tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: nf_tables: kill nft_pktinfo.ops

- Add nft_pktinfo.pf to replace ops->pf
- Add nft_pktinfo.hook to replace ops->hooknum

This simplifies the code, makes it more readable, and likely reduces
cache line misses. Maintainability is enhanced as the details of
nft_hook_ops are of no concern to the recpients of nft_pktinfo.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Eric W. Biederman and committed by
Pablo Neira Ayuso 6aa187f2 082a758f

+54 -64
+4 -5
include/net/netfilter/nf_tables.h
··· 16 16 struct sk_buff *skb; 17 17 const struct net_device *in; 18 18 const struct net_device *out; 19 - const struct nf_hook_ops *ops; 19 + u8 pf; 20 + u8 hook; 20 21 u8 nhoff; 21 22 u8 thoff; 22 23 u8 tprot; ··· 26 25 }; 27 26 28 27 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 29 - const struct nf_hook_ops *ops, 30 28 struct sk_buff *skb, 31 29 const struct nf_hook_state *state) 32 30 { 33 31 pkt->skb = skb; 34 32 pkt->in = pkt->xt.in = state->in; 35 33 pkt->out = pkt->xt.out = state->out; 36 - pkt->ops = ops; 37 - pkt->xt.hooknum = ops->hooknum; 38 - pkt->xt.family = ops->pf; 34 + pkt->hook = pkt->xt.hooknum = state->hook; 35 + pkt->pf = pkt->xt.family = state->pf; 39 36 } 40 37 41 38 /**
+1 -2
include/net/netfilter/nf_tables_ipv4.h
··· 6 6 7 7 static inline void 8 8 nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt, 9 - const struct nf_hook_ops *ops, 10 9 struct sk_buff *skb, 11 10 const struct nf_hook_state *state) 12 11 { 13 12 struct iphdr *ip; 14 13 15 - nft_set_pktinfo(pkt, ops, skb, state); 14 + nft_set_pktinfo(pkt, skb, state); 16 15 17 16 ip = ip_hdr(pkt->skb); 18 17 pkt->tprot = ip->protocol;
+1 -2
include/net/netfilter/nf_tables_ipv6.h
··· 6 6 7 7 static inline int 8 8 nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt, 9 - const struct nf_hook_ops *ops, 10 9 struct sk_buff *skb, 11 10 const struct nf_hook_state *state) 12 11 { 13 12 int protohdr, thoff = 0; 14 13 unsigned short frag_off; 15 14 16 - nft_set_pktinfo(pkt, ops, skb, state); 15 + nft_set_pktinfo(pkt, skb, state); 17 16 18 17 protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL); 19 18 /* If malformed, drop it */
+7 -9
net/bridge/netfilter/nf_tables_bridge.c
··· 65 65 EXPORT_SYMBOL_GPL(nft_bridge_ip6hdr_validate); 66 66 67 67 static inline void nft_bridge_set_pktinfo_ipv4(struct nft_pktinfo *pkt, 68 - const struct nf_hook_ops *ops, 69 68 struct sk_buff *skb, 70 69 const struct nf_hook_state *state) 71 70 { 72 71 if (nft_bridge_iphdr_validate(skb)) 73 - nft_set_pktinfo_ipv4(pkt, ops, skb, state); 72 + nft_set_pktinfo_ipv4(pkt, skb, state); 74 73 else 75 - nft_set_pktinfo(pkt, ops, skb, state); 74 + nft_set_pktinfo(pkt, skb, state); 76 75 } 77 76 78 77 static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt, 79 - const struct nf_hook_ops *ops, 80 78 struct sk_buff *skb, 81 79 const struct nf_hook_state *state) 82 80 { 83 81 #if IS_ENABLED(CONFIG_IPV6) 84 82 if (nft_bridge_ip6hdr_validate(skb) && 85 - nft_set_pktinfo_ipv6(pkt, ops, skb, state) == 0) 83 + nft_set_pktinfo_ipv6(pkt, skb, state) == 0) 86 84 return; 87 85 #endif 88 - nft_set_pktinfo(pkt, ops, skb, state); 86 + nft_set_pktinfo(pkt, skb, state); 89 87 } 90 88 91 89 static unsigned int ··· 95 97 96 98 switch (eth_hdr(skb)->h_proto) { 97 99 case htons(ETH_P_IP): 98 - nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, state); 100 + nft_bridge_set_pktinfo_ipv4(&pkt, skb, state); 99 101 break; 100 102 case htons(ETH_P_IPV6): 101 - nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, state); 103 + nft_bridge_set_pktinfo_ipv6(&pkt, skb, state); 102 104 break; 103 105 default: 104 - nft_set_pktinfo(&pkt, ops, skb, state); 106 + nft_set_pktinfo(&pkt, skb, state); 105 107 break; 106 108 } 107 109
+6 -6
net/bridge/netfilter/nft_reject_bridge.c
··· 273 273 switch (priv->type) { 274 274 case NFT_REJECT_ICMP_UNREACH: 275 275 nft_reject_br_send_v4_unreach(pkt->skb, pkt->in, 276 - pkt->ops->hooknum, 276 + pkt->hook, 277 277 priv->icmp_code); 278 278 break; 279 279 case NFT_REJECT_TCP_RST: 280 280 nft_reject_br_send_v4_tcp_reset(pkt->skb, pkt->in, 281 - pkt->ops->hooknum); 281 + pkt->hook); 282 282 break; 283 283 case NFT_REJECT_ICMPX_UNREACH: 284 284 nft_reject_br_send_v4_unreach(pkt->skb, pkt->in, 285 - pkt->ops->hooknum, 285 + pkt->hook, 286 286 nft_reject_icmp_code(priv->icmp_code)); 287 287 break; 288 288 } ··· 291 291 switch (priv->type) { 292 292 case NFT_REJECT_ICMP_UNREACH: 293 293 nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in, 294 - pkt->ops->hooknum, 294 + pkt->hook, 295 295 priv->icmp_code); 296 296 break; 297 297 case NFT_REJECT_TCP_RST: 298 298 nft_reject_br_send_v6_tcp_reset(net, pkt->skb, pkt->in, 299 - pkt->ops->hooknum); 299 + pkt->hook); 300 300 break; 301 301 case NFT_REJECT_ICMPX_UNREACH: 302 302 nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in, 303 - pkt->ops->hooknum, 303 + pkt->hook, 304 304 nft_reject_icmpv6_code(priv->icmp_code)); 305 305 break; 306 306 }
+1 -1
net/ipv4/netfilter/nf_tables_arp.c
··· 21 21 { 22 22 struct nft_pktinfo pkt; 23 23 24 - nft_set_pktinfo(&pkt, ops, skb, state); 24 + nft_set_pktinfo(&pkt, skb, state); 25 25 26 26 return nft_do_chain(&pkt, ops); 27 27 }
+1 -1
net/ipv4/netfilter/nf_tables_ipv4.c
··· 24 24 { 25 25 struct nft_pktinfo pkt; 26 26 27 - nft_set_pktinfo_ipv4(&pkt, ops, skb, state); 27 + nft_set_pktinfo_ipv4(&pkt, skb, state); 28 28 29 29 return nft_do_chain(&pkt, ops); 30 30 }
+1 -1
net/ipv4/netfilter/nft_chain_nat_ipv4.c
··· 33 33 { 34 34 struct nft_pktinfo pkt; 35 35 36 - nft_set_pktinfo_ipv4(&pkt, ops, skb, state); 36 + nft_set_pktinfo_ipv4(&pkt, skb, state); 37 37 38 38 return nft_do_chain(&pkt, ops); 39 39 }
+1 -1
net/ipv4/netfilter/nft_chain_route_ipv4.c
··· 37 37 ip_hdrlen(skb) < sizeof(struct iphdr)) 38 38 return NF_ACCEPT; 39 39 40 - nft_set_pktinfo_ipv4(&pkt, ops, skb, state); 40 + nft_set_pktinfo_ipv4(&pkt, skb, state); 41 41 42 42 mark = skb->mark; 43 43 iph = ip_hdr(skb);
+1 -1
net/ipv4/netfilter/nft_dup_ipv4.c
··· 30 30 }; 31 31 int oif = regs->data[priv->sreg_dev]; 32 32 33 - nf_dup_ipv4(pkt->skb, pkt->ops->hooknum, &gw, oif); 33 + nf_dup_ipv4(pkt->skb, pkt->hook, &gw, oif); 34 34 } 35 35 36 36 static int nft_dup_ipv4_init(const struct nft_ctx *ctx,
+1 -1
net/ipv4/netfilter/nft_masq_ipv4.c
··· 26 26 memset(&range, 0, sizeof(range)); 27 27 range.flags = priv->flags; 28 28 29 - regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum, 29 + regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->hook, 30 30 &range, pkt->out); 31 31 } 32 32
+1 -1
net/ipv4/netfilter/nft_redir_ipv4.c
··· 36 36 mr.range[0].flags |= priv->flags; 37 37 38 38 regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, 39 - pkt->ops->hooknum); 39 + pkt->hook); 40 40 } 41 41 42 42 static struct nft_expr_type nft_redir_ipv4_type;
+2 -3
net/ipv4/netfilter/nft_reject_ipv4.c
··· 27 27 28 28 switch (priv->type) { 29 29 case NFT_REJECT_ICMP_UNREACH: 30 - nf_send_unreach(pkt->skb, priv->icmp_code, 31 - pkt->ops->hooknum); 30 + nf_send_unreach(pkt->skb, priv->icmp_code, pkt->hook); 32 31 break; 33 32 case NFT_REJECT_TCP_RST: 34 - nf_send_reset(pkt->skb, pkt->ops->hooknum); 33 + nf_send_reset(pkt->skb, pkt->hook); 35 34 break; 36 35 default: 37 36 break;
+1 -1
net/ipv6/netfilter/nf_tables_ipv6.c
··· 23 23 struct nft_pktinfo pkt; 24 24 25 25 /* malformed packet, drop it */ 26 - if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state) < 0) 26 + if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0) 27 27 return NF_DROP; 28 28 29 29 return nft_do_chain(&pkt, ops);
+1 -1
net/ipv6/netfilter/nft_chain_nat_ipv6.c
··· 31 31 { 32 32 struct nft_pktinfo pkt; 33 33 34 - nft_set_pktinfo_ipv6(&pkt, ops, skb, state); 34 + nft_set_pktinfo_ipv6(&pkt, skb, state); 35 35 36 36 return nft_do_chain(&pkt, ops); 37 37 }
+1 -1
net/ipv6/netfilter/nft_chain_route_ipv6.c
··· 33 33 u32 mark, flowlabel; 34 34 35 35 /* malformed packet, drop it */ 36 - if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state) < 0) 36 + if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0) 37 37 return NF_DROP; 38 38 39 39 /* save source/dest address, mark, hoplimit, flowlabel, priority */
+1 -1
net/ipv6/netfilter/nft_dup_ipv6.c
··· 28 28 struct in6_addr *gw = (struct in6_addr *)&regs->data[priv->sreg_addr]; 29 29 int oif = regs->data[priv->sreg_dev]; 30 30 31 - nf_dup_ipv6(pkt->skb, pkt->ops->hooknum, gw, oif); 31 + nf_dup_ipv6(pkt->skb, pkt->hook, gw, oif); 32 32 } 33 33 34 34 static int nft_dup_ipv6_init(const struct nft_ctx *ctx,
+1 -2
net/ipv6/netfilter/nft_redir_ipv6.c
··· 35 35 36 36 range.flags |= priv->flags; 37 37 38 - regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, 39 - pkt->ops->hooknum); 38 + regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, pkt->hook); 40 39 } 41 40 42 41 static struct nft_expr_type nft_redir_ipv6_type;
+2 -3
net/ipv6/netfilter/nft_reject_ipv6.c
··· 28 28 29 29 switch (priv->type) { 30 30 case NFT_REJECT_ICMP_UNREACH: 31 - nf_send_unreach6(net, pkt->skb, priv->icmp_code, 32 - pkt->ops->hooknum); 31 + nf_send_unreach6(net, pkt->skb, priv->icmp_code, pkt->hook); 33 32 break; 34 33 case NFT_REJECT_TCP_RST: 35 - nf_send_reset6(net, pkt->skb, pkt->ops->hooknum); 34 + nf_send_reset6(net, pkt->skb, pkt->hook); 36 35 break; 37 36 default: 38 37 break;
+1 -1
net/netfilter/nf_tables_core.c
··· 50 50 { 51 51 struct net *net = dev_net(pkt->in ? pkt->in : pkt->out); 52 52 53 - nf_log_trace(net, pkt->xt.family, pkt->ops->hooknum, pkt->skb, pkt->in, 53 + nf_log_trace(net, pkt->pf, pkt->hook, pkt->skb, pkt->in, 54 54 pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ", 55 55 chain->table->name, chain->name, comments[type], 56 56 rulenum);
+7 -9
net/netfilter/nf_tables_netdev.c
··· 17 17 18 18 static inline void 19 19 nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt, 20 - const struct nf_hook_ops *ops, struct sk_buff *skb, 20 + struct sk_buff *skb, 21 21 const struct nf_hook_state *state) 22 22 { 23 23 struct iphdr *iph, _iph; 24 24 u32 len, thoff; 25 25 26 - nft_set_pktinfo(pkt, ops, skb, state); 26 + nft_set_pktinfo(pkt, skb, state); 27 27 28 28 iph = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*iph), 29 29 &_iph); ··· 48 48 49 49 static inline void 50 50 __nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt, 51 - const struct nf_hook_ops *ops, 52 51 struct sk_buff *skb, 53 52 const struct nf_hook_state *state) 54 53 { ··· 81 82 } 82 83 83 84 static inline void nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt, 84 - const struct nf_hook_ops *ops, 85 85 struct sk_buff *skb, 86 86 const struct nf_hook_state *state) 87 87 { 88 - nft_set_pktinfo(pkt, ops, skb, state); 89 - __nft_netdev_set_pktinfo_ipv6(pkt, ops, skb, state); 88 + nft_set_pktinfo(pkt, skb, state); 89 + __nft_netdev_set_pktinfo_ipv6(pkt, skb, state); 90 90 } 91 91 92 92 static unsigned int ··· 96 98 97 99 switch (eth_hdr(skb)->h_proto) { 98 100 case htons(ETH_P_IP): 99 - nft_netdev_set_pktinfo_ipv4(&pkt, ops, skb, state); 101 + nft_netdev_set_pktinfo_ipv4(&pkt, skb, state); 100 102 break; 101 103 case htons(ETH_P_IPV6): 102 - nft_netdev_set_pktinfo_ipv6(&pkt, ops, skb, state); 104 + nft_netdev_set_pktinfo_ipv6(&pkt, skb, state); 103 105 break; 104 106 default: 105 - nft_set_pktinfo(&pkt, ops, skb, state); 107 + nft_set_pktinfo(&pkt, skb, state); 106 108 break; 107 109 } 108 110
+1 -1
net/netfilter/nft_log.c
··· 33 33 const struct nft_log *priv = nft_expr_priv(expr); 34 34 struct net *net = dev_net(pkt->in ? pkt->in : pkt->out); 35 35 36 - nf_log_packet(net, pkt->ops->pf, pkt->ops->hooknum, pkt->skb, pkt->in, 36 + nf_log_packet(net, pkt->pf, pkt->hook, pkt->skb, pkt->in, 37 37 pkt->out, &priv->loginfo, "%s", priv->prefix); 38 38 } 39 39
+2 -2
net/netfilter/nft_meta.c
··· 42 42 *(__be16 *)dest = skb->protocol; 43 43 break; 44 44 case NFT_META_NFPROTO: 45 - *dest = pkt->ops->pf; 45 + *dest = pkt->pf; 46 46 break; 47 47 case NFT_META_L4PROTO: 48 48 *dest = pkt->tprot; ··· 135 135 break; 136 136 } 137 137 138 - switch (pkt->ops->pf) { 138 + switch (pkt->pf) { 139 139 case NFPROTO_IPV4: 140 140 if (ipv4_is_multicast(ip_hdr(skb)->daddr)) 141 141 *dest = PACKET_MULTICAST;
+1 -1
net/netfilter/nft_queue.c
··· 42 42 queue = priv->queuenum + cpu % priv->queues_total; 43 43 } else { 44 44 queue = nfqueue_hash(pkt->skb, queue, 45 - priv->queues_total, pkt->ops->pf, 45 + priv->queues_total, pkt->pf, 46 46 jhash_initval); 47 47 } 48 48 }
+7 -7
net/netfilter/nft_reject_inet.c
··· 24 24 struct nft_reject *priv = nft_expr_priv(expr); 25 25 struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out); 26 26 27 - switch (pkt->ops->pf) { 27 + switch (pkt->pf) { 28 28 case NFPROTO_IPV4: 29 29 switch (priv->type) { 30 30 case NFT_REJECT_ICMP_UNREACH: 31 31 nf_send_unreach(pkt->skb, priv->icmp_code, 32 - pkt->ops->hooknum); 32 + pkt->hook); 33 33 break; 34 34 case NFT_REJECT_TCP_RST: 35 - nf_send_reset(pkt->skb, pkt->ops->hooknum); 35 + nf_send_reset(pkt->skb, pkt->hook); 36 36 break; 37 37 case NFT_REJECT_ICMPX_UNREACH: 38 38 nf_send_unreach(pkt->skb, 39 39 nft_reject_icmp_code(priv->icmp_code), 40 - pkt->ops->hooknum); 40 + pkt->hook); 41 41 break; 42 42 } 43 43 break; ··· 45 45 switch (priv->type) { 46 46 case NFT_REJECT_ICMP_UNREACH: 47 47 nf_send_unreach6(net, pkt->skb, priv->icmp_code, 48 - pkt->ops->hooknum); 48 + pkt->hook); 49 49 break; 50 50 case NFT_REJECT_TCP_RST: 51 - nf_send_reset6(net, pkt->skb, pkt->ops->hooknum); 51 + nf_send_reset6(net, pkt->skb, pkt->hook); 52 52 break; 53 53 case NFT_REJECT_ICMPX_UNREACH: 54 54 nf_send_unreach6(net, pkt->skb, 55 55 nft_reject_icmpv6_code(priv->icmp_code), 56 - pkt->ops->hooknum); 56 + pkt->hook); 57 57 break; 58 58 } 59 59 break;