| author | Fernando Fernandez Mancera <fmancera@suse.de> | 2025-08-28 14:48:31 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2025-09-02 15:28:18 +0200 |
| commit | 077dc4a275790b09e8a2ce80822ba8970e9dfb99 (patch) | |
| tree | 65ec7f03fbb3d1f0926cab59b41e06e9b461f180 /include/net | |
| parent | netfilter: nf_reject: remove unneeded exports (diff) | |
| download | linux-077dc4a275790b09e8a2ce80822ba8970e9dfb99.tar.gz linux-077dc4a275790b09e8a2ce80822ba8970e9dfb99.zip | |
netfilter: nft_payload: extend offset to 65535 bytes

In some situations 255 bytes offset is not enough to match or manipulate
the desired packet field. Increase the offset limit to 65535 or U16_MAX.

In addition, the nla policy maximum value is not set anymore as it is
limited to s16. Instead, the maximum value is checked during the payload
expression initialization function.

Tested with the nft command line tool.

table ip filter {
    chain output {
        @nh,2040,8 set 0xff
        @nh,524280,8 set 0xff
        @nh,524280,8 0xff
        @nh,2040,8 0xff
    }
}

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/nf_tables_core.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h index 6c2f483d9828..7644cfe9267d 100644 --- a/include/net/netfilter/nf_tables_core.h +++ b/include/net/netfilter/nf_tables_core.h @@ -73,7 +73,7 @@ struct nft_ct { struct nft_payload { enum nft_payload_bases base:8; - u8 offset; + u16 offset; u8 len; u8 dreg; }; |
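Review bot: The widened `u16 offset` in struct nft_payload is only safe if the init-time bound check mentioned in the commit message rejects anything above U16_MAX before the value is stored here, and that check is not visible in this include/net-limited view, so it needs to be confirmed in the nft_payload init path alongside this header change. Since the netlink policy no longer caps the attribute, an unchecked assignment into this field would silently truncate a larger user-supplied offset rather than fail. It is also worth auditing every reader of `offset` for u8 locals or parameters and for `offset + len` sums that assumed an 8-bit range. As a layout point, placing a `u16` directly after the 8-bit `base` bitfield will likely add a padding byte before `offset`; moving `offset` after `len` and `dreg`, or documenting the new size, would keep the struct compact.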
