netfilter: nf_tables: add netlink policy based cap on registers

Should have no effect in practice; all of these use the nft_parse_register_load/store apis which is mandatory anyway due to the need to further validate the register load/store, e.g. that the size argument doesn't result in out-of-bounds load/store. OTOH this is a simple method to reject obviously wrong input at earlier stage. Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2026-03-13 13:12:30 +0100
committer: Florian Westphal <fw@strlen.de> 2026-04-08 07:51:31 +0200
commit: 8e57338c3601d0cde806bd7e70c377109106c983 (patch)
tree: 5c91aca637a394052dcaf3ff6031b50a360b1fed /include/uapi/linux
parent: 66b75e6bbeeb489156a74534561bbbd360843a73 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index dca9e72b0558..0b708153469c 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -46,6 +46,10 @@ enum nft_registers {
 };
 #define NFT_REG_MAX	(__NFT_REG_MAX - 1)
 
+#ifdef __KERNEL__
+#define NFT_REG32_MAX	NFT_REG32_15
+#endif
+
 #define NFT_REG_SIZE	16
 #define NFT_REG32_SIZE	4
 #define NFT_REG32_COUNT	(NFT_REG32_15 - NFT_REG32_00 + 1)
author	Florian Westphal <fw@strlen.de>	2026-03-13 13:12:30 +0100
committer	Florian Westphal <fw@strlen.de>	2026-04-08 07:51:31 +0200
commit	8e57338c3601d0cde806bd7e70c377109106c983 (patch)
tree	5c91aca637a394052dcaf3ff6031b50a360b1fed /include/uapi/linux
parent	66b75e6bbeeb489156a74534561bbbd360843a73 (diff)