Commit b2d30654 authored Mar 14, 2022 by Pablo Neira Ayuso

netfilter: nf_tables: do not reduce read-only expressions



Skip register tracking for expressions that perform read-only operations
on the registers. Define and use a cookie pointer NFT_REDUCE_READONLY to
avoid defining stubs for these expressions.

This patch re-enables register tracking which was disabled in ed5f85d4
("netfilter: nf_tables: disable register tracking"). Follow up patches
add remaining register tracking for existing expressions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 31d0bb97

include/net/netfilter/nf_tables.h

+8 −0

Original line number	Diff line number	Diff line
		@@ -1633,4 +1633,12 @@ static inline struct nftables_pernet nft_pernet(const struct net net)
		return net_generic(net, nf_tables_net_id);
		}

		#define __NFT_REDUCE_READONLY 1UL
		#define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY

		static inline bool nft_reduce_is_readonly(const struct nft_expr *expr)
		{
		return expr->ops->reduce == NFT_REDUCE_READONLY;
		}

		#endif /* _NET_NF_TABLES_H */

net/bridge/netfilter/nft_reject_bridge.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -185,6 +185,7 @@ static const struct nft_expr_ops nft_reject_bridge_ops = {
		.init = nft_reject_init,
		.dump = nft_reject_dump,
		.validate = nft_reject_bridge_validate,
		.reduce = NFT_REDUCE_READONLY,
		};

		static struct nft_expr_type nft_reject_bridge_type __read_mostly = {

net/ipv4/netfilter/nft_dup_ipv4.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -75,6 +75,7 @@ static const struct nft_expr_ops nft_dup_ipv4_ops = {
		.eval = nft_dup_ipv4_eval,
		.init = nft_dup_ipv4_init,
		.dump = nft_dup_ipv4_dump,
		.reduce = NFT_REDUCE_READONLY,
		};

		static const struct nla_policy nft_dup_ipv4_policy[NFTA_DUP_MAX + 1] = {

net/ipv4/netfilter/nft_reject_ipv4.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -45,6 +45,7 @@ static const struct nft_expr_ops nft_reject_ipv4_ops = {
		.init = nft_reject_init,
		.dump = nft_reject_dump,
		.validate = nft_reject_validate,
		.reduce = NFT_REDUCE_READONLY,
		};

		static struct nft_expr_type nft_reject_ipv4_type __read_mostly = {

net/ipv6/netfilter/nft_dup_ipv6.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -73,6 +73,7 @@ static const struct nft_expr_ops nft_dup_ipv6_ops = {
		.eval = nft_dup_ipv6_eval,
		.init = nft_dup_ipv6_init,
		.dump = nft_dup_ipv6_dump,
		.reduce = NFT_REDUCE_READONLY,
		};

		static const struct nla_policy nft_dup_ipv6_policy[NFTA_DUP_MAX + 1] = {