git.baikalelectronics.ru Git - kernel.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 25 Nov 2020 22:50:17 +0000 (23:50 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 27 Nov 2020 11:10:47 +0000 (12:10 +0100)
commit	e9f03bc3960acdb948af527473fb153f12874b33
tree	5649d545ae81423cd33e5e2264e6271972e53fcf	tree \| snapshot
parent	6f9191c9f3ef98bbce4a1a3236825a6c5a35c1a9	commit \| diff

netfilter: nftables_offload: build mask based from the matching bytes

Userspace might match on prefix bytes of header fields if they are on
the byte boundary, this requires that the mask is adjusted accordingly.
Use NFT_OFFLOAD_MATCH_EXACT() for meta since prefix byte matching is not
allowed for this type of selector.

The bitwise expression might be optimized out by userspace, hence the
kernel needs to infer the prefix from the number of payload bytes to
match on. This patch adds nft_payload_offload_mask() to calculate the
bitmask to match on the prefix.

Fixes: 7bd4d78a0b74 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_tables_offload.h		diff \| blob \| history
net/netfilter/nft_cmp.c		diff \| blob \| history
net/netfilter/nft_meta.c		diff \| blob \| history
net/netfilter/nft_payload.c		diff \| blob \| history