netfilter: nft_meta: cancel register tracking after meta update
The meta expression might mangle the packet metadata, cancel register tracking since any metadata in the registers is stale. Finer grain register tracking cancellation by inspecting the meta type on the register is also possible. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
cc003c7ee6
commit
4a80e02698
|
@ -100,6 +100,25 @@ static const struct nft_expr_ops nft_meta_bridge_get_ops = {
|
|||
.dump = nft_meta_get_dump,
|
||||
};
|
||||
|
||||
static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < NFT_REG32_NUM; i++) {
|
||||
if (!track->regs[i].selector)
|
||||
continue;
|
||||
|
||||
if (track->regs[i].selector->ops != &nft_meta_bridge_get_ops)
|
||||
continue;
|
||||
|
||||
track->regs[i].selector = NULL;
|
||||
track->regs[i].bitwise = NULL;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static const struct nft_expr_ops nft_meta_bridge_set_ops = {
|
||||
.type = &nft_meta_bridge_type,
|
||||
.size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
|
||||
|
@ -107,6 +126,7 @@ static const struct nft_expr_ops nft_meta_bridge_set_ops = {
|
|||
.init = nft_meta_set_init,
|
||||
.destroy = nft_meta_set_destroy,
|
||||
.dump = nft_meta_set_dump,
|
||||
.reduce = nft_meta_bridge_set_reduce,
|
||||
.validate = nft_meta_set_validate,
|
||||
};
|
||||
|
||||
|
|
|
@ -788,6 +788,25 @@ static const struct nft_expr_ops nft_meta_get_ops = {
|
|||
.offload = nft_meta_get_offload,
|
||||
};
|
||||
|
||||
static bool nft_meta_set_reduce(struct nft_regs_track *track,
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < NFT_REG32_NUM; i++) {
|
||||
if (!track->regs[i].selector)
|
||||
continue;
|
||||
|
||||
if (track->regs[i].selector->ops != &nft_meta_get_ops)
|
||||
continue;
|
||||
|
||||
track->regs[i].selector = NULL;
|
||||
track->regs[i].bitwise = NULL;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static const struct nft_expr_ops nft_meta_set_ops = {
|
||||
.type = &nft_meta_type,
|
||||
.size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
|
||||
|
@ -795,6 +814,7 @@ static const struct nft_expr_ops nft_meta_set_ops = {
|
|||
.init = nft_meta_set_init,
|
||||
.destroy = nft_meta_set_destroy,
|
||||
.dump = nft_meta_set_dump,
|
||||
.reduce = nft_meta_set_reduce,
|
||||
.validate = nft_meta_set_validate,
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in New Issue