Hi,

I'd like to propose this again.

First patch is preparation work.
Second patch is the actual change I'd like to get into nf-next.

The third patch partially un-does the second:
Instead of rejecting a rule that triggers uninitialised register access
detection, do explicit zeroing from blob generator.

Please see patch 3 for a rationale why I think that we should just go
with patch 1+2.

Patch 4 reverts the explicit zeroing.

Florian Westphal (4):
  netfilter: nf_tables: pass context structure to nft_parse_register_load
  netfilter: nf_tables: allow loads only when register is initialized
  netfilter: nf_tables: insert register zeroing instructions for dodgy chains
  netfilter: nf_tables: don't initialize registers in nft_do_chain()

 include/net/netfilter/nf_tables.h      |  14 ++-
 net/bridge/netfilter/nft_meta_bridge.c |   2 +-
 net/ipv4/netfilter/nft_dup_ipv4.c      |   4 +-
 net/ipv6/netfilter/nft_dup_ipv6.c      |   4 +-
 net/netfilter/nf_tables_api.c          | 119 +++++++++++++++++++++++--
 net/netfilter/nf_tables_core.c         |   2 +-
 net/netfilter/nft_bitwise.c            |   4 +-
 net/netfilter/nft_byteorder.c          |   2 +-
 net/netfilter/nft_cmp.c                |   6 +-
 net/netfilter/nft_ct.c                 |   2 +-
 net/netfilter/nft_dup_netdev.c         |   2 +-
 net/netfilter/nft_dynset.c             |   4 +-
 net/netfilter/nft_exthdr.c             |   2 +-
 net/netfilter/nft_fwd_netdev.c         |   6 +-
 net/netfilter/nft_hash.c               |   2 +-
 net/netfilter/nft_lookup.c             |   2 +-
 net/netfilter/nft_masq.c               |   4 +-
 net/netfilter/nft_meta.c               |   2 +-
 net/netfilter/nft_nat.c                |   8 +-
 net/netfilter/nft_objref.c             |   2 +-
 net/netfilter/nft_payload.c            |   2 +-
 net/netfilter/nft_queue.c              |   2 +-
 net/netfilter/nft_range.c              |   2 +-
 net/netfilter/nft_redir.c              |   4 +-
 net/netfilter/nft_tproxy.c             |   4 +-
 25 files changed, 159 insertions(+), 48 deletions(-)

--
2.44.2