
Commit 6aa187f2 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Pablo Neira Ayuso

netfilter: nf_tables: kill nft_pktinfo.ops



- Add nft_pktinfo.pf to replace ops->pf
- Add nft_pktinfo.hook to replace ops->hooknum

This simplifies the code, makes it more readable, and likely reduces
cache line misses.  Maintainability is enhanced as the details of
nft_hook_ops are of no concern to the recipients of nft_pktinfo.

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 082a758f
+4 −5
@@ -16,7 +16,8 @@ struct nft_pktinfo {
	struct sk_buff			*skb;
	const struct net_device		*in;
	const struct net_device		*out;
	const struct nf_hook_ops	*ops;
	u8				pf;
	u8				hook;
	u8				nhoff;
	u8				thoff;
	u8				tprot;
@@ -25,16 +26,14 @@ struct nft_pktinfo {
};

static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
				   const struct nf_hook_ops *ops,
				   struct sk_buff *skb,
				   const struct nf_hook_state *state)
{
	pkt->skb = skb;
	pkt->in = pkt->xt.in = state->in;
	pkt->out = pkt->xt.out = state->out;
	pkt->ops = ops;
	pkt->xt.hooknum = ops->hooknum;
	pkt->xt.family = ops->pf;
	pkt->hook = pkt->xt.hooknum = state->hook;
	pkt->pf = pkt->xt.family = state->pf;
}

/**
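Review bot: The commit message does not say why `state->hook` and `state->pf` always equal the registered `ops->hooknum` and `ops->pf`, which nft_set_pktinfo() now relies on when it fills `pkt->hook` and `pkt->pf`. Every consumer that previously read `pkt->ops->hooknum`, such as the reject calls in nft_reject_bridge_eval(), inherits that assumption, so it deserves a line in the description or a comment such as `/* state->hook and state->pf describe the hook being traversed; they match the registered ops */`. The new fields are `u8`, and the type of `state->hook` is not visible in this hunk; if it is wider, the chained assignment narrows silently, and a field comment like `/* hook number, always < NF_MAX_HOOKS */` would record why that is safe. If struct nft_pktinfo has a kernel-doc block above the first hunk, it should drop @ops and gain @pf and @hook.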
+1 −2
@@ -6,13 +6,12 @@

static inline void
nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
		     const struct nf_hook_ops *ops,
		     struct sk_buff *skb,
		     const struct nf_hook_state *state)
{
	struct iphdr *ip;

	nft_set_pktinfo(pkt, ops, skb, state);
	nft_set_pktinfo(pkt, skb, state);

	ip = ip_hdr(pkt->skb);
	pkt->tprot = ip->protocol;
+1 −2
@@ -6,14 +6,13 @@

static inline int
nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
		     const struct nf_hook_ops *ops,
		     struct sk_buff *skb,
		     const struct nf_hook_state *state)
{
	int protohdr, thoff = 0;
	unsigned short frag_off;

	nft_set_pktinfo(pkt, ops, skb, state);
	nft_set_pktinfo(pkt, skb, state);

	protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
	/* If malformed, drop it */
+7 −9
@@ -65,27 +65,25 @@ int nft_bridge_ip6hdr_validate(struct sk_buff *skb)
EXPORT_SYMBOL_GPL(nft_bridge_ip6hdr_validate);

static inline void nft_bridge_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
					       const struct nf_hook_ops *ops,
					       struct sk_buff *skb,
					       const struct nf_hook_state *state)
{
	if (nft_bridge_iphdr_validate(skb))
		nft_set_pktinfo_ipv4(pkt, ops, skb, state);
		nft_set_pktinfo_ipv4(pkt, skb, state);
	else
		nft_set_pktinfo(pkt, ops, skb, state);
		nft_set_pktinfo(pkt, skb, state);
}

static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
					       const struct nf_hook_ops *ops,
					       struct sk_buff *skb,
					       const struct nf_hook_state *state)
{
#if IS_ENABLED(CONFIG_IPV6)
	if (nft_bridge_ip6hdr_validate(skb) &&
	    nft_set_pktinfo_ipv6(pkt, ops, skb, state) == 0)
	    nft_set_pktinfo_ipv6(pkt, skb, state) == 0)
		return;
#endif
	nft_set_pktinfo(pkt, ops, skb, state);
	nft_set_pktinfo(pkt, skb, state);
}

static unsigned int
@@ -97,13 +95,13 @@ nft_do_chain_bridge(const struct nf_hook_ops *ops,

	switch (eth_hdr(skb)->h_proto) {
	case htons(ETH_P_IP):
		nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, state);
		nft_bridge_set_pktinfo_ipv4(&pkt, skb, state);
		break;
	case htons(ETH_P_IPV6):
		nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, state);
		nft_bridge_set_pktinfo_ipv6(&pkt, skb, state);
		break;
	default:
		nft_set_pktinfo(&pkt, ops, skb, state);
		nft_set_pktinfo(&pkt, skb, state);
		break;
	}

+6 −6
@@ -273,16 +273,16 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
		switch (priv->type) {
		case NFT_REJECT_ICMP_UNREACH:
			nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
						      pkt->ops->hooknum,
						      pkt->hook,
						      priv->icmp_code);
			break;
		case NFT_REJECT_TCP_RST:
			nft_reject_br_send_v4_tcp_reset(pkt->skb, pkt->in,
							pkt->ops->hooknum);
							pkt->hook);
			break;
		case NFT_REJECT_ICMPX_UNREACH:
			nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
						      pkt->ops->hooknum,
						      pkt->hook,
						      nft_reject_icmp_code(priv->icmp_code));
			break;
		}
@@ -291,16 +291,16 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
		switch (priv->type) {
		case NFT_REJECT_ICMP_UNREACH:
			nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in,
						      pkt->ops->hooknum,
						      pkt->hook,
						      priv->icmp_code);
			break;
		case NFT_REJECT_TCP_RST:
			nft_reject_br_send_v6_tcp_reset(net, pkt->skb, pkt->in,
							pkt->ops->hooknum);
							pkt->hook);
			break;
		case NFT_REJECT_ICMPX_UNREACH:
			nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in,
						      pkt->ops->hooknum,
						      pkt->hook,
						      nft_reject_icmpv6_code(priv->icmp_code));
			break;
		}