netfilter: nf_tables: fix 'exist' matching on bigendian arches
authorFlorian Westphal <fw@strlen.de>
Mon, 4 Dec 2023 11:29:54 +0000 (12:29 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 13 Dec 2023 17:39:11 +0000 (18:39 +0100)
[ Upstream commit 63331e37fb227e796894b31d713697612c8dee7f ]

Maze reports "tcp option fastopen exists" fails to match on
OpenWrt 22.03.5, r20134-5f15225c1e (5.10.176) router.

"tcp option fastopen exists" translates to:
inet
  [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]

.. but existing nft userspace generates a 1-byte compare.

On LSB (x86), "*reg32 = 1" is identical to nft_reg_store8(reg32, 1), but
not on MSB, which will place the 1 last. IOW, on bigendian aches the cmp8
is awalys false.

Make sure we store this in a consistent fashion, so existing userspace
will also work on MSB (bigendian).

Regardless of this patch we can also change nft userspace to generate
'reg32 == 0' and 'reg32 != 0' instead of u8 == 0 // u8 == 1 when
adding 'option x missing/exists' expressions as well.

Fixes: 3c1fece8819e ("netfilter: nft_exthdr: Allow checking TCP option presence, too")
Fixes: b9f9a485fb0e ("netfilter: nft_exthdr: add boolean DCCP option matching")
Fixes: 055c4b34b94f ("netfilter: nft_fib: Support existence check")
Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com>
Closes: https://lore.kernel.org/netfilter-devel/CAHo-OozyEqHUjL2-ntATzeZOiuftLWZ_HU6TOM_js4qLfDEAJg@mail.gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nft_exthdr.c
net/netfilter/nft_fib.c

index f96706de1ad0569486dff262e9873261c610e851..de588f7b69c45376c4bc1680a6e85cac56ccfc0e 100644 (file)
@@ -215,7 +215,7 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
 
                offset = i + priv->offset;
                if (priv->flags & NFT_EXTHDR_F_PRESENT) {
-                       *dest = 1;
+                       nft_reg_store8(dest, 1);
                } else {
                        if (priv->len % NFT_REG32_SIZE)
                                dest[priv->len / NFT_REG32_SIZE] = 0;
@@ -462,7 +462,7 @@ static void nft_exthdr_dccp_eval(const struct nft_expr *expr,
                type = bufp[0];
 
                if (type == priv->type) {
-                       *dest = 1;
+                       nft_reg_store8(dest, 1);
                        return;
                }
 
index 1f12d7ade606c89496de381ba43b01addedac2f9..5748415f74d0bf6249587594098dec7ef004e661 100644 (file)
@@ -144,11 +144,15 @@ void nft_fib_store_result(void *reg, const struct nft_fib *priv,
        switch (priv->result) {
        case NFT_FIB_RESULT_OIF:
                index = dev ? dev->ifindex : 0;
-               *dreg = (priv->flags & NFTA_FIB_F_PRESENT) ? !!index : index;
+               if (priv->flags & NFTA_FIB_F_PRESENT)
+                       nft_reg_store8(dreg, !!index);
+               else
+                       *dreg = index;
+
                break;
        case NFT_FIB_RESULT_OIFNAME:
                if (priv->flags & NFTA_FIB_F_PRESENT)
-                       *dreg = !!dev;
+                       nft_reg_store8(dreg, !!dev);
                else
                        strncpy(reg, dev ? dev->name : "", IFNAMSIZ);
                break;