netfilter: nf_tables: use hook state from xt_action_param structure
Don't copy relevant fields from hook state structure, instead use the one that is already available in struct xt_action_param. This patch also adds a set of new wrapper functions to fetch relevant hook state structure fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
@@ -28,7 +28,7 @@ static void nft_dup_ipv6_eval(const struct nft_expr *expr,
|
||||
struct in6_addr *gw = (struct in6_addr *)®s->data[priv->sreg_addr];
|
||||
int oif = regs->data[priv->sreg_dev];
|
||||
|
||||
nf_dup_ipv6(pkt->net, pkt->skb, pkt->hook, gw, oif);
|
||||
nf_dup_ipv6(nft_net(pkt), pkt->skb, nft_hook(pkt), gw, oif);
|
||||
}
|
||||
|
||||
static int nft_dup_ipv6_init(const struct nft_ctx *ctx,
|
||||
|
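Review bot: The context line `int oif = regs->data[priv->sreg_dev];` reads the device register unconditionally, and the value goes straight into the rewritten `nf_dup_ipv6(nft_net(pkt), pkt->skb, nft_hook(pkt), gw, oif)` call. If the device register is optional at init time (nft_dup_ipv6_init only starts at the end of this hunk, so its body is not visible), an unset `sreg_dev` would make this read an unrelated register and use it as an interface index. Guarding the read, e.g. `int oif = priv->sreg_dev ? regs->data[priv->sreg_dev] : -1;`, would avoid routing the duplicate by a stale value. This assumes -1 is what nf_dup_ipv6() treats as "no device", which should be confirmed. nft_dup_ipv6_eval begins above the hunk.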
@@ -80,17 +80,17 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
|
||||
return RTN_UNREACHABLE;
|
||||
|
||||
if (priv->flags & NFTA_FIB_F_IIF)
|
||||
dev = pkt->in;
|
||||
dev = nft_in(pkt);
|
||||
else if (priv->flags & NFTA_FIB_F_OIF)
|
||||
dev = pkt->out;
|
||||
dev = nft_out(pkt);
|
||||
|
||||
nft_fib6_flowi_init(&fl6, priv, pkt, dev);
|
||||
|
||||
v6ops = nf_get_ipv6_ops();
|
||||
if (dev && v6ops && v6ops->chk_addr(pkt->net, &fl6.daddr, dev, true))
|
||||
if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
|
||||
ret = RTN_LOCAL;
|
||||
|
||||
route_err = afinfo->route(pkt->net, (struct dst_entry **)&rt,
|
||||
route_err = afinfo->route(nft_net(pkt), (struct dst_entry **)&rt,
|
||||
flowi6_to_flowi(&fl6), false);
|
||||
if (route_err)
|
||||
goto err;
|
||||
@@ -158,20 +158,20 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
|
||||
int lookup_flags;
|
||||
|
||||
if (priv->flags & NFTA_FIB_F_IIF)
|
||||
oif = pkt->in;
|
||||
oif = nft_in(pkt);
|
||||
else if (priv->flags & NFTA_FIB_F_OIF)
|
||||
oif = pkt->out;
|
||||
oif = nft_out(pkt);
|
||||
|
||||
lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif);
|
||||
|
||||
if (pkt->hook == NF_INET_PRE_ROUTING && fib6_is_local(pkt->skb)) {
|
||||
if (nft_hook(pkt) == NF_INET_PRE_ROUTING && fib6_is_local(pkt->skb)) {
|
||||
nft_fib_store_result(dest, priv->result, pkt, LOOPBACK_IFINDEX);
|
||||
return;
|
||||
}
|
||||
|
||||
*dest = 0;
|
||||
again:
|
||||
rt = (void *)ip6_route_lookup(pkt->net, &fl6, lookup_flags);
|
||||
rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags);
|
||||
if (rt->dst.error)
|
||||
goto put_rt_err;
|
||||
|
||||
|
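Review bot: The assignments `dev = nft_in(pkt)` / `dev = nft_out(pkt)` in __nft_fib6_eval_type and `oif = nft_in(pkt)` / `oif = nft_out(pkt)` in nft_fib6_eval now hide behind an accessor the fact that the hook state's in/out device can be NULL on hooks that have no such device. The first function guards its later use with `if (dev && v6ops && ...)`, but both pass the pointer unchecked to nft_fib6_flowi_init(), whose body is not on this page. I would add a comment at each assignment such as `/* may be NULL: not every hook has an input/output device */` and confirm the helper tolerates NULL. Both functions start and end outside their hunks, so the initial value of dev/oif when neither flag is set is not visible.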
@@ -32,7 +32,8 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
|
||||
range.max_proto.all =
|
||||
*(__be16 *)®s->data[priv->sreg_proto_max];
|
||||
}
|
||||
regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out);
|
||||
regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range,
|
||||
nft_out(pkt));
|
||||
}
|
||||
|
||||
static struct nft_expr_type nft_masq_ipv6_type;
|
||||
|
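Review bot: `nft_out(pkt)` is passed to nf_nat_masquerade_ipv6() without a NULL check, so this call is only safe on hooks where the hook state carries an output device. Presumably chain validation restricts the expression to such hooks (postrouting), but that code is not in this hunk. A one-line comment above the call, e.g. `/* out device is non-NULL here: validation limits masquerade to hooks that have one */`, would record the dependency now that the field access sits behind a wrapper. nft_masq_ipv6_eval begins above the hunk.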
@@ -35,7 +35,8 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
|
||||
|
||||
range.flags |= priv->flags;
|
||||
|
||||
regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, pkt->hook);
|
||||
regs->verdict.code =
|
||||
nf_nat_redirect_ipv6(pkt->skb, &range, nft_hook(pkt));
|
||||
}
|
||||
|
||||
static struct nft_expr_type nft_redir_ipv6_type;
|
||||
|
@@ -27,11 +27,11 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
|
||||
|
||||
switch (priv->type) {
|
||||
case NFT_REJECT_ICMP_UNREACH:
|
||||
nf_send_unreach6(pkt->net, pkt->skb, priv->icmp_code,
|
||||
pkt->hook);
|
||||
nf_send_unreach6(nft_net(pkt), pkt->skb, priv->icmp_code,
|
||||
nft_hook(pkt));
|
||||
break;
|
||||
case NFT_REJECT_TCP_RST:
|
||||
nf_send_reset6(pkt->net, pkt->skb, pkt->hook);
|
||||
nf_send_reset6(nft_net(pkt), pkt->skb, nft_hook(pkt));
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|