netfilter: nft_meta: cancel register tracking after meta update

The meta expression might mangle the packet metadata, cancel register
tracking since any metadata in the registers is stale.

Finer grain register tracking cancellation by inspecting the meta type
on the register is also possible.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index 97805ec424c1996f8e0286a096f3205b644bd8a5..c1ef9cc89b7829568cb108a5bb35629c322e121a 100644 (file)
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -100,6 +100,25 @@ static const struct nft_expr_ops nft_meta_bridge_get_ops = {
        .dump           = nft_meta_get_dump,
 };
 
+static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
+                                      const struct nft_expr *expr)
+{
+       int i;
+
+       for (i = 0; i < NFT_REG32_NUM; i++) {
+               if (!track->regs[i].selector)
+                       continue;
+
+               if (track->regs[i].selector->ops != &nft_meta_bridge_get_ops)
+                       continue;
+
+               track->regs[i].selector = NULL;
+               track->regs[i].bitwise = NULL;
+       }
+
+       return false;
+}
+
 static const struct nft_expr_ops nft_meta_bridge_set_ops = {
        .type           = &nft_meta_bridge_type,
        .size           = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
@@ -107,6 +126,7 @@ static const struct nft_expr_ops nft_meta_bridge_set_ops = {
        .init           = nft_meta_set_init,
        .destroy        = nft_meta_set_destroy,
        .dump           = nft_meta_set_dump,
+       .reduce         = nft_meta_bridge_set_reduce,
        .validate       = nft_meta_set_validate,
 };
 

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 40fe48fcf9d06c90269f0fcf805cc0b8cef847dc..5ab4df56c945bdaa6c06c3aca660312bff202054 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -788,6 +788,25 @@ static const struct nft_expr_ops nft_meta_get_ops = {
        .offload        = nft_meta_get_offload,
 };
 
+static bool nft_meta_set_reduce(struct nft_regs_track *track,
+                               const struct nft_expr *expr)
+{
+       int i;
+
+       for (i = 0; i < NFT_REG32_NUM; i++) {
+               if (!track->regs[i].selector)
+                       continue;
+
+               if (track->regs[i].selector->ops != &nft_meta_get_ops)
+                       continue;
+
+               track->regs[i].selector = NULL;
+               track->regs[i].bitwise = NULL;
+       }
+
+       return false;
+}
+
 static const struct nft_expr_ops nft_meta_set_ops = {
        .type           = &nft_meta_type,
        .size           = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
@@ -795,6 +814,7 @@ static const struct nft_expr_ops nft_meta_set_ops = {
        .init           = nft_meta_set_init,
        .destroy        = nft_meta_set_destroy,
        .dump           = nft_meta_set_dump,
+       .reduce         = nft_meta_set_reduce,
        .validate       = nft_meta_set_validate,
 };