|
|
df4535 |
From c65bd8b3c23f0fe5f824274467740a2d350dcb9c Mon Sep 17 00:00:00 2001
|
|
|
df4535 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
df4535 |
Date: Tue, 1 Mar 2022 18:59:31 +0100
|
|
|
df4535 |
Subject: [PATCH] nft: Simplify immediate parsing
|
|
|
df4535 |
|
|
|
df4535 |
Implementations of parse_immediate callback are mostly trivial, the only
|
|
|
df4535 |
relevant part is access to family-specific parts of struct
|
|
|
df4535 |
iptables_command_state when setting goto flag for iptables and
|
|
|
df4535 |
ip6tables. Refactor them into simple set_goto_flag callbacks.
|
|
|
df4535 |
|
|
|
df4535 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
df4535 |
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
df4535 |
(cherry picked from commit b5f2faea325a315bfb932ebc634f3298d4824cae)
|
|
|
df4535 |
---
|
|
|
df4535 |
iptables/nft-arp.c | 9 ---------
|
|
|
df4535 |
iptables/nft-bridge.c | 9 ---------
|
|
|
df4535 |
iptables/nft-ipv4.c | 12 +++---------
|
|
|
df4535 |
iptables/nft-ipv6.c | 12 +++---------
|
|
|
df4535 |
iptables/nft-shared.c | 17 +++++++----------
|
|
|
df4535 |
iptables/nft-shared.h | 2 +-
|
|
|
df4535 |
6 files changed, 14 insertions(+), 47 deletions(-)
|
|
|
df4535 |
|
|
|
df4535 |
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
|
|
|
df4535 |
index 7c61c31a13c40..0c37a762cd418 100644
|
|
|
df4535 |
--- a/iptables/nft-arp.c
|
|
|
df4535 |
+++ b/iptables/nft-arp.c
|
|
|
df4535 |
@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
|
|
|
df4535 |
fw->arp.invflags |= flags;
|
|
|
df4535 |
}
|
|
|
df4535 |
|
|
|
df4535 |
-static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
|
|
|
df4535 |
- void *data)
|
|
|
df4535 |
-{
|
|
|
df4535 |
- struct iptables_command_state *cs = data;
|
|
|
df4535 |
-
|
|
|
df4535 |
- cs->jumpto = jumpto;
|
|
|
df4535 |
-}
|
|
|
df4535 |
-
|
|
|
df4535 |
static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
|
|
|
df4535 |
{
|
|
|
df4535 |
mask->s_addr = ctx->bitwise.mask[0];
|
|
|
df4535 |
@@ -575,7 +567,6 @@ struct nft_family_ops nft_family_ops_arp = {
|
|
|
df4535 |
.print_payload = NULL,
|
|
|
df4535 |
.parse_meta = nft_arp_parse_meta,
|
|
|
df4535 |
.parse_payload = nft_arp_parse_payload,
|
|
|
df4535 |
- .parse_immediate = nft_arp_parse_immediate,
|
|
|
df4535 |
.print_header = nft_arp_print_header,
|
|
|
df4535 |
.print_rule = nft_arp_print_rule,
|
|
|
df4535 |
.save_rule = nft_arp_save_rule,
|
|
|
df4535 |
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
|
|
|
df4535 |
index 2aa15e2d1e69d..e00a19e843d93 100644
|
|
|
df4535 |
--- a/iptables/nft-bridge.c
|
|
|
df4535 |
+++ b/iptables/nft-bridge.c
|
|
|
df4535 |
@@ -284,14 +284,6 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
|
|
|
df4535 |
}
|
|
|
df4535 |
}
|
|
|
df4535 |
|
|
|
df4535 |
-static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
|
|
|
df4535 |
- void *data)
|
|
|
df4535 |
-{
|
|
|
df4535 |
- struct iptables_command_state *cs = data;
|
|
|
df4535 |
-
|
|
|
df4535 |
- cs->jumpto = jumpto;
|
|
|
df4535 |
-}
|
|
|
df4535 |
-
|
|
|
df4535 |
/* return 0 if saddr, 1 if daddr, -1 on error */
|
|
|
df4535 |
static int
|
|
|
df4535 |
lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
|
|
|
df4535 |
@@ -948,7 +940,6 @@ struct nft_family_ops nft_family_ops_bridge = {
|
|
|
df4535 |
.print_payload = NULL,
|
|
|
df4535 |
.parse_meta = nft_bridge_parse_meta,
|
|
|
df4535 |
.parse_payload = nft_bridge_parse_payload,
|
|
|
df4535 |
- .parse_immediate = nft_bridge_parse_immediate,
|
|
|
df4535 |
.parse_lookup = nft_bridge_parse_lookup,
|
|
|
df4535 |
.parse_match = nft_bridge_parse_match,
|
|
|
df4535 |
.parse_target = nft_bridge_parse_target,
|
|
|
df4535 |
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
|
|
df4535 |
index d8c48ce8817b6..c826ac153139f 100644
|
|
|
df4535 |
--- a/iptables/nft-ipv4.c
|
|
|
df4535 |
+++ b/iptables/nft-ipv4.c
|
|
|
df4535 |
@@ -241,15 +241,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
|
|
|
df4535 |
}
|
|
|
df4535 |
}
|
|
|
df4535 |
|
|
|
df4535 |
-static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
|
|
|
df4535 |
- void *data)
|
|
|
df4535 |
+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
|
|
|
df4535 |
{
|
|
|
df4535 |
- struct iptables_command_state *cs = data;
|
|
|
df4535 |
-
|
|
|
df4535 |
- cs->jumpto = jumpto;
|
|
|
df4535 |
-
|
|
|
df4535 |
- if (nft_goto)
|
|
|
df4535 |
- cs->fw.ip.flags |= IPT_F_GOTO;
|
|
|
df4535 |
+ cs->fw.ip.flags |= IPT_F_GOTO;
|
|
|
df4535 |
}
|
|
|
df4535 |
|
|
|
df4535 |
static void print_fragment(unsigned int flags, unsigned int invflags,
|
|
|
df4535 |
@@ -473,7 +467,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
|
|
|
df4535 |
.is_same = nft_ipv4_is_same,
|
|
|
df4535 |
.parse_meta = nft_ipv4_parse_meta,
|
|
|
df4535 |
.parse_payload = nft_ipv4_parse_payload,
|
|
|
df4535 |
- .parse_immediate = nft_ipv4_parse_immediate,
|
|
|
df4535 |
+ .set_goto_flag = nft_ipv4_set_goto_flag,
|
|
|
df4535 |
.print_header = print_header,
|
|
|
df4535 |
.print_rule = nft_ipv4_print_rule,
|
|
|
df4535 |
.save_rule = nft_ipv4_save_rule,
|
|
|
df4535 |
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
|
|
df4535 |
index a5481b3f77ac5..127bc96379968 100644
|
|
|
df4535 |
--- a/iptables/nft-ipv6.c
|
|
|
df4535 |
+++ b/iptables/nft-ipv6.c
|
|
|
df4535 |
@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
|
|
|
df4535 |
}
|
|
|
df4535 |
}
|
|
|
df4535 |
|
|
|
df4535 |
-static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
|
|
|
df4535 |
- void *data)
|
|
|
df4535 |
+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
|
|
|
df4535 |
{
|
|
|
df4535 |
- struct iptables_command_state *cs = data;
|
|
|
df4535 |
-
|
|
|
df4535 |
- cs->jumpto = jumpto;
|
|
|
df4535 |
-
|
|
|
df4535 |
- if (nft_goto)
|
|
|
df4535 |
- cs->fw6.ipv6.flags |= IP6T_F_GOTO;
|
|
|
df4535 |
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
|
|
|
df4535 |
}
|
|
|
df4535 |
|
|
|
df4535 |
static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
|
|
|
df4535 |
@@ -415,7 +409,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
|
|
|
df4535 |
.is_same = nft_ipv6_is_same,
|
|
|
df4535 |
.parse_meta = nft_ipv6_parse_meta,
|
|
|
df4535 |
.parse_payload = nft_ipv6_parse_payload,
|
|
|
df4535 |
- .parse_immediate = nft_ipv6_parse_immediate,
|
|
|
df4535 |
+ .set_goto_flag = nft_ipv6_set_goto_flag,
|
|
|
df4535 |
.print_header = print_header,
|
|
|
df4535 |
.print_rule = nft_ipv6_print_rule,
|
|
|
df4535 |
.save_rule = nft_ipv6_save_rule,
|
|
|
df4535 |
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
|
|
|
df4535 |
index 7f757d38ecaec..172cf2054a33c 100644
|
|
|
df4535 |
--- a/iptables/nft-shared.c
|
|
|
df4535 |
+++ b/iptables/nft-shared.c
|
|
|
df4535 |
@@ -510,9 +510,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
|
|
|
df4535 |
static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
|
|
df4535 |
{
|
|
|
df4535 |
const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
|
|
|
df4535 |
- const char *jumpto = NULL;
|
|
|
df4535 |
- bool nft_goto = false;
|
|
|
df4535 |
- void *data = ctx->cs;
|
|
|
df4535 |
+ struct iptables_command_state *cs = ctx->cs;
|
|
|
df4535 |
int verdict;
|
|
|
df4535 |
|
|
|
df4535 |
if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
|
|
|
df4535 |
@@ -535,23 +533,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
|
|
df4535 |
/* Standard target? */
|
|
|
df4535 |
switch(verdict) {
|
|
|
df4535 |
case NF_ACCEPT:
|
|
|
df4535 |
- jumpto = "ACCEPT";
|
|
|
df4535 |
+ cs->jumpto = "ACCEPT";
|
|
|
df4535 |
break;
|
|
|
df4535 |
case NF_DROP:
|
|
|
df4535 |
- jumpto = "DROP";
|
|
|
df4535 |
+ cs->jumpto = "DROP";
|
|
|
df4535 |
break;
|
|
|
df4535 |
case NFT_RETURN:
|
|
|
df4535 |
- jumpto = "RETURN";
|
|
|
df4535 |
+ cs->jumpto = "RETURN";
|
|
|
df4535 |
break;;
|
|
|
df4535 |
case NFT_GOTO:
|
|
|
df4535 |
- nft_goto = true;
|
|
|
df4535 |
+ if (ctx->h->ops->set_goto_flag)
|
|
|
df4535 |
+ ctx->h->ops->set_goto_flag(cs);
|
|
|
df4535 |
/* fall through */
|
|
|
df4535 |
case NFT_JUMP:
|
|
|
df4535 |
- jumpto = chain;
|
|
|
df4535 |
+ cs->jumpto = chain;
|
|
|
df4535 |
break;
|
|
|
df4535 |
}
|
|
|
df4535 |
-
|
|
|
df4535 |
- ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
|
|
|
df4535 |
}
|
|
|
df4535 |
|
|
|
df4535 |
static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
|
|
df4535 |
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
|
|
|
df4535 |
index 520a296fb530c..29f7056714235 100644
|
|
|
df4535 |
--- a/iptables/nft-shared.h
|
|
|
df4535 |
+++ b/iptables/nft-shared.h
|
|
|
df4535 |
@@ -89,7 +89,7 @@ struct nft_family_ops {
|
|
|
df4535 |
void *data);
|
|
|
df4535 |
void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
|
|
|
df4535 |
void *data);
|
|
|
df4535 |
- void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
|
|
|
df4535 |
+ void (*set_goto_flag)(struct iptables_command_state *cs);
|
|
|
df4535 |
|
|
|
df4535 |
void (*print_table_header)(const char *tablename);
|
|
|
df4535 |
void (*print_header)(unsigned int format, const char *chain,
|
|
|
df4535 |
--
|
|
|
df4535 |
2.34.1
|
|
|
df4535 |
|