Hi,

The following patchset follows up on the register tracking infrastructure:

1) Add NFT_REDUCE_READONLY pointer cookie and use it, this is used to
   describe expressions that perform read-only operations on registers.
   Add WARN_ON_ONCE() to check for expr->ops->reduce, all expressions
   must have one.

2) Cancel register tracking information for operations that are larger
   than 32-bits (one register). Add update/cancel helper functions and
   adapt existing code to use them.

3) Add .reduce support to nft_ct.

4) Add .reduce support to nft_lookup.

5) Add .reduce support for nft_meta_bridge.

6) Add .reduce support for nft_numgen.

7) Add .reduce support for nft_osf.

8) Add .reduce support for nft_hash (jhash and symhash)

9) Add .reduce support for nft_immediate

Missing expressions with no expr->ops->reduce after this round:

- dynset
- exthdr
- fib
- socket
- tunnel
- xfrm

Florian Westphal (2):
  netfilter: nft_lookup: only cancel tracking for clobbered dregs
  netfilter: nft_meta: extend reduce support to bridge family

Pablo Neira Ayuso (7):
  netfilter: nf_tables: do not reduce read-only expressions
  netfilter: nf_tables: cancel tracking for clobbered destination registers
  netfilter: nft_ct: track register operations
  netfilter: nft_numgen: cancel register tracking
  netfilter: nft_osf: track register operations
  netfilter: nft_hash: track register operations
  netfilter: nft_immediate: cancel register tracking for data destination register

 include/net/netfilter/nf_tables.h        | 15 ++++++++
 include/net/netfilter/nft_meta.h         |  3 ++
 net/bridge/netfilter/nft_meta_bridge.c   |  5 ++-
 net/bridge/netfilter/nft_reject_bridge.c |  1 +
 net/netfilter/nf_tables_api.c            | 47 ++++++++++++++++++++++-
 net/netfilter/nft_bitwise.c              |  8 ++--
 net/netfilter/nft_byteorder.c            |  3 +-
 net/netfilter/nft_cmp.c                  |  3 ++
 net/netfilter/nft_compat.c               |  1 +
 net/netfilter/nft_connlimit.c            |  1 +
 net/netfilter/nft_counter.c              |  1 +
 net/netfilter/nft_ct.c                   | 49 ++++++++++++++++++++++++
 net/netfilter/nft_dup_netdev.c           |  1 +
 net/netfilter/nft_flow_offload.c         |  1 +
 net/netfilter/nft_fwd_netdev.c           |  2 +
 net/netfilter/nft_hash.c                 | 37 ++++++++++++++++++
 net/netfilter/nft_immediate.c            | 12 ++++++
 net/netfilter/nft_last.c                 |  1 +
 net/netfilter/nft_limit.c                |  2 +
 net/netfilter/nft_log.c                  |  1 +
 net/netfilter/nft_lookup.c               | 12 ++++++
 net/netfilter/nft_masq.c                 |  3 ++
 net/netfilter/nft_meta.c                 | 16 ++++----
 net/netfilter/nft_nat.c                  |  2 +
 net/netfilter/nft_numgen.c               | 22 +++++++++++
 net/netfilter/nft_objref.c               |  2 +
 net/netfilter/nft_osf.c                  | 26 +++++++++++++
 net/netfilter/nft_payload.c              |  9 ++---
 net/netfilter/nft_queue.c                |  2 +
 net/netfilter/nft_quota.c                |  1 +
 net/netfilter/nft_range.c                |  1 +
 net/netfilter/nft_redir.c                |  3 ++
 net/netfilter/nft_reject_inet.c          |  1 +
 net/netfilter/nft_reject_netdev.c        |  1 +
 net/netfilter/nft_rt.c                   |  1 +
 net/netfilter/nft_synproxy.c             |  1 +
 net/netfilter/nft_tproxy.c               |  1 +
 37 files changed, 274 insertions(+), 24 deletions(-)

--
2.30.2