Blame SOURCES/0034-tests-shell-Add-test-for-bitwise-avoidance-fixes.patch

9c35a8
From 6aef90100bebe2b00d4edffe59fb9c43643816de Mon Sep 17 00:00:00 2001
9c35a8
From: Phil Sutter <phil@nwl.cc>
9c35a8
Date: Tue, 10 Nov 2020 14:50:46 +0100
9c35a8
Subject: [PATCH] tests/shell: Add test for bitwise avoidance fixes
9c35a8
9c35a8
Masked address matching was recently improved to avoid bitwise
9c35a8
expression if the given mask covers full bytes. Make use of nft netlink
9c35a8
debug output to assert iptables-nft generates the right bytecode for
9c35a8
each situation.
9c35a8
9c35a8
Signed-off-by: Phil Sutter <phil@nwl.cc>
9c35a8
(cherry picked from commit 81a2e128512837b53e5b9ea501b6c8dc64eeca78)
9c35a8
Signed-off-by: Phil Sutter <psutter@redhat.com>
9c35a8
---
9c35a8
 .../nft-only/0009-needless-bitwise_0          | 339 ++++++++++++++++++
9c35a8
 1 file changed, 339 insertions(+)
9c35a8
 create mode 100755 iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
9c35a8
9c35a8
diff --git a/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0 b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
9c35a8
new file mode 100755
9c35a8
index 0000000000000..c5c6e706a1029
9c35a8
--- /dev/null
9c35a8
+++ b/iptables/tests/shell/testcases/nft-only/0009-needless-bitwise_0
9c35a8
@@ -0,0 +1,339 @@
9c35a8
+#!/bin/bash -x
9c35a8
+
9c35a8
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
9c35a8
+set -e
9c35a8
+
9c35a8
+nft flush ruleset
9c35a8
+
9c35a8
+(
9c35a8
+	echo "*filter"
9c35a8
+	for plen in "" 32 30 24 16 8 0; do
9c35a8
+		addr="10.1.2.3${plen:+/}$plen"
9c35a8
+		echo "-A OUTPUT -d $addr"
9c35a8
+	done
9c35a8
+	echo "COMMIT"
9c35a8
+) | $XT_MULTI iptables-restore
9c35a8
+
9c35a8
+(
9c35a8
+	echo "*filter"
9c35a8
+	for plen in "" 128 124 120 112 88 80 64 48 16 8 0; do
9c35a8
+		addr="feed:c0ff:ee00:0102:0304:0506:0708:090A${plen:+/}$plen"
9c35a8
+		echo "-A OUTPUT -d $addr"
9c35a8
+	done
9c35a8
+	echo "COMMIT"
9c35a8
+) | $XT_MULTI ip6tables-restore
9c35a8
+
9c35a8
+masks="
9c35a8
+ff:ff:ff:ff:ff:ff
9c35a8
+ff:ff:ff:ff:ff:f0
9c35a8
+ff:ff:ff:ff:ff:00
9c35a8
+ff:ff:ff:ff:00:00
9c35a8
+ff:ff:ff:00:00:00
9c35a8
+ff:ff:00:00:00:00
9c35a8
+ff:00:00:00:00:00
9c35a8
+"
9c35a8
+(
9c35a8
+	echo "*filter"
9c35a8
+	for plen in "" 32 30 24 16 8 0; do
9c35a8
+		addr="10.1.2.3${plen:+/}$plen"
9c35a8
+		echo "-A OUTPUT -d $addr"
9c35a8
+	done
9c35a8
+	for mask in $masks; do
9c35a8
+		echo "-A OUTPUT --destination-mac fe:ed:00:c0:ff:ee/$mask"
9c35a8
+	done
9c35a8
+	echo "COMMIT"
9c35a8
+) | $XT_MULTI arptables-restore
9c35a8
+
9c35a8
+(
9c35a8
+	echo "*filter"
9c35a8
+	for mask in $masks; do
9c35a8
+		echo "-A OUTPUT -d fe:ed:00:c0:ff:ee/$mask"
9c35a8
+	done
9c35a8
+	echo "COMMIT"
9c35a8
+) | $XT_MULTI ebtables-restore
9c35a8
+
9c35a8
+EXPECT="ip filter OUTPUT 4
9c35a8
+  [ payload load 4b @ network header + 16 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0302010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip filter OUTPUT 5 4
9c35a8
+  [ payload load 4b @ network header + 16 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0302010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip filter OUTPUT 6 5
9c35a8
+  [ payload load 4b @ network header + 16 => reg 1 ]
9c35a8
+  [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ]
9c35a8
+  [ cmp eq reg 1 0x0002010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip filter OUTPUT 7 6
9c35a8
+  [ payload load 3b @ network header + 16 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0002010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip filter OUTPUT 8 7
9c35a8
+  [ payload load 2b @ network header + 16 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip filter OUTPUT 9 8
9c35a8
+  [ payload load 1b @ network header + 16 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000000a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip filter OUTPUT 10 9
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 4
9c35a8
+  [ payload load 16b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 5 4
9c35a8
+  [ payload load 16b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x0a090807 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 6 5
9c35a8
+  [ payload load 16b @ network header + 24 => reg 1 ]
9c35a8
+  [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0xffffffff 0xf0ffffff ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 7 6
9c35a8
+  [ payload load 15b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00090807 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 8 7
9c35a8
+  [ payload load 14b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x06050403 0x00000807 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 9 8
9c35a8
+  [ payload load 11b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00050403 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 10 9
9c35a8
+  [ payload load 10b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee 0x00000403 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 11 10
9c35a8
+  [ payload load 8b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x020100ee ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 12 11
9c35a8
+  [ payload load 6b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xffc0edfe 0x000000ee ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 13 12
9c35a8
+  [ payload load 2b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000edfe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 14 13
9c35a8
+  [ payload load 1b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x000000fe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+ip6 filter OUTPUT 15 14
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 3
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 4b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0302010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 4 3
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 4b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0302010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 5 4
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 4b @ network header + 24 => reg 1 ]
9c35a8
+  [ bitwise reg 1 = (reg=1 & 0xfcffffff ) ^ 0x00000000 ]
9c35a8
+  [ cmp eq reg 1 0x0002010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 6 5
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 3b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0002010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 7 6
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 2b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000010a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 8 7
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 1b @ network header + 24 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000000a ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 9 8
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 10 9
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 6b @ network header + 18 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 11 10
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 6b @ network header + 18 => reg 1 ]
9c35a8
+  [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 12 11
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 5b @ network header + 18 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe 0x000000ff ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 13 12
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 4b @ network header + 18 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 14 13
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 3b @ network header + 18 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000edfe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 15 14
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 2b @ network header + 18 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000edfe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+arp filter OUTPUT 16 15
9c35a8
+  [ payload load 2b @ network header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000100 ]
9c35a8
+  [ payload load 1b @ network header + 4 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000006 ]
9c35a8
+  [ payload load 1b @ network header + 5 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x00000004 ]
9c35a8
+  [ payload load 1b @ network header + 18 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x000000fe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+bridge filter OUTPUT 4
9c35a8
+  [ payload load 6b @ link header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe 0x0000eeff ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+bridge filter OUTPUT 5 4
9c35a8
+  [ payload load 6b @ link header + 0 => reg 1 ]
9c35a8
+  [ bitwise reg 1 = (reg=1 & 0xffffffff 0x0000f0ff ) ^ 0x00000000 0x00000000 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe 0x0000e0ff ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+bridge filter OUTPUT 6 5
9c35a8
+  [ payload load 5b @ link header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe 0x000000ff ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+bridge filter OUTPUT 7 6
9c35a8
+  [ payload load 4b @ link header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0xc000edfe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+bridge filter OUTPUT 8 7
9c35a8
+  [ payload load 3b @ link header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000edfe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+bridge filter OUTPUT 9 8
9c35a8
+  [ payload load 2b @ link header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x0000edfe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+
9c35a8
+bridge filter OUTPUT 10 9
9c35a8
+  [ payload load 1b @ link header + 0 => reg 1 ]
9c35a8
+  [ cmp eq reg 1 0x000000fe ]
9c35a8
+  [ counter pkts 0 bytes 0 ]
9c35a8
+"
9c35a8
+
9c35a8
+diff -u -Z <(echo "$EXPECT") <(nft --debug=netlink list ruleset | awk '/^table/{exit} {print}')
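Review bot: The unconditional `nft flush ruleset` near the top of the new script deletes every nftables table in the network namespace it runs in, and nothing in the file says so or checks that the namespace is disposable. Presumably the test runner isolates each case in its own namespace, but that is not visible in this patch, and a developer who runs the file directly on a workstation or server would lose the live firewall policy. I would add a comment above that line such as `# Destructive: wipes the entire nft ruleset; run only via the test runner in a throwaway netns`. The script also leaves its test rules installed after the final `diff`, so a closing `nft flush ruleset` (or a `trap ... EXIT`) would keep later cases from seeing this state if they ever share a namespace.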
9c35a8
-- 
9c35a8
2.28.0
9c35a8