git.ipfire.org Git - thirdparty/linux.git/commit

author	Fernando Fernandez Mancera <fmancera@suse.de>
	Thu, 28 Aug 2025 12:48:31 +0000 (14:48 +0200)
committer	Florian Westphal <fw@strlen.de>
	Tue, 2 Sep 2025 13:28:18 +0000 (15:28 +0200)
commit	077dc4a275790b09e8a2ce80822ba8970e9dfb99
tree	65ec7f03fbb3d1f0926cab59b41e06e9b461f180	tree \| snapshot
parent	f4f9e05904e11bbc772c031b35d0d25caa21d5e8	commit \| diff

netfilter: nft_payload: extend offset to 65535 bytes

In some situations 255 bytes offset is not enough to match or manipulate
the desired packet field. Increase the offset limit to 65535 or U16_MAX.

In addition, the nla policy maximum value is not set anymore as it is
limited to s16. Instead, the maximum value is checked during the payload
expression initialization function.

Tested with the nft command line tool.

table ip filter {
chain output {
@nh,2040,8 set 0xff
@nh,524280,8 set 0xff
@nh,524280,8 0xff
@nh,2040,8 0xff
}
}

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>

include/net/netfilter/nf_tables_core.h		diff \| blob \| blame \| history
net/netfilter/nft_payload.c		diff \| blob \| blame \| history