author Pablo Neira Ayuso <> 2022-01-09 17:11:24 +0100
committer Pablo Neira Ayuso <> 2022-01-09 23:35:17 +0100
netfilter: nft_bitwise: track register operations
Check if the destination register already contains the data that this bitwise expression performs. This allows skipping this redundant operation.

If the destination contains a different bitwise operation, cancel the register tracking information. If the destination contains no bitwise operation, update the register tracking information.

Update the payload and meta expression to check if this bitwise operation has been already performed on the register. Hence, both the payload/meta and the bitwise expressions are reduced.

There is also a special case: If source register != destination register and source register is not updated by a previous bitwise operation, then transfer selector from the source register to the destination register.

Signed-off-by: Pablo Neira Ayuso <>
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -235,7 +235,7 @@ static bool nft_payload_reduce(struct nft_regs_track *track,
if (!track->regs[priv->dreg].bitwise)
return true;
- return false;
+ return nft_expr_reduce_bitwise(track, expr);
static bool nft_payload_offload_mask(struct nft_offload_reg *reg,
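Review bot: the new tail return in nft_payload_reduce() has no comment stating the condition under which the payload load may still be dropped. After the `if (!track->regs[priv->dreg].bitwise)` early return, this line is reached only when the tracked register carries a bitwise operation, so a true result here removes a payload load whose destination register currently holds transformed data rather than the raw selector. Please add a one-line comment above `return nft_expr_reduce_bitwise(track, expr);` saying what the helper has to establish for that to be safe. The helper's definition is not in the lines shown, so it is worth confirming in review that it returns false whenever it cannot establish that, because a wrong true would make a rule match against stale register contents. The commit message says the meta expression gets the same change; the same comment would apply at that call site.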