I've resurrected the work I started a couple of years ago.

Currently bitwise boolean operations (AND, OR and XOR) can only have one variable operand. They are converted in user space into mask-and-xor operations on one register and two immediate values which are evaluated by the kernel. We add support for evaluating these operations directly in kernel space on one register and either an immediate value or a second register.

We also add support for keeping track of the bit-length of boolean expressions since this can be useful to user space during delinearization.

* Patch 1 adds support for keeping track of the bit-length of boolean expressions.
* Patches 2 & 3 make some small unrelated improvements.
* Patch 4 renames functions and an enum constant related to the current mask-and-xor implementation in anticipation of adding support for directly evaluating AND, OR and XOR operations.
* Patch 5 adds support for directly evaluating AND, OR and XOR operations.

Changes since v1

* Patch 1 is new.
* In v1, all boolean operations were still expected to be mask-and-xor operations, but the mask and xor values could be passed in registers.

Jeremy Sowden (5):
  netfilter: bitwise: keep track of bit-length of expressions
  netfilter: bitwise: replace hard-coded size with `sizeof` expression
  netfilter: bitwise: improve error goto labels
  netfilter: bitwise: rename some boolean operation functions
  netfilter: bitwise: add support for doing AND, OR and XOR directly

 include/uapi/linux/netfilter/nf_tables.h |  21 ++-
 net/netfilter/nft_bitwise.c              | 178 +++++++++++++++++++----
 2 files changed, 164 insertions(+), 35 deletions(-)

-- 
2.35.1
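The mask-and-xor conversion described in the message, as an added example that is not part of the original post or of the kernel patches: it folds AND, OR and XOR with an immediate into a (mask, xor) pair and checks the result against direct evaluation. All type and function names are hypothetical, a single 32-bit word stands in for a register, and the folding identities shown are assumed to be the ones user space applies.

```c
#include <stdint.h>

/* Hypothetical names for illustration; none are taken from nft_bitwise.c. */
enum bool_op { OP_AND, OP_OR, OP_XOR };
struct mask_xor { uint32_t mask, xor_val; };

/* User-space step: fold "reg OP imm" into a (mask, xor) pair. This needs imm
 * to be known when the rule is built, so a second register cannot be folded. */
static struct mask_xor to_mask_xor(enum bool_op op, uint32_t imm)
{
    switch (op) {
    case OP_AND: return (struct mask_xor){ imm, 0 };     /* x & imm */
    case OP_OR:  return (struct mask_xor){ ~imm, imm };  /* (x & ~imm) ^ imm == x | imm */
    default:     return (struct mask_xor){ ~0u, imm };   /* OP_XOR: x ^ imm */
    }
}

/* Evaluation step on one register and two immediate values. */
static uint32_t eval_mask_xor(uint32_t reg, struct mask_xor mx)
{
    return (reg & mx.mask) ^ mx.xor_val;
}

/* Direct evaluation: b may be an immediate or the value of a second register. */
static uint32_t eval_direct(enum bool_op op, uint32_t a, uint32_t b)
{
    switch (op) {
    case OP_AND: return a & b;
    case OP_OR:  return a | b;
    default:     return a ^ b;
    }
}

/* Compare both strategies over constructed sample values; returns mismatches. */
static int count_mismatches(void)
{
    static const uint32_t samples[] = { 0, 1, 0xffu, 0x0a000001u, 0xf0f0a5a5u, ~0u };
    const int n = sizeof(samples) / sizeof(samples[0]);
    int bad = 0;
    for (int op = OP_AND; op <= OP_XOR; op++)
        for (int i = 0; i < n; i++)
            for (int j = 0; j < n; j++)
                bad += eval_mask_xor(samples[i], to_mask_xor(op, samples[j])) !=
                       eval_direct(op, samples[i], samples[j]);
    return bad;
}

int main(void) { return count_mismatches() ? 1 : 0; }
```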