
Commit 4a80e02

committed
netfilter: nft_meta: cancel register tracking after meta update
The meta expression might mangle the packet metadata, so cancel register tracking, since any metadata held in the registers is then stale. Finer-grain register tracking cancellation, by inspecting the meta type on the register, is also possible. Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent cc003c7 commit 4a80e02


2 files changed

+40
-0
lines changed


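--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -100,13 +100,33 @@ static const struct nft_expr_ops nft_meta_bridge_get_ops = {
 	.dump = nft_meta_get_dump,
 };
 
+static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
+				       const struct nft_expr *expr)
+{
+	int i;
+
+	for (i = 0; i < NFT_REG32_NUM; i++) {
+		if (!track->regs[i].selector)
+			continue;
+
+		if (track->regs[i].selector->ops != &nft_meta_bridge_get_ops)
+			continue;
+
+		track->regs[i].selector = NULL;
+		track->regs[i].bitwise = NULL;
+	}
+
+	return false;
+}
+
 static const struct nft_expr_ops nft_meta_bridge_set_ops = {
 	.type = &nft_meta_bridge_type,
 	.size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
 	.eval = nft_meta_set_eval,
 	.init = nft_meta_set_init,
 	.destroy = nft_meta_set_destroy,
 	.dump = nft_meta_set_dump,
+	.reduce = nft_meta_bridge_set_reduce,
 	.validate = nft_meta_set_validate,
 };
 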
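Review bot: nft_meta_bridge_set_reduce is a line-for-line copy of nft_meta_set_reduce in net/netfilter/nft_meta.c, differing only in the ops pointer it compares against (`&nft_meta_bridge_get_ops` here, `&nft_meta_get_ops` there). Because nft_meta_get_ops is declared static in nft_meta.c (visible in that hunk's header), the bridge module cannot share the table itself, but an exported helper taking the ops pointer — something like `bool nft_meta_set_reduce_ops(struct nft_regs_track *track, const struct nft_expr_ops *ops)` — would let both callbacks collapse to a single call and keep the two loops from drifting apart. Independently of that, a short comment above the loop would help the next reader, e.g. `/* a meta set may have changed metadata that an earlier meta get loaded into a register; drop tracking of every meta-get result rather than matching on the key */`.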
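--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -788,13 +788,33 @@ static const struct nft_expr_ops nft_meta_get_ops = {
 	.offload = nft_meta_get_offload,
 };
 
+static bool nft_meta_set_reduce(struct nft_regs_track *track,
+				const struct nft_expr *expr)
+{
+	int i;
+
+	for (i = 0; i < NFT_REG32_NUM; i++) {
+		if (!track->regs[i].selector)
+			continue;
+
+		if (track->regs[i].selector->ops != &nft_meta_get_ops)
+			continue;
+
+		track->regs[i].selector = NULL;
+		track->regs[i].bitwise = NULL;
+	}
+
+	return false;
+}
+
 static const struct nft_expr_ops nft_meta_set_ops = {
 	.type = &nft_meta_type,
 	.size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
 	.eval = nft_meta_set_eval,
 	.init = nft_meta_set_init,
 	.destroy = nft_meta_set_destroy,
 	.dump = nft_meta_set_dump,
+	.reduce = nft_meta_set_reduce,
 	.validate = nft_meta_set_validate,
 };
 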
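Review bot: The `expr` parameter of nft_meta_set_reduce is never read, so the key being written is not consulted and tracking is cancelled for every register a meta get filled, whatever metadata field the set actually touches. The commit message calls this a deliberate coarse choice with finer-grain cancellation left for later; a one-line comment saying so at the top of the loop, e.g. `/* coarse on purpose: drop every meta-get register regardless of the key being set */`, would stop a later reader from treating the unused parameter as an oversight. If the finer-grain version is pursued, the natural place is a second compare after the ops check, on the meta key carried in the private data of the selector and of `expr`. Whether registers filled by expressions other than meta get that also depend on packet metadata are handled elsewhere by the tracking framework cannot be judged from this hunk.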