Commit 0e5a1c7e authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: use hook state from xt_action_param structure

Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.

This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 613dbd95
...@@ -14,27 +14,42 @@ ...@@ -14,27 +14,42 @@
struct nft_pktinfo { struct nft_pktinfo {
struct sk_buff *skb; struct sk_buff *skb;
struct net *net;
const struct net_device *in;
const struct net_device *out;
u8 pf;
u8 hook;
bool tprot_set; bool tprot_set;
u8 tprot; u8 tprot;
/* for x_tables compatibility */ /* for x_tables compatibility */
struct xt_action_param xt; struct xt_action_param xt;
}; };
static inline struct net *nft_net(const struct nft_pktinfo *pkt)
{
return pkt->xt.state->net;
}
static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
{
return pkt->xt.state->hook;
}
static inline u8 nft_pf(const struct nft_pktinfo *pkt)
{
return pkt->xt.state->pf;
}
static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
{
return pkt->xt.state->in;
}
static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
{
return pkt->xt.state->out;
}
static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
struct sk_buff *skb, struct sk_buff *skb,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
pkt->skb = skb; pkt->skb = skb;
pkt->net = state->net;
pkt->in = state->in;
pkt->out = state->out;
pkt->hook = state->hook;
pkt->pf = state->pf;
pkt->xt.state = state; pkt->xt.state = state;
} }
......
...@@ -23,7 +23,7 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr, ...@@ -23,7 +23,7 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
{ {
const struct nft_meta *priv = nft_expr_priv(expr); const struct nft_meta *priv = nft_expr_priv(expr);
const struct net_device *in = pkt->in, *out = pkt->out; const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
u32 *dest = &regs->data[priv->dreg]; u32 *dest = &regs->data[priv->dreg];
const struct net_bridge_port *p; const struct net_bridge_port *p;
......
...@@ -315,17 +315,20 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr, ...@@ -315,17 +315,20 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
case htons(ETH_P_IP): case htons(ETH_P_IP):
switch (priv->type) { switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH: case NFT_REJECT_ICMP_UNREACH:
nft_reject_br_send_v4_unreach(pkt->net, pkt->skb, nft_reject_br_send_v4_unreach(nft_net(pkt), pkt->skb,
pkt->in, pkt->hook, nft_in(pkt),
nft_hook(pkt),
priv->icmp_code); priv->icmp_code);
break; break;
case NFT_REJECT_TCP_RST: case NFT_REJECT_TCP_RST:
nft_reject_br_send_v4_tcp_reset(pkt->net, pkt->skb, nft_reject_br_send_v4_tcp_reset(nft_net(pkt), pkt->skb,
pkt->in, pkt->hook); nft_in(pkt),
nft_hook(pkt));
break; break;
case NFT_REJECT_ICMPX_UNREACH: case NFT_REJECT_ICMPX_UNREACH:
nft_reject_br_send_v4_unreach(pkt->net, pkt->skb, nft_reject_br_send_v4_unreach(nft_net(pkt), pkt->skb,
pkt->in, pkt->hook, nft_in(pkt),
nft_hook(pkt),
nft_reject_icmp_code(priv->icmp_code)); nft_reject_icmp_code(priv->icmp_code));
break; break;
} }
...@@ -333,17 +336,20 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr, ...@@ -333,17 +336,20 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
case htons(ETH_P_IPV6): case htons(ETH_P_IPV6):
switch (priv->type) { switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH: case NFT_REJECT_ICMP_UNREACH:
nft_reject_br_send_v6_unreach(pkt->net, pkt->skb, nft_reject_br_send_v6_unreach(nft_net(pkt), pkt->skb,
pkt->in, pkt->hook, nft_in(pkt),
nft_hook(pkt),
priv->icmp_code); priv->icmp_code);
break; break;
case NFT_REJECT_TCP_RST: case NFT_REJECT_TCP_RST:
nft_reject_br_send_v6_tcp_reset(pkt->net, pkt->skb, nft_reject_br_send_v6_tcp_reset(nft_net(pkt), pkt->skb,
pkt->in, pkt->hook); nft_in(pkt),
nft_hook(pkt));
break; break;
case NFT_REJECT_ICMPX_UNREACH: case NFT_REJECT_ICMPX_UNREACH:
nft_reject_br_send_v6_unreach(pkt->net, pkt->skb, nft_reject_br_send_v6_unreach(nft_net(pkt), pkt->skb,
pkt->in, pkt->hook, nft_in(pkt),
nft_hook(pkt),
nft_reject_icmpv6_code(priv->icmp_code)); nft_reject_icmpv6_code(priv->icmp_code));
break; break;
} }
......
...@@ -30,7 +30,7 @@ static void nft_dup_ipv4_eval(const struct nft_expr *expr, ...@@ -30,7 +30,7 @@ static void nft_dup_ipv4_eval(const struct nft_expr *expr,
}; };
int oif = regs->data[priv->sreg_dev]; int oif = regs->data[priv->sreg_dev];
nf_dup_ipv4(pkt->net, pkt->skb, pkt->hook, &gw, oif); nf_dup_ipv4(nft_net(pkt), pkt->skb, nft_hook(pkt), &gw, oif);
} }
static int nft_dup_ipv4_init(const struct nft_ctx *ctx, static int nft_dup_ipv4_init(const struct nft_ctx *ctx,
......
...@@ -45,9 +45,9 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -45,9 +45,9 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
__be32 addr; __be32 addr;
if (priv->flags & NFTA_FIB_F_IIF) if (priv->flags & NFTA_FIB_F_IIF)
dev = pkt->in; dev = nft_in(pkt);
else if (priv->flags & NFTA_FIB_F_OIF) else if (priv->flags & NFTA_FIB_F_OIF)
dev = pkt->out; dev = nft_out(pkt);
iph = ip_hdr(pkt->skb); iph = ip_hdr(pkt->skb);
if (priv->flags & NFTA_FIB_F_DADDR) if (priv->flags & NFTA_FIB_F_DADDR)
...@@ -55,7 +55,7 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -55,7 +55,7 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
else else
addr = iph->saddr; addr = iph->saddr;
*dst = inet_dev_addr_type(pkt->net, dev, addr); *dst = inet_dev_addr_type(nft_net(pkt), dev, addr);
} }
EXPORT_SYMBOL_GPL(nft_fib4_eval_type); EXPORT_SYMBOL_GPL(nft_fib4_eval_type);
...@@ -89,13 +89,13 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -89,13 +89,13 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
* Search results for the desired outinterface instead. * Search results for the desired outinterface instead.
*/ */
if (priv->flags & NFTA_FIB_F_OIF) if (priv->flags & NFTA_FIB_F_OIF)
oif = pkt->out; oif = nft_out(pkt);
else if (priv->flags & NFTA_FIB_F_IIF) else if (priv->flags & NFTA_FIB_F_IIF)
oif = pkt->in; oif = nft_in(pkt);
else else
oif = NULL; oif = NULL;
if (pkt->hook == NF_INET_PRE_ROUTING && fib4_is_local(pkt->skb)) { if (nft_hook(pkt) == NF_INET_PRE_ROUTING && fib4_is_local(pkt->skb)) {
nft_fib_store_result(dest, priv->result, pkt, LOOPBACK_IFINDEX); nft_fib_store_result(dest, priv->result, pkt, LOOPBACK_IFINDEX);
return; return;
} }
...@@ -122,7 +122,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -122,7 +122,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
fl4.saddr = get_saddr(iph->daddr); fl4.saddr = get_saddr(iph->daddr);
} }
if (fib_lookup(pkt->net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE)) if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
return; return;
switch (res.type) { switch (res.type) {
......
...@@ -31,8 +31,8 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr, ...@@ -31,8 +31,8 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
range.max_proto.all = range.max_proto.all =
*(__be16 *)&regs->data[priv->sreg_proto_max]; *(__be16 *)&regs->data[priv->sreg_proto_max];
} }
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->hook, regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
&range, pkt->out); &range, nft_out(pkt));
} }
static struct nft_expr_type nft_masq_ipv4_type; static struct nft_expr_type nft_masq_ipv4_type;
......
...@@ -35,8 +35,7 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr, ...@@ -35,8 +35,7 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr,
mr.range[0].flags |= priv->flags; mr.range[0].flags |= priv->flags;
regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, nft_hook(pkt));
pkt->hook);
} }
static struct nft_expr_type nft_redir_ipv4_type; static struct nft_expr_type nft_redir_ipv4_type;
......
...@@ -27,10 +27,10 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr, ...@@ -27,10 +27,10 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,
switch (priv->type) { switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH: case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach(pkt->skb, priv->icmp_code, pkt->hook); nf_send_unreach(pkt->skb, priv->icmp_code, nft_hook(pkt));
break; break;
case NFT_REJECT_TCP_RST: case NFT_REJECT_TCP_RST:
nf_send_reset(pkt->net, pkt->skb, pkt->hook); nf_send_reset(nft_net(pkt), pkt->skb, nft_hook(pkt));
break; break;
default: default:
break; break;
......
...@@ -28,7 +28,7 @@ static void nft_dup_ipv6_eval(const struct nft_expr *expr, ...@@ -28,7 +28,7 @@ static void nft_dup_ipv6_eval(const struct nft_expr *expr,
struct in6_addr *gw = (struct in6_addr *)&regs->data[priv->sreg_addr]; struct in6_addr *gw = (struct in6_addr *)&regs->data[priv->sreg_addr];
int oif = regs->data[priv->sreg_dev]; int oif = regs->data[priv->sreg_dev];
nf_dup_ipv6(pkt->net, pkt->skb, pkt->hook, gw, oif); nf_dup_ipv6(nft_net(pkt), pkt->skb, nft_hook(pkt), gw, oif);
} }
static int nft_dup_ipv6_init(const struct nft_ctx *ctx, static int nft_dup_ipv6_init(const struct nft_ctx *ctx,
......
...@@ -80,17 +80,17 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv, ...@@ -80,17 +80,17 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
return RTN_UNREACHABLE; return RTN_UNREACHABLE;
if (priv->flags & NFTA_FIB_F_IIF) if (priv->flags & NFTA_FIB_F_IIF)
dev = pkt->in; dev = nft_in(pkt);
else if (priv->flags & NFTA_FIB_F_OIF) else if (priv->flags & NFTA_FIB_F_OIF)
dev = pkt->out; dev = nft_out(pkt);
nft_fib6_flowi_init(&fl6, priv, pkt, dev); nft_fib6_flowi_init(&fl6, priv, pkt, dev);
v6ops = nf_get_ipv6_ops(); v6ops = nf_get_ipv6_ops();
if (dev && v6ops && v6ops->chk_addr(pkt->net, &fl6.daddr, dev, true)) if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
ret = RTN_LOCAL; ret = RTN_LOCAL;
route_err = afinfo->route(pkt->net, (struct dst_entry **)&rt, route_err = afinfo->route(nft_net(pkt), (struct dst_entry **)&rt,
flowi6_to_flowi(&fl6), false); flowi6_to_flowi(&fl6), false);
if (route_err) if (route_err)
goto err; goto err;
...@@ -158,20 +158,20 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -158,20 +158,20 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
int lookup_flags; int lookup_flags;
if (priv->flags & NFTA_FIB_F_IIF) if (priv->flags & NFTA_FIB_F_IIF)
oif = pkt->in; oif = nft_in(pkt);
else if (priv->flags & NFTA_FIB_F_OIF) else if (priv->flags & NFTA_FIB_F_OIF)
oif = pkt->out; oif = nft_out(pkt);
lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif); lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif);
if (pkt->hook == NF_INET_PRE_ROUTING && fib6_is_local(pkt->skb)) { if (nft_hook(pkt) == NF_INET_PRE_ROUTING && fib6_is_local(pkt->skb)) {
nft_fib_store_result(dest, priv->result, pkt, LOOPBACK_IFINDEX); nft_fib_store_result(dest, priv->result, pkt, LOOPBACK_IFINDEX);
return; return;
} }
*dest = 0; *dest = 0;
again: again:
rt = (void *)ip6_route_lookup(pkt->net, &fl6, lookup_flags); rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags);
if (rt->dst.error) if (rt->dst.error)
goto put_rt_err; goto put_rt_err;
......
...@@ -32,7 +32,8 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr, ...@@ -32,7 +32,8 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
range.max_proto.all = range.max_proto.all =
*(__be16 *)&regs->data[priv->sreg_proto_max]; *(__be16 *)&regs->data[priv->sreg_proto_max];
} }
regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out); regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range,
nft_out(pkt));
} }
static struct nft_expr_type nft_masq_ipv6_type; static struct nft_expr_type nft_masq_ipv6_type;
......
...@@ -35,7 +35,8 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr, ...@@ -35,7 +35,8 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
range.flags |= priv->flags; range.flags |= priv->flags;
regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, pkt->hook); regs->verdict.code =
nf_nat_redirect_ipv6(pkt->skb, &range, nft_hook(pkt));
} }
static struct nft_expr_type nft_redir_ipv6_type; static struct nft_expr_type nft_redir_ipv6_type;
......
...@@ -27,11 +27,11 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr, ...@@ -27,11 +27,11 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
switch (priv->type) { switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH: case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach6(pkt->net, pkt->skb, priv->icmp_code, nf_send_unreach6(nft_net(pkt), pkt->skb, priv->icmp_code,
pkt->hook); nft_hook(pkt));
break; break;
case NFT_REJECT_TCP_RST: case NFT_REJECT_TCP_RST:
nf_send_reset6(pkt->net, pkt->skb, pkt->hook); nf_send_reset6(nft_net(pkt), pkt->skb, nft_hook(pkt));
break; break;
default: default:
break; break;
......
...@@ -19,7 +19,7 @@ void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif) ...@@ -19,7 +19,7 @@ void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
struct net_device *dev; struct net_device *dev;
struct sk_buff *skb; struct sk_buff *skb;
dev = dev_get_by_index_rcu(pkt->net, oif); dev = dev_get_by_index_rcu(nft_net(pkt), oif);
if (dev == NULL) if (dev == NULL)
return; return;
......
...@@ -53,10 +53,10 @@ static noinline void __nft_trace_packet(struct nft_traceinfo *info, ...@@ -53,10 +53,10 @@ static noinline void __nft_trace_packet(struct nft_traceinfo *info,
nft_trace_notify(info); nft_trace_notify(info);
nf_log_trace(pkt->net, pkt->pf, pkt->hook, pkt->skb, pkt->in, nf_log_trace(nft_net(pkt), nft_pf(pkt), nft_hook(pkt), pkt->skb,
pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ", nft_in(pkt), nft_out(pkt), &trace_loginfo,
chain->table->name, chain->name, comments[type], "TRACE: %s:%s:%s:%u ",
rulenum); chain->table->name, chain->name, comments[type], rulenum);
} }
static inline void nft_trace_packet(struct nft_traceinfo *info, static inline void nft_trace_packet(struct nft_traceinfo *info,
...@@ -124,7 +124,7 @@ unsigned int ...@@ -124,7 +124,7 @@ unsigned int
nft_do_chain(struct nft_pktinfo *pkt, void *priv) nft_do_chain(struct nft_pktinfo *pkt, void *priv)
{ {
const struct nft_chain *chain = priv, *basechain = chain; const struct nft_chain *chain = priv, *basechain = chain;
const struct net *net = pkt->net; const struct net *net = nft_net(pkt);
const struct nft_rule *rule; const struct nft_rule *rule;
const struct nft_expr *expr, *last; const struct nft_expr *expr, *last;
struct nft_regs regs; struct nft_regs regs;
......
...@@ -171,7 +171,7 @@ void nft_trace_notify(struct nft_traceinfo *info) ...@@ -171,7 +171,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
unsigned int size; unsigned int size;
int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_TRACE; int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_TRACE;
if (!nfnetlink_has_listeners(pkt->net, NFNLGRP_NFTRACE)) if (!nfnetlink_has_listeners(nft_net(pkt), NFNLGRP_NFTRACE))
return; return;
size = nlmsg_total_size(sizeof(struct nfgenmsg)) + size = nlmsg_total_size(sizeof(struct nfgenmsg)) +
...@@ -207,7 +207,7 @@ void nft_trace_notify(struct nft_traceinfo *info) ...@@ -207,7 +207,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
nfmsg->version = NFNETLINK_V0; nfmsg->version = NFNETLINK_V0;
nfmsg->res_id = 0; nfmsg->res_id = 0;
if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(pkt->pf))) if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(nft_pf(pkt))))
goto nla_put_failure; goto nla_put_failure;
if (nla_put_be32(skb, NFTA_TRACE_TYPE, htonl(info->type))) if (nla_put_be32(skb, NFTA_TRACE_TYPE, htonl(info->type)))
...@@ -249,7 +249,7 @@ void nft_trace_notify(struct nft_traceinfo *info) ...@@ -249,7 +249,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
goto nla_put_failure; goto nla_put_failure;
if (!info->packet_dumped) { if (!info->packet_dumped) {
if (nf_trace_fill_dev_info(skb, pkt->in, pkt->out)) if (nf_trace_fill_dev_info(skb, nft_in(pkt), nft_out(pkt)))
goto nla_put_failure; goto nla_put_failure;
if (nf_trace_fill_pkt_info(skb, pkt)) if (nf_trace_fill_pkt_info(skb, pkt))
...@@ -258,7 +258,7 @@ void nft_trace_notify(struct nft_traceinfo *info) ...@@ -258,7 +258,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
} }
nlmsg_end(skb, nlh); nlmsg_end(skb, nlh);
nfnetlink_send(skb, pkt->net, 0, NFNLGRP_NFTRACE, 0, GFP_ATOMIC); nfnetlink_send(skb, nft_net(pkt), 0, NFNLGRP_NFTRACE, 0, GFP_ATOMIC);
return; return;
nla_put_failure: nla_put_failure:
......
...@@ -144,7 +144,7 @@ void nft_fib_store_result(void *reg, enum nft_fib_result r, ...@@ -144,7 +144,7 @@ void nft_fib_store_result(void *reg, enum nft_fib_result r,
*dreg = index; *dreg = index;
break; break;
case NFT_FIB_RESULT_OIFNAME: case NFT_FIB_RESULT_OIFNAME:
dev = dev_get_by_index_rcu(pkt->net, index); dev = dev_get_by_index_rcu(nft_net(pkt), index);
strncpy(reg, dev ? dev->name : "", IFNAMSIZ); strncpy(reg, dev ? dev->name : "", IFNAMSIZ);
break; break;
default: default:
......
...@@ -21,7 +21,7 @@ static void nft_fib_inet_eval(const struct nft_expr *expr, ...@@ -21,7 +21,7 @@ static void nft_fib_inet_eval(const struct nft_expr *expr,
{ {
const struct nft_fib *priv = nft_expr_priv(expr); const struct nft_fib *priv = nft_expr_priv(expr);
switch (pkt->pf) { switch (nft_pf(pkt)) {
case NFPROTO_IPV4: case NFPROTO_IPV4:
switch (priv->result) { switch (priv->result) {
case NFT_FIB_RESULT_OIF: case NFT_FIB_RESULT_OIF:
......
...@@ -32,8 +32,9 @@ static void nft_log_eval(const struct nft_expr *expr, ...@@ -32,8 +32,9 @@ static void nft_log_eval(const struct nft_expr *expr,
{ {
const struct nft_log *priv = nft_expr_priv(expr); const struct nft_log *priv = nft_expr_priv(expr);
nf_log_packet(pkt->net, pkt->pf, pkt->hook, pkt->skb, pkt->in, nf_log_packet(nft_net(pkt), nft_pf(pkt), nft_hook(pkt), pkt->skb,
pkt->out, &priv->loginfo, "%s", priv->prefix); nft_in(pkt), nft_out(pkt), &priv->loginfo, "%s",
priv->prefix);
} }
static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = { static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = {
......
...@@ -35,9 +35,8 @@ static void nft_lookup_eval(const struct nft_expr *expr, ...@@ -35,9 +35,8 @@ static void nft_lookup_eval(const struct nft_expr *expr,
const struct nft_set_ext *ext; const struct nft_set_ext *ext;
bool found; bool found;
found = set->ops->lookup(pkt->net, set, &regs->data[priv->sreg], &ext) ^ found = set->ops->lookup(nft_net(pkt), set, &regs->data[priv->sreg],
priv->invert; &ext) ^ priv->invert;
if (!found) { if (!found) {
regs->verdict.code = NFT_BREAK; regs->verdict.code = NFT_BREAK;
return; return;
......
...@@ -36,7 +36,7 @@ void nft_meta_get_eval(const struct nft_expr *expr, ...@@ -36,7 +36,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
{ {
const struct nft_meta *priv = nft_expr_priv(expr); const struct nft_meta *priv = nft_expr_priv(expr);
const struct sk_buff *skb = pkt->skb; const struct sk_buff *skb = pkt->skb;
const struct net_device *in = pkt->in, *out = pkt->out; const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
struct sock *sk; struct sock *sk;
u32 *dest = &regs->data[priv->dreg]; u32 *dest = &regs->data[priv->dreg];
...@@ -49,7 +49,7 @@ void nft_meta_get_eval(const struct nft_expr *expr, ...@@ -49,7 +49,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
*(__be16 *)dest = skb->protocol; *(__be16 *)dest = skb->protocol;
break; break;
case NFT_META_NFPROTO: case NFT_META_NFPROTO:
*dest = pkt->pf; *dest = nft_pf(pkt);
break; break;
case NFT_META_L4PROTO: case NFT_META_L4PROTO:
if (!pkt->tprot_set) if (!pkt->tprot_set)
...@@ -146,7 +146,7 @@ void nft_meta_get_eval(const struct nft_expr *expr, ...@@ -146,7 +146,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
break; break;
} }
switch (pkt->pf) { switch (nft_pf(pkt)) {
case NFPROTO_IPV4: case NFPROTO_IPV4:
if (ipv4_is_multicast(ip_hdr(skb)->daddr)) if (ipv4_is_multicast(ip_hdr(skb)->daddr))
*dest = PACKET_MULTICAST; *dest = PACKET_MULTICAST;
......
...@@ -43,7 +43,7 @@ static void nft_queue_eval(const struct nft_expr *expr, ...@@ -43,7 +43,7 @@ static void nft_queue_eval(const struct nft_expr *expr,
queue = priv->queuenum + cpu % priv->queues_total; queue = priv->queuenum + cpu % priv->queues_total;
} else { } else {
queue = nfqueue_hash(pkt->skb, queue, queue = nfqueue_hash(pkt->skb, queue,
priv->queues_total, pkt->pf, priv->queues_total, nft_pf(pkt),
jhash_initval); jhash_initval);
} }
} }
......
...@@ -23,36 +23,36 @@ static void nft_reject_inet_eval(const struct nft_expr *expr, ...@@ -23,36 +23,36 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
{ {
struct nft_reject *priv = nft_expr_priv(expr); struct nft_reject *priv = nft_expr_priv(expr);
switch (pkt->pf) { switch (nft_pf(pkt)) {
case NFPROTO_IPV4: case NFPROTO_IPV4:
switch (priv->type) { switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH: case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach(pkt->skb, priv->icmp_code, nf_send_unreach(pkt->skb, priv->icmp_code,
pkt->hook); nft_hook(pkt));
break; break;
case NFT_REJECT_TCP_RST: case NFT_REJECT_TCP_RST:
nf_send_reset(pkt->net, pkt->skb, pkt->hook); nf_send_reset(nft_net(pkt), pkt->skb, nft_hook(pkt));
break; break;
case NFT_REJECT_ICMPX_UNREACH: case NFT_REJECT_ICMPX_UNREACH:
nf_send_unreach(pkt->skb, nf_send_unreach(pkt->skb,
nft_reject_icmp_code(priv->icmp_code), nft_reject_icmp_code(priv->icmp_code),
pkt->hook); nft_hook(pkt));
break; break;
} }
break; break;
case NFPROTO_IPV6: case NFPROTO_IPV6:
switch (priv->type) { switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH: case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach6(pkt->net, pkt->skb, priv->icmp_code, nf_send_unreach6(nft_net(pkt), pkt->skb,
pkt->hook); priv->icmp_code, nft_hook(pkt));
break; break;
case NFT_REJECT_TCP_RST: case NFT_REJECT_TCP_RST:
nf_send_reset6(pkt->net, pkt->skb, pkt->hook); nf_send_reset6(nft_net(pkt), pkt->skb, nft_hook(pkt));
break; break;
case NFT_REJECT_ICMPX_UNREACH: case NFT_REJECT_ICMPX_UNREACH:
nf_send_unreach6(pkt->net, pkt->skb, nf_send_unreach6(nft_net(pkt), pkt->skb,
nft_reject_icmpv6_code(priv->icmp_code), nft_reject_icmpv6_code(priv->icmp_code),
pkt->hook); nft_hook(pkt));
break; break;
} }
break; break;
......
...@@ -43,14 +43,14 @@ void nft_rt_get_eval(const struct nft_expr *expr, ...@@ -43,14 +43,14 @@ void nft_rt_get_eval(const struct nft_expr *expr,
break; break;
#endif #endif
case NFT_RT_NEXTHOP4: case NFT_RT_NEXTHOP4:
if (pkt->pf != NFPROTO_IPV4) if (nft_pf(pkt) != NFPROTO_IPV4)
goto err; goto err;
*dest = rt_nexthop((const struct rtable *)dst, *dest = rt_nexthop((const struct rtable *)dst,
ip_hdr(skb)->daddr); ip_hdr(skb)->daddr);
break; break;
case NFT_RT_NEXTHOP6: case NFT_RT_NEXTHOP6:
if (pkt->pf != NFPROTO_IPV6) if (nft_pf(pkt) != NFPROTO_IPV6)
goto err; goto err;
memcpy(dest, rt6_nexthop((struct rt6_info *)dst, memcpy(dest, rt6_nexthop((struct rt6_info *)dst,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment