|
|
911625 |
From 2e7cb6c2d46d9b8b91ff4b5d6797b7544c23ba44 Mon Sep 17 00:00:00 2001
|
|
|
911625 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
911625 |
Date: Mon, 13 Jan 2020 16:58:57 +0100
|
|
|
911625 |
Subject: [PATCH] monitor: Fix output for ranges in anonymous sets
|
|
|
911625 |
|
|
|
911625 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1774742
|
|
|
911625 |
Upstream Status: nftables commit ddbacd70d061e
|
|
|
911625 |
|
|
|
911625 |
commit ddbacd70d061eb1b6808f501969809bfb5d03001
|
|
|
911625 |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
911625 |
Date: Mon Jan 13 14:53:24 2020 +0100
|
|
|
911625 |
|
|
|
911625 |
monitor: Fix output for ranges in anonymous sets
|
|
|
911625 |
|
|
|
911625 |
Previous fix for named interval sets was simply wrong: Instead of
|
|
|
911625 |
limiting decomposing to anonymous interval sets, it effectively disabled
|
|
|
911625 |
it entirely.
|
|
|
911625 |
|
|
|
911625 |
Since code needs to check for both interval and anonymous bits
|
|
|
911625 |
separately, introduce set_is_interval() helper to keep the code
|
|
|
911625 |
readable.
|
|
|
911625 |
|
|
|
911625 |
Also extend test case to assert ranges in anonymous sets are correctly
|
|
|
911625 |
printed by echo or monitor modes. Without this fix, range boundaries are
|
|
|
911625 |
printed as individual set elements.
|
|
|
911625 |
|
|
|
911625 |
Fixes: 5d57fa3e99bb9 ("monitor: Do not decompose non-anonymous sets")
|
|
|
911625 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
911625 |
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
911625 |
---
|
|
|
911625 |
include/rule.h | 5 +++++
|
|
|
911625 |
src/monitor.c | 2 +-
|
|
|
911625 |
tests/monitor/testcases/set-interval.t | 5 +++++
|
|
|
911625 |
3 files changed, 11 insertions(+), 1 deletion(-)
|
|
|
911625 |
|
|
|
911625 |
diff --git a/include/rule.h b/include/rule.h
|
|
|
911625 |
index 0b2eba3..47eb29f 100644
|
|
|
911625 |
--- a/include/rule.h
|
|
|
911625 |
+++ b/include/rule.h
|
|
|
911625 |
@@ -363,6 +363,11 @@ static inline bool set_is_meter(uint32_t set_flags)
|
|
|
911625 |
return set_is_anonymous(set_flags) && (set_flags & NFT_SET_EVAL);
|
|
|
911625 |
}
|
|
|
911625 |
|
|
|
911625 |
+static inline bool set_is_interval(uint32_t set_flags)
|
|
|
911625 |
+{
|
|
|
911625 |
+ return set_flags & NFT_SET_INTERVAL;
|
|
|
911625 |
+}
|
|
|
911625 |
+
|
|
|
911625 |
#include <statement.h>
|
|
|
911625 |
|
|
|
911625 |
struct counter {
|
|
|
911625 |
diff --git a/src/monitor.c b/src/monitor.c
|
|
|
911625 |
index 0da9858..fb803cf 100644
|
|
|
911625 |
--- a/src/monitor.c
|
|
|
911625 |
+++ b/src/monitor.c
|
|
|
911625 |
@@ -500,7 +500,7 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
|
|
|
911625 |
|
|
|
911625 |
static void rule_map_decompose_cb(struct set *s, void *data)
|
|
|
911625 |
{
|
|
|
911625 |
- if (s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS))
|
|
|
911625 |
+ if (set_is_interval(s->flags) && set_is_anonymous(s->flags))
|
|
|
911625 |
interval_map_decompose(s->init);
|
|
|
911625 |
}
|
|
|
911625 |
|
|
|
911625 |
diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
|
|
|
911625 |
index 59930c5..1fbcfe2 100644
|
|
|
911625 |
--- a/tests/monitor/testcases/set-interval.t
|
|
|
911625 |
+++ b/tests/monitor/testcases/set-interval.t
|
|
|
911625 |
@@ -18,3 +18,8 @@ J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set"
|
|
|
911625 |
I add rule ip t c tcp dport @s
|
|
|
911625 |
O -
|
|
|
911625 |
J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
|
|
|
911625 |
+
|
|
|
911625 |
+# test anonymous interval sets as well
|
|
|
911625 |
+I add rule ip t c tcp dport { 20, 30-40 }
|
|
|
911625 |
+O -
|
|
|
911625 |
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}}
|
|
|
911625 |
--
|
|
|
8ff5ad |
2.31.1
|
|
|
911625 |
|