netfilter: nf_tables: kill nft_pktinfo.ops
- Add nft_pktinfo.pf to replace ops->pf - Add nft_pktinfo.hook to replace ops->hooknum This simplifies the code, makes it more readable, and likely reduces cache line misses. Maintainability is enhanced as the details of nft_hook_ops are of no concern to the recpients of nft_pktinfo. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
082a758f04
commit
6aa187f21c
@ -16,7 +16,8 @@ struct nft_pktinfo {
|
||||
struct sk_buff *skb;
|
||||
const struct net_device *in;
|
||||
const struct net_device *out;
|
||||
const struct nf_hook_ops *ops;
|
||||
u8 pf;
|
||||
u8 hook;
|
||||
u8 nhoff;
|
||||
u8 thoff;
|
||||
u8 tprot;
|
||||
@ -25,16 +26,14 @@ struct nft_pktinfo {
|
||||
};
|
||||
|
||||
static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
pkt->skb = skb;
|
||||
pkt->in = pkt->xt.in = state->in;
|
||||
pkt->out = pkt->xt.out = state->out;
|
||||
pkt->ops = ops;
|
||||
pkt->xt.hooknum = ops->hooknum;
|
||||
pkt->xt.family = ops->pf;
|
||||
pkt->hook = pkt->xt.hooknum = state->hook;
|
||||
pkt->pf = pkt->xt.family = state->pf;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -6,13 +6,12 @@
|
||||
|
||||
static inline void
|
||||
nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
struct iphdr *ip;
|
||||
|
||||
nft_set_pktinfo(pkt, ops, skb, state);
|
||||
nft_set_pktinfo(pkt, skb, state);
|
||||
|
||||
ip = ip_hdr(pkt->skb);
|
||||
pkt->tprot = ip->protocol;
|
||||
|
@ -6,14 +6,13 @@
|
||||
|
||||
static inline int
|
||||
nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
int protohdr, thoff = 0;
|
||||
unsigned short frag_off;
|
||||
|
||||
nft_set_pktinfo(pkt, ops, skb, state);
|
||||
nft_set_pktinfo(pkt, skb, state);
|
||||
|
||||
protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
|
||||
/* If malformed, drop it */
|
||||
|
@ -65,27 +65,25 @@ int nft_bridge_ip6hdr_validate(struct sk_buff *skb)
|
||||
EXPORT_SYMBOL_GPL(nft_bridge_ip6hdr_validate);
|
||||
|
||||
static inline void nft_bridge_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
if (nft_bridge_iphdr_validate(skb))
|
||||
nft_set_pktinfo_ipv4(pkt, ops, skb, state);
|
||||
nft_set_pktinfo_ipv4(pkt, skb, state);
|
||||
else
|
||||
nft_set_pktinfo(pkt, ops, skb, state);
|
||||
nft_set_pktinfo(pkt, skb, state);
|
||||
}
|
||||
|
||||
static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
if (nft_bridge_ip6hdr_validate(skb) &&
|
||||
nft_set_pktinfo_ipv6(pkt, ops, skb, state) == 0)
|
||||
nft_set_pktinfo_ipv6(pkt, skb, state) == 0)
|
||||
return;
|
||||
#endif
|
||||
nft_set_pktinfo(pkt, ops, skb, state);
|
||||
nft_set_pktinfo(pkt, skb, state);
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
@ -97,13 +95,13 @@ nft_do_chain_bridge(const struct nf_hook_ops *ops,
|
||||
|
||||
switch (eth_hdr(skb)->h_proto) {
|
||||
case htons(ETH_P_IP):
|
||||
nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, state);
|
||||
nft_bridge_set_pktinfo_ipv4(&pkt, skb, state);
|
||||
break;
|
||||
case htons(ETH_P_IPV6):
|
||||
nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, state);
|
||||
nft_bridge_set_pktinfo_ipv6(&pkt, skb, state);
|
||||
break;
|
||||
default:
|
||||
nft_set_pktinfo(&pkt, ops, skb, state);
|
||||
nft_set_pktinfo(&pkt, skb, state);
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -273,16 +273,16 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
|
||||
switch (priv->type) {
|
||||
case NFT_REJECT_ICMP_UNREACH:
|
||||
nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
|
||||
pkt->ops->hooknum,
|
||||
pkt->hook,
|
||||
priv->icmp_code);
|
||||
break;
|
||||
case NFT_REJECT_TCP_RST:
|
||||
nft_reject_br_send_v4_tcp_reset(pkt->skb, pkt->in,
|
||||
pkt->ops->hooknum);
|
||||
pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_ICMPX_UNREACH:
|
||||
nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
|
||||
pkt->ops->hooknum,
|
||||
pkt->hook,
|
||||
nft_reject_icmp_code(priv->icmp_code));
|
||||
break;
|
||||
}
|
||||
@ -291,16 +291,16 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
|
||||
switch (priv->type) {
|
||||
case NFT_REJECT_ICMP_UNREACH:
|
||||
nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in,
|
||||
pkt->ops->hooknum,
|
||||
pkt->hook,
|
||||
priv->icmp_code);
|
||||
break;
|
||||
case NFT_REJECT_TCP_RST:
|
||||
nft_reject_br_send_v6_tcp_reset(net, pkt->skb, pkt->in,
|
||||
pkt->ops->hooknum);
|
||||
pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_ICMPX_UNREACH:
|
||||
nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in,
|
||||
pkt->ops->hooknum,
|
||||
pkt->hook,
|
||||
nft_reject_icmpv6_code(priv->icmp_code));
|
||||
break;
|
||||
}
|
||||
|
@ -21,7 +21,7 @@ nft_do_chain_arp(const struct nf_hook_ops *ops,
|
||||
{
|
||||
struct nft_pktinfo pkt;
|
||||
|
||||
nft_set_pktinfo(&pkt, ops, skb, state);
|
||||
nft_set_pktinfo(&pkt, skb, state);
|
||||
|
||||
return nft_do_chain(&pkt, ops);
|
||||
}
|
||||
|
@ -24,7 +24,7 @@ static unsigned int nft_do_chain_ipv4(const struct nf_hook_ops *ops,
|
||||
{
|
||||
struct nft_pktinfo pkt;
|
||||
|
||||
nft_set_pktinfo_ipv4(&pkt, ops, skb, state);
|
||||
nft_set_pktinfo_ipv4(&pkt, skb, state);
|
||||
|
||||
return nft_do_chain(&pkt, ops);
|
||||
}
|
||||
|
@ -33,7 +33,7 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
|
||||
{
|
||||
struct nft_pktinfo pkt;
|
||||
|
||||
nft_set_pktinfo_ipv4(&pkt, ops, skb, state);
|
||||
nft_set_pktinfo_ipv4(&pkt, skb, state);
|
||||
|
||||
return nft_do_chain(&pkt, ops);
|
||||
}
|
||||
|
@ -37,7 +37,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
||||
ip_hdrlen(skb) < sizeof(struct iphdr))
|
||||
return NF_ACCEPT;
|
||||
|
||||
nft_set_pktinfo_ipv4(&pkt, ops, skb, state);
|
||||
nft_set_pktinfo_ipv4(&pkt, skb, state);
|
||||
|
||||
mark = skb->mark;
|
||||
iph = ip_hdr(skb);
|
||||
|
@ -30,7 +30,7 @@ static void nft_dup_ipv4_eval(const struct nft_expr *expr,
|
||||
};
|
||||
int oif = regs->data[priv->sreg_dev];
|
||||
|
||||
nf_dup_ipv4(pkt->skb, pkt->ops->hooknum, &gw, oif);
|
||||
nf_dup_ipv4(pkt->skb, pkt->hook, &gw, oif);
|
||||
}
|
||||
|
||||
static int nft_dup_ipv4_init(const struct nft_ctx *ctx,
|
||||
|
@ -26,7 +26,7 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
|
||||
memset(&range, 0, sizeof(range));
|
||||
range.flags = priv->flags;
|
||||
|
||||
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,
|
||||
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->hook,
|
||||
&range, pkt->out);
|
||||
}
|
||||
|
||||
|
@ -36,7 +36,7 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr,
|
||||
mr.range[0].flags |= priv->flags;
|
||||
|
||||
regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr,
|
||||
pkt->ops->hooknum);
|
||||
pkt->hook);
|
||||
}
|
||||
|
||||
static struct nft_expr_type nft_redir_ipv4_type;
|
||||
|
@ -27,11 +27,10 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,
|
||||
|
||||
switch (priv->type) {
|
||||
case NFT_REJECT_ICMP_UNREACH:
|
||||
nf_send_unreach(pkt->skb, priv->icmp_code,
|
||||
pkt->ops->hooknum);
|
||||
nf_send_unreach(pkt->skb, priv->icmp_code, pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_TCP_RST:
|
||||
nf_send_reset(pkt->skb, pkt->ops->hooknum);
|
||||
nf_send_reset(pkt->skb, pkt->hook);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
@ -23,7 +23,7 @@ static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
|
||||
struct nft_pktinfo pkt;
|
||||
|
||||
/* malformed packet, drop it */
|
||||
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state) < 0)
|
||||
if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
|
||||
return NF_DROP;
|
||||
|
||||
return nft_do_chain(&pkt, ops);
|
||||
|
@ -31,7 +31,7 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
|
||||
{
|
||||
struct nft_pktinfo pkt;
|
||||
|
||||
nft_set_pktinfo_ipv6(&pkt, ops, skb, state);
|
||||
nft_set_pktinfo_ipv6(&pkt, skb, state);
|
||||
|
||||
return nft_do_chain(&pkt, ops);
|
||||
}
|
||||
|
@ -33,7 +33,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
||||
u32 mark, flowlabel;
|
||||
|
||||
/* malformed packet, drop it */
|
||||
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state) < 0)
|
||||
if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
|
||||
return NF_DROP;
|
||||
|
||||
/* save source/dest address, mark, hoplimit, flowlabel, priority */
|
||||
|
@ -28,7 +28,7 @@ static void nft_dup_ipv6_eval(const struct nft_expr *expr,
|
||||
struct in6_addr *gw = (struct in6_addr *)®s->data[priv->sreg_addr];
|
||||
int oif = regs->data[priv->sreg_dev];
|
||||
|
||||
nf_dup_ipv6(pkt->skb, pkt->ops->hooknum, gw, oif);
|
||||
nf_dup_ipv6(pkt->skb, pkt->hook, gw, oif);
|
||||
}
|
||||
|
||||
static int nft_dup_ipv6_init(const struct nft_ctx *ctx,
|
||||
|
@ -35,8 +35,7 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
|
||||
|
||||
range.flags |= priv->flags;
|
||||
|
||||
regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range,
|
||||
pkt->ops->hooknum);
|
||||
regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, pkt->hook);
|
||||
}
|
||||
|
||||
static struct nft_expr_type nft_redir_ipv6_type;
|
||||
|
@ -28,11 +28,10 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
|
||||
|
||||
switch (priv->type) {
|
||||
case NFT_REJECT_ICMP_UNREACH:
|
||||
nf_send_unreach6(net, pkt->skb, priv->icmp_code,
|
||||
pkt->ops->hooknum);
|
||||
nf_send_unreach6(net, pkt->skb, priv->icmp_code, pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_TCP_RST:
|
||||
nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
|
||||
nf_send_reset6(net, pkt->skb, pkt->hook);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
@ -50,7 +50,7 @@ static void __nft_trace_packet(const struct nft_pktinfo *pkt,
|
||||
{
|
||||
struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
|
||||
|
||||
nf_log_trace(net, pkt->xt.family, pkt->ops->hooknum, pkt->skb, pkt->in,
|
||||
nf_log_trace(net, pkt->pf, pkt->hook, pkt->skb, pkt->in,
|
||||
pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ",
|
||||
chain->table->name, chain->name, comments[type],
|
||||
rulenum);
|
||||
|
@ -17,13 +17,13 @@
|
||||
|
||||
static inline void
|
||||
nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
struct iphdr *iph, _iph;
|
||||
u32 len, thoff;
|
||||
|
||||
nft_set_pktinfo(pkt, ops, skb, state);
|
||||
nft_set_pktinfo(pkt, skb, state);
|
||||
|
||||
iph = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*iph),
|
||||
&_iph);
|
||||
@ -48,7 +48,6 @@ nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
|
||||
|
||||
static inline void
|
||||
__nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
@ -82,12 +81,11 @@ __nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
|
||||
}
|
||||
|
||||
static inline void nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
|
||||
const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
nft_set_pktinfo(pkt, ops, skb, state);
|
||||
__nft_netdev_set_pktinfo_ipv6(pkt, ops, skb, state);
|
||||
nft_set_pktinfo(pkt, skb, state);
|
||||
__nft_netdev_set_pktinfo_ipv6(pkt, skb, state);
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
@ -98,13 +96,13 @@ nft_do_chain_netdev(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||
|
||||
switch (eth_hdr(skb)->h_proto) {
|
||||
case htons(ETH_P_IP):
|
||||
nft_netdev_set_pktinfo_ipv4(&pkt, ops, skb, state);
|
||||
nft_netdev_set_pktinfo_ipv4(&pkt, skb, state);
|
||||
break;
|
||||
case htons(ETH_P_IPV6):
|
||||
nft_netdev_set_pktinfo_ipv6(&pkt, ops, skb, state);
|
||||
nft_netdev_set_pktinfo_ipv6(&pkt, skb, state);
|
||||
break;
|
||||
default:
|
||||
nft_set_pktinfo(&pkt, ops, skb, state);
|
||||
nft_set_pktinfo(&pkt, skb, state);
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -33,7 +33,7 @@ static void nft_log_eval(const struct nft_expr *expr,
|
||||
const struct nft_log *priv = nft_expr_priv(expr);
|
||||
struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
|
||||
|
||||
nf_log_packet(net, pkt->ops->pf, pkt->ops->hooknum, pkt->skb, pkt->in,
|
||||
nf_log_packet(net, pkt->pf, pkt->hook, pkt->skb, pkt->in,
|
||||
pkt->out, &priv->loginfo, "%s", priv->prefix);
|
||||
}
|
||||
|
||||
|
@ -42,7 +42,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
|
||||
*(__be16 *)dest = skb->protocol;
|
||||
break;
|
||||
case NFT_META_NFPROTO:
|
||||
*dest = pkt->ops->pf;
|
||||
*dest = pkt->pf;
|
||||
break;
|
||||
case NFT_META_L4PROTO:
|
||||
*dest = pkt->tprot;
|
||||
@ -135,7 +135,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
|
||||
break;
|
||||
}
|
||||
|
||||
switch (pkt->ops->pf) {
|
||||
switch (pkt->pf) {
|
||||
case NFPROTO_IPV4:
|
||||
if (ipv4_is_multicast(ip_hdr(skb)->daddr))
|
||||
*dest = PACKET_MULTICAST;
|
||||
|
@ -42,7 +42,7 @@ static void nft_queue_eval(const struct nft_expr *expr,
|
||||
queue = priv->queuenum + cpu % priv->queues_total;
|
||||
} else {
|
||||
queue = nfqueue_hash(pkt->skb, queue,
|
||||
priv->queues_total, pkt->ops->pf,
|
||||
priv->queues_total, pkt->pf,
|
||||
jhash_initval);
|
||||
}
|
||||
}
|
||||
|
@ -24,20 +24,20 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
|
||||
struct nft_reject *priv = nft_expr_priv(expr);
|
||||
struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
|
||||
|
||||
switch (pkt->ops->pf) {
|
||||
switch (pkt->pf) {
|
||||
case NFPROTO_IPV4:
|
||||
switch (priv->type) {
|
||||
case NFT_REJECT_ICMP_UNREACH:
|
||||
nf_send_unreach(pkt->skb, priv->icmp_code,
|
||||
pkt->ops->hooknum);
|
||||
pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_TCP_RST:
|
||||
nf_send_reset(pkt->skb, pkt->ops->hooknum);
|
||||
nf_send_reset(pkt->skb, pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_ICMPX_UNREACH:
|
||||
nf_send_unreach(pkt->skb,
|
||||
nft_reject_icmp_code(priv->icmp_code),
|
||||
pkt->ops->hooknum);
|
||||
pkt->hook);
|
||||
break;
|
||||
}
|
||||
break;
|
||||
@ -45,15 +45,15 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
|
||||
switch (priv->type) {
|
||||
case NFT_REJECT_ICMP_UNREACH:
|
||||
nf_send_unreach6(net, pkt->skb, priv->icmp_code,
|
||||
pkt->ops->hooknum);
|
||||
pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_TCP_RST:
|
||||
nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
|
||||
nf_send_reset6(net, pkt->skb, pkt->hook);
|
||||
break;
|
||||
case NFT_REJECT_ICMPX_UNREACH:
|
||||
nf_send_unreach6(net, pkt->skb,
|
||||
nft_reject_icmpv6_code(priv->icmp_code),
|
||||
pkt->ops->hooknum);
|
||||
pkt->hook);
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
Loading…
Reference in New Issue
Block a user