nft: Optimize class-based IP prefix matches

Payload expression works on byte-boundaries, leverage this with suitable prefix lengths. Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2020-10-02 09:44:38 +0200
committer: Phil Sutter <phil@nwl.cc> 2020-11-04 15:39:23 +0100
commit: 323259001d617ae359430a03ee3d3e7f107684e0 (patch)
tree: bb45b44cc1208b2e5607bdcd11d447db8e119cad /iptables/nft-ipv4.c
parent: 06a2eb727b0f350fcfea95839fc8c4674763a35d (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index afdecf97..ce702041 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -199,7 +199,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
 			parse_mask_ipv4(ctx, &cs->fw.ip.smsk);
 			ctx->flags &= ~NFT_XT_CTX_BITWISE;
 		} else {
-			cs->fw.ip.smsk.s_addr = 0xffffffff;
+			memset(&cs->fw.ip.smsk, 0xff,
+			       min(ctx->payload.len, sizeof(struct in_addr)));
 		}
 
 		if (inv)
@@ -212,7 +213,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
 			parse_mask_ipv4(ctx, &cs->fw.ip.dmsk);
 			ctx->flags &= ~NFT_XT_CTX_BITWISE;
 		} else {
-			cs->fw.ip.dmsk.s_addr = 0xffffffff;
+			memset(&cs->fw.ip.dmsk, 0xff,
+			       min(ctx->payload.len, sizeof(struct in_addr)));
 		}
 
 		if (inv)
author	Phil Sutter <phil@nwl.cc>	2020-10-02 09:44:38 +0200
committer	Phil Sutter <phil@nwl.cc>	2020-11-04 15:39:23 +0100
commit	323259001d617ae359430a03ee3d3e7f107684e0 (patch)
tree	bb45b44cc1208b2e5607bdcd11d447db8e119cad /iptables/nft-ipv4.c
parent	06a2eb727b0f350fcfea95839fc8c4674763a35d (diff)