Blame SOURCES/0034-tests-shell-Add-test-for-bitwise-avoidance-fixes.patch

b144b7
From 6aef90100bebe2b00d4edffe59fb9c43643816de Mon Sep 17 00:00:00 2001
6ef880
From: Phil Sutter <phil@nwl.cc>
6ef880
Date: Tue, 10 Nov 2020 14:50:46 +0100
6ef880
Subject: [PATCH] tests/shell: Add test for bitwise avoidance fixes
6ef880
6ef880
Masked address matching was recently improved to avoid bitwise
6ef880
expression if the given mask covers full bytes. Make use of nft netlink
6ef880
debug output to assert iptables-nft generates the right bytecode for
6ef880
each situation.
6ef880
6ef880
Signed-off-by: Phil Sutter <phil@nwl.cc>
6ef880
(cherry picked from commit 81a2e128512837b53e5b9ea501b6c8dc64eeca78)
6ef880
Signed-off-by: Phil Sutter <psutter@redhat.com>
6ef880
---
6ef880
 .../nft-only/0009-needless-bitwise_0          | 339 ++++++++++++++++++
6ef880
 1 file changed, 339 insertions(+)
6ef880
 create mode 100755 iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
6ef880
6ef880
diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
6ef880
new file mode 100755
6ef880
index 0000000000000..c5c6e706a1029
6ef880
--- /dev/null
6ef880
+++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
6ef880
@@ -0,0 +1,339 @@
6ef880
+#!/bin/bash -x
6ef880
+
6ef880
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
6ef880
+set -e
6ef880
+
6ef880
+nft flush ruleset
6ef880
+
6ef880
+(
6ef880
+	echo "*filter"
6ef880
+	for plen in "" 32 30 24 16 8 0; do
6ef880
+		addr="10.1.2.3${plen:+/}$plen"
6ef880
+		echo "-A OUTPUT -d $addr"
6ef880
+	done
6ef880
+	echo "COMMIT"
6ef880
+) | $XT_MULTI iptables-restore
6ef880
+
6ef880
+(
6ef880
+	echo "*filter"
6ef880
+	for plen in "" 128 124 120 112 88 80 64 48 16 8 0; do
6ef880
+		addr="feed:c0ff:ee00:0102:0304:0506:0708:090A${plen:+/}$plen"
6ef880
+		echo "-A OUTPUT -d $addr"
6ef880
+	done
6ef880
+	echo "COMMIT"
6ef880
+) | $XT_MULTI ip6tables-restore
6ef880
+
6ef880
+masks="
6ef880
+ff:ff:ff:ff:ff:ff
6ef880
+ff:ff:ff:ff:ff:f0
6ef880
+ff:ff:ff:ff:ff:00
6ef880
+ff:ff:ff:ff:00:00
6ef880
+ff:ff:ff:00:00:00
6ef880
+ff:ff:00:00:00:00
6ef880
+ff:00:00:00:00:00
6ef880
+"
6ef880
+(
6ef880
+	echo "*filter"
6ef880
+	for plen in "" 32 30 24 16 8 0; do
6ef880
+		addr="10.1.2.3${plen:+/}$plen"
6ef880
+		echo "-A OUTPUT -d $addr"
6ef880
+	done
6ef880
+	for mask in $masks; do
6ef880
+		echo "-A OUTPUT --destination-mac fe:ed:00:c0:ff:ee/$mask"
6ef880
+	done
6ef880
+	echo "COMMIT"
6ef880
+) | $XT_MULTI arptables-restore
6ef880
+
6ef880
+(
6ef880
+	echo "*filter"
6ef880
+	for mask in $masks; do
6ef880
+		echo "-A OUTPUT -d fe:ed:00:c0:ff:ee/$mask"
6ef880
+	done
6ef880
+	echo "COMMIT"
6ef880
+) | $XT_MULTI ebtables-restore
6ef880
+
6ef880
+EXPECT="ip filter OUTPUT 4
6ef880
+  [ payload load 4b @ network header + 16 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0302010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip filter OUTPUT 5 4
6ef880
+  [ payload load 4b @ network header + 16 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0302010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip filter OUTPUT 6 5
6ef880
+  [ payload load 4b @ network header + 16 => reg 1 ]
6ef880
+  [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ]
6ef880
+  [ cmp eq reg 1 0x0002010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip filter OUTPUT 7 6
6ef880
+  [ payload load 3b @ network header + 16 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0002010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip filter OUTPUT 8 7
6ef880
+  [ payload load 2b @ network header + 16 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip filter OUTPUT 9 8
6ef880
+  [ payload load 1b @ network header + 16 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000000a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip filter OUTPUT 10 9
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 4
6ef880
+  [ payload load 16b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 5 4
6ef880
+  [ payload load 16b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 6 5
6ef880
+  [ payload load 16b @ network header + 24 => reg 1 ]
6ef880
+  [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 7 6
6ef880
+  [ payload load 15b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 8 7
6ef880
+  [ payload load 14b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 9 8
6ef880
+  [ payload load 11b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 10 9
6ef880
+  [ payload load 10b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 11 10
6ef880
+  [ payload load 8b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 12 11
6ef880
+  [ payload load 6b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xffc0edfe 0x000000ee ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 13 12
6ef880
+  [ payload load 2b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000edfe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 14 13
6ef880
+  [ payload load 1b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x000000fe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+ip6 filter OUTPUT 15 14
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 3
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 4b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0302010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 4 3
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 4b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0302010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 5 4
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 4b @ network header + 24 => reg 1 ]
6ef880
+  [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ]
6ef880
+  [ cmp eq reg 1 0x0002010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 6 5
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 3b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0002010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 7 6
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 2b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000010a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 8 7
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 1b @ network header + 24 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000000a ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 9 8
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 10 9
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 6b @ network header + 18 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 11 10
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 6b @ network header + 18 => reg 1 ]
6ef880
+  [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 12 11
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 5b @ network header + 18 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe 0x000000ff ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 13 12
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 4b @ network header + 18 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 14 13
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 3b @ network header + 18 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000edfe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 15 14
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 2b @ network header + 18 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000edfe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+arp filter OUTPUT 16 15
6ef880
+  [ payload load 2b @ network header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000100 ]
6ef880
+  [ payload load 1b @ network header + 4 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000006 ]
6ef880
+  [ payload load 1b @ network header + 5 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x00000004 ]
6ef880
+  [ payload load 1b @ network header + 18 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x000000fe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+bridge filter OUTPUT 4
6ef880
+  [ payload load 6b @ link header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+bridge filter OUTPUT 5 4
6ef880
+  [ payload load 6b @ link header + 0 => reg 1 ]
6ef880
+  [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+bridge filter OUTPUT 6 5
6ef880
+  [ payload load 5b @ link header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe 0x000000ff ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+bridge filter OUTPUT 7 6
6ef880
+  [ payload load 4b @ link header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0xc000edfe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+bridge filter OUTPUT 8 7
6ef880
+  [ payload load 3b @ link header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000edfe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+bridge filter OUTPUT 9 8
6ef880
+  [ payload load 2b @ link header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x0000edfe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+
6ef880
+bridge filter OUTPUT 10 9
6ef880
+  [ payload load 1b @ link header + 0 => reg 1 ]
6ef880
+  [ cmp eq reg 1 0x000000fe ]
6ef880
+  [ counter pkts 0 bytes 0 ]
6ef880
+"
6ef880
+
6ef880
+diff -u -Z <(echo "$EXPECT") <(nft --debug=netlink list ruleset | awk '/^table/{exit} {print}')
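Review bot: `nft flush ruleset` near the top of the new script removes every nftables table in whatever network namespace the test runs in, and nothing in the file checks or states that this is a throwaway namespace. Presumably the test harness isolates each testcase, but anyone running this file directly as root on a host would drop that host's live firewall rules. A comment above the flush would make the precondition explicit, for example `# destructive: flushes the entire nftables ruleset; run only inside the harness's private netns`. Separately, `EXPECT` pins rule handles (`OUTPUT 5 4`) and register words such as `0x0302010a` as they print on a little-endian host, so the final `diff` likely fails on big-endian machines or if handle allocation changes; a short comment noting that assumption would help whoever has to debug a mismatch.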
6ef880
-- 
6ef880
2.28.0
6ef880