
bug: GetRule missing parse expr.Ct and expr.Range in rule #119

Closed
lyonsdpy opened this issue May 11, 2021 · 1 comment · Fixed by #120

Comments

@lyonsdpy (Contributor)

1- create a new rule matching ct state and an IP range

// Test lives in package nftables (Rule is used unqualified). getConn, closeNs,
// mytable, cin and cout are helpers/variables defined elsewhere in the test file.
package nftables

import (
	"testing"

	"github.com/google/nftables/expr"
	"github.com/vishvananda/netns"
)

func TestRule(t *testing.T) {
	conn, err := getConn()
	if err != nil {
		t.Fatal(err)
	}
	defer closeNs(netns.NsHandle(conn.NetNS))

	// ct state established,related ip daddr != 192.168.1.1-192.168.1.100 accept
	ruleIn := &Rule{
		Table: mytable,
		Chain: cin,
		Exprs: []expr.Any{
			&expr.Ct{Register: 1, SourceRegister: false, Key: expr.CtKeySTATE},
			&expr.Bitwise{
				SourceRegister: 1,
				DestRegister:   1,
				Len:            4,
				Mask:           []byte{6, 0, 0, 0},
				Xor:            []byte{0, 0, 0, 0},
			},
			&expr.Cmp{Op: expr.CmpOpNeq, Register: 1, Data: []byte{0, 0, 0, 0}},
			&expr.Payload{
				Base:         expr.PayloadBaseNetworkHeader,
				DestRegister: 1,
				Offset:       16,
				Len:          4,
			},
			&expr.Range{
				Op:       expr.CmpOpNeq,
				Register: 1,
				FromData: []byte{192, 168, 1, 1},
				ToData:   []byte{192, 168, 1, 100},
			},
			&expr.Verdict{Kind: expr.VerdictAccept},
		},
	}

	conn.AddRule(ruleIn)

	// Flush sends the batched rule to the kernel.
	err = conn.Flush()
	if err != nil {
		t.Fatal(err)
	}
}

2- use the nft tool to check the rule

$ nft list ruleset
table ip mytable {
        chain c_in {
                type filter hook input priority filter; policy accept;
                ct state established,related ip daddr != 192.168.1.1-192.168.1.100 accept
        }

        chain c_out {
                type filter hook output priority filter; policy accept;
        }
}

3- use GetRule and print the type and content of each rule.Exprs entry

// Same package and helpers as the test above (getConn, closeNs, mytable, cin, cout
// are defined elsewhere in the test file).
package nftables

import (
	"reflect"
	"testing"

	"github.com/vishvananda/netns"
)

func TestListRuleSet(t *testing.T) {
	conn, err := getConn()
	if err != nil {
		t.Fatal(err)
	}
	defer closeNs(netns.NsHandle(conn.NetNS))

	rules, err := conn.GetRule(mytable, cin)
	if err != nil {
		t.Fatal(err)
	}

	// Print the concrete type and fields of every expression read back from the kernel.
	for _, rule := range rules {
		for _, exp := range rule.Exprs {
			t.Log("\n", reflect.TypeOf(exp))
			t.Logf("%+v", exp)
		}
	}

	rules, err = conn.GetRule(mytable, cout)
	if err != nil {
		t.Fatal(err)
	}

	for _, rule := range rules {
		for _, exp := range rule.Exprs {
			t.Log("\n", reflect.TypeOf(exp))
			t.Logf("%+v", exp)
		}
	}
}
/*output
*expr.Bitwise
&{SourceRegister:1 DestRegister:1 Len:4 Mask:[6 0 0 0] Xor:[0 0 0 0]}

*expr.Cmp
&{Op:1 Register:1 Data:[0 0 0 0]}

*expr.Payload
&{OperationType:0 DestRegister:1 SourceRegister:0 Base:1 Offset:16 Len:4 CsumType:0  CsumFlags:0}

*expr.Verdict
&{Kind:1 Chain:}
*/

Notice that no *expr.Ct and *expr.Range appear.

So I tried adding the related type selection below case unix.NFTA_EXPR_DATA in function exprsFromMsg:

case "ct":
    e = &expr.Ct{}
case "range":
    e = &expr.Range{}

then the test works fine:

/*output
*expr.Ct
&{Register:1 SourceRegister:false Key:0}

*expr.Bitwise
&{SourceRegister:1 DestRegister:1 Len:4 Mask:[6 0 0 0] Xor:[0 0 0 0]}

*expr.Cmp
&{Op:1 Register:1 Data:[0 0 0 0]}

*expr.Payload
&{OperationType:0 DestRegister:1 SourceRegister:0 Base:1 Offset:16 Len:4 CsumType:0  CsumFlags:0}

*expr.Range
&{Op:1 Register:1 FromData:[8 0 1 0 192 168 1 1] ToData:[8 0 1 0 192 168 1 100]}

*expr.Verdict
&{Kind:1 Chain:}
*/
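The second output above shows FromData as [8 0 1 0 192 168 1 1]: the 4-byte address is preceded by a netlink attribute header (length 8, type 1, i.e. NFTA_DATA_VALUE). The block below is an added example, not code from this issue or from google/nftables: it walks netlink attributes in general, extracts the NFTA_DATA_VALUE payload from a Range bound, and renders the bound pair the way nft prints it. It assumes little-endian host byte order and NFTA_DATA_VALUE = 1, and its sample bytes are constructed from the output above. The practical point for anyone auditing or re-serializing rules read back through GetRule: a rule returned without its Ct and Range expressions is more permissive than the one that was written (it degrades to an unconditional accept on input), so compare the returned expression list against what was added before trusting it.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Constants assumed for this example (nf_tables netlink wire format, not library code):
// NFTA_DATA_VALUE (1) is the nested attribute carrying a literal value inside
// NFTA_RANGE_FROM_DATA / NFTA_RANGE_TO_DATA. Attribute headers are in host byte
// order; little-endian is assumed, matching the bytes shown in the issue output.
const (
	nftaDataValue = 1
	nlaHeaderLen  = 4      // uint16 length + uint16 type
	nlaAlign      = 4      // payloads are padded to a 4-byte boundary
	nlaTypeMask   = 0x3fff // drops the NLA_F_NESTED / NLA_F_NET_BYTEORDER flag bits
)

// nlattr is one decoded netlink attribute.
type nlattr struct {
	Type    uint16
	Payload []byte
}

// parseNlattrs walks a buffer of consecutive netlink attributes. The length
// field counts the header, so a well-formed attribute is never shorter than
// 4 bytes and never longer than what remains in the buffer.
func parseNlattrs(b []byte) ([]nlattr, error) {
	var out []nlattr
	for len(b) > 0 {
		if len(b) < nlaHeaderLen {
			return nil, fmt.Errorf("%d trailing bytes, shorter than an attribute header", len(b))
		}
		l := int(binary.LittleEndian.Uint16(b[0:2]))
		typ := binary.LittleEndian.Uint16(b[2:4]) & nlaTypeMask
		if l < nlaHeaderLen || l > len(b) {
			return nil, fmt.Errorf("attribute length %d invalid with %d bytes remaining", l, len(b))
		}
		out = append(out, nlattr{Type: typ, Payload: b[nlaHeaderLen:l]})
		next := (l + nlaAlign - 1) &^ (nlaAlign - 1) // skip alignment padding
		if next > len(b) {
			next = len(b)
		}
		b = b[next:]
	}
	return out, nil
}

// dataValue extracts the NFTA_DATA_VALUE payload from a range bound as it
// appears in the GetRule output above. It is strict: bytes that are not exactly
// one NFTA_DATA_VALUE attribute (for example an unwrapped 4-byte IP) are an
// error rather than being guessed at.
func dataValue(b []byte) ([]byte, error) {
	attrs, err := parseNlattrs(b)
	if err != nil {
		return nil, err
	}
	if len(attrs) != 1 || attrs[0].Type != nftaDataValue {
		return nil, fmt.Errorf("expected a single NFTA_DATA_VALUE attribute, got %d attribute(s)", len(attrs))
	}
	return attrs[0].Payload, nil
}

// ipRange renders the FromData/ToData pair of an expr.Range the way nft prints
// it ("a.b.c.d-e.f.g.h"), accepting IPv4 (4-byte) and IPv6 (16-byte) values.
func ipRange(fromData, toData []byte) (string, error) {
	from, err := dataValue(fromData)
	if err != nil {
		return "", fmt.Errorf("from: %w", err)
	}
	to, err := dataValue(toData)
	if err != nil {
		return "", fmt.Errorf("to: %w", err)
	}
	if (len(from) != net.IPv4len && len(from) != net.IPv6len) || len(from) != len(to) {
		return "", fmt.Errorf("unsupported address lengths %d and %d", len(from), len(to))
	}
	return net.IP(from).String() + "-" + net.IP(to).String(), nil
}

func main() {
	// Constructed from the bytes shown in the issue's second test output.
	from := []byte{8, 0, 1, 0, 192, 168, 1, 1}
	to := []byte{8, 0, 1, 0, 192, 168, 1, 100}
	s, err := ipRange(from, to)
	fmt.Println(s, err) // 192.168.1.1-192.168.1.100 <nil>
}
```

dataValue deliberately refuses bytes that are not a single wrapped attribute instead of falling back to treating them as a raw address: a 4-byte IP such as 4.0.1.0 happens to look like a valid empty NFTA_DATA_VALUE header, so guessing the encoding would silently produce a wrong range.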
@stapelberg (Collaborator)

cc @sbezverk who authored the Ct expression type
