[PATCH nf-next,RFC 06/10] netfilter: nf_tables: use hook state from xt_action_param structure
Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 35 +++-
net/bridge/netfilter/nft_meta_bridge.c | 2 +-
net/bridge/netfilter/nft_reject_bridge.c | 30 ---
net/ipv4/netfilter/nft_dup_ipv4.c| 2 +-
net/ipv4/netfilter/nft_masq_ipv4.c | 4 ++--
net/ipv4/netfilter/nft_redir_ipv4.c | 3 +--
net/ipv4/netfilter/nft_reject_ipv4.c | 4 ++--
net/ipv6/netfilter/nft_dup_ipv6.c| 2 +-
net/ipv6/netfilter/nft_masq_ipv6.c | 3 ++-
net/ipv6/netfilter/nft_redir_ipv6.c | 3 ++-
net/ipv6/netfilter/nft_reject_ipv6.c | 6 +++---
net/netfilter/nf_dup_netdev.c| 2 +-
net/netfilter/nf_tables_core.c | 10 -
net/netfilter/nf_tables_trace.c | 8
net/netfilter/nft_log.c | 5 +++--
net/netfilter/nft_lookup.c | 5 ++---
net/netfilter/nft_meta.c | 6 +++---
net/netfilter/nft_queue.c| 2 +-
net/netfilter/nft_reject_inet.c | 18
19 files changed, 86 insertions(+), 64 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h
b/include/net/netfilter/nf_tables.h
index 44060344f958..ba49f21d62ab 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -14,27 +14,42 @@
struct nft_pktinfo {
struct sk_buff *skb;
- struct net *net;
- const struct net_device *in;
- const struct net_device *out;
- u8 pf;
- u8 hook;
booltprot_set;
u8 tprot;
/* for x_tables compatibility */
struct xt_action_param xt;
};
+static inline struct net *pkt_net(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->net;
+}
+
+static inline unsigned int pkt_hook(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->hook;
+}
+
+static inline u8 pkt_pf(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->pf;
+}
+
+static inline const struct net_device *pkt_in(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->in;
+}
+
+static inline const struct net_device *pkt_out(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->out;
+}
+
static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
pkt->skb = skb;
- pkt->net = state->net;
- pkt->in = state->in;
- pkt->out = state->out;
- pkt->hook = state->hook;
- pkt->pf = state->pf;
pkt->xt.state = state;
}
diff --git a/net/bridge/netfilter/nft_meta_bridge.c
b/net/bridge/netfilter/nft_meta_bridge.c
index ad47a921b701..ea72d56d44b9 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -23,7 +23,7 @@ static void nft_meta_bridge_get_eval(const struct nft_expr
*expr,
const struct nft_pktinfo *pkt)
{
const struct nft_meta *priv = nft_expr_priv(expr);
- const struct net_device *in = pkt->in, *out = pkt->out;
+ const struct net_device *in = pkt_in(pkt), *out = pkt_out(pkt);
u32 *dest = ®s->data[priv->dreg];
const struct net_bridge_port *p;
diff --git a/net/bridge/netfilter/nft_reject_bridge.c
b/net/bridge/netfilter/nft_reject_bridge.c
index 4b3df6b0e3b9..e8918a8a1511 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -315,17 +315,20 @@ static void nft_reject_bridge_eval(const struct nft_expr
*expr,
case htons(ETH_P_IP):
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
- nft_reject_br_send_v4_unreach(pkt->net, pkt->skb,
- pkt->in, pkt->hook,
+ nft_reject_br_send_v4_unreach(pkt_net(pkt), pkt->skb,
+ pkt_in(pkt),
+ pkt_hook(pkt),
priv->icmp_code);
break;
case NFT_REJECT_TCP_RST:
- nft_reject_br_send_v4_tcp_reset(pkt->net, pkt->skb,
- pkt->in, pkt->hook);
+ nft_reject_br_send_v4_tcp_reset(pkt_net(pkt), pkt->skb,
+ pkt_in(pkt),
+
[PATCH nf-next,RFC 06/10] netfilter: nf_tables: use hook state from xt_action_param structure
Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 35 +++-
net/bridge/netfilter/nft_meta_bridge.c | 2 +-
net/bridge/netfilter/nft_reject_bridge.c | 30 ---
net/ipv4/netfilter/nft_dup_ipv4.c| 2 +-
net/ipv4/netfilter/nft_masq_ipv4.c | 4 ++--
net/ipv4/netfilter/nft_redir_ipv4.c | 3 +--
net/ipv4/netfilter/nft_reject_ipv4.c | 4 ++--
net/ipv6/netfilter/nft_dup_ipv6.c| 2 +-
net/ipv6/netfilter/nft_masq_ipv6.c | 3 ++-
net/ipv6/netfilter/nft_redir_ipv6.c | 3 ++-
net/ipv6/netfilter/nft_reject_ipv6.c | 6 +++---
net/netfilter/nf_dup_netdev.c| 2 +-
net/netfilter/nf_tables_core.c | 10 -
net/netfilter/nf_tables_trace.c | 8
net/netfilter/nft_log.c | 5 +++--
net/netfilter/nft_lookup.c | 5 ++---
net/netfilter/nft_meta.c | 6 +++---
net/netfilter/nft_queue.c| 2 +-
net/netfilter/nft_reject_inet.c | 18
19 files changed, 86 insertions(+), 64 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h
b/include/net/netfilter/nf_tables.h
index 44060344f958..ba49f21d62ab 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -14,27 +14,42 @@
struct nft_pktinfo {
struct sk_buff *skb;
- struct net *net;
- const struct net_device *in;
- const struct net_device *out;
- u8 pf;
- u8 hook;
booltprot_set;
u8 tprot;
/* for x_tables compatibility */
struct xt_action_param xt;
};
+static inline struct net *pkt_net(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->net;
+}
+
+static inline unsigned int pkt_hook(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->hook;
+}
+
+static inline u8 pkt_pf(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->pf;
+}
+
+static inline const struct net_device *pkt_in(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->in;
+}
+
+static inline const struct net_device *pkt_out(const struct nft_pktinfo *pkt)
+{
+ return pkt->xt.state->out;
+}
+
static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
pkt->skb = skb;
- pkt->net = state->net;
- pkt->in = state->in;
- pkt->out = state->out;
- pkt->hook = state->hook;
- pkt->pf = state->pf;
pkt->xt.state = state;
}
diff --git a/net/bridge/netfilter/nft_meta_bridge.c
b/net/bridge/netfilter/nft_meta_bridge.c
index ad47a921b701..ea72d56d44b9 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -23,7 +23,7 @@ static void nft_meta_bridge_get_eval(const struct nft_expr
*expr,
const struct nft_pktinfo *pkt)
{
const struct nft_meta *priv = nft_expr_priv(expr);
- const struct net_device *in = pkt->in, *out = pkt->out;
+ const struct net_device *in = pkt_in(pkt), *out = pkt_out(pkt);
u32 *dest = ®s->data[priv->dreg];
const struct net_bridge_port *p;
diff --git a/net/bridge/netfilter/nft_reject_bridge.c
b/net/bridge/netfilter/nft_reject_bridge.c
index 4b3df6b0e3b9..e8918a8a1511 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -315,17 +315,20 @@ static void nft_reject_bridge_eval(const struct nft_expr
*expr,
case htons(ETH_P_IP):
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
- nft_reject_br_send_v4_unreach(pkt->net, pkt->skb,
- pkt->in, pkt->hook,
+ nft_reject_br_send_v4_unreach(pkt_net(pkt), pkt->skb,
+ pkt_in(pkt),
+ pkt_hook(pkt),
priv->icmp_code);
break;
case NFT_REJECT_TCP_RST:
- nft_reject_br_send_v4_tcp_reset(pkt->net, pkt->skb,
- pkt->in, pkt->hook);
+ nft_reject_br_send_v4_tcp_reset(pkt_net(pkt), pkt->skb,
+ pkt_in(pkt),
+
