author | Phil Sutter <phil@nwl.cc> | 2020-10-30 14:08:33 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2020-11-04 15:39:23 +0100 |
commit | 274cb05edc58d6fa982a34c84b2f4cf6acc3e335 (patch) | |
tree | c6575d918216e25f5328a4e19fe94f6c58fee92d /iptables/nft-ipv4.c | |
parent | 323259001d617ae359430a03ee3d3e7f107684e0 (diff) |
ebtables: Optimize masked MAC address matches
Just like with class-based prefix matches in iptables-nft, optimize
masked MAC address matches if the mask is on a byte-boundary.
To reuse the logic in add_addr(), extend it to accept the payload base
value via parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft-ipv4.c')
-rw-r--r-- | iptables/nft-ipv4.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ce702041..fdc15c6f 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -50,13 +50,15 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
 if (cs->fw.ip.src.s_addr || cs->fw.ip.smsk.s_addr || cs->fw.ip.invflags & IPT_INV_SRCIP) {
 op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_SRCIP);
- add_addr(r, offsetof(struct iphdr, saddr),
+ add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
+ offsetof(struct iphdr, saddr),
 &cs->fw.ip.src.s_addr, &cs->fw.ip.smsk.s_addr,
 sizeof(struct in_addr), op);
 }
 if (cs->fw.ip.dst.s_addr || cs->fw.ip.dmsk.s_addr || cs->fw.ip.invflags & IPT_INV_DSTIP) {
 op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_DSTIP);
- add_addr(r, offsetof(struct iphdr, daddr),
+ add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
+ offsetof(struct iphdr, daddr),
 &cs->fw.ip.dst.s_addr, &cs->fw.ip.dmsk.s_addr,
 sizeof(struct in_addr), op);
 } |
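Review bot: The two `add_addr()` calls in `nft_ipv4_add()` now pass a payload base and an offset as adjacent arguments, and nothing at the call sites records that the offset is measured from that base. If `add_addr()` declares both as plain integer types (its prototype is not in this hunk), a transposed or mismatched pair would still compile and would produce a rule that compares the wrong packet bytes, which in a packet filter is a silent policy error rather than a crash. A one-line comment above the source-address call would document the pairing, for example `/* offsets below are relative to the start of the IPv4 header */`, and declaring the new parameter as `enum nft_payload_bases` would at least make the intent visible in the prototype. The body of `nft_ipv4_add()` begins and ends outside this hunk.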