diff --git a/SOURCES/0001-src-use-new-range-expression-for-a-b-intervals.patch b/SOURCES/0001-src-use-new-range-expression-for-a-b-intervals.patch new file mode 100644 index 0000000..794b03e --- /dev/null +++ b/SOURCES/0001-src-use-new-range-expression-for-a-b-intervals.patch @@ -0,0 +1,2446 @@ +From 0c88dfebed17ad23e25e53740872a2c825c68e9d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 24 Feb 2017 17:01:36 +0100 +Subject: [PATCH] src: use new range expression for != [a,b] intervals + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1358705 +Upstream Status: nftables commit 3ed932917cc74 +Conflicts: +* Context change in nf_tables.h due to missing inverted lookup matching + support. +* Adjusted test case changes to missing commit 82dfc87c85f00 ("datatype: + time_type should send milliseconds to userspace"). + +commit 3ed932917cc744b489bd2706a55a1778b0b50c0e +Author: Pablo Neira Ayuso +Date: Tue Sep 20 19:25:25 2016 +0200 + + src: use new range expression for != [a,b] intervals + + Use new range expression in the kernel to fix wrong bytecode generation. + This patch also adjust tests so we don't hit problems there. + + 
Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/nf_tables.h | 29 +++++++++++++++++++++ + src/netlink_delinearize.c | 45 +++++++++++++++++++++++++++++++++ + src/netlink_linearize.c | 46 ++++++++++++++++------------------ + tests/py/any/ct.t.payload | 6 ++--- + tests/py/any/meta.t.payload | 18 +++++-------- + tests/py/arp/arp.t.payload | 9 +++---- + tests/py/arp/arp.t.payload.netdev | 9 +++---- + tests/py/inet/ah.t.payload.inet | 12 +++------ + tests/py/inet/ah.t.payload.ip | 12 +++------ + tests/py/inet/ah.t.payload.ip6 | 12 +++------ + tests/py/inet/ah.t.payload.netdev | 12 +++------ + tests/py/inet/comp.t.payload.inet | 6 ++--- + tests/py/inet/comp.t.payload.ip | 6 ++--- + tests/py/inet/comp.t.payload.ip6 | 6 ++--- + tests/py/inet/comp.t.payload.netdev | 6 ++--- + tests/py/inet/dccp.t.payload.inet | 3 +-- + tests/py/inet/dccp.t.payload.ip | 3 +-- + tests/py/inet/dccp.t.payload.ip6 | 3 +-- + tests/py/inet/dccp.t.payload.netdev | 3 +-- + tests/py/inet/esp.t.payload.inet | 6 ++--- + tests/py/inet/esp.t.payload.ip | 6 ++--- + tests/py/inet/esp.t.payload.ip6 | 6 ++--- + tests/py/inet/esp.t.payload.netdev | 6 ++--- + tests/py/inet/sctp.t.payload.inet | 12 +++------ + tests/py/inet/sctp.t.payload.ip | 12 +++------ + tests/py/inet/sctp.t.payload.ip6 | 12 +++------ + tests/py/inet/sctp.t.payload.netdev | 12 +++------ + tests/py/inet/tcp.t.payload.inet | 21 ++++++---------- + tests/py/inet/tcp.t.payload.ip | 21 ++++++---------- + tests/py/inet/tcp.t.payload.ip6 | 21 ++++++---------- + tests/py/inet/tcp.t.payload.netdev | 21 ++++++---------- + tests/py/inet/udp.t.payload.inet | 12 +++------ + tests/py/inet/udp.t.payload.ip | 12 +++------ + tests/py/inet/udp.t.payload.ip6 | 12 +++------ + tests/py/inet/udp.t.payload.netdev | 12 +++------ + tests/py/inet/udplite.t.payload.inet | 9 +++---- + tests/py/inet/udplite.t.payload.ip | 9 +++---- + tests/py/inet/udplite.t.payload.ip6 | 9 +++---- + tests/py/inet/udplite.t.payload.netdev | 9 +++---- + 
tests/py/ip/dnat.t.payload.ip | 6 ++--- + tests/py/ip/icmp.t.payload.ip | 18 +++++-------- + tests/py/ip/ip.t.payload | 24 ++++++------------ + tests/py/ip/ip.t.payload.inet | 24 ++++++------------ + tests/py/ip/ip.t.payload.netdev | 24 ++++++------------ + tests/py/ip/snat.t.payload | 6 ++--- + tests/py/ip6/dst.t.payload.inet | 6 ++--- + tests/py/ip6/dst.t.payload.ip6 | 6 ++--- + tests/py/ip6/frag.t.payload.inet | 9 +++---- + tests/py/ip6/frag.t.payload.ip6 | 9 +++---- + tests/py/ip6/hbh.t.payload.inet | 6 ++--- + tests/py/ip6/hbh.t.payload.ip6 | 6 ++--- + tests/py/ip6/icmpv6.t.payload.ip6 | 9 +++---- + tests/py/ip6/ip6.t.payload.inet | 12 +++------ + tests/py/ip6/ip6.t.payload.ip6 | 12 +++------ + tests/py/ip6/mh.t.payload.inet | 12 +++------ + tests/py/ip6/mh.t.payload.ip6 | 12 +++------ + tests/py/ip6/rt.t.payload.inet | 12 +++------ + tests/py/ip6/rt.t.payload.ip6 | 12 +++------ + 58 files changed, 292 insertions(+), 419 deletions(-) + +diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h +index eeffde1..0df2ccc 100644 +--- a/include/linux/netfilter/nf_tables.h ++++ b/include/linux/netfilter/nf_tables.h +@@ -542,6 +542,35 @@ enum nft_cmp_attributes { + #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) + + /** ++ * enum nft_range_ops - nf_tables range operator ++ * ++ * @NFT_RANGE_EQ: equal ++ * @NFT_RANGE_NEQ: not equal ++ */ ++enum nft_range_ops { ++ NFT_RANGE_EQ, ++ NFT_RANGE_NEQ, ++}; ++ ++/** ++ * enum nft_range_attributes - nf_tables range expression netlink attributes ++ * ++ * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers) ++ * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_cmp_ops) ++ * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes) ++ * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes) ++ */ ++enum nft_range_attributes { ++ NFTA_RANGE_UNSPEC, ++ NFTA_RANGE_SREG, ++ NFTA_RANGE_OP, ++ NFTA_RANGE_FROM_DATA, ++ NFTA_RANGE_TO_DATA, ++ __NFTA_RANGE_MAX ++}; 
++#define NFTA_RANGE_MAX (__NFTA_RANGE_MAX - 1) ++ ++/** + * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes + * + * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING) +diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c +index 9e26078..c3f0773 100644 +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -193,6 +193,46 @@ static void netlink_parse_immediate(struct netlink_parse_ctx *ctx, + netlink_set_register(ctx, dreg, expr); + } + ++static enum ops netlink_parse_range_op(const struct nftnl_expr *nle) ++{ ++ switch (nftnl_expr_get_u32(nle, NFTNL_EXPR_RANGE_OP)) { ++ case NFT_RANGE_EQ: ++ return OP_EQ; ++ case NFT_RANGE_NEQ: ++ return OP_NEQ; ++ default: ++ return OP_INVALID; ++ } ++} ++ ++static void netlink_parse_range(struct netlink_parse_ctx *ctx, ++ const struct location *loc, ++ const struct nftnl_expr *nle) ++{ ++ struct expr *expr, *left, *right, *from, *to; ++ struct nft_data_delinearize nld; ++ enum nft_registers sreg; ++ enum ops op; ++ ++ sreg = netlink_parse_register(nle, NFTNL_EXPR_RANGE_SREG); ++ left = netlink_get_register(ctx, loc, sreg); ++ if (left == NULL) ++ return netlink_error(ctx, loc, ++ "Relational expression has no left hand side"); ++ ++ op = netlink_parse_range_op(nle); ++ ++ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_RANGE_FROM_DATA, &nld.len); ++ from = netlink_alloc_value(loc, &nld); ++ ++ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_RANGE_TO_DATA, &nld.len); ++ to = netlink_alloc_value(loc, &nld); ++ ++ right = range_expr_alloc(loc, from, to); ++ expr = relational_expr_alloc(loc, op, left, right); ++ ctx->stmt = expr_stmt_alloc(loc, expr); ++} ++ + static enum ops netlink_parse_cmp_op(const struct nftnl_expr *nle) + { + switch (nftnl_expr_get_u32(nle, NFTNL_EXPR_CMP_OP)) { +@@ -986,6 +1026,7 @@ static const struct { + { .name = "counter", .parse = netlink_parse_counter }, + { .name = "log", .parse = netlink_parse_log }, + { .name = "limit", .parse = 
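Review bot: The kernel-doc line for `@NFTA_RANGE_OP` in the new `nft_range_attributes` comment names the wrong enum. It says `nft_cmp_ops`, but the operators defined just above it are `nft_range_ops`, and the linearizer in this same patch stores `NFT_RANGE_NEQ` in that attribute. Only EQ and NEQ exist for range, so a reader who follows the comment could supply a cmp operator that the range enum does not define. Suggested wording: ` * @NFTA_RANGE_OP: range operation (NLA_U32: nft_range_ops)`. The file appears to be a copy of the kernel UAPI header, so the text is best corrected where it is maintained and re-imported.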
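Review bot: `netlink_parse_range()` uses the result of `netlink_parse_range_op()` unchecked, so any operator other than `NFT_RANGE_EQ`/`NFT_RANGE_NEQ` reaches `relational_expr_alloc()` as `OP_INVALID` instead of being reported. This path renders what the kernel has loaded, and that listing is what an administrator audits, so an unknown operator should fail loudly: `if (op == OP_INVALID) return netlink_error(ctx, loc, "Invalid range operation");` right after the call. Separately, `nld` is declared without an initializer and neither `nftnl_expr_get()` result is checked. If the FROM or TO attribute is absent, I would expect a NULL value with `nld.len` left unset to be passed to `netlink_alloc_value()`, so a NULL check per bound (or `nld = {0}`) is worth adding.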
netlink_parse_limit }, ++ { .name = "range", .parse = netlink_parse_range }, + { .name = "reject", .parse = netlink_parse_reject }, + { .name = "nat", .parse = netlink_parse_nat }, + { .name = "masq", .parse = netlink_parse_masq }, +@@ -1303,6 +1344,10 @@ static void binop_adjust(struct expr *expr, unsigned int shift) + } + } + break; ++ case EXPR_RANGE: ++ binop_adjust_one(binop, right->left, shift); ++ binop_adjust_one(binop, right->right, shift); ++ break; + default: + BUG("unknown expression type %s\n", expr->ops->name); + break; +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index 98c22d8..ffc3f57 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -334,45 +334,41 @@ static void netlink_gen_range(struct netlink_linearize_ctx *ctx, + sreg = get_register(ctx, expr->left); + netlink_gen_expr(ctx, expr->left, sreg); + +- nle = alloc_nft_expr("cmp"); +- netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); + switch (expr->op) { + case OP_NEQ: +- nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, +- netlink_gen_cmp_op(OP_LT)); ++ nle = alloc_nft_expr("range"); ++ netlink_put_register(nle, NFTNL_EXPR_RANGE_SREG, sreg); ++ nftnl_expr_set_u32(nle, NFTNL_EXPR_RANGE_OP, NFT_RANGE_NEQ); ++ netlink_gen_data(range->left, &nld); ++ nftnl_expr_set(nle, NFTNL_EXPR_RANGE_FROM_DATA, ++ nld.value, nld.len); ++ netlink_gen_data(range->right, &nld); ++ nftnl_expr_set(nle, NFTNL_EXPR_RANGE_TO_DATA, ++ nld.value, nld.len); ++ nftnl_rule_add_expr(ctx->nlr, nle); + break; + case OP_RANGE: + case OP_EQ: ++ nle = alloc_nft_expr("cmp"); ++ netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); + nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, + netlink_gen_cmp_op(OP_GTE)); +- break; +- default: +- BUG("invalid range operation %u\n", expr->op); +- } +- +- netlink_gen_data(range->left, &nld); +- nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len); +- nftnl_rule_add_expr(ctx->nlr, nle); ++ netlink_gen_data(range->left, &nld); ++ nftnl_expr_set(nle, 
NFTNL_EXPR_CMP_DATA, nld.value, nld.len); ++ nftnl_rule_add_expr(ctx->nlr, nle); + +- nle = alloc_nft_expr("cmp"); +- netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); +- switch (expr->op) { +- case OP_NEQ: +- nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, +- netlink_gen_cmp_op(OP_GT)); +- break; +- case OP_RANGE: +- case OP_EQ: ++ nle = alloc_nft_expr("cmp"); ++ netlink_put_register(nle, NFTNL_EXPR_CMP_SREG, sreg); + nftnl_expr_set_u32(nle, NFTNL_EXPR_CMP_OP, + netlink_gen_cmp_op(OP_LTE)); ++ netlink_gen_data(range->right, &nld); ++ nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len); ++ nftnl_rule_add_expr(ctx->nlr, nle); + break; + default: + BUG("invalid range operation %u\n", expr->op); +- } + +- netlink_gen_data(range->right, &nld); +- nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len); +- nftnl_rule_add_expr(ctx->nlr, nle); ++ } + + release_register(ctx, expr->left); + } +diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload +index 7ed3338..26bcf26 100644 +--- a/tests/py/any/ct.t.payload ++++ b/tests/py/any/ct.t.payload +@@ -155,8 +155,7 @@ ip test-ip4 output + ip test-ip4 output + [ ct load mark => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp lt reg 1 0x32000000 ] +- [ cmp gt reg 1 0x45000000 ] ++ [ range neq reg 1 0x32000000 0x45000000 ] + + # ct mark {0x32, 0x2222, 0x42de3} + __set%d test-ip4 3 +@@ -221,8 +220,7 @@ ip test-ip4 output + ip test-ip4 output + [ ct load expiration => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp lt reg 1 0x21000000 ] +- [ cmp gt reg 1 0x2d000000 ] ++ [ range neq reg 1 0x21000000 0x2d000000 ] + + # ct expiration {33, 55, 67, 88} + __set%d test-ip4 3 +diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload +index d584873..00a2f20 100644 +--- a/tests/py/any/meta.t.payload ++++ b/tests/py/any/meta.t.payload +@@ -24,8 +24,7 @@ ip test-ip4 input + ip test-ip4 input + [ meta load len => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp lt reg 1 
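Review bot: The `OP_NEQ` branch of `netlink_gen_range()` now emits a single `range` expression while `OP_EQ`/`OP_RANGE` keep the two-`cmp` sequence, and nothing in the code says why the cases differ. A short comment on the `OP_NEQ` case would preserve the reasoning, e.g. `/* consecutive cmp exprs are ANDed, so "lt from" + "gt to" can never match; != needs one range expr */`. It is also worth documenting that `!= a-b` rules now depend on the running kernel providing the range expression. Loading such a rule on a kernel without it presumably fails, and rule-deployment tooling should treat that as an error rather than continue with a partial ruleset. The function begins above the hunk, so the declarations of `nle`, `nld` and `range` are not visible here.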
0x21000000 ] +- [ cmp gt reg 1 0x2d000000 ] ++ [ range neq reg 1 0x21000000 0x2d000000 ] + + # meta length { 33, 55, 67, 88} + __set%d test-ip4 3 +@@ -119,8 +118,7 @@ ip test-ip4 input + ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 2, 1) ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # meta l4proto { 33, 55, 67, 88} + __set%d test-ip4 3 +@@ -391,8 +389,7 @@ ip test-ip4 input + ip test-ip4 input + [ meta load skuid => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp lt reg 1 0xd1070000 ] +- [ cmp gt reg 1 0xd5070000 ] ++ [ range neq reg 1 0xd1070000 0xd5070000 ] + [ immediate reg 0 accept ] + + # meta skuid { 2001-2005} accept +@@ -456,8 +453,7 @@ ip test-ip4 input + ip test-ip4 input + [ meta load skgid => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp lt reg 1 0xd1070000 ] +- [ cmp gt reg 1 0xd5070000 ] ++ [ range neq reg 1 0xd1070000 0xd5070000 ] + [ immediate reg 0 accept ] + + # meta skgid { 2001-2005} accept +@@ -601,8 +597,7 @@ ip test-ip4 input + ip test-ip4 input + [ meta load cpu => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp lt reg 1 0x01000000 ] +- [ cmp gt reg 1 0x02000000 ] ++ [ range neq reg 1 0x01000000 0x02000000 ] + + # meta cpu { 2,3} + __set%d test-ip4 3 +@@ -740,8 +735,7 @@ ip test-ip4 input + ip test-ip4 input + [ meta load cgroup => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp lt reg 1 0x01001000 ] +- [ cmp gt reg 1 0x02001000 ] ++ [ range neq reg 1 0x01001000 0x02001000 ] + + # meta cgroup {1048577-1048578} + __set%d test-ip4 7 +diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload +index 31c3024..5b8f8d5 100644 +--- a/tests/py/arp/arp.t.payload ++++ b/tests/py/arp/arp.t.payload +@@ -27,8 +27,7 @@ arp test-arp input + # arp htype != 33-45 + arp test-arp input + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ 
[ range neq reg 1 0x00002100 0x00002d00 ] + + # arp htype { 33, 55, 67, 88} + __set%d test-arp 3 +@@ -70,8 +69,7 @@ arp test-arp input + # arp hlen != 33-45 + arp test-arp input + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # arp hlen { 33, 55, 67, 88} + __set%d test-arp 3 +@@ -108,8 +106,7 @@ arp test-arp input + # arp plen != 33-45 + arp test-arp input + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # arp plen { 33, 55, 67, 88} + __set%d test-arp 3 +diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev +index a64ebea..5188ed7 100644 +--- a/tests/py/arp/arp.t.payload.netdev ++++ b/tests/py/arp/arp.t.payload.netdev +@@ -39,8 +39,7 @@ netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000608 ] + [ payload load 2b @ network header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # arp htype { 33, 55, 67, 88} + __set%d test-netdev 3 +@@ -96,8 +95,7 @@ netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000608 ] + [ payload load 1b @ network header + 4 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # arp hlen { 33, 55, 67, 88} + __set%d test-netdev 3 +@@ -146,8 +144,7 @@ netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000608 ] + [ payload load 1b @ network header + 5 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # arp plen { 33, 55, 67, 88} + __set%d test-netdev 3 +diff --git a/tests/py/inet/ah.t.payload.inet b/tests/py/inet/ah.t.payload.inet +index 739386a..1e56797 100644 +--- 
a/tests/py/inet/ah.t.payload.inet ++++ b/tests/py/inet/ah.t.payload.inet +@@ -11,8 +11,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 0x0000000b ] +- [ cmp gt reg 1 0x00000017 ] ++ [ range neq reg 1 0x0000000b 0x00000017 ] + + # ah hdrlength { 11-23} + __set%d test-inet 7 +@@ -61,8 +60,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # ah reserved {23, 100} + __set%d test-inet 3 +@@ -111,8 +109,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # ah spi {111, 122} + __set%d test-inet 3 +@@ -181,6 +178,5 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] +- [ cmp lt reg 1 0x17000000 ] +- [ cmp gt reg 1 0x21000000 ] ++ [ range neq reg 1 0x17000000 0x21000000 ] + +diff --git a/tests/py/inet/ah.t.payload.ip b/tests/py/inet/ah.t.payload.ip +index b989948..5ad0041 100644 +--- a/tests/py/inet/ah.t.payload.ip ++++ b/tests/py/inet/ah.t.payload.ip +@@ -11,8 +11,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 0x0000000b ] +- [ cmp gt reg 1 0x00000017 ] ++ [ range neq reg 1 0x0000000b 0x00000017 ] + + # ah hdrlength { 11-23} + __set%d test-ip4 7 +@@ -61,8 +60,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ 
cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # ah reserved {23, 100} + __set%d test-ip4 3 +@@ -111,8 +109,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # ah spi {111, 122} + __set%d test-ip4 3 +@@ -181,6 +178,5 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] +- [ cmp lt reg 1 0x17000000 ] +- [ cmp gt reg 1 0x21000000 ] ++ [ range neq reg 1 0x17000000 0x21000000 ] + +diff --git a/tests/py/inet/ah.t.payload.ip6 b/tests/py/inet/ah.t.payload.ip6 +index 95eae66..c57a28a 100644 +--- a/tests/py/inet/ah.t.payload.ip6 ++++ b/tests/py/inet/ah.t.payload.ip6 +@@ -11,8 +11,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 0x0000000b ] +- [ cmp gt reg 1 0x00000017 ] ++ [ range neq reg 1 0x0000000b 0x00000017 ] + + # ah hdrlength { 11-23} + __set%d test-ip6 7 +@@ -61,8 +60,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # ah reserved {23, 100} + __set%d test-ip6 3 +@@ -111,8 +109,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # ah spi {111, 122} + __set%d test-ip6 3 +@@ -181,6 +178,5 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ 
cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] +- [ cmp lt reg 1 0x17000000 ] +- [ cmp gt reg 1 0x21000000 ] ++ [ range neq reg 1 0x17000000 0x21000000 ] + +diff --git a/tests/py/inet/ah.t.payload.netdev b/tests/py/inet/ah.t.payload.netdev +index 55eea13..e06811d 100644 +--- a/tests/py/inet/ah.t.payload.netdev ++++ b/tests/py/inet/ah.t.payload.netdev +@@ -11,8 +11,7 @@ netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 0x0000000b ] +- [ cmp gt reg 1 0x00000017 ] ++ [ range neq reg 1 0x0000000b 0x00000017 ] + + # ah hdrlength { 11-23} + __set%d test-netdev 7 +@@ -61,8 +60,7 @@ netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # ah reserved {23, 100} + __set%d test-netdev 3 +@@ -111,8 +109,7 @@ netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # ah spi {111, 122} + __set%d test-netdev 3 +@@ -181,6 +178,5 @@ netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] +- [ cmp lt reg 1 0x17000000 ] +- [ cmp gt reg 1 0x21000000 ] ++ [ range neq reg 1 0x17000000 0x21000000 ] + +diff --git a/tests/py/inet/comp.t.payload.inet b/tests/py/inet/comp.t.payload.inet +index eff32b7..cdeba2b 100644 +--- a/tests/py/inet/comp.t.payload.inet ++++ b/tests/py/inet/comp.t.payload.inet +@@ -32,8 +32,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 
0x00000033 ] +- [ cmp gt reg 1 0x00000045 ] ++ [ range neq reg 1 0x00000033 0x00000045 ] + + # comp flags {0x33, 0x55, 0x67, 0x88} + __set%d test-inet 3 +@@ -82,8 +81,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # comp cpi {33, 55, 67, 88} + __set%d test-inet 3 +diff --git a/tests/py/inet/comp.t.payload.ip b/tests/py/inet/comp.t.payload.ip +index b2a8ab4..9da8f94 100644 +--- a/tests/py/inet/comp.t.payload.ip ++++ b/tests/py/inet/comp.t.payload.ip +@@ -32,8 +32,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000033 ] +- [ cmp gt reg 1 0x00000045 ] ++ [ range neq reg 1 0x00000033 0x00000045 ] + + # comp flags {0x33, 0x55, 0x67, 0x88} + __set%d test-ip4 3 +@@ -82,8 +81,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # comp cpi {33, 55, 67, 88} + __set%d test-ip4 3 +diff --git a/tests/py/inet/comp.t.payload.ip6 b/tests/py/inet/comp.t.payload.ip6 +index f179998..69a13ed 100644 +--- a/tests/py/inet/comp.t.payload.ip6 ++++ b/tests/py/inet/comp.t.payload.ip6 +@@ -32,8 +32,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000033 ] +- [ cmp gt reg 1 0x00000045 ] ++ [ range neq reg 1 0x00000033 0x00000045 ] + + # comp flags {0x33, 0x55, 0x67, 0x88} + __set%d test-ip6 3 +@@ -82,8 +81,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ 
payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # comp cpi {33, 55, 67, 88} + __set%d test-ip6 3 +diff --git a/tests/py/inet/comp.t.payload.netdev b/tests/py/inet/comp.t.payload.netdev +index eff32b7..cdeba2b 100644 +--- a/tests/py/inet/comp.t.payload.netdev ++++ b/tests/py/inet/comp.t.payload.netdev +@@ -32,8 +32,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000033 ] +- [ cmp gt reg 1 0x00000045 ] ++ [ range neq reg 1 0x00000033 0x00000045 ] + + # comp flags {0x33, 0x55, 0x67, 0x88} + __set%d test-inet 3 +@@ -82,8 +81,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # comp cpi {33, 55, 67, 88} + __set%d test-inet 3 +diff --git a/tests/py/inet/dccp.t.payload.inet b/tests/py/inet/dccp.t.payload.inet +index f5aacf6..ccba6d0 100644 +--- a/tests/py/inet/dccp.t.payload.inet ++++ b/tests/py/inet/dccp.t.payload.inet +@@ -11,8 +11,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00001500 ] +- [ cmp gt reg 1 0x00002300 ] ++ [ range neq reg 1 0x00001500 0x00002300 ] + + # dccp sport {23, 24, 25} + __set%d test-inet 3 +diff --git a/tests/py/inet/dccp.t.payload.ip b/tests/py/inet/dccp.t.payload.ip +index bda8dfd..a02247f 100644 +--- a/tests/py/inet/dccp.t.payload.ip ++++ b/tests/py/inet/dccp.t.payload.ip +@@ -11,8 +11,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00001500 ] +- [ cmp gt reg 1 0x00002300 ] 
++ [ range neq reg 1 0x00001500 0x00002300 ] + + # dccp sport {23, 24, 25} + __set%d test-ip4 3 +diff --git a/tests/py/inet/dccp.t.payload.ip6 b/tests/py/inet/dccp.t.payload.ip6 +index f78f983..c81a3a0 100644 +--- a/tests/py/inet/dccp.t.payload.ip6 ++++ b/tests/py/inet/dccp.t.payload.ip6 +@@ -11,8 +11,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00001500 ] +- [ cmp gt reg 1 0x00002300 ] ++ [ range neq reg 1 0x00001500 0x00002300 ] + + # dccp sport {23, 24, 25} + __set%d test-ip4 3 +diff --git a/tests/py/inet/dccp.t.payload.netdev b/tests/py/inet/dccp.t.payload.netdev +index abed6b2..abb1fb9 100644 +--- a/tests/py/inet/dccp.t.payload.netdev ++++ b/tests/py/inet/dccp.t.payload.netdev +@@ -11,8 +11,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00001500 ] +- [ cmp gt reg 1 0x00002300 ] ++ [ range neq reg 1 0x00001500 0x00002300 ] + + # dccp sport {23, 24, 25} + __set%d test-inet 3 +diff --git a/tests/py/inet/esp.t.payload.inet b/tests/py/inet/esp.t.payload.inet +index 5f3a0da..d41f766 100644 +--- a/tests/py/inet/esp.t.payload.inet ++++ b/tests/py/inet/esp.t.payload.inet +@@ -25,8 +25,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # esp spi { 100, 102} + __set%d test-inet 3 +@@ -68,8 +67,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x16000000 ] +- [ cmp gt reg 1 0x18000000 ] ++ [ range neq reg 1 0x16000000 0x18000000 ] + + # esp sequence { 22, 24} + __set%d test-inet 3 +diff --git 
a/tests/py/inet/esp.t.payload.ip b/tests/py/inet/esp.t.payload.ip +index cf52678..5de41ae 100644 +--- a/tests/py/inet/esp.t.payload.ip ++++ b/tests/py/inet/esp.t.payload.ip +@@ -25,8 +25,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # esp spi { 100, 102} + __set%d test-ip4 3 +@@ -68,8 +67,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x16000000 ] +- [ cmp gt reg 1 0x18000000 ] ++ [ range neq reg 1 0x16000000 0x18000000 ] + + # esp sequence { 22, 24} + __set%d test-ip4 3 +diff --git a/tests/py/inet/esp.t.payload.ip6 b/tests/py/inet/esp.t.payload.ip6 +index 982412d..0bc2e70 100644 +--- a/tests/py/inet/esp.t.payload.ip6 ++++ b/tests/py/inet/esp.t.payload.ip6 +@@ -25,8 +25,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # esp spi { 100, 102} + __set%d test-ip6 3 +@@ -68,8 +67,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x16000000 ] +- [ cmp gt reg 1 0x18000000 ] ++ [ range neq reg 1 0x16000000 0x18000000 ] + + # esp sequence { 22, 24} + __set%d test-ip6 3 +diff --git a/tests/py/inet/esp.t.payload.netdev b/tests/py/inet/esp.t.payload.netdev +index 5f3a0da..d41f766 100644 +--- a/tests/py/inet/esp.t.payload.netdev ++++ b/tests/py/inet/esp.t.payload.netdev +@@ -25,8 +25,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 
4b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x6f000000 ] +- [ cmp gt reg 1 0xde000000 ] ++ [ range neq reg 1 0x6f000000 0xde000000 ] + + # esp spi { 100, 102} + __set%d test-inet 3 +@@ -68,8 +67,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x16000000 ] +- [ cmp gt reg 1 0x18000000 ] ++ [ range neq reg 1 0x16000000 0x18000000 ] + + # esp sequence { 22, 24} + __set%d test-inet 3 +diff --git a/tests/py/inet/sctp.t.payload.inet b/tests/py/inet/sctp.t.payload.inet +index 9c68a8c..bc7fe7c 100644 +--- a/tests/py/inet/sctp.t.payload.inet ++++ b/tests/py/inet/sctp.t.payload.inet +@@ -25,8 +25,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00001700 ] +- [ cmp gt reg 1 0x00002c00 ] ++ [ range neq reg 1 0x00001700 0x00002c00 ] + + # sctp sport { 23, 24, 25} + __set%d test-inet 3 +@@ -75,8 +74,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00001700 ] +- [ cmp gt reg 1 0x00002c00 ] ++ [ range neq reg 1 0x00001700 0x00002c00 ] + + # sctp dport { 23, 24, 25} + __set%d test-inet 3 +@@ -125,8 +123,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] +- [ cmp lt reg 1 0x20000000 ] +- [ cmp gt reg 1 0x6f000000 ] ++ [ range neq reg 1 0x20000000 0x6f000000 ] + + # sctp checksum { 22, 33, 44} + __set%d test-inet 3 +@@ -175,8 +172,7 @@ inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x21000000 ] +- [ cmp gt reg 1 0x2d000000 ] ++ [ range neq reg 1 0x21000000 0x2d000000 ] + + # sctp vtag {33, 55, 67, 88} + __set%d test-inet 3 +diff --git 
a/tests/py/inet/sctp.t.payload.ip b/tests/py/inet/sctp.t.payload.ip +index 6e07a4c..fa6ea43 100644 +--- a/tests/py/inet/sctp.t.payload.ip ++++ b/tests/py/inet/sctp.t.payload.ip +@@ -25,8 +25,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00001700 ] +- [ cmp gt reg 1 0x00002c00 ] ++ [ range neq reg 1 0x00001700 0x00002c00 ] + + # sctp sport { 23, 24, 25} + __set%d test-ip4 3 +@@ -75,8 +74,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00001700 ] +- [ cmp gt reg 1 0x00002c00 ] ++ [ range neq reg 1 0x00001700 0x00002c00 ] + + # sctp dport { 23, 24, 25} + __set%d test-ip4 3 +@@ -125,8 +123,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] +- [ cmp lt reg 1 0x20000000 ] +- [ cmp gt reg 1 0x6f000000 ] ++ [ range neq reg 1 0x20000000 0x6f000000 ] + + # sctp checksum { 22, 33, 44} + __set%d test-ip4 3 +@@ -175,8 +172,7 @@ ip test-ip4 input + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x21000000 ] +- [ cmp gt reg 1 0x2d000000 ] ++ [ range neq reg 1 0x21000000 0x2d000000 ] + + # sctp vtag {33, 55, 67, 88} + __set%d test-ip4 3 +diff --git a/tests/py/inet/sctp.t.payload.ip6 b/tests/py/inet/sctp.t.payload.ip6 +index 579609b..5d11369 100644 +--- a/tests/py/inet/sctp.t.payload.ip6 ++++ b/tests/py/inet/sctp.t.payload.ip6 +@@ -25,8 +25,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] +- [ cmp lt reg 1 0x00001700 ] +- [ cmp gt reg 1 0x00002c00 ] ++ [ range neq reg 1 0x00001700 0x00002c00 ] + + # sctp 
sport { 23, 24, 25}
+ __set%d test-ip6 3
+@@ -75,8 +74,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00001700 ]
+- [ cmp gt reg 1 0x00002c00 ]
++ [ range neq reg 1 0x00001700 0x00002c00 ]
+
+ # sctp dport { 23, 24, 25}
+ __set%d test-ip6 3
+@@ -125,8 +123,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x20000000 ]
+- [ cmp gt reg 1 0x6f000000 ]
++ [ range neq reg 1 0x20000000 0x6f000000 ]
+
+ # sctp checksum { 22, 33, 44}
+ __set%d test-ip6 3
+@@ -175,8 +172,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # sctp vtag {33, 55, 67, 88}
+ __set%d test-ip6 3
+diff --git a/tests/py/inet/sctp.t.payload.netdev b/tests/py/inet/sctp.t.payload.netdev
+index 9c68a8c..bc7fe7c 100644
+--- a/tests/py/inet/sctp.t.payload.netdev
++++ b/tests/py/inet/sctp.t.payload.netdev
+@@ -25,8 +25,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00001700 ]
+- [ cmp gt reg 1 0x00002c00 ]
++ [ range neq reg 1 0x00001700 0x00002c00 ]
+
+ # sctp sport { 23, 24, 25}
+ __set%d test-inet 3
+@@ -75,8 +74,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00001700 ]
+- [ cmp gt reg 1 0x00002c00 ]
++ [ range neq reg 1 0x00001700 0x00002c00 ]
+
+ # sctp dport { 23, 24, 25}
+ __set%d test-inet 3
+@@ -125,8 +123,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [
payload load 4b @ transport header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x20000000 ]
+- [ cmp gt reg 1 0x6f000000 ]
++ [ range neq reg 1 0x20000000 0x6f000000 ]
+
+ # sctp checksum { 22, 33, 44}
+ __set%d test-inet 3
+@@ -175,8 +172,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # sctp vtag {33, 55, 67, 88}
+ __set%d test-inet 3
+diff --git a/tests/py/inet/tcp.t.payload.inet b/tests/py/inet/tcp.t.payload.inet
+index 9c3fbbf..354d013 100644
+--- a/tests/py/inet/tcp.t.payload.inet
++++ b/tests/py/inet/tcp.t.payload.inet
+@@ -25,8 +25,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp dport { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -116,8 +115,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp sport { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -217,8 +215,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp sequence { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -275,8 +272,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp ackseq { 33, 55, 67, 88}
+
__set%d test-inet 3
+@@ -358,8 +354,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp window { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -408,8 +403,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp checksum { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -466,8 +460,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp urgptr { 33, 55, 67, 88}
+ __set%d test-inet 3
+diff --git a/tests/py/inet/tcp.t.payload.ip b/tests/py/inet/tcp.t.payload.ip
+index 75cbe70..d70a176 100644
+--- a/tests/py/inet/tcp.t.payload.ip
++++ b/tests/py/inet/tcp.t.payload.ip
+@@ -25,8 +25,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp dport { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -116,8 +115,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp sport { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -217,8 +215,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @
transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp sequence { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -275,8 +272,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp ackseq { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -358,8 +354,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp window { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -408,8 +403,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp checksum { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -466,8 +460,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp urgptr { 33, 55, 67, 88}
+ __set%d test-ip4 3
+diff --git a/tests/py/inet/tcp.t.payload.ip6 b/tests/py/inet/tcp.t.payload.ip6
+index f65f9b8..4e9c413 100644
+--- a/tests/py/inet/tcp.t.payload.ip6
++++ b/tests/py/inet/tcp.t.payload.ip6
+@@ -25,8 +25,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1
0x00002100 0x00002d00 ]
+
+ # tcp dport { 33, 55, 67, 88}
+ __set%d test-ip6 3
+@@ -116,8 +115,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp sport { 33, 55, 67, 88}
+ __set%d test-ip6 3
+@@ -217,8 +215,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp sequence { 33, 55, 67, 88}
+ __set%d test-ip6 3
+@@ -275,8 +272,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp ackseq { 33, 55, 67, 88}
+ __set%d test-ip6 3
+@@ -358,8 +354,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp window { 33, 55, 67, 88}
+ __set%d test-ip6 3
+@@ -408,8 +403,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp checksum { 33, 55, 67, 88}
+ __set%d test-ip6 3
+@@ -466,8 +460,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt
reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp urgptr { 33, 55, 67, 88}
+ __set%d test-ip6 3
+diff --git a/tests/py/inet/tcp.t.payload.netdev b/tests/py/inet/tcp.t.payload.netdev
+index a554d07..854f4bb 100644
+--- a/tests/py/inet/tcp.t.payload.netdev
++++ b/tests/py/inet/tcp.t.payload.netdev
+@@ -25,8 +25,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp dport { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -116,8 +115,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp sport { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -217,8 +215,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp sequence { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -275,8 +272,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # tcp ackseq { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -358,8 +354,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp window { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -416,8 +411,7 @@ inet test-inet input
+ [ meta load l4proto
=> reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp checksum { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -474,8 +468,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # tcp urgptr { 33, 55, 67, 88}
+ __set%d test-inet 3
+diff --git a/tests/py/inet/udp.t.payload.inet b/tests/py/inet/udp.t.payload.inet
+index 4ca9904..057b912 100644
+--- a/tests/py/inet/udp.t.payload.inet
++++ b/tests/py/inet/udp.t.payload.inet
+@@ -28,8 +28,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udp sport { 49, 50} drop
+@@ -83,8 +82,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udp dport { 49, 50} drop
+@@ -137,8 +135,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00004100 ]
++ [ range neq reg 1 0x00003200 0x00004100 ]
+ [ immediate reg 0 accept ]
+
+ # udp length { 50, 65} accept
+@@ -197,8 +194,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1
0x00002100 0x00002d00 ]
+
+ # udp checksum { 33, 55, 67, 88}
+ __set%d test-inet 3
+diff --git a/tests/py/inet/udp.t.payload.ip b/tests/py/inet/udp.t.payload.ip
+index 56b6051..5fd279d 100644
+--- a/tests/py/inet/udp.t.payload.ip
++++ b/tests/py/inet/udp.t.payload.ip
+@@ -28,8 +28,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udp sport { 49, 50} drop
+@@ -83,8 +82,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udp dport { 49, 50} drop
+@@ -137,8 +135,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00004100 ]
++ [ range neq reg 1 0x00003200 0x00004100 ]
+ [ immediate reg 0 accept ]
+
+ # udp length { 50, 65} accept
+@@ -197,8 +194,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # udp checksum { 33, 55, 67, 88}
+ __set%d test-ip4 3
+diff --git a/tests/py/inet/udp.t.payload.ip6 b/tests/py/inet/udp.t.payload.ip6
+index 1f1df66..a7d12c8 100644
+--- a/tests/py/inet/udp.t.payload.ip6
++++ b/tests/py/inet/udp.t.payload.ip6
+@@ -28,8 +28,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+-
[ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udp sport { 49, 50} drop
+@@ -83,8 +82,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udp dport { 49, 50} drop
+@@ -137,8 +135,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00004100 ]
++ [ range neq reg 1 0x00003200 0x00004100 ]
+ [ immediate reg 0 accept ]
+
+ # udp length { 50, 65} accept
+@@ -197,8 +194,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # udp checksum { 33, 55, 67, 88}
+ __set%d test-ip6 3
+diff --git a/tests/py/inet/udp.t.payload.netdev b/tests/py/inet/udp.t.payload.netdev
+index 4ca9904..057b912 100644
+--- a/tests/py/inet/udp.t.payload.netdev
++++ b/tests/py/inet/udp.t.payload.netdev
+@@ -28,8 +28,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udp sport { 49, 50} drop
+@@ -83,8 +82,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg
0 accept ]
+
+ # udp dport { 49, 50} drop
+@@ -137,8 +135,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00004100 ]
++ [ range neq reg 1 0x00003200 0x00004100 ]
+ [ immediate reg 0 accept ]
+
+ # udp length { 50, 65} accept
+@@ -197,8 +194,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # udp checksum { 33, 55, 67, 88}
+ __set%d test-inet 3
+diff --git a/tests/py/inet/udplite.t.payload.inet b/tests/py/inet/udplite.t.payload.inet
+index 034c62d..ad2c970 100644
+--- a/tests/py/inet/udplite.t.payload.inet
++++ b/tests/py/inet/udplite.t.payload.inet
+@@ -28,8 +28,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite sport { 49, 50} drop
+@@ -83,8 +82,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite dport { 49, 50} drop
+@@ -144,8 +142,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # udplite checksum { 33, 55, 67, 88}
+ __set%d test-ip4 3
+diff --git a/tests/py/inet/udplite.t.payload.ip b/tests/py/inet/udplite.t.payload.ip
+index 3da9e53..8321c23
100644
+--- a/tests/py/inet/udplite.t.payload.ip
++++ b/tests/py/inet/udplite.t.payload.ip
+@@ -28,8 +28,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite sport { 49, 50} drop
+@@ -83,8 +82,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite dport { 49, 50} drop
+@@ -144,8 +142,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # udplite checksum { 33, 55, 67, 88}
+ __set%d test-ip4 3
+diff --git a/tests/py/inet/udplite.t.payload.ip6 b/tests/py/inet/udplite.t.payload.ip6
+index 205ea21..dce215d 100644
+--- a/tests/py/inet/udplite.t.payload.ip6
++++ b/tests/py/inet/udplite.t.payload.ip6
+@@ -28,8 +28,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite sport { 49, 50} drop
+@@ -83,8 +82,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite
dport { 49, 50} drop
+@@ -144,8 +142,7 @@ ip6 test-ip6 input
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # udplite checksum { 33, 55, 67, 88}
+ __set%d test-ip4 3
+diff --git a/tests/py/inet/udplite.t.payload.netdev b/tests/py/inet/udplite.t.payload.netdev
+index 034c62d..ad2c970 100644
+--- a/tests/py/inet/udplite.t.payload.netdev
++++ b/tests/py/inet/udplite.t.payload.netdev
+@@ -28,8 +28,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite sport { 49, 50} drop
+@@ -83,8 +82,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00003200 ]
+- [ cmp gt reg 1 0x00003c00 ]
++ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+ # udplite dport { 49, 50} drop
+@@ -144,8 +142,7 @@ inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # udplite checksum { 33, 55, 67, 88}
+ __set%d test-ip4 3
+diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
+index bf972c6..c951f7c 100644
+--- a/tests/py/ip/dnat.t.payload.ip
++++ b/tests/py/ip/dnat.t.payload.ip
+@@ -17,8 +17,7 @@ ip test-ip4 prerouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00005000 ]
+- [ cmp gt reg 1 0x00005a00 ]
++ [ range
neq reg 1 0x00005000 0x00005a00 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+@@ -43,8 +42,7 @@ ip test-ip4 prerouting
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00001700 ]
+- [ cmp gt reg 1 0x00002200 ]
++ [ range neq reg 1 0x00001700 0x00002200 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
+index 32f2685..c7df75d 100644
+--- a/tests/py/ip/icmp.t.payload.ip
++++ b/tests/py/ip/icmp.t.payload.ip
+@@ -142,8 +142,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+- [ cmp lt reg 1 0x00000021 ]
+- [ cmp gt reg 1 0x00000037 ]
++ [ range neq reg 1 0x00000021 0x00000037 ]
+
+ # icmp code { 33-55}
+ __set%d test-ip4 7
+@@ -195,8 +194,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00000b00 ]
+- [ cmp gt reg 1 0x00005701 ]
++ [ range neq reg 1 0x00000b00 0x00005701 ]
+ [ immediate reg 0 accept ]
+
+ # icmp checksum { 11-343} accept
+@@ -256,8 +254,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # icmp id { 33-55}
+ __set%d test-ip4 7
+@@ -306,8 +303,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # icmp sequence { 33, 55, 67, 88}
+ __set%d
test-ip4 3
+@@ -381,8 +377,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # icmp mtu { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -431,8 +426,7 @@ ip test-ip4 input
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x21000000 ]
+- [ cmp gt reg 1 0x2d000000 ]
++ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+ # icmp gateway { 33, 55, 67, 88}
+ __set%d test-ip4 3
+diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
+index 3bd3358..9ce5527 100644
+--- a/tests/py/ip/ip.t.payload
++++ b/tests/py/ip/ip.t.payload
+@@ -50,8 +50,7 @@ ip test-ip4 input
+ # ip length != 333-453
+ ip test-ip4 input
+ [ payload load 2b @ network header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00004d01 ]
+- [ cmp gt reg 1 0x0000c501 ]
++ [ range neq reg 1 0x00004d01 0x0000c501 ]
+
+ # ip length { 333, 553, 673, 838}
+ __set%d test-ip4 3
+@@ -88,8 +87,7 @@ ip test-ip4 input
+ # ip id != 33-45
+ ip test-ip4 input
+ [ payload load 2b @ network header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip id { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -127,8 +125,7 @@ ip test-ip4 input
+ # ip frag-off != 33-45
+ ip test-ip4 input
+ [ payload load 2b @ network header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip frag-off { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -166,8 +163,7 @@ ip test-ip4 input
+ # ip ttl != 45-50
+ ip test-ip4 input
+ [ payload load 1b @ network header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x0000002d ]
+- [ cmp gt reg 1 0x00000032 ]
++ [ range neq reg 1 0x0000002d 0x00000032 ]
+
+ # ip ttl {43, 53, 45 }
+ __set%d test-ip4 3
+@@ -229,8 +225,7 @@ ip test-ip4 input
+ # ip checksum != 33-45
+ ip test-ip4 input
+ [ payload load 2b @ network header + 10 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip checksum { 33, 55, 67, 88}
+ __set%d test-ip4 3
+@@ -302,8 +297,7 @@ ip test-ip4 input
+ # ip daddr != 192.168.0.1-192.168.0.250
+ ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x0100a8c0 ]
+- [ cmp gt reg 1 0xfa00a8c0 ]
++ [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+
+ # ip daddr { 192.168.0.1-192.168.0.250}
+ __set%d test-ip4 7
+@@ -331,8 +325,7 @@ ip test-ip4 input
+ # ip daddr != 192.168.1.2-192.168.1.55
+ ip test-ip4 input
+ [ payload load 4b @ network header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x0201a8c0 ]
+- [ cmp gt reg 1 0x3701a8c0 ]
++ [ range neq reg 1 0x0201a8c0 0x3701a8c0 ]
+
+ # ip saddr 192.168.1.3-192.168.33.55
+ ip test-ip4 input
+@@ -343,8 +336,7 @@ ip test-ip4 input
+ # ip saddr != 192.168.1.3-192.168.33.55
+ ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+- [ cmp lt reg 1 0x0301a8c0 ]
+- [ cmp gt reg 1 0x3721a8c0 ]
++ [ range neq reg 1 0x0301a8c0 0x3721a8c0 ]
+
+ # ip daddr 192.168.0.1
+ ip test-ip4 input
+diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
+index ef4692e..cf41eb2 100644
+--- a/tests/py/ip/ip.t.payload.inet
++++ b/tests/py/ip/ip.t.payload.inet
+@@ -68,8 +68,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00004d01 ]
+- [ cmp gt reg 1 0x0000c501 ]
++ [ range neq reg 1 0x00004d01 0x0000c501 ]
+
+ # ip length { 333, 553, 673, 838}
+ __set%d test-inet 3
+@@ -118,8 +117,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip id { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -169,8 +167,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip frag-off { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -220,8 +217,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x0000002d ]
+- [ cmp gt reg 1 0x00000032 ]
++ [ range neq reg 1 0x0000002d 0x00000032 ]
+
+ # ip ttl {43, 53, 45 }
+ __set%d test-inet 3
+@@ -303,8 +299,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip checksum { 33, 55, 67, 88}
+ __set%d test-inet 3
+@@ -400,8 +395,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x0100a8c0 ]
+- [ cmp gt reg 1 0xfa00a8c0 ]
++ [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+
+ # ip daddr { 192.168.0.1-192.168.0.250}
+ __set%d test-inet 7
+@@ -437,8 +431,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+- [ cmp lt reg 1 0x0201a8c0 ]
+- [ cmp gt reg 1 0x3701a8c0 ]
++ [ range neq reg 1 0x0201a8c0 0x3701a8c0 ]
+
+ # ip saddr 192.168.1.3-192.168.33.55
+ inet test-inet input
+@@ -453,8 +446,7 @@ inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+- [ cmp lt reg 1 0x0301a8c0 ]
+- [ cmp gt reg 1 0x3721a8c0 ]
++ [ range neq reg 1 0x0301a8c0 0x3721a8c0 ]
+
+ # ip daddr
192.168.0.1
+ inet test-inet input
+diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev
+index 4feaa27..ae2a74b 100644
+--- a/tests/py/ip/ip.t.payload.netdev
++++ b/tests/py/ip/ip.t.payload.netdev
+@@ -25,8 +25,7 @@ netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 2 => reg 1 ]
+- [ cmp lt reg 1 0x00004d01 ]
+- [ cmp gt reg 1 0x0000c501 ]
++ [ range neq reg 1 0x00004d01 0x0000c501 ]
+
+ # ip length { 333, 553, 673, 838}
+ __set%d test-netdev 3
+@@ -75,8 +74,7 @@ netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 4 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip id { 33, 55, 67, 88}
+ __set%d test-netdev 3
+@@ -126,8 +124,7 @@ netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 6 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip frag-off { 33, 55, 67, 88}
+ __set%d test-netdev 3
+@@ -170,8 +167,7 @@ netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 8 => reg 1 ]
+- [ cmp lt reg 1 0x0000002d ]
+- [ cmp gt reg 1 0x00000032 ]
++ [ range neq reg 1 0x0000002d 0x00000032 ]
+
+ # ip ttl {43, 53, 45 }
+ __set%d test-netdev 3
+@@ -239,8 +235,7 @@ netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 2b @ network header + 10 => reg 1 ]
+- [ cmp lt reg 1 0x00002100 ]
+- [ cmp gt reg 1 0x00002d00 ]
++ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+ # ip checksum { 33, 55, 67, 88}
+ __set%d test-netdev 3
+@@ -329,8 +324,7 @@ netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @
network header + 16 => reg 1 ] +- [ cmp lt reg 1 0x0100a8c0 ] +- [ cmp gt reg 1 0xfa00a8c0 ] ++ [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ] + + # ip daddr { 192.168.0.1-192.168.0.250} + __set%d test-netdev 7 +@@ -366,8 +360,7 @@ netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] +- [ cmp lt reg 1 0x0201a8c0 ] +- [ cmp gt reg 1 0x3701a8c0 ] ++ [ range neq reg 1 0x0201a8c0 0x3701a8c0 ] + + # ip saddr 192.168.1.3-192.168.33.55 + netdev test-netdev ingress +@@ -382,8 +375,7 @@ netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] +- [ cmp lt reg 1 0x0301a8c0 ] +- [ cmp gt reg 1 0x3721a8c0 ] ++ [ range neq reg 1 0x0301a8c0 0x3721a8c0 ] + + # ip daddr 192.168.0.1 + netdev test-netdev ingress +diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload +index cbea641..40a2f4c 100644 +--- a/tests/py/ip/snat.t.payload ++++ b/tests/py/ip/snat.t.payload +@@ -17,8 +17,7 @@ ip test-ip4 postrouting + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00005000 ] +- [ cmp gt reg 1 0x00005a00 ] ++ [ range neq reg 1 0x00005000 0x00005a00 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 0 ] + +@@ -43,8 +42,7 @@ ip test-ip4 postrouting + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] +- [ cmp lt reg 1 0x00001700 ] +- [ cmp gt reg 1 0x00002200 ] ++ [ range neq reg 1 0x00001700 0x00002200 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 addr_max reg 0 ] + +diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet +index 15914d9..62d1c5a 100644 +--- a/tests/py/ip6/dst.t.payload.inet ++++ b/tests/py/ip6/dst.t.payload.inet +@@ -25,8 +25,7 @@ inet 
test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 60 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # dst nexthdr { 33, 55, 67, 88} + __set%d test-inet 3 +@@ -99,8 +98,7 @@ ip6 test-ip6 input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 60 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # dst hdrlength { 33, 55, 67, 88} + __set%d test-ip6 3 +diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6 +index 3f6c8e1..c022c7f 100644 +--- a/tests/py/ip6/dst.t.payload.ip6 ++++ b/tests/py/ip6/dst.t.payload.ip6 +@@ -17,8 +17,7 @@ ip6 test-ip6 input + # dst nexthdr != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 60 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # dst nexthdr { 33, 55, 67, 88} + __set%d test-ip6 3 +@@ -73,8 +72,7 @@ ip6 test-ip6 input + # dst hdrlength != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 60 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # dst hdrlength { 33, 55, 67, 88} + __set%d test-ip6 3 +diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet +index 387dbd6..bf57eca 100644 +--- a/tests/py/ip6/frag.t.payload.inet ++++ b/tests/py/ip6/frag.t.payload.inet +@@ -63,8 +63,7 @@ inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 44 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # frag reserved { 33, 55, 67, 88} + __set%d test-inet 3 +@@ -117,8 +116,7 @@ inet test-inet output + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 
0x0000f8ff ) ^ 0x00000000 ] +- [ cmp lt reg 1 0x00000801 ] +- [ cmp gt reg 1 0x00006801 ] ++ [ range neq reg 1 0x00000801 0x00006801 ] + + # frag frag-off { 33, 55, 67, 88} + __set%d test-inet 3 +@@ -184,8 +182,7 @@ inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 4b @ 44 + 4 => reg 1 ] +- [ cmp lt reg 1 0x21000000 ] +- [ cmp gt reg 1 0x2d000000 ] ++ [ range neq reg 1 0x21000000 0x2d000000 ] + + # frag id { 33, 55, 67, 88} + __set%d test-inet 3 +diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6 +index 1f27975..aa27005 100644 +--- a/tests/py/ip6/frag.t.payload.ip6 ++++ b/tests/py/ip6/frag.t.payload.ip6 +@@ -45,8 +45,7 @@ ip6 test-ip6 output + # frag reserved != 33-45 + ip6 test-ip6 output + [ exthdr load 1b @ 44 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # frag reserved { 33, 55, 67, 88} + __set%d test-ip6 3 +@@ -87,8 +86,7 @@ ip6 test-ip6 output + ip6 test-ip6 output + [ exthdr load 2b @ 44 + 2 => reg 1 ] + [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] +- [ cmp lt reg 1 0x00000801 ] +- [ cmp gt reg 1 0x00006801 ] ++ [ range neq reg 1 0x00000801 0x00006801 ] + + # frag frag-off { 33, 55, 67, 88} + __set%d test-ip6 3 +@@ -138,8 +136,7 @@ ip6 test-ip6 output + # frag id != 33-45 + ip6 test-ip6 output + [ exthdr load 4b @ 44 + 4 => reg 1 ] +- [ cmp lt reg 1 0x21000000 ] +- [ cmp gt reg 1 0x2d000000 ] ++ [ range neq reg 1 0x21000000 0x2d000000 ] + + # frag id { 33, 55, 67, 88} + __set%d test-ip6 3 +diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet +index 5fcd2fd..7e0d079 100644 +--- a/tests/py/ip6/hbh.t.payload.inet ++++ b/tests/py/ip6/hbh.t.payload.inet +@@ -25,8 +25,7 @@ inet test-inet filter-input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 0 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range 
neq reg 1 0x00000021 0x0000002d ] + + # hbh hdrlength {33, 55, 67, 88} + __set%d test-inet 3 +@@ -85,8 +84,7 @@ inet test-inet filter-input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 0 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # hbh nexthdr {33, 55, 67, 88} + __set%d test-inet 3 +diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6 +index a2b4633..783fc6a 100644 +--- a/tests/py/ip6/hbh.t.payload.ip6 ++++ b/tests/py/ip6/hbh.t.payload.ip6 +@@ -17,8 +17,7 @@ ip6 test-ip6 filter-input + # hbh hdrlength != 33-45 + ip6 test-ip6 filter-input + [ exthdr load 1b @ 0 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # hbh hdrlength {33, 55, 67, 88} + __set%d test-ip6 3 +@@ -63,8 +62,7 @@ ip6 test-ip6 filter-input + # hbh nexthdr != 33-45 + ip6 test-ip6 filter-input + [ exthdr load 1b @ 0 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # hbh nexthdr {33, 55, 67, 88} + __set%d test-ip6 3 +diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6 +index 4b6f541..822db2d 100644 +--- a/tests/py/ip6/icmpv6.t.payload.ip6 ++++ b/tests/py/ip6/icmpv6.t.payload.ip6 +@@ -266,8 +266,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 4b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x21000000 ] +- [ cmp gt reg 1 0x2d000000 ] ++ [ range neq reg 1 0x21000000 0x2d000000 ] + + # icmpv6 mtu {33, 55, 67, 88} + __set%d test-ip6 3 +@@ -302,8 +301,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 2b @ transport header + 4 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 
0x00002d00 ] + + # icmpv6 id {33, 55, 67, 88} + __set%d test-ip6 3 +@@ -366,8 +364,7 @@ ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 2b @ transport header + 6 => reg 1 ] +- [ cmp lt reg 1 0x00000200 ] +- [ cmp gt reg 1 0x00000400 ] ++ [ range neq reg 1 0x00000200 0x00000400 ] + + # icmpv6 sequence { 2-4} + __set%d test-ip6 7 +diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet +index c29c5a3..f52376c 100644 +--- a/tests/py/ip6/ip6.t.payload.inet ++++ b/tests/py/ip6/ip6.t.payload.inet +@@ -106,8 +106,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 4 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # ip6 length { 33-55} + __set%d test-inet 7 +@@ -176,8 +175,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 1b @ network header + 6 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002c ] ++ [ range neq reg 1 0x00000021 0x0000002c ] + + # ip6 hoplimit 1 + inet test-inet input +@@ -206,8 +204,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 1b @ network header + 7 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # ip6 hoplimit {33, 55, 67, 88} + __set%d test-inet 3 +@@ -510,6 +507,5 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 24 => reg 1 ] +- [ cmp lt reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ] +- [ cmp gt reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ] ++ [ range neq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 0x34123412 0x34120000 0x34123412 0x34123412 ] + +diff --git a/tests/py/ip6/ip6.t.payload.ip6 
b/tests/py/ip6/ip6.t.payload.ip6 +index c249923..e5eef5b 100644 +--- a/tests/py/ip6/ip6.t.payload.ip6 ++++ b/tests/py/ip6/ip6.t.payload.ip6 +@@ -80,8 +80,7 @@ ip6 test-ip6 input + # ip6 length != 33-45 + ip6 test-ip6 input + [ payload load 2b @ network header + 4 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # ip6 length { 33-55} + __set%d test-ip6 7 +@@ -134,8 +133,7 @@ ip6 test-ip6 input + # ip6 nexthdr != 33-44 + ip6 test-ip6 input + [ payload load 1b @ network header + 6 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002c ] ++ [ range neq reg 1 0x00000021 0x0000002c ] + + # ip6 hoplimit 1 + ip6 test-ip6 input +@@ -156,8 +154,7 @@ ip6 test-ip6 input + # ip6 hoplimit != 33-45 + ip6 test-ip6 input + [ payload load 1b @ network header + 7 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # ip6 hoplimit {33, 55, 67, 88} + __set%d test-ip6 3 +@@ -376,6 +373,5 @@ ip6 test-ip6 input + # ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234 + ip6 test-ip6 input + [ payload load 16b @ network header + 24 => reg 1 ] +- [ cmp lt reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ] +- [ cmp gt reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ] ++ [ range neq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 0x34123412 0x34120000 0x34123412 0x34123412 ] + +diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet +index 5d06566..471af09 100644 +--- a/tests/py/ip6/mh.t.payload.inet ++++ b/tests/py/ip6/mh.t.payload.inet +@@ -63,8 +63,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 135 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # mh nexthdr { 33, 55, 67, 88 } + __set%d test-inet 3 +@@ -113,8 +112,7 @@ inet test-inet input 
+ [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 135 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # mh hdrlength { 33, 55, 67, 88 } + __set%d test-inet 3 +@@ -187,8 +185,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 135 + 3 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # mh reserved { 33, 55, 67, 88} + __set%d test-inet 3 +@@ -237,8 +234,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 2b @ 135 + 4 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # mh checksum { 33, 55, 67, 88} + __set%d test-inet 3 +diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6 +index d5366a5..7a9aa35 100644 +--- a/tests/py/ip6/mh.t.payload.ip6 ++++ b/tests/py/ip6/mh.t.payload.ip6 +@@ -45,8 +45,7 @@ ip6 test-ip6 input + # mh nexthdr != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 135 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # mh nexthdr { 33, 55, 67, 88 } + __set%d test-ip6 3 +@@ -83,8 +82,7 @@ ip6 test-ip6 input + # mh hdrlength != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 135 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # mh hdrlength { 33, 55, 67, 88 } + __set%d test-ip6 3 +@@ -139,8 +137,7 @@ ip6 test-ip6 input + # mh reserved != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 135 + 3 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # mh reserved { 33, 55, 67, 88} + __set%d test-ip6 3 +@@ -177,8 +174,7 @@ ip6 test-ip6 input + # mh checksum != 
33-45 + ip6 test-ip6 input + [ exthdr load 2b @ 135 + 4 => reg 1 ] +- [ cmp lt reg 1 0x00002100 ] +- [ cmp gt reg 1 0x00002d00 ] ++ [ range neq reg 1 0x00002100 0x00002d00 ] + + # mh checksum { 33, 55, 67, 88} + __set%d test-ip6 3 +diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet +index 7d644fb..30e29a5 100644 +--- a/tests/py/ip6/rt.t.payload.inet ++++ b/tests/py/ip6/rt.t.payload.inet +@@ -63,8 +63,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 43 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt nexthdr { 33, 55, 67, 88} + __set%d test-inet 3 +@@ -113,8 +112,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 43 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt hdrlength { 33, 55, 67, 88} + __set%d test-inet 3 +@@ -163,8 +161,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 43 + 2 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt type { 33, 55, 67, 88} + __set%d test-inet 3 +@@ -213,8 +210,7 @@ inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ exthdr load 1b @ 43 + 3 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt seg-left { 33, 55, 67, 88} + __set%d test-inet 3 +diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6 +index 3245725..b96980b 100644 +--- a/tests/py/ip6/rt.t.payload.ip6 ++++ b/tests/py/ip6/rt.t.payload.ip6 +@@ -45,8 +45,7 @@ ip6 test-ip6 input + # rt nexthdr != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 43 + 0 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 
0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt nexthdr { 33, 55, 67, 88} + __set%d test-ip6 3 +@@ -83,8 +82,7 @@ ip6 test-ip6 input + # rt hdrlength != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 43 + 1 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt hdrlength { 33, 55, 67, 88} + __set%d test-ip6 3 +@@ -121,8 +119,7 @@ ip6 test-ip6 input + # rt type != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 43 + 2 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt type { 33, 55, 67, 88} + __set%d test-ip6 3 +@@ -159,8 +156,7 @@ ip6 test-ip6 input + # rt seg-left != 33-45 + ip6 test-ip6 input + [ exthdr load 1b @ 43 + 3 => reg 1 ] +- [ cmp lt reg 1 0x00000021 ] +- [ cmp gt reg 1 0x0000002d ] ++ [ range neq reg 1 0x00000021 0x0000002d ] + + # rt seg-left { 33, 55, 67, 88} + __set%d test-ip6 3 +-- +1.8.3.1 + diff --git a/SOURCES/0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch b/SOURCES/0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch new file mode 100644 index 0000000..a8035cd --- /dev/null +++ b/SOURCES/0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch 
@@ -0,0 +1,70 @@ +From 8180301a3aad23ccd2f81ddb8007efe8bef67892 Mon Sep 17 00:00:00 2001 +From: Timothy Redaelli +Date: Fri, 24 Feb 2017 11:35:32 +0100 +Subject: [PATCH] netlink_delinearize: Avoid potential null pointer deref + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360257 +Upstream Status: nftables commit d975ab4 +Conflicts: Skipped a chunk due to missing commit + 34523621 ("src: add hash expression") + +commit d975ab412c33ddce2c39e0e86f87085d13b1aeca +Author: Pablo Neira Ayuso +Date: Mon Sep 5 18:52:43 2016 +0200 + + netlink_delinearize: Avoid potential null pointer deref + + Phil Sutter says: + + As netlink_get_register() may return NULL, we must not pass the returned + data unchecked to expr_set_type() as that will dereference it. Since the + parser has failed at that point anyway, by returning early we can skip + the useless statement allocation that follows in + netlink_parse_ct_stmt(). + + 
Signed-off-by: Pablo Neira Ayuso + Acked-by: Phil Sutter + +Signed-off-by: Timothy Redaelli +--- + src/netlink_delinearize.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c +index c3f0773..505516c 100644 +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -475,6 +475,10 @@ static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx, + + sreg = netlink_parse_register(nle, NFT_EXPR_PAYLOAD_SREG); + val = netlink_get_register(ctx, loc, sreg); ++ if (val == NULL) ++ return netlink_error(ctx, loc, ++ "payload statement has no expression"); ++ + stmt = payload_stmt_alloc(loc, expr, val); + + list_add_tail(&stmt->list, &ctx->rule->stmts); +@@ -536,6 +540,9 @@ static void netlink_parse_meta_stmt(struct netlink_parse_ctx *ctx, + + sreg = netlink_parse_register(nle, NFTNL_EXPR_META_SREG); + expr = netlink_get_register(ctx, loc, sreg); ++ if (expr == NULL) ++ return netlink_error(ctx, loc, ++ "meta statement has no expression"); + + key = nftnl_expr_get_u32(nle, NFTNL_EXPR_META_KEY); + stmt = meta_stmt_alloc(loc, key, expr); +@@ -565,6 +572,9 @@ static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx, + + sreg = netlink_parse_register(nle, NFTNL_EXPR_CT_SREG); + expr = netlink_get_register(ctx, loc, sreg); ++ if (expr == NULL) ++ return netlink_error(ctx, loc, ++ "ct statement has no expression"); + + key = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY); + stmt = ct_stmt_alloc(loc, key, expr); +-- +1.8.3.1 + diff --git a/SOURCES/0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch b/SOURCES/0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch new file mode 100644 index 0000000..51a7eb9 --- /dev/null +++ b/SOURCES/0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch 
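Review bot: The early return added to netlink_parse_payload_stmt() appears to abandon `expr` without releasing it. The very next line passes `expr` to `payload_stmt_alloc(loc, expr, val)`, so it was presumably allocated earlier in the function, outside the hunk. If so, wrap the check in braces and call `expr_free(expr);` before `return netlink_error(ctx, loc, "payload statement has no expression");` so the error path does not leak. The meta and ct hunks return before any allocation visible here. All three functions start and end outside their hunks.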
@@ -0,0 +1,53 @@
+From 19c9a7bfb73f33f50675f31f3664556105a50086 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 28 Feb 2017 18:14:53 +0100
+Subject: [PATCH] evaluate: Fix datalen checks in expr_evaluate_string()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360240
+Upstream Status: nftables commit 7a5b4c505e4d4
+
+commit 7a5b4c505e4d460239ac8a36b4fbccf222cd6134
+Author: Phil Sutter
+Date: Tue Aug 30 19:39:49 2016 +0200
+
+ evaluate: Fix datalen checks in expr_evaluate_string()
+
+ I have been told that the flex scanner won't return empty strings, so
+ strlen(data) should always be greater 0. To avoid a hard to debug issue
+ though, add an assert() to make sure this is always the case before
+ risking an unsigned variable underrun.
+
+ A real issue though is the check for 'datalen - 1 >= 0', which will
+ never fail due to datalen being unsigned. Fix this by incrementing both
+ sides by one, hence checking 'datalen >= 1'.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/evaluate.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index f24e5f3..5e3c158 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -248,6 +248,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
+ memset(data + len, 0, data_len - len);
+ mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
+
++ assert(strlen(data) > 0);
+ datalen = strlen(data) - 1;
+ if (data[datalen] != '*') {
+ /* We need to reallocate the constant expression with the right
+@@ -261,7 +262,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
+ return 0;
+ }
+
+- if (datalen - 1 >= 0 &&
++ if (datalen >= 1 &&
+ data[datalen - 1] == '\\') {
+ char unescaped_str[data_len];
+
+--
+1.8.3.1
+
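Review bot: `assert(strlen(data) > 0);` is the only guard before `datalen = strlen(data) - 1` and the `data[datalen]` read that follows. assert() is compiled out when NDEBUG is defined, which leaves the unsigned wrap and the out-of-bounds read reachable in such builds. The commit message says the scanner is not expected to hand over an empty string, so this is defence in depth, but an explicit check that returns an error holds in every build. For example `if (data[0] == '\0') return expr_error(ctx->msgs, expr, "Empty string is not allowed");`, assuming the file's usual error helper can be used at this point. expr_evaluate_string() starts and ends outside both hunks.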
diff --git a/SOURCES/0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch b/SOURCES/0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch new file mode 100644 index 0000000..956404b --- /dev/null +++ b/SOURCES/0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch @@ -0,0 +1,54 @@ +From 7fb6387b3c00346a429d291dd057e47c9354e263 Mon Sep 17 00:00:00 2001 +From: Timothy Redaelli +Date: Fri, 24 Feb 2017 11:58:57 +0100 +Subject: [PATCH] evaluate: reject: Have a generic fix for missing network + context + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360354 +Upstream Status: nftables commit 7241af3 + +commit 7241af302bbe56908fa87b17799048bfe884e35f +Author: Phil Sutter +Date: Tue Aug 30 19:39:51 2016 +0200 + + evaluate: reject: Have a generic fix for missing network context + + Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport + protocol conflict from inet") took care of a crash when using inet or + bridge families, but since then netdev family has been added which also + does not implicitly define the network context. Therefore the crash can + be reproduced again using the following example: + + nft add rule netdev filter e1000-ingress \ + meta l4proto udp reject with tcp reset + + In order to fix this in a more generic way, have stmt_evaluate_reset() + fall back to the generic proto_inet_service irrespective of the actual + proto context. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Timothy Redaelli +--- + src/evaluate.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 5e3c158..1b8d565 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2014,9 +2014,7 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt) + return 0; + + base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc; +- if (base == NULL && +- (ctx->pctx.family == NFPROTO_INET || +- ctx->pctx.family == NFPROTO_BRIDGE)) ++ if (base == NULL) + base = &proto_inet_service; + + protonum = proto_find_num(base, desc); +-- +1.8.3.1 + diff --git a/SOURCES/0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch b/SOURCES/0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch new file mode 100644 index 0000000..3bc4f4d --- /dev/null +++ b/SOURCES/0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch @@ -0,0 +1,120 @@ +From 611c93ad808addc5e3f38c279de273d6419b5c6e Mon Sep 17 00:00:00 2001 +From: Timothy Redaelli +Date: Mon, 8 May 2017 18:43:32 +0200 +Subject: [PATCH] payload: don't update protocol context if we can't find a + description + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1446534 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1399764 +Upstream Status: nftables commit 3503738 + +commit 3503738f77cdbe521da1054a37f59ac2e442b4cf +Author: Florian Westphal +Date: Mon Jun 6 21:52:28 2016 +0200 + + payload: don't update protocol context if we can't find a description + + Since commit + 20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking") + we deref null pointer if we can't find a description for the desired + protocol, so "ip protocol 254" crashes while testing protocols 6 or 17 + (tcp, udp) works. + + Also add a test case for this. + + Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072 + 
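Review bot: The commit message gives a concrete reproducer for the crash (`meta l4proto udp reject with tcp reset` in a netdev chain), yet the patch changes only src/evaluate.c and adds no test case for it. A regression test for the netdev family would keep the widened `if (base == NULL)` fallback in stmt_evaluate_reset() from being narrowed again unnoticed. The fallback also deserves a why-comment, for example `/* no network header context (inet, bridge, netdev): use the generic L4 protocol table */`. stmt_evaluate_reset() starts and ends outside the hunk.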
Signed-off-by: Florian Westphal + Acked-by: Pablo Neira Ayuso + +Signed-off-by: Timothy Redaelli +--- + src/payload.c | 3 +++ + tests/py/ip/ip.t | 3 +++ + tests/py/ip/ip.t.payload | 5 +++++ + tests/py/ip/ip.t.payload.inet | 7 +++++++ + tests/py/ip/ip.t.payload.netdev | 7 +++++++ + 5 files changed, 25 insertions(+) + +diff --git a/src/payload.c b/src/payload.c +index ac0e917..9ba980a 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx, + base = ctx->protocol[left->payload.base].desc; + desc = proto_find_upper(base, proto); + ++ if (!desc) ++ return; ++ + assert(desc->base <= PROTO_BASE_MAX); + if (desc->base == base->base) { + assert(base->length > 0); +diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t +index 594136c..a265b75 100644 +--- a/tests/py/ip/ip.t ++++ b/tests/py/ip/ip.t +@@ -75,6 +75,9 @@ ip protocol != tcp;ok;ip protocol != 6 + ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept + - ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok + ++ip protocol 255;ok ++ip protocol 256;fail ++ + ip checksum 13172 drop;ok + ip checksum 22;ok + ip checksum != 233;ok +diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload +index 9ce5527..13df804 100644 +--- a/tests/py/ip/ip.t.payload ++++ b/tests/py/ip/ip.t.payload +@@ -200,6 +200,11 @@ ip test-ip4 input + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + ++# ip protocol 255 ++ip test-ip4 input ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x000000ff ] ++ + # ip checksum 13172 drop + ip test-ip4 input + [ payload load 2b @ network header + 10 => reg 1 ] +diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet +index cf41eb2..34fca91 100644 +--- a/tests/py/ip/ip.t.payload.inet ++++ b/tests/py/ip/ip.t.payload.inet +@@ -264,6 +264,13 @@ inet test-inet input + [ lookup reg 1 set 
__set%d ] + [ immediate reg 0 accept ] + ++# ip protocol 255 ++ip test-ip4 input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x00000002 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x000000ff ] ++ + # ip checksum 13172 drop + inet test-inet input + [ meta load nfproto => reg 1 ] +diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev +index ae2a74b..b61fd1e 100644 +--- a/tests/py/ip/ip.t.payload.netdev ++++ b/tests/py/ip/ip.t.payload.netdev +@@ -200,6 +200,13 @@ netdev test-netdev ingress + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + ++# ip protocol 255 ++ip test-ip4 input ++ [ meta load protocol => reg 1 ] ++ [ cmp eq reg 1 0x00000008 ] ++ [ payload load 1b @ network header + 9 => reg 1 ] ++ [ cmp eq reg 1 0x000000ff ] ++ + # ip checksum 13172 drop + netdev test-netdev ingress + [ meta load protocol => reg 1 ] +-- +1.8.3.1 + diff --git a/SOURCES/0006-src-rename-datatype-name-from-tc_handle-to-classid.patch b/SOURCES/0006-src-rename-datatype-name-from-tc_handle-to-classid.patch new file mode 100644 index 0000000..73770e0 --- /dev/null +++ b/SOURCES/0006-src-rename-datatype-name-from-tc_handle-to-classid.patch @@ -0,0 +1,62 @@ +From 174b2a34a7c6a2fcf75baefd2f96c78a60c5417f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 17:56:59 +0200 +Subject: [PATCH] src: rename datatype name from tc_handle to classid + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326 +Upstream Status: nftables commit 11b39df32835c + +commit 11b39df32835ce855e5c6b889fa2cbcefe517547 +Author: Pablo Neira Ayuso +Date: Fri Jul 22 16:43:13 2016 +0200 + + src: rename datatype name from tc_handle to classid + + 
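Review bot: The new `# ip protocol 255` entries in ip.t.payload.inet and ip.t.payload.netdev are headed `ip test-ip4 input`, while the neighbouring entries in those files use `inet test-inet input` and `netdev test-netdev ingress`. The bytecode under each header does carry the family-specific `meta load nfproto` / `meta load protocol` check, so this looks like a copy-paste slip in the header line only; whether the test runner compares that line is not visible here. The headers should read `inet test-inet input` and `netdev test-netdev ingress`. Separately, the new `if (!desc) return;` in payload_expr_pctx_update() would be clearer with a comment such as `/* unknown upper-layer protocol: leave the protocol context unchanged */`.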
Signed-off-by: Pablo Neira Ayuso +--- + include/datatype.h | 4 ++-- + src/meta.c | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/datatype.h b/include/datatype.h +index c7e110f..f0e085b 100644 +--- a/include/datatype.h ++++ b/include/datatype.h +@@ -27,7 +27,7 @@ + * @TYPE_IFINDEX: interface index (integer subtype) + * @TYPE_ARPHRD: interface type (integer subtype) + * @TYPE_REALM: routing realm (integer subtype) +- * @TYPE_TC_HANDLE: TC handle (integer subtype) ++ * @TYPE_CLASSID: TC classid (integer subtype) + * @TYPE_UID: user ID (integer subtype) + * @TYPE_GID: group ID (integer subtype) + * @TYPE_CT_STATE: conntrack state (bitmask subtype) +@@ -66,7 +66,7 @@ enum datatypes { + TYPE_IFINDEX, + TYPE_ARPHRD, + TYPE_REALM, +- TYPE_TC_HANDLE, ++ TYPE_CLASSID, + TYPE_UID, + TYPE_GID, + TYPE_CT_STATE, +diff --git a/src/meta.c b/src/meta.c +index 75431a2..d912b4e 100644 +--- a/src/meta.c ++++ b/src/meta.c +@@ -127,9 +127,9 @@ err: + } + + static const struct datatype tchandle_type = { +- .type = TYPE_TC_HANDLE, +- .name = "tc_handle", +- .desc = "TC handle", ++ .type = TYPE_CLASSID, ++ .name = "classid", ++ .desc = "TC classid", + .byteorder = BYTEORDER_HOST_ENDIAN, + .size = 4 * BITS_PER_BYTE, + .basetype = &integer_type, +-- +1.8.3.1 + diff --git a/SOURCES/0007-src-simplify-classid-printing-using-x-instead-of-04x.patch b/SOURCES/0007-src-simplify-classid-printing-using-x-instead-of-04x.patch new file mode 100644 index 0000000..5187b32 --- /dev/null +++ b/SOURCES/0007-src-simplify-classid-printing-using-x-instead-of-04x.patch 
@@ -0,0 +1,47 @@
+From 0987bd768b0f9f8e3190fd955d01e54e0d4465e0 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 12 May 2017 17:56:59 +0200
+Subject: [PATCH] src: simplify classid printing using %x instead of %04x
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326
+Upstream Status: nftables commit 860979abdbe30
+
+commit 860979abdbe3081c310a5acd9250abdfcb741ce4
+Author: Pablo Neira Ayuso
+Date: Fri Jul 22 16:45:57 2016 +0200
+
+ src: simplify classid printing using %x instead of %04x
+
+ No need to print this in iptables CLASSIFY target format,
+ eg. 0004:1230, this is innecessarily large.
+
+ And always print major and minor numbers.
+
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/meta.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/src/meta.c b/src/meta.c
+index d912b4e..3a72d10 100644
+--- a/src/meta.c
++++ b/src/meta.c
+@@ -80,14 +80,7 @@ static void tchandle_type_print(const struct expr *expr)
+ printf("none");
+ break;
+ default:
+- if (TC_H_MAJ(handle) == 0)
+- printf(":%04x", TC_H_MIN(handle));
+- else if (TC_H_MIN(handle) == 0)
+- printf("%04x:", TC_H_MAJ(handle) >> 16);
+- else {
+- printf("%04x:%04x",
+- TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));
+- }
++ printf("%0x:%0x", TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));
+ break;
+ }
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0008-src-meta-priority-support-using-tc-classid.patch b/SOURCES/0008-src-meta-priority-support-using-tc-classid.patch
new file mode 100644
index 0000000..b900561
--- /dev/null
+++ b/SOURCES/0008-src-meta-priority-support-using-tc-classid.patch
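Review bot: The new format string `"%0x:%0x"` in tchandle_type_print() uses the `0` flag without a field width, which has no effect on the output. The subject line says `%x`, so `printf("%x:%x", TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));` states the intent without the stray flag. Handles that used to print as `:1234` or `abcd:` now print with an explicit zero part, so anything that parses listing output may need checking, although no such consumer is visible here. tchandle_type_print() starts outside the hunk.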
@@ -0,0 +1,356 @@ +From 3ce7e132a4828b707c94efb0cb5058067828353d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 17:56:59 +0200 +Subject: [PATCH] src: meta priority support using tc classid + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326 +Upstream Status: nftables commit 6f2eb8548e0d1 +Conflicts: Context change in tests due to missing meta random keyword. + +commit 6f2eb8548e0d18078989adec069b438b2f154767 +Author: Pablo Neira Ayuso +Date: Tue Aug 16 23:30:18 2016 +0200 + + src: meta priority support using tc classid + + This patch adds the missing bits to scan and parse the meta priority + handle as expressed by tc classid major:minor syntax. + + The :minor syntax is not support for two reason: major is always >= 1 + and this clashes with port syntax in nat. + + Here below, several example on how to match the packet priority field: + + nft add rule filter forward meta priority abcd:0 + nft add rule filter forward meta priority abcd:1234 + + and to set it, you have to: + + nft add rule filter forward meta priority set abcd:1234 + + The priority expression in flex looks ahead to restrict the pattern to + avoid problems with mappings: + + {classid}/[ \t\n:\-},] + + So the following doesn't break: + + ... vmap { 25:accept } + ^^^^^ + + The lookahead expression requires a slight change to extend the input + string in one byte. + + This patch is conservative as you always have to explicity indicate + major and minor numbers even if zero. + + We could consider supporting this shortcut in the future: + + abcd: + + However, with regards to this: + + :abcd + + We don't need to support it since major number is assumed to be >= 1. + However, if we ever decide to support this, we'll have problems since + this clashes with our port representation in redirect and mangle. + + So let's keep this simple and start with this approach. + + 
Signed-off-by: Pablo Neira Ayuso +--- + src/cli.c | 8 +++++ + src/erec.c | 1 + + src/main.c | 3 +- + src/meta.c | 39 +++++++++++++++++------- + src/scanner.l | 6 ++++ + src/statement.c | 2 +- + tests/py/any/meta.t | 22 ++++++++------ + tests/py/any/meta.t.payload | 72 +++++++++++++++++++++++++++++++++++++++++++++ + 8 files changed, 131 insertions(+), 22 deletions(-) + +diff --git a/src/cli.c b/src/cli.c +index adffd6b..a74411a 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -92,6 +92,8 @@ static void cli_complete(char *line) + const HIST_ENTRY *hist; + const char *c; + LIST_HEAD(msgs); ++ int len; ++ char *s; + + if (line == NULL) { + printf("\n"); +@@ -119,6 +121,12 @@ static void cli_complete(char *line) + if (hist == NULL || strcmp(hist->line, line)) + add_history(line); + ++ len = strlen(line); ++ s = xmalloc(len + 2); ++ snprintf(s, len + 2, "%s\n", line); ++ xfree(line); ++ line = s; ++ + parser_init(state, &msgs); + scanner_push_buffer(scanner, &indesc_cli, line); + nft_run(scanner, state, &msgs); +diff --git a/src/erec.c b/src/erec.c +index d514230..adbc096 100644 +--- a/src/erec.c ++++ b/src/erec.c +@@ -92,6 +92,7 @@ void erec_print(FILE *f, const struct error_record *erec) + case INDESC_BUFFER: + case INDESC_CLI: + line = indesc->data; ++ *strchrnul(line, '\n') = '\0'; + break; + case INDESC_FILE: + memset(buf, 0, sizeof(buf)); +diff --git a/src/main.c b/src/main.c +index ad73d80..39a47bb 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -328,12 +328,13 @@ int main(int argc, char * const *argv) + for (len = 0, i = optind; i < argc; i++) + len += strlen(argv[i]) + strlen(" "); + +- buf = xzalloc(len + 1); ++ buf = xzalloc(len + 2); + for (i = optind; i < argc; i++) { + strcat(buf, argv[i]); + if (i + 1 < argc) + strcat(buf, " "); + } ++ strcat(buf, "\n"); + parser_init(&state, &msgs); + scanner = scanner_init(&state); + scanner_push_buffer(scanner, &indesc_cmdline, buf); +diff --git a/src/meta.c b/src/meta.c +index 3a72d10..652b1cf 100644 +--- a/src/meta.c ++++ 
b/src/meta.c +@@ -10,6 +10,7 @@ + * Development of this code funded by Astaro AG (http://www.astaro.com/) + */ + ++#include + #include + #include + #include +@@ -89,34 +90,50 @@ static struct error_record *tchandle_type_parse(const struct expr *sym, + struct expr **res) + { + uint32_t handle; ++ char *str; + + if (strcmp(sym->identifier, "root") == 0) + handle = TC_H_ROOT; + else if (strcmp(sym->identifier, "none") == 0) + handle = TC_H_UNSPEC; +- else if (sym->identifier[0] == ':') { +- if (sscanf(sym->identifier, ":%04x", &handle) != 1) ++ else if (strchr(sym->identifier, ':')) { ++ uint16_t tmp; ++ char *colon; ++ ++ str = xstrdup(sym->identifier); ++ ++ colon = strchr(str, ':'); ++ if (!colon) + goto err; +- } else if (sym->identifier[strlen(sym->identifier)-1] == ':') { +- if (sscanf(sym->identifier, "%04x:", &handle) != 1) ++ ++ *colon = '\0'; ++ ++ errno = 0; ++ tmp = strtoull(str, NULL, 16); ++ if (errno != 0) + goto err; + +- handle <<= 16; +- } else { +- uint32_t min, max; ++ handle = (tmp << 16); ++ if (str[strlen(str) - 1] == ':') ++ goto out; + +- if (sscanf(sym->identifier, "%04x:%04x", &max, &min) != 2) ++ errno = 0; ++ tmp = strtoull(colon + 1, NULL, 16); ++ if (errno != 0) + goto err; + +- handle = max << 16 | min; ++ handle |= tmp; ++ } else { ++ handle = strtoull(sym->identifier, NULL, 0); + } ++out: + *res = constant_expr_alloc(&sym->location, sym->dtype, + BYTEORDER_HOST_ENDIAN, + sizeof(handle) * BITS_PER_BYTE, &handle); + return NULL; + err: +- return error(&sym->location, "Could not parse %s", +- sym->dtype->desc); ++ xfree(str); ++ return error(&sym->location, "Could not parse %s", sym->dtype->desc); + } + + static const struct datatype tchandle_type = { +diff --git a/src/scanner.l b/src/scanner.l +index 88669d0..5855041 100644 +--- a/src/scanner.l ++++ b/src/scanner.l +@@ -170,6 +170,7 @@ macaddr (([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}) + ip4addr (([[:digit:]]{1,3}"."){3}([[:digit:]]{1,3})) + ip6addr 
({v680}|{v67}|{v66}|{v65}|{v64}|{v63}|{v62}|{v61}|{v60}) + ++classid ({hexdigit}{1,4}:{hexdigit}{1,4}) + addrstring ({macaddr}|{ip4addr}|{ip6addr}) + + %option prefix="nft_" +@@ -500,6 +501,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) + return NUM; + } + ++{classid}/[ \t\n:\-},] { ++ yylval->string = xstrdup(yytext); ++ return STRING; ++ } ++ + {quotedstring} { + yytext[yyleng - 1] = '\0'; + yylval->string = xstrdup(yytext + 1); +diff --git a/src/statement.c b/src/statement.c +index 76f528b..0960f44 100644 +--- a/src/statement.c ++++ b/src/statement.c +@@ -458,7 +458,7 @@ static void redir_stmt_print(const struct stmt *stmt) + printf("redirect"); + + if (stmt->redir.proto) { +- printf(" to "); ++ printf(" to :"); + expr_print(stmt->redir.proto); + } + +diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t +index 424cb18..6ea06d9 100644 +--- a/tests/py/any/meta.t ++++ b/tests/py/any/meta.t +@@ -38,15 +38,19 @@ meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88} + meta l4proto { 33-55};ok + - meta l4proto != { 33-55};ok + +-- meta priority :aabb;ok +-- meta priority bcad:dadc;ok +-- meta priority aabb:;ok +-- meta priority != :aabb;ok +-- meta priority != bcad:dadc;ok +-- meta priority != aabb:;ok +-- meta priority bcad:dada-bcad:dadc;ok +-- meta priority != bcad:dada-bcad:dadc;ok +-- meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok ++meta priority root;ok ++meta priority none;ok ++meta priority 0x87654321;ok;meta priority 8765:4321 ++meta priority 2271560481;ok;meta priority 8765:4321 ++meta priority 1:1234;ok ++meta priority bcad:dadc;ok ++meta priority aabb:0;ok ++meta priority != bcad:dadc;ok ++meta priority != aabb:0;ok ++meta priority bcad:dada-bcad:dadc;ok ++meta priority != bcad:dada-bcad:dadc;ok ++meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok ++meta priority set cafe:beef;ok + - meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok + + meta mark 0x4;ok;mark 0x00000004 +diff --git a/tests/py/any/meta.t.payload 
b/tests/py/any/meta.t.payload +index 00a2f20..8065178 100644 +--- a/tests/py/any/meta.t.payload ++++ b/tests/py/any/meta.t.payload +@@ -775,3 +775,75 @@ ip test-ip4 output + [ meta load oif => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + ++# meta priority root ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp eq reg 1 0xffffffff ] ++ ++# meta priority none ++netdev test-netdev ingress ++ [ meta load priority => reg 1 ] ++ [ cmp eq reg 1 0x00000000 ] ++ ++# meta priority 1:1234 ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp eq reg 1 0x00011234 ] ++ ++# meta priority bcad:dadc ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp eq reg 1 0xbcaddadc ] ++ ++# meta priority aabb:0 ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp eq reg 1 0xaabb0000 ] ++ ++# meta priority != bcad:dadc ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp neq reg 1 0xbcaddadc ] ++ ++# meta priority != aabb:0 ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp neq reg 1 0xaabb0000 ] ++ ++# meta priority bcad:dada-bcad:dadc ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ byteorder reg 1 = hton(reg 1, 4, 4) ] ++ [ cmp gte reg 1 0xdadaadbc ] ++ [ cmp lte reg 1 0xdcdaadbc ] ++ ++# meta priority != bcad:dada-bcad:dadc ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ byteorder reg 1 = hton(reg 1, 4, 4) ] ++ [ cmp lt reg 1 0xdadaadbc ] ++ [ cmp gt reg 1 0xdcdaadbc ] ++ ++# meta priority {bcad:dada, bcad:dadc, aaaa:bbbb} ++__set%d test-ip4 3 ++__set%d test-ip4 0 ++ element bcaddada : 0 [end] element bcaddadc : 0 [end] element aaaabbbb : 0 [end] ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ lookup reg 1 set __set%d ] ++ ++# meta priority set cafe:beef ++ip test-ip4 input ++ [ immediate reg 1 0xcafebeef ] ++ [ meta set priority with reg 1 ] ++ ++# meta priority 0x87654321 ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp eq reg 1 0x87654321 ] ++ ++# meta priority 
2271560481 ++ip test-ip4 input ++ [ meta load priority => reg 1 ] ++ [ cmp eq reg 1 0x87654321 ] ++ +-- +1.8.3.1 + diff --git a/SOURCES/0009-meta-fix-memory-leak-in-tc-classid-parser.patch b/SOURCES/0009-meta-fix-memory-leak-in-tc-classid-parser.patch new file mode 100644 index 0000000..06f0372 --- /dev/null +++ b/SOURCES/0009-meta-fix-memory-leak-in-tc-classid-parser.patch @@ -0,0 +1,47 @@ +From b43f64d4c9dcd52da901ea1274895d11575acf4e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 17:57:57 +0200 +Subject: [PATCH] meta: fix memory leak in tc classid parser + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1380326 +Upstream Status: nftables commit d815b8d2bf18b + +commit d815b8d2bf18bc589f10c3fb4524a2b93fe91b93 +Author: Liping Zhang +Date: Sun Aug 28 16:36:22 2016 +0800 + + meta: fix memory leak in tc classid parser + + We forgot to free the str which was allocated by xstrdup, + so memory leak will happen. + + Signed-off-by: Liping Zhang + Signed-off-by: Pablo Neira Ayuso +--- + src/meta.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/meta.c b/src/meta.c +index 652b1cf..d77106e 100644 +--- a/src/meta.c ++++ b/src/meta.c +@@ -90,7 +90,7 @@ static struct error_record *tchandle_type_parse(const struct expr *sym, + struct expr **res) + { + uint32_t handle; +- char *str; ++ char *str = NULL; + + if (strcmp(sym->identifier, "root") == 0) + handle = TC_H_ROOT; +@@ -127,6 +127,7 @@ static struct error_record *tchandle_type_parse(const struct expr *sym, + handle = strtoull(sym->identifier, NULL, 0); + } + out: ++ xfree(str); + *res = constant_expr_alloc(&sym->location, sym->dtype, + BYTEORDER_HOST_ENDIAN, + sizeof(handle) * BITS_PER_BYTE, &handle); +-- +1.8.3.1 + diff --git a/SOURCES/0010-datatype-time_type-should-send-milliseconds-to-users.patch b/SOURCES/0010-datatype-time_type-should-send-milliseconds-to-users.patch new file mode 100644 index 0000000..391986f --- /dev/null 
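Review bot: In tchandle_type_parse the test `if (str[strlen(str) - 1] == ':')` runs after `*colon = '\0'`, so `str` holds only the text before the first colon: the test can never be true, and when the identifier starts with `:` the string is empty and the index reads one byte before the allocation. The two `strtoull()` calls also store into a `uint16_t` and pass a NULL end pointer, so a field above 0xffff is silently truncated and non-hex text parses as 0; the `errno` check only catches overflow of unsigned long long. The scanner's `classid` pattern probably keeps such input away from this path, but whether other STRING tokens can reach the parser is not visible here, so the parser should validate on its own. The sketch below rejects empty, over-long and non-hex fields, which matches the commit message's rule that major and minor must both be given; note that it turns `abcd:` into an error where the posted code accepts it as `abcd:0`.

```c
	else if (strchr(sym->identifier, ':')) {
		unsigned long long maj, min;
		char *colon, *end;

		/* … unchanged: xstrdup(), colon lookup, *colon = '\0' … */

		/* each field must be non-empty, pure hex and fit in 16 bits */
		errno = 0;
		maj = strtoull(str, &end, 16);
		if (errno != 0 || end == str || *end != '\0' || maj > 0xffff)
			goto err;

		errno = 0;
		min = strtoull(colon + 1, &end, 16);
		if (errno != 0 || end == colon + 1 || *end != '\0' || min > 0xffff)
			goto err;

		handle = (uint32_t)(maj << 16 | min);
	} else {
		/* … unchanged: plain numeric handle … */
```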
+++ b/SOURCES/0010-datatype-time_type-should-send-milliseconds-to-users.patch @@ -0,0 +1,119 @@ +From fad810f8c3b1b9135f9b8a89d6e6e5472fb2b3b4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 18:29:28 +0200 +Subject: [PATCH] datatype: time_type should send milliseconds to userspace + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1427114 +Upstream Status: nftables commit 82dfc87c85f00 +Conflicts: Adjusted one test case for previously backported commit + 3ed932917cc74 ("src: use new range expression for != [a,b] + intervals"). + +commit 82dfc87c85f00acfa0d46369ae3f66c26a93f502 +Author: Pablo Neira Ayuso +Date: Fri Jul 8 15:12:31 2016 +0200 + + datatype: time_type should send milliseconds to userspace + + Kernel expects milliseconds, so fix this datatype to use + milliseconds instead of seconds. + + 
Signed-off-by: Pablo Neira Ayuso +--- + include/utils.h | 1 + + src/datatype.c | 3 ++- + tests/py/any/ct.t.payload | 16 ++++++++-------- + 3 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/include/utils.h b/include/utils.h +index 8a1dc5e..d886764 100644 +--- a/include/utils.h ++++ b/include/utils.h +@@ -83,6 +83,7 @@ + (void) (&_max1 == &_max2); \ + _max1 > _max2 ? _max1 : _max2; }) + ++#define MSEC_PER_SEC 1000L + + /** + * fls - find last (most-significant) bit set +diff --git a/src/datatype.c b/src/datatype.c +index 40e14c9..002c4c6 100644 +--- a/src/datatype.c ++++ b/src/datatype.c +@@ -883,7 +883,7 @@ struct error_record *time_parse(const struct location *loc, const char *str, + + static void time_type_print(const struct expr *expr) + { +- time_print(mpz_get_uint64(expr->value)); ++ time_print(mpz_get_uint64(expr->value) / MSEC_PER_SEC); + } + + static struct error_record *time_type_parse(const struct expr *sym, +@@ -896,6 +896,7 @@ static struct error_record *time_type_parse(const struct expr *sym, + if (erec != NULL) + return erec; + ++ s *= MSEC_PER_SEC; + if (s > UINT32_MAX) + return error(&sym->location, "value too large"); + +diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload +index 26bcf26..0598fdf 100644 +--- a/tests/py/any/ct.t.payload ++++ b/tests/py/any/ct.t.payload +@@ -197,35 +197,35 @@ ip test-ip4 output + # ct expiration 30 + ip test-ip4 output + [ ct load expiration => reg 1 ] +- [ cmp eq reg 1 0x0000001e ] ++ [ cmp eq reg 1 0x00007530 ] + + # ct expiration 22 + ip test-ip4 output + [ ct load expiration => reg 1 ] +- [ cmp eq reg 1 0x00000016 ] ++ [ cmp eq reg 1 0x000055f0 ] + + # ct expiration != 233 + ip test-ip4 output + [ ct load expiration => reg 1 ] +- [ cmp neq reg 1 0x000000e9 ] ++ [ cmp neq reg 1 0x00038e28 ] + + # ct expiration 33-45 + ip test-ip4 output + [ ct load expiration => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ cmp gte reg 1 0x21000000 ] +- [ cmp lte reg 1 0x2d000000 ] ++ [ cmp 
gte reg 1 0xe8800000 ] ++ [ cmp lte reg 1 0xc8af0000 ] + + # ct expiration != 33-45 + ip test-ip4 output + [ ct load expiration => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +- [ range neq reg 1 0x21000000 0x2d000000 ] ++ [ range neq reg 1 0xe8800000 0xc8af0000 ] + + # ct expiration {33, 55, 67, 88} + __set%d test-ip4 3 + __set%d test-ip4 0 +- element 00000021 : 0 [end] element 00000037 : 0 [end] element 00000043 : 0 [end] element 00000058 : 0 [end] ++ element 000080e8 : 0 [end] element 0000d6d8 : 0 [end] element 000105b8 : 0 [end] element 000157c0 : 0 [end] + ip test-ip4 output + [ ct load expiration => reg 1 ] + [ lookup reg 1 set __set%d ] +@@ -233,7 +233,7 @@ ip test-ip4 output + # ct expiration {33-55} + __set%d test-ip4 7 + __set%d test-ip4 0 +- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end] ++ element 00000000 : 1 [end] element e8800000 : 0 [end] element d9d60000 : 1 [end] + ip test-ip4 output + [ ct load expiration => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] +-- +1.8.3.1 + diff --git a/SOURCES/0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch b/SOURCES/0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch new file mode 100644 index 0000000..0099337 --- /dev/null +++ b/SOURCES/0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch @@ -0,0 +1,218 @@ +From d9512e718d90343bb83f39c26c6c4ee2e3173a53 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 18:52:01 +0200 +Subject: [PATCH] include: refresh uapi/linux/netfilter/nf_tables.h copy + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1440011 +Upstream Status: nftables commit e7b1270057037 + +commit e7b1270057037c1c2524204c4c903c995cf77aab +Author: Pablo Neira Ayuso +Date: Fri Aug 26 13:22:00 2016 +0200 + + include: refresh uapi/linux/netfilter/nf_tables.h copy + + Fetch incremental incremental updates on this file. + + 
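Review bot: In time_type_parse the added `s *= MSEC_PER_SEC;` runs before the `s > UINT32_MAX` range check, so a large enough parsed value could wrap in the multiplication and then pass the check with a wrong timeout. The declaration of `s` is outside the hunk, so this assumes it is a 64-bit unsigned value filled in by time_parse(). Checking before scaling avoids the wrap: `if (s > UINT32_MAX / MSEC_PER_SEC) return error(&sym->location, "value too large");` followed by `s *= MSEC_PER_SEC;`. In time_type_print the integer division drops any sub-second remainder sent by the kernel, which deserves a one-line comment such as `/* kernel reports milliseconds; print whole seconds */`.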
Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/nf_tables.h | 80 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 79 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h +index 0df2ccc..3b4ec63 100644 +--- a/include/linux/netfilter/nf_tables.h ++++ b/include/linux/netfilter/nf_tables.h +@@ -3,6 +3,7 @@ + + #define NFT_TABLE_MAXNAMELEN 32 + #define NFT_CHAIN_MAXNAMELEN 32 ++#define NFT_SET_MAXNAMELEN 32 + #define NFT_USERDATA_MAXLEN 256 + + /** +@@ -182,6 +183,7 @@ enum nft_chain_attributes { + NFTA_CHAIN_USE, + NFTA_CHAIN_TYPE, + NFTA_CHAIN_COUNTERS, ++ NFTA_CHAIN_PAD, + __NFTA_CHAIN_MAX + }; + #define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1) +@@ -206,6 +208,7 @@ enum nft_rule_attributes { + NFTA_RULE_COMPAT, + NFTA_RULE_POSITION, + NFTA_RULE_USERDATA, ++ NFTA_RULE_PAD, + __NFTA_RULE_MAX + }; + #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) +@@ -308,6 +311,7 @@ enum nft_set_attributes { + NFTA_SET_TIMEOUT, + NFTA_SET_GC_INTERVAL, + NFTA_SET_USERDATA, ++ NFTA_SET_PAD, + __NFTA_SET_MAX + }; + #define NFTA_SET_MAX (__NFTA_SET_MAX - 1) +@@ -341,6 +345,7 @@ enum nft_set_elem_attributes { + NFTA_SET_ELEM_EXPIRATION, + NFTA_SET_ELEM_USERDATA, + NFTA_SET_ELEM_EXPR, ++ NFTA_SET_ELEM_PAD, + __NFTA_SET_ELEM_MAX + }; + #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) +@@ -541,6 +546,10 @@ enum nft_cmp_attributes { + }; + #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) + ++enum nft_lookup_flags { ++ NFT_LOOKUP_F_INV = (1 << 0), ++}; ++ + /** + * enum nft_range_ops - nf_tables range operator + * +@@ -577,6 +586,7 @@ enum nft_range_attributes { + * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers) + * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32) ++ * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags) + */ + enum nft_lookup_attributes { + NFTA_LOOKUP_UNSPEC, +@@ 
-584,6 +594,7 @@ enum nft_lookup_attributes { + NFTA_LOOKUP_SREG, + NFTA_LOOKUP_DREG, + NFTA_LOOKUP_SET_ID, ++ NFTA_LOOKUP_FLAGS, + __NFTA_LOOKUP_MAX + }; + #define NFTA_LOOKUP_MAX (__NFTA_LOOKUP_MAX - 1) +@@ -613,6 +624,7 @@ enum nft_dynset_attributes { + NFTA_DYNSET_SREG_DATA, + NFTA_DYNSET_TIMEOUT, + NFTA_DYNSET_EXPR, ++ NFTA_DYNSET_PAD, + __NFTA_DYNSET_MAX, + }; + #define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) +@@ -741,6 +753,26 @@ enum nft_meta_keys { + }; + + /** ++ * enum nft_hash_attributes - nf_tables hash expression netlink attributes ++ * ++ * @NFTA_HASH_SREG: source register (NLA_U32) ++ * @NFTA_HASH_DREG: destination register (NLA_U32) ++ * @NFTA_HASH_LEN: source data length (NLA_U32) ++ * @NFTA_HASH_MODULUS: modulus value (NLA_U32) ++ * @NFTA_HASH_SEED: seed value (NLA_U32) ++ */ ++enum nft_hash_attributes { ++ NFTA_HASH_UNSPEC, ++ NFTA_HASH_SREG, ++ NFTA_HASH_DREG, ++ NFTA_HASH_LEN, ++ NFTA_HASH_MODULUS, ++ NFTA_HASH_SEED, ++ __NFTA_HASH_MAX, ++}; ++#define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1) ++ ++/** + * enum nft_meta_attributes - nf_tables meta expression netlink attributes + * + * @NFTA_META_DREG: destination register (NLA_U32) +@@ -835,6 +867,7 @@ enum nft_limit_attributes { + NFTA_LIMIT_BURST, + NFTA_LIMIT_TYPE, + NFTA_LIMIT_FLAGS, ++ NFTA_LIMIT_PAD, + __NFTA_LIMIT_MAX + }; + #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) +@@ -849,6 +882,7 @@ enum nft_counter_attributes { + NFTA_COUNTER_UNSPEC, + NFTA_COUNTER_BYTES, + NFTA_COUNTER_PACKETS, ++ NFTA_COUNTER_PAD, + __NFTA_COUNTER_MAX + }; + #define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1) +@@ -895,6 +929,25 @@ enum nft_queue_attributes { + #define NFT_QUEUE_FLAG_CPU_FANOUT 0x02 /* use current CPU (no hashing) */ + #define NFT_QUEUE_FLAG_MASK 0x03 + ++enum nft_quota_flags { ++ NFT_QUOTA_F_INV = (1 << 0), ++}; ++ ++/** ++ * enum nft_quota_attributes - nf_tables quota expression netlink attributes ++ * ++ * @NFTA_QUOTA_BYTES: quota in bytes (NLA_U16) ++ * @NFTA_QUOTA_FLAGS: flags (NLA_U32) ++ */ 
++enum nft_quota_attributes { ++ NFTA_QUOTA_UNSPEC, ++ NFTA_QUOTA_BYTES, ++ NFTA_QUOTA_FLAGS, ++ NFTA_QUOTA_PAD, ++ __NFTA_QUOTA_MAX ++}; ++#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) ++ + /** + * enum nft_reject_types - nf_tables reject expression reject types + * +@@ -1066,7 +1119,7 @@ enum nft_gen_attributes { + * @NFTA_TRACE_NFPROTO: nf protocol processed (NLA_U32) + * @NFTA_TRACE_POLICY: policy that decided fate of packet (NLA_U32) + */ +-enum nft_trace_attibutes { ++enum nft_trace_attributes { + NFTA_TRACE_UNSPEC, + NFTA_TRACE_TABLE, + NFTA_TRACE_CHAIN, +@@ -1084,6 +1137,7 @@ enum nft_trace_attibutes { + NFTA_TRACE_MARK, + NFTA_TRACE_NFPROTO, + NFTA_TRACE_POLICY, ++ NFTA_TRACE_PAD, + __NFTA_TRACE_MAX + }; + #define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1) +@@ -1096,4 +1150,28 @@ enum nft_trace_types { + __NFT_TRACETYPE_MAX + }; + #define NFT_TRACETYPE_MAX (__NFT_TRACETYPE_MAX - 1) ++ ++/** ++ * enum nft_ng_attributes - nf_tables number generator expression netlink attributes ++ * ++ * @NFTA_NG_DREG: destination register (NLA_U32) ++ * @NFTA_NG_UNTIL: source value to increment the counter until reset (NLA_U32) ++ * @NFTA_NG_TYPE: operation type (NLA_U32) ++ */ ++enum nft_ng_attributes { ++ NFTA_NG_UNSPEC, ++ NFTA_NG_DREG, ++ NFTA_NG_UNTIL, ++ NFTA_NG_TYPE, ++ __NFTA_NG_MAX ++}; ++#define NFTA_NG_MAX (__NFTA_NG_MAX - 1) ++ ++enum nft_ng_types { ++ NFT_NG_INCREMENTAL, ++ NFT_NG_RANDOM, ++ __NFT_NG_MAX ++}; ++#define NFT_NG_MAX (__NFT_NG_MAX - 1) ++ + #endif /* _LINUX_NF_TABLES_H */ +-- +1.8.3.1 + diff --git a/SOURCES/0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch b/SOURCES/0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch new file mode 100644 index 0000000..e5ea600 --- /dev/null +++ b/SOURCES/0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch 
@@ -0,0 +1,131 @@ +From cb0e9dac618d08410a799d0f6e24c03052754b53 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 18:32:43 +0200 +Subject: [PATCH] src: Interpret OP_NEQ against a set as OP_LOOKUP + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1440011 +Upstream Status: nftables commit cc7b37d18a687 + +commit cc7b37d18a687d53e8724b3104b042e6767a9cef +Author: Anatole Denis +Date: Thu Nov 24 15:16:20 2016 +0100 + + src: Interpret OP_NEQ against a set as OP_LOOKUP + + Now that the support for inverted matching is in the kernel and in libnftnl, add + it to nftables too. + + This fixes bug #888 + + Signed-off-by: Anatole Denis + 
Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 14 ++++++++++++++ + src/netlink_delinearize.c | 10 ++++++++++ + src/netlink_linearize.c | 14 +++++++++----- + 3 files changed, 33 insertions(+), 5 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 1b8d565..680eda0 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1460,6 +1460,20 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) + if (byteorder_conversion(ctx, &rel->right, left->byteorder) < 0) + return -1; + break; ++ case EXPR_SET: ++ assert(rel->op == OP_NEQ); ++ right = rel->right = ++ implicit_set_declaration(ctx, "__set%d", ++ left->dtype, left->len, ++ right); ++ /* fall through */ ++ case EXPR_SET_REF: ++ assert(rel->op == OP_NEQ); ++ /* Data for range lookups needs to be in big endian order */ ++ if (right->set->flags & SET_F_INTERVAL && ++ byteorder_conversion(ctx, &rel->left, BYTEORDER_BIG_ENDIAN) < 0) ++ return -1; ++ break; + default: + BUG("invalid expression type %s\n", right->ops->name); + } +diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c +index 505516c..c002538 100644 +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -299,6 +299,7 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx, + const char *name; + struct expr *expr, *left, *right; + struct set *set; ++ uint32_t flag; + + name = nftnl_expr_get_str(nle, NFTNL_EXPR_LOOKUP_SET); + set = set_lookup(ctx->table, name); +@@ -330,6 +331,12 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx, + expr = relational_expr_alloc(loc, OP_LOOKUP, left, right); + } + ++ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOOKUP_FLAGS)) { ++ flag = nftnl_expr_get_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS); ++ if (flag & NFT_LOOKUP_F_INV) ++ expr->op = OP_NEQ; ++ } ++ + ctx->stmt = expr_stmt_alloc(loc, expr); + } + +@@ -1218,6 +1225,9 @@ static void ct_meta_common_postprocess(const struct expr *expr) + struct expr *right = expr->right; + + switch (expr->op) { 
++ case OP_NEQ: ++ if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF) ++ break; + case OP_LOOKUP: + expr_set_type(right, left->dtype, left->byteorder); + if (right->dtype == &integer_type) +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index ffc3f57..8d8ec92 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -216,6 +216,8 @@ static void netlink_gen_lookup(struct netlink_linearize_ctx *ctx, + expr->right->set->handle.set); + nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_SET_ID, + expr->right->set->handle.set_id); ++ if (expr->op == OP_NEQ) ++ nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS, NFT_LOOKUP_F_INV); + + release_register(ctx, expr->left); + nftnl_rule_add_expr(ctx->nlr, nle); +@@ -284,13 +286,14 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx, + + assert(dreg == NFT_REG_VERDICT); + +- if (expr->right->ops->type == EXPR_RANGE) +- return netlink_gen_range(ctx, expr, dreg); +- +- sreg = get_register(ctx, expr->left); +- + switch (expr->right->ops->type) { ++ case EXPR_RANGE: ++ return netlink_gen_range(ctx, expr, dreg); ++ case EXPR_SET: ++ case EXPR_SET_REF: ++ return netlink_gen_lookup(ctx, expr, dreg); + case EXPR_PREFIX: ++ sreg = get_register(ctx, expr->left); + if (expr->left->dtype->type != TYPE_STRING) { + len = div_round_up(expr->right->len, BITS_PER_BYTE); + netlink_gen_expr(ctx, expr->left, sreg); +@@ -303,6 +306,7 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx, + } + break; + default: ++ sreg = get_register(ctx, expr->left); + len = div_round_up(expr->right->len, BITS_PER_BYTE); + right = expr->right; + netlink_gen_expr(ctx, expr->left, sreg); +-- +1.8.3.1 + diff --git a/SOURCES/0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch b/SOURCES/0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch new file mode 100644 index 0000000..0f0aa90 --- /dev/null +++ b/SOURCES/0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch 
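Review bot: The two `assert(rel->op == OP_NEQ)` lines added to expr_evaluate_relational turn an unexpected operator into a process abort, and into no check at all in an NDEBUG build. The enclosing `case` label is outside the hunk; if it also admits OP_EQ, a rule that compares against a set with an explicit `==` would reach the assert from user input, so returning an error through the evaluator's usual error path would be safer than asserting. Separately, in ct_meta_common_postprocess the new `case OP_NEQ:` drops into `case OP_LOOKUP:` with no marker, while the evaluate.c hunk in the same patch marks its own with `/* fall through */`; the same comment after the `break;` guard would keep the two consistent and quiet `-Wimplicit-fallthrough`.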
@@ -0,0 +1,47 @@ +From 858069eb28f440d5fb8658f1c3903e078ac42b92 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 18:33:23 +0200 +Subject: [PATCH] evaluate: Avoid undefined behaviour in concat_subtype_id() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360789 +Upstream Status: nftables commit 83e52f7a7f5ea + +commit 83e52f7a7f5eaa893e146d23ff2e9292179f9485 +Author: Phil Sutter +Date: Tue Aug 30 19:39:52 2016 +0200 + + evaluate: Avoid undefined behaviour in concat_subtype_id() + + For the left side of a concat expression, dtype is NULL and therefore + off is 0. In that case the code expects to get a datatype of + TYPE_INVALID, but this is fragile as the output of concat_subtype_id() + is undefined for n > 32 / TYPE_BITS. + + To fix this, call datatype_lookup() directly passing the expected + TYPE_INVALID as argument if off is 0. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 680eda0..20584b7 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -965,7 +965,10 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr) + "expressions", + i->dtype->name); + +- tmp = concat_subtype_lookup(type, --off); ++ if (dtype == NULL) ++ tmp = datatype_lookup(TYPE_INVALID); ++ else ++ tmp = concat_subtype_lookup(type, --off); + expr_set_context(&ctx->ectx, tmp, tmp->size); + + if (list_member_evaluate(ctx, &i) < 0) +-- +1.8.3.1 + diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 173247a..5d5ee86 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,6 +1,10 @@ +%define rpmversion 0.6 +%define specrelease 4%{?dist} +%define libnftnlversion 1.0.6-4 + Name: nftables -Version: 0.6 -Release: 2%{?dist} +Version: %{rpmversion} +Release: %{specrelease} Summary: Netfilter Tables userspace utillites License: GPLv2 URL: http://netfilter.org/projects/nftables/ 
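Review bot: The new `dtype == NULL` branch in expr_evaluate_concat has no comment, so the reason for it survives only in the commit message. A line above the `if`, for example `/* no declared type yet (left side of a concat): skip the per-subtype lookup, whose result is undefined here */`, would keep that with the code. On this path `off` is no longer decremented; the commit message says it is 0 there, but its initialisation and any later use are outside the hunk, so that is worth confirming against the rest of the loop.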
@@ -13,17 +17,30 @@ BuildRequires: bison BuildRequires: libmnl-devel BuildRequires: gmp-devel BuildRequires: readline-devel -BuildRequires: libnftnl-devel +BuildRequires: libnftnl-devel >= %{libnftnlversion} # docbook2X is available in EPEL repo only, which is not included in Brew #BuildRequires: docbook2X #BuildRequires: docbook-dtds BuildRequires: systemd +Patch0: 0001-src-use-new-range-expression-for-a-b-intervals.patch +Patch1: 0002-netlink_delinearize-Avoid-potential-null-pointer-der.patch +Patch2: 0003-evaluate-Fix-datalen-checks-in-expr_evaluate_string.patch +Patch3: 0004-evaluate-reject-Have-a-generic-fix-for-missing-netwo.patch +Patch4: 0005-payload-don-t-update-protocol-context-if-we-can-t-fi.patch +Patch5: 0006-src-rename-datatype-name-from-tc_handle-to-classid.patch +Patch6: 0007-src-simplify-classid-printing-using-x-instead-of-04x.patch +Patch7: 0008-src-meta-priority-support-using-tc-classid.patch +Patch8: 0009-meta-fix-memory-leak-in-tc-classid-parser.patch +Patch9: 0010-datatype-time_type-should-send-milliseconds-to-users.patch +Patch10: 0011-include-refresh-uapi-linux-netfilter-nf_tables.h-cop.patch +Patch11: 0012-src-Interpret-OP_NEQ-against-a-set-as-OP_LOOKUP.patch +Patch12: 0013-evaluate-Avoid-undefined-behaviour-in-concat_subtype.patch %description Netfilter Tables userspace utilities. %prep -%setup -q +%autosetup -p1 %build %configure --disable-silent-rules 
@@ -60,6 +77,24 @@ cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ %{_unitdir}/nftables.service %changelog +* Fri May 12 2017 Phil Sutter [0.6-4.el7] +- evaluate: Avoid undefined behaviour in concat_subtype_id() (Phil Sutter) [1360789] +- src: Interpret OP_NEQ against a set as OP_LOOKUP (Phil Sutter) [1440011] +- include: refresh uapi/linux/netfilter/nf_tables.h copy (Phil Sutter) [1440011] +- datatype: time_type should send milliseconds to userspace (Phil Sutter) [1427114] +- meta: fix memory leak in tc classid parser (Phil Sutter) [1380326] +- src: meta priority support using tc classid (Phil Sutter) [1380326] +- src: simplify classid printing using x instead of 04x (Phil Sutter) [1380326] +- src: rename datatype name from tc_handle to classid (Phil Sutter) [1380326] +- payload: don't update protocol context if we can't find a description (Timothy Redaelli) [1446534 1399764] +- evaluate: reject: Have a generic fix for missing network context (Timothy Redaelli) [1360354] + +* Mon Mar 06 2017 Phil Sutter [0.6-3.el7] +- nftables.spec: Require at least libnftnl-1.0.6-4 (Phil Sutter) [1358705] +- evaluate: Fix datalen checks in expr_evaluate_string() (Phil Sutter) [1360240] +- netlink_delinearize: Avoid potential null pointer deref (Timothy Redaelli) [1360257] +- src: use new range expression for != [a,b] intervals (Phil Sutter) [1358705] + * Tue Jul 19 2016 Phil Sutter 0.6-2 - Add pre-generated nft.8 to overcome missing docbook2X package.