git.baikalelectronics.ru Git - kernel.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 25 Nov 2020 22:50:17 +0000 (23:50 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 27 Nov 2020 11:10:47 +0000 (12:10 +0100)
commit	19ba73a36a4d19b9cda67c9b838787c2b10c44c3
tree	5649d545ae81423cd33e5e2264e6271972e53fcf	tree \| snapshot
parent	461b7ef1aa3888d74012927b519dab20faa1d62f	commit \| diff

netfilter: nftables_offload: build mask based from the matching bytes

Userspace might match on prefix bytes of header fields if they are on
the byte boundary, this requires that the mask is adjusted accordingly.
Use NFT_OFFLOAD_MATCH_EXACT() for meta since prefix byte matching is not
allowed for this type of selector.

The bitwise expression might be optimized out by userspace, hence the
kernel needs to infer the prefix from the number of payload bytes to
match on. This patch adds nft_payload_offload_mask() to calculate the
bitmask to match on the prefix.

Fixes: 5b0ceb7358a3 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_tables_offload.h		diff \| blob \| history
net/netfilter/nft_cmp.c		diff \| blob \| history
net/netfilter/nft_meta.c		diff \| blob \| history
net/netfilter/nft_payload.c		diff \| blob \| history