From c4bc02802cb95af82d30cb0ad605060694640e07 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 1 Mar 2022 18:59:31 +0100
Subject: [PATCH] nft: Simplify immediate parsing
Implementations of parse_immediate callback are mostly trivial, the only relevant part is access to family-specific parts of struct iptables_command_state when setting goto flag for iptables and ip6tables. Refactor them into simple set_goto_flag callbacks.
Signed-off-by: Phil Sutter
Acked-by: Florian Westphal
(cherry picked from commit b5f2faea325a315bfb932ebc634f3298d4824cae)
---
 iptables/nft-arp.c | 9 ---------
 iptables/nft-bridge.c | 9 ---------
 iptables/nft-ipv4.c | 12 +++---------
 iptables/nft-ipv6.c | 12 +++---------
 iptables/nft-shared.c | 17 +++++++----------
 iptables/nft-shared.h | 2 +-
 6 files changed, 14 insertions(+), 47 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2a9387a18dffe..d55e06572b283 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 fw->arp.invflags |= flags;
 }
-static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
-{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-}
-
 static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
 {
 mask->s_addr = ctx->bitwise.mask[0];
@@ -552,7 +544,6 @@ struct nft_family_ops nft_family_ops_arp = {
 .print_payload = NULL,
 .parse_meta = nft_arp_parse_meta,
 .parse_payload = nft_arp_parse_payload,
- .parse_immediate = nft_arp_parse_immediate,
 .print_header = nft_arp_print_header,
 .print_rule = nft_arp_print_rule,
 .save_rule = nft_arp_save_rule,
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index d98fd527d9549..5807c0d32a97c 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -251,14 +251,6 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
 }
 }
-static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
-{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-}
-
 /* return 0 if saddr, 1 if daddr, -1 on error */
 static int lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
 {
@@ -889,7 +881,6 @@ struct nft_family_ops nft_family_ops_bridge = {
 .print_payload = NULL,
 .parse_meta = nft_bridge_parse_meta,
 .parse_payload = nft_bridge_parse_payload,
- .parse_immediate = nft_bridge_parse_immediate,
 .parse_lookup = nft_bridge_parse_lookup,
 .parse_match = nft_bridge_parse_match,
 .parse_target = nft_bridge_parse_target,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 34f94bd8cc24a..80b8954f4a39d 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -241,15 +241,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
 }
 }
-static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
 {
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-
- if (nft_goto)
- cs->fw.ip.flags |= IPT_F_GOTO;
+ cs->fw.ip.flags |= IPT_F_GOTO;
 }
 static void print_fragment(unsigned int flags, unsigned int invflags,
@@ -473,7 +467,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
 .is_same = nft_ipv4_is_same,
 .parse_meta = nft_ipv4_parse_meta,
 .parse_payload = nft_ipv4_parse_payload,
- .parse_immediate = nft_ipv4_parse_immediate,
+ .set_goto_flag = nft_ipv4_set_goto_flag,
 .print_header = print_header,
 .print_rule = nft_ipv4_print_rule,
 .save_rule = nft_ipv4_save_rule,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index d9c9400ad7dc3..663401b49f94d 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 }
 }
-static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
 {
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-
- if (nft_goto)
- cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
@@ -415,7 +409,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
 .is_same = nft_ipv6_is_same,
 .parse_meta = nft_ipv6_parse_meta,
 .parse_payload = nft_ipv6_parse_payload,
- .parse_immediate = nft_ipv6_parse_immediate,
+ .set_goto_flag = nft_ipv6_set_goto_flag,
 .print_header = print_header,
 .print_rule = nft_ipv6_print_rule,
 .save_rule = nft_ipv6_save_rule,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index c1664b50f9383..bd0c8895d48bb 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -510,9 +510,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
 static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 {
 const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
- const char *jumpto = NULL;
- bool nft_goto = false;
- void *data = ctx->cs;
+ struct iptables_command_state *cs = ctx->cs;
 int verdict;
 if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
@@ -535,23 +533,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 /* Standard target? */
 switch(verdict) {
 case NF_ACCEPT:
- jumpto = "ACCEPT";
+ cs->jumpto = "ACCEPT";
 break;
 case NF_DROP:
- jumpto = "DROP";
+ cs->jumpto = "DROP";
 break;
 case NFT_RETURN:
- jumpto = "RETURN";
+ cs->jumpto = "RETURN";
 break;;
 case NFT_GOTO:
- nft_goto = true;
+ if (ctx->h->ops->set_goto_flag)
+ ctx->h->ops->set_goto_flag(cs);
 /* fall through */
 case NFT_JUMP:
- jumpto = chain;
+ cs->jumpto = chain;
 break;
 }
-
- ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
 }
 static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index da4ba9d2ba8de..e4ef16cc24f12 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -89,7 +89,7 @@ struct nft_family_ops {
 void *data);
 void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 void *data);
- void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
+ void (*set_goto_flag)(struct iptables_command_state *cs);
 void (*print_table_header)(const char *tablename);
 void (*print_header)(unsigned int format, const char *chain,
--
2.34.1
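Review bot: The switch on `verdict` has no `default`, and with the trailing callback removed an unhandled verdict now leaves `cs->jumpto` at whatever it held on entry, where the old code always ended by storing the local `jumpto` (NULL in that case) through `parse_immediate`. If `cs` can reach this function with a target name already set (its initialisation is outside the hunk), a listing could show a verdict the rule does not carry, which matters when the output is used to audit a ruleset. Adding `default: cs->jumpto = NULL; break;` keeps the previous result. The stray second semicolon in `break;;` under `NFT_RETURN` could be dropped in the same pass. nft_parse_immediate begins before this hunk.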
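Review bot: The new `set_goto_flag` member is optional, but nothing at its declaration says so. nft_parse_immediate checks it for NULL before calling, and the arp and bridge ops tables in this commit set nothing in place of the removed `parse_immediate`, so a goto verdict for those families is recorded like a plain jump. A comment on the member would make that contract visible, e.g. `/* optional; families without a goto flag leave this NULL and goto is parsed like jump */`. struct nft_family_ops starts and ends outside the hunk.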