Blame SOURCES/0063-nft-Simplify-immediate-parsing.patch

aca4c4
From c65bd8b3c23f0fe5f824274467740a2d350dcb9c Mon Sep 17 00:00:00 2001
aca4c4
From: Phil Sutter <phil@nwl.cc>
aca4c4
Date: Tue, 1 Mar 2022 18:59:31 +0100
aca4c4
Subject: [PATCH] nft: Simplify immediate parsing
aca4c4
aca4c4
Implementations of parse_immediate callback are mostly trivial, the only
aca4c4
relevant part is access to family-specific parts of struct
aca4c4
iptables_command_state when setting goto flag for iptables and
aca4c4
ip6tables. Refactor them into simple set_goto_flag callbacks.
aca4c4
aca4c4
Signed-off-by: Phil Sutter <phil@nwl.cc>
aca4c4
Acked-by: Florian Westphal <fw@strlen.de>
aca4c4
(cherry picked from commit b5f2faea325a315bfb932ebc634f3298d4824cae)
aca4c4
---
aca4c4
 iptables/nft-arp.c    |  9 ---------
aca4c4
 iptables/nft-bridge.c |  9 ---------
aca4c4
 iptables/nft-ipv4.c   | 12 +++---------
aca4c4
 iptables/nft-ipv6.c   | 12 +++---------
aca4c4
 iptables/nft-shared.c | 17 +++++++----------
aca4c4
 iptables/nft-shared.h |  2 +-
aca4c4
 6 files changed, 14 insertions(+), 47 deletions(-)
aca4c4
aca4c4
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
aca4c4
index 7c61c31a13c40..0c37a762cd418 100644
aca4c4
--- a/iptables/nft-arp.c
aca4c4
+++ b/iptables/nft-arp.c
aca4c4
@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
aca4c4
 	fw->arp.invflags |= flags;
aca4c4
 }
aca4c4
 
aca4c4
-static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
aca4c4
-				    void *data)
aca4c4
-{
aca4c4
-	struct iptables_command_state *cs = data;
aca4c4
-
aca4c4
-	cs->jumpto = jumpto;
aca4c4
-}
aca4c4
-
aca4c4
 static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
aca4c4
 {
aca4c4
 	mask->s_addr = ctx->bitwise.mask[0];
aca4c4
@@ -575,7 +567,6 @@ struct nft_family_ops nft_family_ops_arp = {
aca4c4
 	.print_payload		= NULL,
aca4c4
 	.parse_meta		= nft_arp_parse_meta,
aca4c4
 	.parse_payload		= nft_arp_parse_payload,
aca4c4
-	.parse_immediate	= nft_arp_parse_immediate,
aca4c4
 	.print_header		= nft_arp_print_header,
aca4c4
 	.print_rule		= nft_arp_print_rule,
aca4c4
 	.save_rule		= nft_arp_save_rule,
aca4c4
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
aca4c4
index 2aa15e2d1e69d..e00a19e843d93 100644
aca4c4
--- a/iptables/nft-bridge.c
aca4c4
+++ b/iptables/nft-bridge.c
aca4c4
@@ -284,14 +284,6 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
aca4c4
 	}
aca4c4
 }
aca4c4
 
aca4c4
-static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
aca4c4
-				       void *data)
aca4c4
-{
aca4c4
-	struct iptables_command_state *cs = data;
aca4c4
-
aca4c4
-	cs->jumpto = jumpto;
aca4c4
-}
aca4c4
-
aca4c4
 /* return 0 if saddr, 1 if daddr, -1 on error */
aca4c4
 static int
aca4c4
 lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
aca4c4
@@ -948,7 +940,6 @@ struct nft_family_ops nft_family_ops_bridge = {
aca4c4
 	.print_payload		= NULL,
aca4c4
 	.parse_meta		= nft_bridge_parse_meta,
aca4c4
 	.parse_payload		= nft_bridge_parse_payload,
aca4c4
-	.parse_immediate	= nft_bridge_parse_immediate,
aca4c4
 	.parse_lookup		= nft_bridge_parse_lookup,
aca4c4
 	.parse_match		= nft_bridge_parse_match,
aca4c4
 	.parse_target		= nft_bridge_parse_target,
aca4c4
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
aca4c4
index d8c48ce8817b6..c826ac153139f 100644
aca4c4
--- a/iptables/nft-ipv4.c
aca4c4
+++ b/iptables/nft-ipv4.c
aca4c4
@@ -241,15 +241,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
aca4c4
 	}
aca4c4
 }
aca4c4
 
aca4c4
-static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
aca4c4
-				     void *data)
aca4c4
+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
aca4c4
 {
aca4c4
-	struct iptables_command_state *cs = data;
aca4c4
-
aca4c4
-	cs->jumpto = jumpto;
aca4c4
-
aca4c4
-	if (nft_goto)
aca4c4
-		cs->fw.ip.flags |= IPT_F_GOTO;
aca4c4
+	cs->fw.ip.flags |= IPT_F_GOTO;
aca4c4
 }
aca4c4
 
aca4c4
 static void print_fragment(unsigned int flags, unsigned int invflags,
aca4c4
@@ -473,7 +467,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
aca4c4
 	.is_same		= nft_ipv4_is_same,
aca4c4
 	.parse_meta		= nft_ipv4_parse_meta,
aca4c4
 	.parse_payload		= nft_ipv4_parse_payload,
aca4c4
-	.parse_immediate	= nft_ipv4_parse_immediate,
aca4c4
+	.set_goto_flag		= nft_ipv4_set_goto_flag,
aca4c4
 	.print_header		= print_header,
aca4c4
 	.print_rule		= nft_ipv4_print_rule,
aca4c4
 	.save_rule		= nft_ipv4_save_rule,
aca4c4
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
aca4c4
index a5481b3f77ac5..127bc96379968 100644
aca4c4
--- a/iptables/nft-ipv6.c
aca4c4
+++ b/iptables/nft-ipv6.c
aca4c4
@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
aca4c4
 	}
aca4c4
 }
aca4c4
 
aca4c4
-static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
aca4c4
-				     void *data)
aca4c4
+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
aca4c4
 {
aca4c4
-	struct iptables_command_state *cs = data;
aca4c4
-
aca4c4
-	cs->jumpto = jumpto;
aca4c4
-
aca4c4
-	if (nft_goto)
aca4c4
-		cs->fw6.ipv6.flags |= IP6T_F_GOTO;
aca4c4
+	cs->fw6.ipv6.flags |= IP6T_F_GOTO;
aca4c4
 }
aca4c4
 
aca4c4
 static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
aca4c4
@@ -415,7 +409,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
aca4c4
 	.is_same		= nft_ipv6_is_same,
aca4c4
 	.parse_meta		= nft_ipv6_parse_meta,
aca4c4
 	.parse_payload		= nft_ipv6_parse_payload,
aca4c4
-	.parse_immediate	= nft_ipv6_parse_immediate,
aca4c4
+	.set_goto_flag		= nft_ipv6_set_goto_flag,
aca4c4
 	.print_header		= print_header,
aca4c4
 	.print_rule		= nft_ipv6_print_rule,
aca4c4
 	.save_rule		= nft_ipv6_save_rule,
aca4c4
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
aca4c4
index 7f757d38ecaec..172cf2054a33c 100644
aca4c4
--- a/iptables/nft-shared.c
aca4c4
+++ b/iptables/nft-shared.c
aca4c4
@@ -510,9 +510,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
aca4c4
 static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
aca4c4
 {
aca4c4
 	const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
aca4c4
-	const char *jumpto = NULL;
aca4c4
-	bool nft_goto = false;
aca4c4
-	void *data = ctx->cs;
aca4c4
+	struct iptables_command_state *cs = ctx->cs;
aca4c4
 	int verdict;
aca4c4
 
aca4c4
 	if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
aca4c4
@@ -535,23 +533,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
aca4c4
 	/* Standard target? */
aca4c4
 	switch(verdict) {
aca4c4
 	case NF_ACCEPT:
aca4c4
-		jumpto = "ACCEPT";
aca4c4
+		cs->jumpto = "ACCEPT";
aca4c4
 		break;
aca4c4
 	case NF_DROP:
aca4c4
-		jumpto = "DROP";
aca4c4
+		cs->jumpto = "DROP";
aca4c4
 		break;
aca4c4
 	case NFT_RETURN:
aca4c4
-		jumpto = "RETURN";
aca4c4
+		cs->jumpto = "RETURN";
aca4c4
 		break;;
aca4c4
 	case NFT_GOTO:
aca4c4
-		nft_goto = true;
aca4c4
+		if (ctx->h->ops->set_goto_flag)
aca4c4
+			ctx->h->ops->set_goto_flag(cs);
aca4c4
 		/* fall through */
aca4c4
 	case NFT_JUMP:
aca4c4
-		jumpto = chain;
aca4c4
+		cs->jumpto = chain;
aca4c4
 		break;
aca4c4
 	}
aca4c4
-
aca4c4
-	ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
aca4c4
 }
aca4c4
 
aca4c4
 static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
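Review bot: A verdict that matches none of the `switch` cases now leaves `cs->jumpto` at whatever value it already held, because the local `jumpto = NULL` and the unconditional callback that used to store it are gone. Whether `cs` always arrives zeroed cannot be seen here (nft_parse_immediate() begins in the previous hunk), so I would make the fallback explicit with `default: cs->jumpto = NULL; break;`, or add a comment saying unknown verdicts are deliberately ignored. This matters when listing rules: a rule whose verdict the parser does not recognise should not be printed with a stale target while the kernel enforces something else. The stray `break;;` under `NFT_RETURN` could be tidied at the same time.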
aca4c4
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
aca4c4
index 520a296fb530c..29f7056714235 100644
aca4c4
--- a/iptables/nft-shared.h
aca4c4
+++ b/iptables/nft-shared.h
aca4c4
@@ -89,7 +89,7 @@ struct nft_family_ops {
aca4c4
 			  void *data);
aca4c4
 	void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
aca4c4
 			     void *data);
aca4c4
-	void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
aca4c4
+	void (*set_goto_flag)(struct iptables_command_state *cs);
aca4c4
 
aca4c4
 	void (*print_table_header)(const char *tablename);
aca4c4
 	void (*print_header)(unsigned int format, const char *chain,
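Review bot: The new `set_goto_flag` member is optional, but the declaration does not say so. As far as these hunks show, the arp and bridge ops tables drop `.parse_immediate` without setting the new member, and nft_parse_immediate() checks it for NULL before calling. A comment above the member, such as `/* optional; NULL for families without a goto flag, callers must check */`, would stop a later caller from invoking it unconditionally and dereferencing NULL while parsing arp or bridge rules. struct nft_family_ops starts and ends outside this hunk, so whether other optional members are documented cannot be seen here.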
aca4c4
-- 
aca4c4
2.34.1
aca4c4