9 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 6b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x0000eeff ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 11 10 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 6b @ network header + 18 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ] + [ cmp eq reg 1 0xc000edfe 0x0000e0ff ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 12 11 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 5b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x000000ff ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 13 12 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 4b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0xc000edfe ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 14 13 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 3b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 15 14 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 2b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +arp filter OUTPUT 16 15 + [ payload load 2b @ network header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000100 ] + [ payload load 1b @ network header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ network header + 5 => reg 1 ] + [ cmp eq reg 1 0x00000004 ] + [ payload load 1b @ network header + 18 => reg 1 ] + [ cmp eq reg 1 0x000000fe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 4 + [ payload load 6b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x0000eeff ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 5 4 + [ payload load 6b @ link header + 0 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ] + [ cmp eq reg 1 0xc000edfe 0x0000e0ff ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 6 5 + [ payload load 5b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0xc000edfe 0x000000ff ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 7 6 + [ payload load 4b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0xc000edfe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 8 7 + [ payload load 3b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 9 8 + [ payload load 2b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000edfe ] + [ counter pkts 0 bytes 0 ] + +bridge filter OUTPUT 10 9 + [ payload load 1b @ link header + 0 => reg 1 ] + [ cmp eq reg 1 0x000000fe ] + [ counter pkts 0 bytes 0 ] +" + +diff -u -Z <(echo "$EXPECT") <(nft --debug=netlink list ruleset | awk '/^table/{exit} {print}') -- 2.28.0