@@ -223,6 +223,17 @@ static bool nft_immediate_offload_action(const struct nft_expr *expr)
return false;
}
+static bool nft_immediate_reduce(struct nft_regs_track *track,
+ const struct nft_expr *expr)
+{
+ const struct nft_immediate_expr *priv = nft_expr_priv(expr);
+
+ if (priv->dreg != NFT_REG_VERDICT)
+ nft_reg_track_cancel(track, priv->dreg, priv->dlen);
+
+ return false;
+}
+
static const struct nft_expr_ops nft_imm_ops = {
.type = &nft_imm_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),
@@ -233,6 +244,7 @@ static const struct nft_expr_ops nft_imm_ops = {
.destroy = nft_immediate_destroy,
.dump = nft_immediate_dump,
.validate = nft_immediate_validate,
+ .reduce = nft_immediate_reduce,
.offload = nft_immediate_offload,
.offload_action = nft_immediate_offload_action,
};
The immediate expression might clobber existing data on the registers, cancel register tracking for the destination register. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- v2: use nft_reg_track_cancel() instead of __nft_reg_track_cancel() net/netfilter/nft_immediate.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)