Broke down and added an OR to the rules engine. It is now possible to have a series of MATCHes that are ORed.

author: Adam Ierymenko <adam.ierymenko@gmail.com> 2016-10-11 12:00:16 -0700
committer: Adam Ierymenko <adam.ierymenko@gmail.com> 2016-10-11 12:00:16 -0700
commit: e53f63ca8700a526b15c2e7d05076d685734bcf6 (patch)
tree: bd653d2adad189f041f311858fd29eda211d892a /node
parent: e59ed3e68f6091a4bc5bb8b58cb080755feced3c (diff)
download: infinitytier-e53f63ca8700a526b15c2e7d05076d685734bcf6.tar.gz
infinitytier-e53f63ca8700a526b15c2e7d05076d685734bcf6.zip
2 files changed, 21 insertions, 19 deletions
diff --git a/node/Capability.hpp b/node/Capability.hpp
index 99980ce7..2c829ee5 100644
--- a/node/Capability.hpp
+++ b/node/Capability.hpp
@@ -166,7 +166,7 @@ public:
 			// field followed by field data. The inclusion of the size will allow non-supported
 			// rules to be ignored but still parsed.
 			b.append((uint8_t)rules[i].t);
-			switch((ZT_VirtualNetworkRuleType)(rules[i].t & 0x7f)) {
+			switch((ZT_VirtualNetworkRuleType)(rules[i].t & 0x3f)) {
 				//case ZT_NETWORK_RULE_ACTION_DROP:
 				//case ZT_NETWORK_RULE_ACTION_ACCEPT:
 				//case ZT_NETWORK_RULE_ACTION_DEBUG_LOG:
@@ -198,10 +198,6 @@ public:
 					b.append((uint8_t)1);
 					b.append((uint8_t)rules[i].v.vlanDei);
 					break;
-				case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
-					b.append((uint8_t)2);
-					b.append((uint16_t)rules[i].v.etherType);
-					break;
 				case ZT_NETWORK_RULE_MATCH_MAC_SOURCE:
 				case ZT_NETWORK_RULE_MATCH_MAC_DEST:
 					b.append((uint8_t)6);
@@ -227,6 +223,10 @@ public:
 					b.append((uint8_t)1);
 					b.append((uint8_t)rules[i].v.ipProtocol);
 					break;
+				case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
+					b.append((uint8_t)2);
+					b.append((uint16_t)rules[i].v.etherType);
+					break;
 				case ZT_NETWORK_RULE_MATCH_ICMP:
 					b.append((uint8_t)3);
 					b.append((uint8_t)rules[i].v.icmp.type);
@@ -270,7 +270,7 @@ public:
 		while ((ruleCount < maxRuleCount)&&(p < b.size())) {
 			rules[ruleCount].t = (uint8_t)b[p++];
 			const unsigned int fieldLen = (unsigned int)b[p++];
-			switch((ZT_VirtualNetworkRuleType)(rules[ruleCount].t & 0x7f)) {
+			switch((ZT_VirtualNetworkRuleType)(rules[ruleCount].t & 0x3f)) {
 				default:
 					break;
 				case ZT_NETWORK_RULE_ACTION_TEE:
@@ -293,9 +293,6 @@ public:
 				case ZT_NETWORK_RULE_MATCH_VLAN_DEI:
 					rules[ruleCount].v.vlanDei = (uint8_t)b[p];
 					break;
-				case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
-					rules[ruleCount].v.etherType = b.template at<uint16_t>(p);
-					break;
 				case ZT_NETWORK_RULE_MATCH_MAC_SOURCE:
 				case ZT_NETWORK_RULE_MATCH_MAC_DEST:
 					memcpy(rules[ruleCount].v.mac,b.field(p,6),6);
@@ -316,6 +313,9 @@ public:
 				case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL:
 					rules[ruleCount].v.ipProtocol = (uint8_t)b[p];
 					break;
+				case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
+					rules[ruleCount].v.etherType = b.template at<uint16_t>(p);
+					break;
 				case ZT_NETWORK_RULE_MATCH_ICMP:
 					rules[ruleCount].v.icmp.type = (uint8_t)b[p];
 					rules[ruleCount].v.icmp.code = (uint8_t)b[p+1];
diff --git a/node/Network.cpp b/node/Network.cpp
index 00c201ba..177f1a6d 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -58,7 +58,6 @@ static const char *_rtn(const ZT_VirtualNetworkRuleType rt)
 		case ZT_NETWORK_RULE_MATCH_VLAN_ID: return "MATCH_VLAN_ID";
 		case ZT_NETWORK_RULE_MATCH_VLAN_PCP: return "MATCH_VLAN_PCP";
 		case ZT_NETWORK_RULE_MATCH_VLAN_DEI: return "MATCH_VLAN_DEI";
-		case ZT_NETWORK_RULE_MATCH_ETHERTYPE: return "MATCH_ETHERTYPE";
 		case ZT_NETWORK_RULE_MATCH_MAC_SOURCE: return "MATCH_MAC_SOURCE";
 		case ZT_NETWORK_RULE_MATCH_MAC_DEST: return "MATCH_MAC_DEST";
 		case ZT_NETWORK_RULE_MATCH_IPV4_SOURCE: return "MATCH_IPV4_SOURCE";
@@ -67,6 +66,7 @@ static const char *_rtn(const ZT_VirtualNetworkRuleType rt)
 		case ZT_NETWORK_RULE_MATCH_IPV6_DEST: return "MATCH_IPV6_DEST";
 		case ZT_NETWORK_RULE_MATCH_IP_TOS: return "MATCH_IP_TOS";
 		case ZT_NETWORK_RULE_MATCH_IP_PROTOCOL: return "MATCH_IP_PROTOCOL";
+		case ZT_NETWORK_RULE_MATCH_ETHERTYPE: return "MATCH_ETHERTYPE";
 		case ZT_NETWORK_RULE_MATCH_ICMP: return "MATCH_ICMP";
 		case ZT_NETWORK_RULE_MATCH_IP_SOURCE_PORT_RANGE: return "MATCH_IP_SOURCE_PORT_RANGE";
 		case ZT_NETWORK_RULE_MATCH_IP_DEST_PORT_RANGE: return "MATCH_IP_DEST_PORT_RANGE";
@@ -182,7 +182,7 @@ static _doZtFilterResult _doZtFilter(
 	uint8_t thisSetMatches = 1;
 
 	for(unsigned int rn=0;rn<ruleCount;++rn) {
-		const ZT_VirtualNetworkRuleType rt = (ZT_VirtualNetworkRuleType)(rules[rn].t & 0x7f);
+		const ZT_VirtualNetworkRuleType rt = (ZT_VirtualNetworkRuleType)(rules[rn].t & 0x3f);
 
 		// First check if this is an ACTION
 		if ((unsigned int)rt <= (unsigned int)ZT_NETWORK_RULE_ACTION__MAX_ID) {
@@ -272,8 +272,9 @@ static _doZtFilterResult _doZtFilter(
 			}
 		}
 
-		// Circuit breaker: skip further MATCH entries up to next ACTION if match state is false
-		if (!thisSetMatches)
+		// Circuit breaker: no need to evaluate an AND if the set's match state
+		// is currently false since anything AND false is false.
+		if ((!thisSetMatches)&&(!(rules[rn].t & 0x40)))
 			continue;
 
 		// If this was not an ACTION evaluate next MATCH and update thisSetMatches with (AND [result])
@@ -301,10 +302,6 @@ static _doZtFilterResult _doZtFilter(
 				thisRuleMatches = (uint8_t)(rules[rn].v.vlanDei == 0);
 				FILTER_TRACE("%u %s %c %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.vlanDei,0,(unsigned int)thisRuleMatches);
 				break;
-			case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
-				thisRuleMatches = (uint8_t)(rules[rn].v.etherType == (uint16_t)etherType);
-				FILTER_TRACE("%u %s %c %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.etherType,etherType,(unsigned int)thisRuleMatches);
-				break;
 			case ZT_NETWORK_RULE_MATCH_MAC_SOURCE:
 				thisRuleMatches = (uint8_t)(MAC(rules[rn].v.mac,6) == macSource);
 				FILTER_TRACE("%u %s %c %.12llx=%.12llx -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),rules[rn].v.mac,macSource.toInt(),(unsigned int)thisRuleMatches);
@@ -380,6 +377,10 @@ static _doZtFilterResult _doZtFilter(
 					FILTER_TRACE("%u %s %c [frame not IP] -> 0",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='));
 				}
 				break;
+			case ZT_NETWORK_RULE_MATCH_ETHERTYPE:
+				thisRuleMatches = (uint8_t)(rules[rn].v.etherType == (uint16_t)etherType);
+				FILTER_TRACE("%u %s %c %u==%u -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),(unsigned int)rules[rn].v.etherType,etherType,(unsigned int)thisRuleMatches);
+				break;
 			case ZT_NETWORK_RULE_MATCH_ICMP:
 				if ((etherType == ZT_ETHERTYPE_IPV4)&&(frameLen >= 20)) {
 					if (frameData[9] == 0x01) {
@@ -560,8 +561,9 @@ static _doZtFilterResult _doZtFilter(
 				break;
 		}
 
-		// State of equals state AND result of last MATCH (possibly NOTed depending on bit 0x80)
-		thisSetMatches &= (thisRuleMatches ^ ((rules[rn].t >> 7) & 1));
+		if ((rules[rn].t & 0x40))
+			thisSetMatches |= (thisRuleMatches ^ ((rules[rn].t >> 7) & 1));
+		else thisSetMatches &= (thisRuleMatches ^ ((rules[rn].t >> 7) & 1));
 	}
 
 	return DOZTFILTER_NO_MATCH;
author	Adam Ierymenko <adam.ierymenko@gmail.com>	2016-10-11 12:00:16 -0700
committer	Adam Ierymenko <adam.ierymenko@gmail.com>	2016-10-11 12:00:16 -0700
commit	e53f63ca8700a526b15c2e7d05076d685734bcf6 (patch)
tree	bd653d2adad189f041f311858fd29eda211d892a /node
parent	e59ed3e68f6091a4bc5bb8b58cb080755feced3c (diff)
download	infinitytier-e53f63ca8700a526b15c2e7d05076d685734bcf6.tar.gz infinitytier-e53f63ca8700a526b15c2e7d05076d685734bcf6.zip