Re: [PATCH 1/3 -next] netfilter: nft_ct: labels get support

On Tue, Feb 18, 2014 at 10:27:22AM +0100, Florian Westphal wrote:
> Takes advantage of the fact that the number of labels is currently
> restricted to 2**128, ie. the extension area will always fit into
> nft register.
> 
> Patrick says the kernel registers need to be changed anyway to
> deal with concatenations so we will probably not run into issues
> when the number of labels increases in a future kernel release.
> 
> +#ifdef CONFIG_NF_CONNTRACK_LABELS
> +	case NFT_CT_LABELS: {
> +		struct nf_conn_labels *labels = nf_ct_labels_find(ct);
> +		unsigned int size;
> +
> +		if (!labels)
> +			goto err;

Is that really an error? I'd expect it to be equivalent with "no labels set",
which can also be matched on.

> +		size = labels->words * sizeof(long);
> +		if (size > sizeof(dest->data))
> +			goto err;

Can't we check that during ->init() if the number is limited anyway?

> +		memcpy(dest->data, labels->bits, size);
> +
> +		if (size < sizeof(dest->data))
> +			memset(((char *) dest->data) + size, 0,
> +			       sizeof(dest->data) - size);
> +		return;
> +	}
> +#endif
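Review bot: the runtime bound `if (size > sizeof(dest->data)) goto err;` is the only thing keeping `memcpy(dest->data, labels->bits, size)` from overrunning the register, so if that check is moved into ->init() as suggested, the value validated there has to be the same `labels->words` that the per-conntrack extension reports at match time; otherwise the memcpy loses its guard. The trailing `memset` of `sizeof(dest->data) - size` bytes is worth keeping in either case: it zeroes the part of `dest->data` beyond the copied labels, so a comparison against the full register never sees stale data left by a previous expression.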
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html